By Luke Ramsdale – Service Engineer | Microsoft Endpoint Manager – Intune
This is the first in a five-part series about using BitLocker with Intune. The series will review basic concepts and recommended approaches to deploying BitLocker using Intune. Upcoming posts will describe simple and advanced troubleshooting techniques.
This post covers the concepts, requirements, and configurations needed for a successful deployment.
Intune is a cloud-based service that focuses on mobile device management (MDM) and app protection policies (APP also known as MAM). It helps administrators manage enrolled devices through policies. You use a policy to enable and configure BitLocker on Windows 10 devices.
Intune uses the Windows configuration service provider (CSP) to read, set, modify, or delete configuration settings on Windows devices enrolled into Intune using Synchronization Markup Language (SyncML) or Wireless Application Protocol (WAP) protocols. BitLocker Intune uses the BitLocker CSP.
BitLocker is a built-in Windows data protection feature. It encrypts drives, and prevents the theft of data from lost, stolen, or decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM), version 1.2 or later.
It is important to understand that BitLocker has specific hardware requirements and that some methods of enabling BitLocker are dependent on those conditions. Silent encryption, for example, requires TPM on a device.
Hardware requirements include:
Note
We highly recommended that the device you are encrypting has a supported TPM chip (version 1.2 and higher).
If BitLocker enters recovery mode when starting the operating system, there are ways to restore access. Choose one of the following options to restore access to the protected drive:
Note
A data recovery agent (DRA) is someone authorized to decrypt data on a Windows operating system. The agent can use their credentials to unlock the drive. However, Intune doesn’t support DRA certificates so the process would have to occur outside the Intune environment.
Before you configure a BitLocker encryption policy, consider the following options:
For OS volumes and fixed drives: XTS-AES 128-bit is the Windows default encryption method and the recommended value.
For removable drives: Use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1510 or earlier.
Note: For Autopilot devices, please read Setting the BitLocker encryption algorithm for Autopilot devices | Microsoft Docs to avoid devices from automatically encrypting when Azure AD joining with a different encryption algorithm to the one configured in the policy.
Here are best practices and recommended processes for using BitLocker with Intune.
Sign into the Microsoft Endpoint Manager admin center.
Select Endpoint security > Disk encryption > Create Policy.
In the Platform list, choose Windows 10 and later.
Under Profile, select BitLocker.
Select Create.
Note
To avoid conflicts, avoid assigning more than one BitLocker profile to a device and consolidate settings into this new profile.
For further resources on this subject, please see the links below.
BitLocker Overview and Requirements FAQ
BitLocker recovery guide (Windows 10)
Manage BitLocker policy for Windows 10 in Intune
Encryption report for encrypted devices in Microsoft Intune
Configure endpoint protection settings in Microsoft Intune
This is the first post in this series. Catch up on the other blogs:
Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.
Blog post updates:
2/22: Updated post that additional licenses may be required for certain Microsoft BitLocker settings.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.