Manage BitLocker policy for Windows 10 in Intune

Use Intune to configure BitLocker Drive Encryption on devices that run Windows 10.

BitLocker is available on devices that run Windows 10 or later. Some BitLocker settings require that the device has a supported TPM.

Use one of the policy types described under Create and deploy policy to configure BitLocker on your managed devices.

Tip

Intune provides a built-in encryption report that presents details about the encryption status of devices, across all your managed devices. After Intune encrypts a Windows 10 device with BitLocker, you can view and retrieve BitLocker recovery keys when you view the encryption report.

You can also access important information for BitLocker from your devices, as found in Azure Active Directory (Azure AD).

Permissions to manage BitLocker

To manage BitLocker in Intune, your account must have the applicable Intune role-based access control (RBAC) permissions.

Following are the BitLocker permissions, which are part of the Remote tasks category, and the built-in RBAC roles that grant the permission:

  • Rotate BitLocker Keys
    • Help Desk Operator

Create and deploy policy

Use one of the following procedures to create the policy type you prefer.

Create an endpoint security policy for BitLocker

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Endpoint security > Disk encryption > Create Policy.

  3. Set the following options:

    1. Platform: Windows 10 or later
    2. Profile: BitLocker

    [Screenshot: Select the BitLocker profile]

  4. On the Configuration settings page, configure settings for BitLocker to meet your business needs.

    If you want to enable BitLocker silently, see Silently enable BitLocker on devices in this article for the additional prerequisites and the specific setting configurations you must use.

    Select Next.

  5. On the Scope (Tags) page, choose Select scope tags to open the Select tags pane to assign scope tags to the profile.

    Select Next to continue.

  6. On the Assignments page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  7. On the Review + create page, when you're done, choose Create. The new profile is displayed in the list when you select the policy type for the profile you created.

Create a device configuration profile for BitLocker

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Configuration profiles > Create profile.

  3. Set the following options:

    1. Platform: Windows 10 and later
    2. Profile type: Endpoint protection

    [Screenshot: Select the BitLocker profile]

  4. Select Settings > Windows Encryption.

    [Screenshot: BitLocker settings]

  5. Configure settings for BitLocker to meet your business needs.

    If you want to enable BitLocker silently, see Silently enable BitLocker on devices in this article for the additional prerequisites and the specific setting configurations you must use.

  6. Select OK.

  7. Complete configuration of additional settings, and then save the profile.

Manage BitLocker

To view information about devices that receive BitLocker policy, see Monitor disk encryption. You can also view and retrieve BitLocker recovery keys when you view the encryption report.

Silently enable BitLocker on devices

You can configure a BitLocker policy that automatically and silently enables BitLocker on a device. That means that BitLocker enables successfully without presenting any UI to the end user, even when that user isn't a local Administrator on the device.

Device Prerequisites:

A device must meet the following conditions to be eligible for silently enabling BitLocker:

  • The device must run Windows 10 version 1809 or later
  • The device must be Azure AD Joined

BitLocker policy configuration:

The following two BitLocker base settings must be configured in the BitLocker policy:

  • Warning for other disk encryption = Block
  • Allow standard users to enable encryption during Azure AD Join = Allow

The BitLocker policy must not require use of a startup PIN or startup key. When a TPM startup PIN or startup key is required, BitLocker can't silently enable and requires interaction from the end user. This requirement is met through the following three BitLocker OS drive settings in the same policy:

  • Compatible TPM startup PIN must not be set to Require startup PIN with TPM
  • Compatible TPM startup key must not be set to Require startup key with TPM
  • Compatible TPM startup key and PIN must not be set to Require startup key and PIN with TPM
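The prerequisites above can be checked locally before a silent-enablement policy is assigned. The following PowerShell script is an added example, not part of the Intune documentation; it assumes an elevated session on the Windows 10 device, that build 17763 corresponds to version 1809, and that the OS drive is the only volume of type OperatingSystem.

```powershell
# Added example (not from the Intune documentation): local readiness check for
# silently enabling BitLocker, mirroring the prerequisites listed above.
# Assumption: Windows 10 version 1809 is build 17763.
$checks = [ordered]@{}

# 1. Windows 10 version 1809 (build 17763) or later
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$checks['OS build >= 17763 (1809)'] = ($build -ge 17763)

# 2. Azure AD joined; dsregcmd reports the device join state
$dsreg = dsregcmd /status
$checks['Azure AD joined'] = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')

# 3. A TPM that is present and ready, which the TPM-based settings depend on
$tpm = Get-Tpm
$checks['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

# 4. No OS-drive protector that needs user interaction at startup.
#    TpmPin, TpmStartupKey and TpmPinStartupKey are the protector types that the
#    three "Require ... with TPM" settings would create and that block silent enablement.
$osDrive = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
$interactive = @($osDrive.KeyProtector |
    Where-Object { $_.KeyProtectorType -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
$checks['OS drive has no PIN/startup-key protector'] = ($interactive.Count -eq 0)

# Report each check and give an overall verdict
$checks.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($checks.Values -notcontains $false) {
    'Device meets the local prerequisites for silent BitLocker enablement.'
} else {
    'One or more prerequisites are not met; BitLocker will require user interaction or will not enable.'
}
```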

View details for recovery keys

Intune provides access to the Azure AD blade for BitLocker so you can view BitLocker Key IDs and recovery keys for your Windows 10 devices, from within the Intune portal. To be accessible, the device must have its keys escrowed to Azure AD.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > All devices.

  3. Select a device from the list, and then under Monitor, select Recovery keys.

    When keys are available in Azure AD, the following information is available:

    • BitLocker Key ID
    • BitLocker Recovery Key
    • Drive Type

    When keys aren't in Azure AD, Intune will display No BitLocker key found for this device.

Information for BitLocker is obtained using the BitLocker configuration service provider (CSP). BitLocker CSP is supported on Windows 10 version 1703 and later, and for Windows 10 Pro version 1809 and later.
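Because Intune can only display keys that have been escrowed to Azure AD, an administrator troubleshooting "No BitLocker key found for this device" can re-escrow the recovery password from the device itself. The following PowerShell script is an added example, not part of the Intune documentation; it assumes an elevated session on an Azure AD joined Windows 10 device with the BitLocker module available, and that the OS drive is C:.

```powershell
# Added example (not from the Intune documentation): ensure the OS drive has a
# recovery password protector and escrow it to Azure AD so Intune can display it.
# Assumption: the OS drive is C: and the device is Azure AD joined.
$mountPoint = 'C:'

$volume = Get-BitLockerVolume -MountPoint $mountPoint
if ($volume.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not On for $mountPoint; nothing to escrow."
    return
}

# Only RecoveryPassword protectors are what the portal shows as the BitLocker Recovery Key;
# the TPM protector itself is never escrowed.
$recoveryProtectors = @($volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

if ($recoveryProtectors.Count -eq 0) {
    # Without a recovery password there is nothing for Azure AD or Intune to hold.
    Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector | Out-Null
    $recoveryProtectors = @((Get-BitLockerVolume -MountPoint $mountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

foreach ($protector in $recoveryProtectors) {
    # The Key ID shown in the Intune portal is this protector's KeyProtectorId,
    # so record it to match the device against the recovery keys view later.
    "Escrowing recovery password with Key ID $($protector.KeyProtectorId) to Azure AD"
    BackupToAAD-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $protector.KeyProtectorId
}
```

After the cmdlet succeeds, the Key ID printed here should appear under Monitor > Recovery keys for the device once Intune reads it from Azure AD.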

Rotate BitLocker recovery keys

You can use an Intune device action to remotely rotate the BitLocker recovery key of a device that runs Windows 10 version 1909 or later.

Prerequisites

Devices must meet the following prerequisites to support rotation of the BitLocker recovery key:

  • Devices must run Windows 10 version 1909 or later

  • Azure AD-joined and Hybrid-joined devices must have support for key rotation enabled:

    • Client-driven recovery password rotation

    This setting is under Windows Encryption as part of a device configuration policy for Windows 10 Endpoint Protection.

To rotate the BitLocker recovery key

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > All devices.

  3. In the list of devices that you manage, select a device, select More, and then select the BitLocker key rotation device remote action.

  4. On the Overview page of the device, select BitLocker key rotation. If you don't see this option, select the ellipsis (...) to show additional options, and then select the BitLocker key rotation device remote action.

    [Screenshot: Select the ellipsis to view more options]

Next steps

Manage FileVault policy

Monitor disk encryption