Configuring BitLocker with Intune

Zehadi Alam

Introduction


Implementing disk encryption is a key component of an organization's overall security strategy. This article will focus on the configuration of BitLocker, Microsoft's proprietary disk encryption technology. Configuring BitLocker settings within Intune can be complex, but this guide will simplify the procedure and offer a functional configuration that enables BitLocker automatically and silently on targeted devices with an active TPM.

Tip: If you are unsure of what to configure for a setting that is left to individual IT units to decide, you can use the setting shown in this article. It is intended to be broadly applicable.

Implementation


1. Within the Microsoft Intune Admin Center, navigate to Endpoint security > Disk encryption and select Create Policy

Tip: Although BitLocker can also be configured from the configuration profiles section, it is recommended to use the Endpoint security blade for configuring BitLocker. This approach not only improves administrative compartmentalization of policies but also consolidates all modern BitLocker settings into one convenient template.



2. Select Windows 10 and later as the Platform and BitLocker for the Profile



3. Provide a name and description for the profile



4. The following are the broadly recommended settings under Windows Components > BitLocker Drive Encryption > Removable Data Drives

Enforcing BitLocker for removable media and/or denying write access to removable media not protected by BitLocker may prove overly restrictive. Leaving the following options as Not configured allows the flexibility of either using or not using BitLocker for removable media. The specifics of these settings are up to individual IT units to decide.



5. Configure the settings under Windows Components > BitLocker Drive Encryption > Fixed Data Drives as follows

Explanation of choices

- Enforcing drive encryption type on fixed data drives is not configured, as it will conflict with the settings under Windows Components > BitLocker Drive Encryption
- It is prudent to not enable BitLocker until recovery information has been backed up, otherwise that information may not be available when needed
- Allowing 256-bit recovery key permits the silent enablement of BitLocker
- Allowing data recovery agent is functionally equivalent to not configuring it; it is the default setting
- Allowing 48-digit recovery password permits the silent enablement of BitLocker
- Saving BitLocker recovery information is a prudent step for future recovery
- Omitting recovery options from the BitLocker setup wizard permits the silent enablement of BitLocker
- Denying write access to fixed drives not protected by BitLocker is left to individual IT units to decide, but is shown as not configured here


Note: the exclusive mention of AD DS appears to be erroneous, as the BitLocker recovery information is in fact stored to Entra ID (formerly Azure AD).




6. Configure the settings under Windows Components > BitLocker Drive Encryption > Operating System Drives as follows

Explanation of choices

- Enabling startup authentication allows the TPM to be used for authentication. A startup key and PIN are disallowed, as either will prevent the silent enablement of BitLocker. Requiring the TPM is recommended, as using it for authentication leads to a seamless startup experience on BitLocker-protected devices
- BitLocker should be disallowed on devices without a compatible TPM, as that will require entering a recovery key every time the computer starts up
- All settings involving a PIN are left unconfigured as the use of a PIN was disallowed
- BitLocker authentication requiring preboot keyboard input is unconfigured, as the Windows recovery environment should be enabled and will allow for BitLocker recovery
- The reasoning behind the settings for fixed data drives applies here as well. Configure them the same way
- A preboot recovery message is configured, so end users know to contact their IT team for assistance with BitLocker recovery





7. For maximum data security, configure the settings under Windows Components > BitLocker Drive Encryption as follows

Tip: Use XTS-AES encryption over AES-CBC where possible: https://www.kingston.com/en/blog/data-security/xts-encryption



8. Configure the settings under BitLocker as follows


Explanation of choices

- Requiring device encryption is congruent with deploying a BitLocker policy to devices
- Disabling the warning for other disk encryption facilitates the silent enablement of BitLocker
- Allowing standard user encryption allows BitLocker to be enabled in scenarios where the signed-in user is a non-admin
- Recovery password rotation is a beneficial feature for both Azure AD-joined and hybrid-joined devices



9. Assign the profile to device groups


10. Retrieve recovery keys as follows

After the policy has been successfully applied to the targeted devices, navigate to the Recovery keys blade by selecting one of the computers. Within this interface, the recovery keys for the operating system and fixed drives will be displayed. Clicking Show recovery key allows for the secure retrieval of the recovery key. This process can also be carried out on a mobile device for convenience.
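The following script is an added example, not part of the original article, for confirming on a targeted device that the policy above produced the intended end state: the OS volume is encrypted with XTS-AES, only TPM and recovery password protectors exist (no PIN or startup key), and the recovery password was escrowed to Entra ID. It assumes the built-in BitLocker PowerShell module and an elevated session; the event ID 845 check relies on the BitLocker Management log entry Windows writes on a successful Azure AD / Entra ID backup.

```powershell
#Requires -RunAsAdministrator
# Added verification script (not from the original article). Run on a device that received the policy.

$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

# 1. Encryption state and cipher (step 7 expects XTS-AES, e.g. XtsAes256)
"Protection status : $($osVolume.ProtectionStatus)"
"Volume status     : $($osVolume.VolumeStatus)"
"Encryption method : $($osVolume.EncryptionMethod)"

# 2. Protectors expected for silent enablement (step 6): TPM plus a recovery password.
#    TpmPin, TpmStartupKey or ExternalKey protectors indicate the policy did not apply as intended.
$protectorTypes = @($osVolume.KeyProtector.KeyProtectorType)
"Key protectors    : $($protectorTypes -join ', ')"
$unexpected = $protectorTypes | Where-Object { $_ -notin @('Tpm', 'RecoveryPassword') }
if ($unexpected) { Write-Warning "Unexpected protectors present: $($unexpected -join ', ')" }

# 3. Confirm the recovery password was backed up to Entra ID (step 5 requires this before enablement).
#    Event 845 in the BitLocker Management log records a successful backup to Azure AD / Entra ID.
$backupEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845
} -ErrorAction SilentlyContinue
if ($backupEvents) {
    "Recovery key backup to Entra ID confirmed at $($backupEvents[0].TimeCreated)"
} else {
    Write-Warning 'No event 845 found: recovery information may not be escrowed in Entra ID.'
    # Re-attempt the escrow for each recovery password protector (the same backup the policy performs).
    $osVolume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            BackupToAAD-BitLockerKeyProtector -MountPoint $osVolume.MountPoint -KeyProtectorId $_.KeyProtectorId
        }
}

# 4. Same summary for fixed data drives (step 5)
Get-BitLockerVolume | Where-Object VolumeType -eq 'Data' |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Compare the protector list and encryption method against the values shown in the Intune Recovery keys blade for the same device; a mismatch usually means the policy has not yet been evaluated or a conflicting configuration profile is also targeting the device.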


Additional Tip


In the event of a compromised recovery key, it is possible to manually rotate the recovery key by initiating a remote action on a device.
