Disk encryption policy for endpoint security in Intune

Endpoint security Disk encryption profiles focus on only the settings that are relevant for a device's built-in encryption method, like FileVault or BitLocker. This focus makes it easy for security admins to manage disk encryption settings without having to navigate a host of unrelated settings.

While you can configure the same device settings by using Endpoint Protection profiles for device configuration, the device configuration profiles include additional categories of settings. These additional settings are unrelated to disk encryption and can complicate the task of configuring only disk encryption.

Find the endpoint security policies for disk encryption under Manage in the Endpoint security node of the Microsoft Intune admin center.

Prerequisites for disk encryption policy

  • macOS - macOS 10.13 or later
  • Windows - Windows 10/11

Disk encryption profiles

macOS profiles:

Windows profiles:

  • BitLocker - BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

    Note

    Beginning on June 19, 2023, the BitLocker profile for Windows 10 and later was updated to use the settings format as found in the Settings Catalog. The new profile format includes the same settings as the older profile. With this change you can no longer create new versions of the old profiles. Your existing instances of the old profile remain available to use and edit.

    With the new profile format, we no longer publish a dedicated list of settings as found in the profile. Instead, while viewing information for a setting, use the Learn more link in the UI to open BitLocker CSP in the Windows documentation, where the setting is detailed in full.

    You can continue to find a list of settings from the original BitLocker profile at BitLocker settings in the Intune documentation.

    To create a BitLocker profile, see Use BitLocker disk encryption for Windows.

Manage device encryption

After you deploy policy to encrypt a device disk, see the following articles for information on managing encryption:

Next steps