Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

How to disable automatic BitLocker implementation when using Autopilot OOBE experience to join a dev

Copper Contributor



At my company, our workstations are not joined to the domain and are managed by Workspace ONE. I would like to join these workstations to Entra ID to use Microsoft accounts to authenticate. However, I will also be using Autopilot to have the OOBE and join the workstations directly. Workspace ONE will be added as an MDM to Entra ID and deployed when provisioning the PCs.


I noticed that BitLocker will be enabled automatically, and the recovery keys will be synced to Entra ID. In my case, I want Workspace ONE to manage the BitLocker keys. How can I disable BitLocker so that when joining the workstations to Entra ID, Workspace ONE will be downloaded and will manage the keys?


Thank you.

3 Replies

Hi @JoeSay,


To prevent BitLocker from being automatically enabled and ensure that Workspace ONE manages BitLocker keys when using Autopilot and Entra ID (formerly Azure AD), you can configure specific settings in Intune and Autopilot profiles. Here's how you can achieve this:


How to Disable Automatic BitLocker Implementation


1. Modify the Intune Device Configuration Profile

First, you need to configure a device configuration profile in Intune to disable automatic BitLocker encryption.


  1. Sign in to the Microsoft Endpoint Manager admin center:

  2. Create a Device Configuration Profile:

    • Navigate to Devices > Configuration profiles > Create profile.
    • Select Windows 10 and later as the platform.
    • Choose Templates > Endpoint protection.
    • Click Create.
  3. Configure BitLocker Settings:

    • In the Configuration settings page, expand Windows Encryption.
    • Set Require BitLocker to Not configured.
    • Optionally, configure any other settings as needed, but ensure that automatic BitLocker encryption is disabled.
  4. Assign the Profile:

    • Assign the configuration profile to the appropriate device groups.


2. Configure Autopilot Profile to Disable BitLocker

Next, configure the Autopilot profile to ensure BitLocker is not enabled during the Out-of-Box Experience (OOBE).


  1. Create or Modify an Autopilot Profile:

    • In the Microsoft Endpoint Manager admin center, navigate to Devices > Windows > Windows enrollment > Deployment profiles.
    • Select an existing Autopilot profile or create a new one.
  2. Edit the Autopilot Profile Settings:

    • In the Out of box experience (OOBE) section, ensure the following settings:
      • Convert all targeted devices to Autopilot: Enabled (if applicable).
      • Deployment mode: User-driven or Self-deploying (depending on your scenario).
      • Join to Azure AD as: Azure AD joined.
      • Apply device name template: (optional).
      • BitLocker: Select Disable to prevent automatic BitLocker encryption during the Autopilot process.
  3. Assign the Profile:

    • Assign the Autopilot profile to the appropriate groups of devices.


3. Configure Workspace ONE for BitLocker Management

Ensure that Workspace ONE is configured to manage BitLocker encryption and keys.

  1. Configure BitLocker Policies in Workspace ONE:

    • Go to the Workspace ONE UEM console.
    • Navigate to Devices > Profiles & Resources > Profiles.
    • Create or edit a Windows profile to manage BitLocker settings.
  2. Deploy Workspace ONE as MDM:

    • Ensure Workspace ONE is set as the MDM authority for the devices.
    • During the provisioning process, Workspace ONE should be downloaded and installed automatically.



By following these steps, you can disable automatic BitLocker implementation during the Autopilot OOBE and ensure that Workspace ONE manages BitLocker keys. This allows you to join your workstations to Entra ID without automatic BitLocker encryption and utilize Workspace ONE for managing BitLocker.


If you have any further questions or need additional assistance, feel free to ask.


Please click Mark as Best Response & Like if my post helped you to solve your issue.

This will help others to find the correct solution easily. It also closes the item.

If the post was useful in other ways, please consider giving it Like.

Thank you for your response. As far as I understand, Intune is required to disable BitLocker, which means I need to purchase Intune licenses, correct?
Yes correct. Intune is used to "disable" this setting with a configuration which will be deployed to the endpoints.