Managing BitLocker in the enterprise using Microsoft Endpoint Manager
Published Mar 06 2020 11:00 AM

By Matt Shadbolt (@ConfigMgrDogs) | Principal Program Manager, Microsoft Endpoint Manager


In November 2019, we announced the integration of Microsoft Intune and Configuration Manager into a unified, integrated management platform. Customers who wish to deploy BitLocker management on-premises may do so using Configuration Manager without the need to deploy MBAM. We also support customers who prefer to manage BitLocker using Microsoft Intune cloud services without maintaining an on-premises infrastructure. And with key rolling fully integrated into Windows 10, version 1909, and Microsoft Endpoint Manager’s investment in BitLocker management, we are providing you an update on the BitLocker management roadmap, originally posted here.



Figure 1: Microsoft BitLocker management lifecycle


Cloud-based BitLocker management using Microsoft Intune

Managing BitLocker via Intune gives organizations the confidence their Windows data is stored encrypted, without the need to manage an on-premises infrastructure. Here are some of the features you’ll get when using Intune for BitLocker management:

  • Silently enable BitLocker allowing BitLocker to be enforced and enabled without user interaction. Read more
  • Ability for encryption to be enabled by non-administrator users. Read more
  • New BitLocker readiness and compliance reports. Read more
  • IT Pro recovery key access experience. Read more
  • Recovery key rotation, both triggered at the client and the service. Read more
  • Migration from MBAM to Intune can be performed by triggering a BitLocker key rotation and removing redundant BitLocker management agents.

NOTE: Make sure to remove any MBAM Group Policy Settings from the endpoint to prevent any conflicts in encryption settings.



Figure 2: Microsoft BitLocker encryption settings in Intune



Figure 3: Trigger a BitLocker key rotation from the Intune portal


In the future, we plan to release end-user self-service recovery key access, and Azure Active Directory-based audits of key access.


On-premises BitLocker management using Configuration Manager

For customers who cannot move certain devices to cloud management, Microsoft Endpoint Manager includes both Intune and Configuration Manager capabilities. Native BitLocker management is available in Configuration Manager, version 1910 and newer releases. Some of the features include:

  • The ability to enforce the use of BitLocker on ConfigMgr managed clients. Read more
  • Helpdesk and end-user self-service of BitLocker recovery key experiences. Read more
  • BitLocker readiness and compliance reporting. Read more
  • TPM, PIN, and recovery key management. Read more
  • Migration can be performed by upgrading the Configuration Manager client to version 1910. This upgrade will also automatically upgrade the MBAM agent, if necessary.

NOTE: Make sure to remove any MBAM Group Policy Settings from the endpoint to prevent any conflicts in encryption settings.
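The following PowerShell check is an added example, not part of this post or of the Intune or Configuration Manager product code. It reports the readiness items the migration steps in both sections depend on (TPM state, OS volume encryption, TPM and recovery password protectors) and lists any leftover MBAM Group Policy values, assuming MBAM writes them under `HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement` (the path and the `Test-BitLockerMigrationReadiness` function name are this example's assumptions).

```powershell
#Requires -RunAsAdministrator
# Added readiness/conflict check (not from the post). Run on a Windows 10 client before
# handing BitLocker management to Intune or Configuration Manager.

function Test-BitLockerMigrationReadiness {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Assumed location of MBAM (MDOP) Group Policy settings on the endpoint
        [string]$MbamPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    )

    $tpm = Get-Tpm                                        # TrustedPlatformModule module
    $vol = Get-BitLockerVolume -MountPoint $MountPoint    # BitLocker module
    $protectorTypes = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })

    $findings = [ordered]@{
        MountPoint          = $MountPoint
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        VolumeStatus        = $vol.VolumeStatus          # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
        EncryptionMethod    = $vol.EncryptionMethod
        HasTpmProtector     = ($protectorTypes -contains 'Tpm')
        HasRecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
        MbamPolicyPresent   = (Test-Path -Path $MbamPolicyPath)
        MbamPolicyValues    = @()
    }

    if ($findings.MbamPolicyPresent) {
        # Enumerate leftover MBAM policy values so they can be removed before the new policy applies
        $props = Get-ItemProperty -Path $MbamPolicyPath
        $findings.MbamPolicyValues = @($props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" })
    }

    # Ready when the TPM is usable, both protector types exist, and no MBAM policy remains
    $findings.Ready = $findings.TpmReady -and $findings.HasTpmProtector -and
                      $findings.HasRecoveryPassword -and (-not $findings.MbamPolicyPresent)
    [pscustomobject]$findings
}

Test-BitLockerMigrationReadiness | Format-List
```

A device that reports `MbamPolicyPresent = True` still has MBAM Group Policy settings applied and should have them removed before the Intune or Configuration Manager BitLocker policy is assigned.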



Figure 4: Create a BitLocker encryption policy from the Endpoint Manager console


Next steps

Delivering on the Microsoft Endpoint Manager vision, customers can confidently manage device encryption for Windows and other platforms using the tools that work best for them, whether on-premises or cloud-based. You can find information about the latest feature releases in our product documentation.


Last updated: Nov 30 2023 04:10 PM