Create an Intune BitLocker policy for Windows 10 devices

Benoit LecoursSCCMLeave a Comment

5
(2)

You may manage BitLocker in your organization using SCCM (MBAM). It’s also possible to create a policy for Bitlocker if you’ve switched to modern management and Endpoint Manager (Intune).

If you’re not aware, Bitlocker is a Microsoft solution for drive encryption. Bitlocker is not a new solution. It has been introduced in Windows 7. As a system administrator, you can manage how to deploy it, its policy and the most important part, keeping the recovery key in a safe place.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. 

In this post, we’ll show you how to create your first Intune Bitlocker policy (Endpoint Manager) for your Windows 10 computer. We’ll also give you some troubleshooting tips and hint on how to manage it in the long term.

Bitlocker Policy Intune Requirements

In Microsoft Intune, there’s no specific requirement to create a Bitlocker policy except that you need the right permission.

However if you’re unfamiliar with Bitlocker, there’s some requirement on the OS side. We recommend that you use a computer equipped with a TPM chip.

You can use the Endpoint Security Manager Built-in Role or you can create a new role and use the Remote Tasks permissions which include Bitlocker actions.

To use the Endpoint Security Manager role :

  • In the Endpoint Manager Console
  • Go to Tenant Administration / Roles / All Roles
  • Add your user to the Endpoint Security Manager
Bitlocker Policy Intune

To use create a new group :

Bitlocker Policy Intune
  • Create a new group and select the Rotate Bitlocker Key action under Remote Tasks to your newly created group
Bitlocker Policy Intune

Create the Bitlocker Policy in Intune

It’s now time to create our first Bitlocker policy

Bitlocker Policy Intune
  • Under Platform, select Windows 10
  • Under Profile, select BitLocker
  • Click Create at the bottom
Bitlocker Policy Intune
  • On the Basic tab, enter a policy name and click Next
Bitlocker Policy Intune
  • In the Configuration Settings pane, enter the desired options. There’s a lot of available option but Microsoft has done a great job of explaining it using the little “i” symbol. Just hover over a specific setting to have an explanation.
Bitlocker Policy Intune

If you need to silently install your policy without user intervention. You must set the following options in your configuration settings:

  • Warning for other disk encryption set to Block
  • Allow standard users to enable encryption during Azure AD Join set to Allow
  • Compatible TPM startup PIN must not be set to Require startup PIN with TPM
  • Compatible TPM startup key must not set to Require startup key with TPM
  • Compatible TPM startup key and PIN must not set to Require startup key and PIN with TPM

In addition, Microsoft documentation state that the device must meet the following requirements for silent installation:

  • If end users log in to the devices as Administrators, the device must run Windows 10 version 1803 or later.
  • If end users log in to the the devices as Standard Users, the device must run Windows 10 version 1809 or later.
  • The device must be Azure AD Joined
  • Device must contain TPM (Trusted Platform Module) 2.0
  • The BIOS mode must be set to Native UEFI only.
  • So once your options are set, click Next
  • In the Scope Tags tabs, enter a scope tags if needed, click Next
  • In the Assignment tab, choose the group of device you want to deploy your configuration, click Next
Bitlocker Policy Intune
  • Review your options and click Create at the bottom
  • Back in the Disk Encryption node, validate that your Policy has been created

You can now log on a machine or use the portal to initiate a Sync request for your machine to receive the new policy.

  • Go to Devices / All Devices and click on your Device
  • On the top, click the Sync button

Monitor your Biltocker Deployment

It’s now time to see if our policy is working. To monitor your Bitlocker deployment :

  • Go to Device / Monitor / Encryption Report
  • All required information is displayed
  • In our example, the DESKTOP-EKADMM9 machine is not yet encrypted
Bitlocker Policy Intune

Troubleshooting Intune Bitlocker Policy

If you encounter an error while encrypting a device. The first step is to look at the Event Viewer of the affected machine.

Bitlocker events are stored in Applications and Services logs\Microsoft\Windows\BitLocker-API and BitLocker-DrivePreparationTool

Bitlocker Policy Intune

Bitlocker AAD Recovery keys

From the Intune portal, you can view BitLocker Key IDs and Bitlocker recovery keys for your Windows 10 devices

  • In the Endpoint Manager Portal
  • Go to Devices / All devices
  • Select a device and then Recovery keys
Bitlocker Policy Intune

We hope this article helps you to manage Windows 10 and your Intune Bitlocker Policy. Feel free to use the comment section if you have any questions.

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 2

No votes so far! Be the first to rate this post.

Leave a Reply