Create Windows 10 Bitlocker Policy on Intune

We will use Intune to configure Bitlocker drive encryption on devices using Windows 10.

BitLocker is available on devices running Windows 10 or later. Some BitLocker configurations require the device to have a TPM built into your device.

Read more:

How do I enable MFA for Office 365 accounts via Conditional Access?
How to hide user from address list (AD Connect)
How to use Windows Hello for Business in 100 % Cloud environments
Migrating Azure AD Connect to a new server
Creating users in Microsoft Azure (portal)

Intune provides an internal encryption report that details the encryption status of the devices on all managed devices. After Intune encrypts a Windows 10 device with BitLocker, you can view and manage BitLocker recovery keys when viewing the encryption report.

Important information can also be found in Azure Active Directory, an internal encryption report that details the encryption status of devices on all managed devices.

Permissions to manage BitLocker

To manage BitLocker on Intune, the account must have the applicable Intune RBAC (role-based access control) permissions.

The following are BitLocker permissions, which are part of the Remote Tasks category, as well as the internal RBAC functions that grant permission:

  • Toggle BitLocker keys
  • Technical support operator

Create an endpoint security policy for BitLocker

  • On the page Configuration settings, configure BitLocker settings to meet your business needs.

If you want to enable BitLocker silently, check out Enable BitLocker silently on devices in this article to learn about additional prerequisites and specific configurations that should be used.

Select Advance.

  • On the page Scope (Brands), choose select scope marks to open the panel select marks and assign scope marks to the profile.

Select Advance.

  • On the page Assignments, choose the groups that will receive this profile. For more information on assigning profiles, see assigning user and device profiles.

Select Advance.

  • When you're done, choose to create on the page Review + create. The new profile is displayed in the list when you select the type of policy for the profile you created.

Create a device configuration profile for BitLocker

On the page Configuration settings, expand Windows encryption.

  • Configure BitLocker settings to suit your business needs.

If you want to enable BitLocker silently, there is also this possibility of configuration, check the details below:

  • Select Next to continue.
  • Complete the configuration of additional settings and then save the profile.

Enable BitLocker on devices silently

There is a possibility that you can configure a BitLocker policy that automatically and silently enables it on a device.

This means that BitLocker is successfully enabled without presenting any user interface to the end user, even when that user is not a local administrator on the device.

Device prerequisites

The device must meet the following conditions to be qualified to enable BitLocker silently:

  • If end users log on to devices as Administrators, the device must be running Windows 10 version 1803 or later.
  • If end users log on to devices as Standard Users, the device must be running Windows 10 version 1809 or later.
  • The device must be signed in to Azure AD or Azure AD Hybrid.
  • The device must contain TPM (Trusted Platform Module) 2.0
  • The BIOS mode must be set to Native UEFI only.

BitLocker policy configuration

The following two BitLocker Basic Settings settings need to be configured in the BitLocker policy:

  • Warning for other disk encryptions = Lock.
  • Allow standard users to enable encryption when joining Azure AD = Allow

BitLocker policy cannot require the use of a PIN or a startup key. When a startup PIN or TPM startup key is required, BitLocker cannot be enabled silently and requires end user interaction.

This requirement is met through the following three BitLocker OS drive configurations in the same policy:

  • Compatible TPM startup PIN cannot be set to Require TPM startup PIN
  • Startup key of compatible TPM cannot be set to require startup key with TPM
  • Compatible TPM startup key and PIN cannot be set to require startup key and PIN with TPM

View Recovery Key Details

Intune provides access to the Azure AD sheet for BitLocker, you can view BitLocker key IDs and recovery keys for your Windows 10 devices from the Microsoft Endpoint Manager admin center.

To be accessible, the device must have its keys kept in the custody of Azure AD.

Get in on Microsoft Endpoint Manager Administration Center.

Select Devices > All devices.

Select a device from the list and then To monitor, select Recovery keys.

click in Show Recovery Key. Selecting this will generate an audit log entry in the 'KeyManagement' activity.

When the keys are available in Azure AD, the following information will be available:

  • BitLocker key ID
  • BitLocker recovery key
  • Unit type

When the keys are not in Azure AD, Intune will display any BitLocker keys found for this device.

IT administrators need to have specific permission in Azure Active Directory to view the device's BitLocker recovery keys: Some roles in Azure AD have this permission, including those of Cloud Device Administrator, Technical Support Administrator, etc.


A resource of great importance within the corporate environment, especially nowadays where people are adopting work in a hybrid way, in the home office and sometimes in the office circulating with their assets to one side and the other, it is extremely important to have your data protected, preventing unauthorized users from violating data protection, improperly stolen or disabled.

If this feature is configured on the device, the user would be a little safer if something similar to the one mentioned above happens, a well-known feature that, moreover, on a daily basis we find that they are little used within organizations.

Was this article helpful?

To maintain a quality standard for you, we have invested in a great hosting plan, Paid CDN, Website Optimization Plugins, etc ...

Help us to keep the project active! 

Follow the news in real time. Follow our Instagram profile..

Diego Gonzalez
Cloud Security Consultant in one of the largest Digital Security consultancies in Brazil, graduated in Computer Science responsible for Cloud Security tools (Azure), MDM and MAM management in Intune, for administering and supporting (Microsoft CAS, Defender ATP, Azure ATP, Conditional Access, AIP, Secure Identity Management and Compliance), Currently I work in the Implementation of new Projects and business continuation related to Information Security in products such as Office 365 and Azure, I am certified by Microsoft and I am still searching new Certifications on existing platforms in the market.



Do you want to upgrade your career? 

Invest in yourself and get ahead! Get that dream job in 2022!