Managing BitLocker in the enterprise using Microsoft Endpoint Manager

Published Mar 06 2020 11:00 AM

By Matt Shadbolt (@ConfigMgrDogs) | Principal Program Manager, Microsoft Endpoint Manager


In November 2019, we announced the integration of Microsoft Intune and Configuration Manager into a unified, integrated management platform. Customers who wish to deploy BitLocker management on-premises may do so using Configuration Manager without the need to deploy MBAM. We also support customers who prefer to manage BitLocker using Microsoft Intune cloud services without maintaining an on-premises infrastructure. And with key rolling fully integrated into Windows 10, version 1909, and Microsoft Endpoint Manager's investment in BitLocker management, we are providing you an update on the BitLocker management roadmap, originally posted here.



Figure 1: Microsoft BitLocker management lifecycle


Cloud-based BitLocker management using Microsoft Intune

Managing BitLocker via Intune gives organizations the confidence their Windows data is stored encrypted, without the need to manage an on-premises infrastructure. Here are some of the features you’ll get when using Intune for BitLocker management:

  • Silently enable BitLocker, allowing BitLocker to be enforced and enabled without user interaction.
  • Ability for encryption to be enabled by non-administrator users.
  • New BitLocker readiness and compliance reports.
  • IT Pro recovery key access experience.
  • Recovery key rotation, triggered either at the client or from the service.
  • Migration from MBAM to Intune can be performed by triggering a BitLocker key rotation and removing redundant BitLocker management agents.

NOTE: Make sure to remove any MBAM Group Policy Settings from the endpoint to prevent any conflicts in encryption settings.
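The readiness and compliance reports listed above are produced by the service; the following script is an added example (not code from the original post or from Microsoft) that performs the same kind of readiness check locally on one device, so a helpdesk engineer can see why a silent enablement has not completed: TPM state, Secure Boot, per-volume protection status and which key protectors (including a recovery password) are present. It assumes the inbox `BitLocker` and `TrustedPlatformModule` modules on Windows 10 and an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Uses the inbox BitLocker and
# TrustedPlatformModule modules on Windows 10; run in an elevated session.

function Get-BitLockerReadinessReport {
    [CmdletBinding()]
    param()

    # TPM state: silent enablement needs a TPM that is both present and ready.
    $tpm = Get-Tpm

    # Confirm-SecureBootUEFI throws on legacy BIOS machines, so an error means "no Secure Boot".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # One record per volume, with the protector types flattened to a string.
    $volumes = foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType.ToString()
            VolumeStatus        = $vol.VolumeStatus.ToString()
            ProtectionStatus    = $vol.ProtectionStatus.ToString()
            EncryptionPercent   = $vol.EncryptionPercentage
            KeyProtectors       = ($types -join ', ')
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }

    # The OS volume is the one a compliance policy usually cares about first.
    $os = $volumes | Where-Object VolumeType -eq 'OperatingSystem'

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        TpmPresent           = $tpm.TpmPresent
        TpmReady             = $tpm.TpmReady
        SecureBoot           = $secureBoot
        OsVolumeProtected    = ($os.ProtectionStatus -eq 'On')
        OsRecoveryKeyPresent = [bool]$os.HasRecoveryPassword
        Volumes              = $volumes
    }
}

# Usage: summary first, then the per-volume table.
$report = Get-BitLockerReadinessReport
$report | Format-List ComputerName, TpmPresent, TpmReady, SecureBoot, OsVolumeProtected, OsRecoveryKeyPresent
$report.Volumes | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercent, KeyProtectors -AutoSize
```

A device that reports `TpmReady = False` or `SecureBoot = False` will not silently enable, and an OS volume without a `RecoveryPassword` protector has nothing for the service to escrow, so those two fields are the first things to check before looking at policy.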



Figure 2: Microsoft BitLocker encryption settings in Intune



Figure 3: Trigger a BitLocker key rotation from the Intune portal


In the future, we plan to release end-user self-service recovery key access, and Azure Active Directory based audits of key access.


On-premises BitLocker management using Configuration Manager

For customers who cannot move certain devices to cloud management, Microsoft Endpoint Manager includes both Intune and Configuration Manager capabilities. Native BitLocker management is available in Configuration Manager, version 1910 and newer releases. Some of the features include:

  • The ability to enforce the use of BitLocker on ConfigMgr managed clients.
  • Helpdesk and end-user self-service BitLocker recovery key experiences.
  • BitLocker readiness and compliance reporting.
  • TPM, PIN, and recovery key management.
  • Migration can be performed by upgrading the Configuration Manager client to version 1910. This upgrade will also automatically upgrade the MBAM agent, if necessary.

NOTE: Make sure to remove any MBAM Group Policy Settings from the endpoint to prevent any conflicts in encryption settings.
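Both migration paths above carry the same note about leftover MBAM Group Policy settings. The script below is an added example (not code from the original post or from Microsoft) that reports MBAM remnants on a device before migration: the MBAM policy registry key, the MBAM client service and any installed MBAM package. The registry path `HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement`, the service name `MBAMAgent` and the package display-name match are assumptions to verify against your own MBAM deployment.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Reports MBAM remnants that can conflict with
# Intune or ConfigMgr BitLocker policy. Service, registry and package names are assumptions
# to verify against your own MBAM deployment.

function Get-MbamRemnants {
    [CmdletBinding()]
    param()

    # MBAM Group Policy settings land under this key (assumption; confirm against your GPO source).
    $mbamPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    $policyPresent = Test-Path -Path $mbamPolicyKey
    $policyValues = @()
    if ($policyPresent) {
        # List the configured values so the conflicting settings can be traced back to a GPO.
        $policyValues = (Get-ItemProperty -Path $mbamPolicyKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
    }

    # MBAM client service (assumption: service name MBAMAgent).
    $agent = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue

    # Installed MBAM client package, from both Uninstall hives (assumption: display name contains 'MBAM').
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $packages = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*MBAM*' } |
        Select-Object -ExpandProperty DisplayName

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MbamPolicyPresent  = $policyPresent
        MbamPolicyValues   = @($policyValues)
        MbamAgentInstalled = [bool]$agent
        MbamAgentStatus    = if ($agent) { $agent.Status.ToString() } else { 'NotInstalled' }
        MbamPackages       = @($packages)
        # The note above is only about policy conflicts, so readiness is keyed on the policy key alone.
        ReadyForMigration  = (-not $policyPresent)
    }
}

Get-MbamRemnants | Format-List
```

The agent and package fields are reported but do not gate `ReadyForMigration`: for the Configuration Manager path the client upgrade handles the MBAM agent itself, whereas for the Intune path the redundant agent is removed separately. Only the policy key has to be gone in both cases.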



Figure 4: Create a BitLocker encryption policy from the Endpoint Manager console


Next steps

Delivering on the Microsoft Endpoint Manager vision, customers can confidently manage device encryption for Windows and other platforms using the tools that work best for them, whether on-premises or cloud-based. You can find information about the latest feature releases in our product documentation.



Great blog post! Thanks for sharing with the community :cool:


Great post, however, is it possible to silently enable BitLocker on a device that is Hybrid Azure AD Joined?




@Matt Shadbolt I would like to learn the answer to the question from @torquetechit_tonyd


I also tried to ask a few questions about BitLocker strength under another blog post here: Setting 256-bit encryption for BitLocker during Autopilot with the Windows 10 October 2018 Update. Would you be able to comment?


Copy of my questions from the linked post:


1. I read in some forums that "Microsoft reduced their guidance in the Windows 10 baseline from 256 to 128, due to performance on some systems, and the requirement to decrypt if moving to 256." Is this the case? I cannot find any official comms.

2. Is there a way to gather BitLocker settings (128 vs 256) using Endpoint Manager or Security Center? The recommended monitoring option at "Select Devices > Monitor, and then under Configuration, select Encryption report" does not provide details. Is there an upcoming improvement for this?

3. Can you please provide a link to the Microsoft recommended/endorsed process for converting devices from 128 to 256 in an Azure AD joined estate?
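Question 2 above asks how to see which cipher strength devices actually use. The following is an added example (not code from the original post, the commenter, or Microsoft) that inventories the encryption method of each volume locally, classifies it as 128- or 256-bit, and reads back the method the BitLocker policy has configured so that "what is on disk" can be compared with "what policy asks for". The registry value names `EncryptionMethodWithXtsOs`/`Fdv`/`Rdv` under `HKLM\SOFTWARE\Policies\Microsoft\FVE` and their numeric codes are the BitLocker policy values as I know them; treat that mapping as an assumption to confirm on your own tenant's policy.

```powershell
# Added example, not code from the original post. Inventories the cipher in use per volume
# and compares it with the configured BitLocker policy. Registry value names and codes are an
# assumption to verify; the 128/256 classification is derived from the EncryptionMethod name.

function Get-BitLockerCipherInventory {
    [CmdletBinding()]
    param(
        # Key length the estate is expected to use.
        [ValidateSet(128, 256)]
        [int]$RequiredKeyBits = 256
    )

    # Policy values written under HKLM\SOFTWARE\Policies\Microsoft\FVE when an encryption method
    # is configured; codes 3/4 = AES-CBC 128/256, 6/7 = XTS-AES 128/256 (assumption, see lead-in).
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policy     = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $codeToName = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }
    $configured = [ordered]@{}
    foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv') {
        $code = $policy.$name
        $configured[$name] = if ($null -ne $code -and $codeToName.ContainsKey([int]$code)) {
            $codeToName[[int]$code]
        } else {
            'NotConfigured'
        }
    }

    # What is actually on disk. EncryptionMethod is an enum such as XtsAes128, XtsAes256, Aes128,
    # Aes256, Hardware or None; anything without a key length in its name is reported as 0 bits.
    $volumes = foreach ($vol in Get-BitLockerVolume) {
        $method = $vol.EncryptionMethod.ToString()
        $bits = if ($method -match '256') { 256 } elseif ($method -match '128') { 128 } else { 0 }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType.ToString()
            VolumeStatus     = $vol.VolumeStatus.ToString()
            EncryptionMethod = $method
            KeyBits          = $bits
            MeetsRequirement = ($bits -ge $RequiredKeyBits)
        }
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RequiredKeyBits     = $RequiredKeyBits
        ConfiguredPolicy    = $configured
        Volumes             = $volumes
        AllVolumesCompliant = -not ($volumes | Where-Object { -not $_.MeetsRequirement })
    }
}

# Usage: report against a 256-bit requirement.
$inv = Get-BitLockerCipherInventory -RequiredKeyBits 256
$inv | Format-List ComputerName, RequiredKeyBits, ConfiguredPolicy, AllVolumesCompliant
$inv.Volumes | Format-Table MountPoint, VolumeType, VolumeStatus, EncryptionMethod, KeyBits, MeetsRequirement -AutoSize
```

The two halves of the report deliberately stay separate: raising the configured policy from 128 to 256 does not change the cipher of a volume that is already encrypted, because BitLocker cannot re-key an encrypted volume in place, so a device can show a 256-bit policy and a 128-bit OS volume at the same time. Running this through whatever script-execution channel your management tooling provides gives the per-device detail the built-in encryption report is said above not to include.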

Last updated: Mar 06 2020 08:43 AM