Microsoft Bitlocker Management from Intune


Howdy Folks!


I guess everyone is doing well with Microsoft, as all of you might have got inspired much from the session held last week in Las Vegas (Microsoft Inspire)!!


Though I missed everyone badly, as I didn't get a chance to visit, the questions keep popping into my head!!


Now to the BitLocker issue, where I guess someone can answer this as well.


So my query is straightforward: I need to disable or hide this option of getting the Recovery Keys at the end user level, as it is a vulnerability for the Admins to provide the Recovery Keys for the OS encryption disk, as in the example given below.



Bitlocker Keys Available from end user level using my


Is there any option at the administrator level in the Azure Portal to hide these keys from the end user side??


Please help me out, as the customer is seeking help for this!!

12 Replies

Hey @Mitul Sinha,


As far as I know, there is no option to disable this. It is designed as a self-service with no option to disable it in the portal.



But I don't understand why, even without setting up the MFA policies in Azure AD, it is still asked for once you sign in with the new profile to achieve BitLocker via Azure AD Domain Join. Suppose the customer is not interested in getting MFA, then how can we remove it?

And there is one more question, @Oliver Kieselbach, that just came to my mind. Suppose I reset the BitLocker PIN, will it then generate a new recovery key or store the new recovery key in my or not?

Hey @Mitul Sinha,


What do you mean by MFA and BitLocker exactly? You can disable Windows Hello for Business, which would force you to do MFA for the Hello PIN creation (this PIN is only for WHfB!), and disable the AADJ MFA requirement; then you end up in a situation where you can enroll a device without doing MFA. With the correct BitLocker policies in place, the Intune device will get encrypted and the key will be backed up to AAD.

A key rotation like the one MBAM implemented for domain-joined clients is currently not available. However, the MBAM implementation was a key rotation after BitLocker key usage, not after a BitLocker pre-boot PIN reset. The pre-boot BitLocker PIN is used to further protect access to the TPM, while TPM-only verifies just the integrity of the platform (hardware and a few firmware/software components) to control access to the TPM. So, even in the domain join scenario, a pre-boot auth PIN reset (aka BitLocker PIN reset) did not rotate the BitLocker recovery key. Native BitLocker key rotation in Intune is currently not available.




If you aren't setting up the MFA or Windows PIN, which comes by default on Win10 machines, then the policies which you are pushing for BitLocker encryption from Intune won't work and it will show errors in Device Compliance and Configuration Policies. This is what I found from my testing on trial tenants.

For a successful encryption we must set up the Windows 10 PIN, though we haven't pushed any MFA or PIN policies from Intune.
best response confirmed by Mitul Sinha (Frequent Contributor)

Hey @Mitul Sinha,


Then I think your test setup had a different problem, because there is no dependency on MFA for BitLocker enablement. To really confirm my statement, I verified it in my test tenant right now. I disabled all MFA (AADJ & WHfB), enrolled a device, didn't see any MFA prompt (no MFA at all), and my BitLocker policies in Intune enabled encryption and my AADJ device is encrypted. The BitLocker key is in AAD and everything is fine in the Intune portal (green icons - configurations successfully applied).


So, again, BitLocker has no dependency on MFA and can be enabled without MFA. The problem in your tests seems to be rooted somewhere else.


Key rotation is currently not available but BitLocker is functional without MFA.




Thank you so much @Oliver for the response. It's always a pleasure talking with MVPs, and I will test the same once again and get back to you if any queries occur.

@Oliver So I have tested it out today and came up with this screenshot, as it always asks for this option. Before that, if the Windows machine has a fingerprint reader, I have to set that up as well, so I set both options, MFA as well as the PIN for Windows, and then the BitLocker encryption was done. But yes, I didn't get any BitLocker PIN to set up, as the Device Configuration Policies didn't push and got an error.


Windows PIN at Startup

Device Configuration failed from Intune, but Device Compliance was successful.


Device Compliance Successful


Device Configuration Failed


Please let me know how we can achieve successful BitLocker encryption where the BitLocker PIN should appear!!

Hey @Mitul Sinha,


For silent encryption you have to skip the settings that require a PIN at startup. A PIN can only be achieved by using the wizard, which is user driven. Silent auto encryption is TPM-only. Can you please test automatic encryption with the following settings (no additional authentication at startup):




In addition I have a guide here:


Enabling BitLocker on non-HSTI devices with Intune
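
An added example, not part of the original thread or of the linked guide: a PowerShell check to run in an elevated session on the enrolled client, reporting whether the OS volume ended up TPM-only (the silent case described above) or TPM + PIN, and listing the recovery password protector IDs. It relies on `Get-BitLockerVolume` from the built-in BitLocker module; the function name `Get-OsVolumeProtectorSummary` is hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the Windows 10 client.
# Get-OsVolumeProtectorSummary is a hypothetical helper name.
function Get-OsVolumeProtectorSummary {
    param(
        [string]$MountPoint = $env:SystemDrive
    )

    # Get-BitLockerVolume ships with the built-in BitLocker module.
    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types  = @($volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Classify pre-boot authentication from the protector types on the volume.
    if ($types -contains 'TpmPin') {
        $startupAuth = 'TPM + PIN (pre-boot PIN required)'
    } elseif ($types -contains 'Tpm') {
        $startupAuth = 'TPM-only (silent encryption, no pre-boot prompt)'
    } elseif ($types.Count -eq 0) {
        $startupAuth = 'No key protectors (volume not protected)'
    } else {
        $startupAuth = 'Other: ' + ($types -join ', ')
    }

    # IDs only; the 48-digit recovery password itself is never emitted.
    $recoveryIds = @($volume.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })

    [pscustomobject]@{
        MountPoint          = $volume.MountPoint
        VolumeStatus        = $volume.VolumeStatus
        ProtectionStatus    = $volume.ProtectionStatus
        EncryptionMethod    = $volume.EncryptionMethod
        StartupAuth         = $startupAuth
        RecoveryPasswordIds = $recoveryIds
    }
}

$summary = Get-OsVolumeProtectorSummary
$summary | Format-List

if ($summary.RecoveryPasswordIds.Count -eq 0) {
    Write-Warning 'No recovery password protector: nothing to back up to Azure AD.'
}
```

The protector IDs in `RecoveryPasswordIds` can be compared with the key ID listed for the device's BitLocker key in Azure AD to confirm that the current recovery password is the one that was backed up.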



There you go... that's where the customer is looking to get the prompt for encryption instead of having an automatic one!! So let me set Additional Authentication at startup to "Not Configured".

But I have to set up the BitLocker PIN prompt as per the client's request!! In that case, how will I be able to disable this policy which you mentioned, "Additional Authentication at startup"?

Hey @Mitul Sinha,


I have a guide for this here:


How to enable pre-boot BitLocker startup PIN on Windows with Intune




Well done, Champion! I am really excited to work with you. Good to see your articles!! Thank you so much once again.