Wednesday, August 30, 2017

Configure BitLocker on Intune Enrolled Windows 10 Devices

BitLocker can be managed in several ways in the enterprise; GPOs, MBAM and ConfigMgr are the most common methods. But what if you don't have a Microsoft EA to bring in MBAM, or you have Windows 10 Professional devices, or you have mobile Windows 10 devices that are not joined to AD DS? To overcome these issues, it is possible to manage BitLocker through Microsoft Intune and Azure AD. Keep in mind that this method does not provide the same functionality as MBAM; at the end of this post I will describe the limitations of this method.

Following are the steps to configure BitLocker through Intune and AAD. I have tested this on an Azure AD joined Windows 10 (1703) machine that was directly enrolled in Intune as MDM.



1. Go to Azure portal (portal.azure.com) and click on Intune blade.

2. Click Device configuration > Profiles. And then click Create Profile.

3. In the Create Profile blade,
   Enter Name and Description.
   Select Platform as Windows 10 and later.
   Select Profile type as Endpoint protection.

4. Click on Configure and select Windows Encryption.

5. On the Windows Encryption blade, configure the following settings.

Encrypt devices - Require

Configure encryption methods - Enable
Select Encryption Algorithm (XTS-AES is recommended)

Additional authentication at startup - Require

In startup options, select the desired option. If you Allow several options, the end user can select a preferred method: TPM only, TPM + PIN or TPM + USB Key. But if you set one option to Require, all other options should be set to Do not allow.

In my configuration I have configured Require startup PIN with TPM. I think this is by far the best option: if the HDD is plugged into another machine the data cannot be read because the TPM is missing, and if the device is stolen the data still cannot be accessed because the intruder has to enter the BitLocker PIN.

Enter the required minimum PIN length (4-20 characters)

OS drive recovery - Enable

Certificate-based data recovery agent (using DRA) can now be set to Block. Previously the option was to Enable it.

If you Block the Recovery options in the BitLocker setup wizard, users won't get the window offering to print the recovery key or save it to OneDrive.

If Save BitLocker recovery information to AD DS is Enabled, the recovery key will be stored in Azure AD and you can retrieve it later for drive recovery.

You can configure BitLocker fixed data-drive settings as well, but for me it didn't work at all: the fixed data-drive didn't get encrypted, and the wizard was not even displayed. The only setting that worked was Write access to fixed data-drive not protected by BitLocker.

I didn't test removable media encryption because I used a VM.

6. Click OK and then click Create.

7. Assign the policy to the appropriate group.

End-user Experience.

1. Once the policy has synced with the device, you will get a notification saying "Encryption needed".

2. When you click on it, a wizard will be displayed to start the encryption process. Select the first option and click Yes. Do not click Yes if you have already encrypted the device using some other software; otherwise your data may get corrupted.

3. Now the wizard will check the BitLocker prerequisites and policies. If there is a policy conflict you'll get an error at this point.

4. Depending on the configuration of your startup options, you might get a window asking you to enter a desired PIN. Since I have configured the TPM + PIN option, I got this.

5. Then the encryption process will start. It will take some time for the encryption to complete. You can shut down or restart the machine and encryption will continue after the machine boots up.

After the encryption is completed you can view the encryption algorithm and key protectors by running PowerShell as Administrator and typing manage-bde -status
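The same check can be scripted so the device is verified against the policy from this post (XTS-AES, TPM + PIN with no TPM-only protector, a recovery password that can be escrowed to Azure AD). This is an added example, not code from the original post; it uses the built-in BitLocker module, assumes the OS drive is C: and that the device is Azure AD joined, and must run in an elevated PowerShell window.

```powershell
# Added example: verify an Intune-managed OS drive against the policy described
# in this post. Assumes C: is the OS drive and the device is Azure AD joined.
function Test-BitLockerPolicy {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $findings = @()

    # Encryption must be XTS-AES (128 or 256) and fully applied with protection on
    $method = $vol.EncryptionMethod.ToString()
    if ($method -notin 'XtsAes128', 'XtsAes256') {
        $findings += "Encryption method is $method, expected XTS-AES"
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% done)"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Protection is $($vol.ProtectionStatus); protectors are suspended or absent"
    }

    # Startup authentication: a TPM+PIN protector must exist and no TPM-only one
    $types = $vol.KeyProtector.KeyProtectorType
    if ('TpmPin' -notin $types) { $findings += "No TPM+PIN protector (found: $($types -join ', '))" }
    if ('Tpm' -in $types)      { $findings += "TPM-only protector present; boot does not need the PIN" }

    # A recovery password protector is what gets escrowed to Azure AD
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) { $findings += "No recovery password protector; nothing to back up to Azure AD" }

    [pscustomobject]@{
        MountPoint             = $MountPoint
        Compliant              = ($findings.Count -eq 0)
        Findings               = $findings
        RecoveryKeyProtectorId = $recovery.KeyProtectorId
    }
}

$result = Test-BitLockerPolicy -MountPoint 'C:'
$result | Format-List

# If the recovery key was not escrowed by the wizard (e.g. the drive was encrypted
# before the policy arrived), push it to the device object in Azure AD explicitly.
if ($result.Compliant -and $result.RecoveryKeyProtectorId) {
    BackupToAAD-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $result.RecoveryKeyProtectorId
}
```

Any non-empty Findings list means the device would still show as non-compliant under the policy, even if manage-bde reports the drive as encrypted.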

Retrieving the Recovery Key

1. An administrator can get it from Azure AD.

Go to portal.azure.com > Intune > Devices > Azure AD devices.

Click on the device, and in the Devices blade you can find the BitLocker Key ID and Recovery Key.

2. The end user can get the recovery key by visiting account.activedirectory.windowsazure.com/profile

Click on Get BitLocker keys.

In the TPM + PIN method, if a user wants to change the PIN or reset a forgotten PIN:

Open Control Panel > go to BitLocker Drive Encryption.

Click Change PIN > in the Change startup PIN window, enter the old PIN and the new PIN and click Change PIN.

If the PIN needs to be reset, click on Reset a forgotten PIN, enter the new PIN and click Set PIN.

Additionally, you can configure a Device Compliance policy to view devices that are not encrypted.

Concerns and Limitations

1. Encrypting the fixed data drive never worked for me.
2. The encryption type is Used space only encryption, which is good for new devices and devices that have not stored confidential data in the past.
3. This does not force encryption the way MBAM policies do after the grace period.

2 comments:

  1. What is the approach if users are not admins?

  2. In this scenario, are two partitions on W10 devices still required?