Intune Silently Enable BitLocker

May 27, 2023bytheDXT

When you are managing devices with Microsoft Intune aka Microsoft Endpoint Manager it’s great to control BitLocker but silently enabling BitLocker for all devices is even better.

Here is everything you need to know to silently enable BitLocker with Intune.

Disk Encryption Policy Profile

First up we need to create a disk encryption policy profile that we can use later on with our configuration profile. The Disk Encryption Policy Profile by itself really does nothing other than defining the settings that will apply when referenced by a configuration profile.

Click on Endpoint Security

Click on Disk encryption

Click on Create Policy

The naming is conflicting because now it’s called a profile. Let’s just call it a Policy Profile to keep things simple.

Set the Platform as Windows 10 and later and the Profile as BitLocker

Give your BitLocker Policy Profile a name. I’m going to call mine BitLocker Policy Profile

Set the following options for BitLocker – Base Settings
- Set Enable full disk encryption for OS and fixed data drives to Yes
- Set Hide prompt about third-party encryption to Yes
- Set Allow standard users to enable encryption during Autopilot to Yes
- I’m going to set Configure client-driven recovery password rotation to Enable rotation on Azure AD and Hybrid-joined devices but you should set it to your preference.

Set the following options for BitLocker – Fixed Drive Settings
- Set BitLocker fixed drive policy to Configure
- Set Configure encryption method for fixed data-drive to AES 128bit XTS. (This is the default setting, you can change it to whatever you want)
Set the following options for BitLocker – OS Drive Settings
- Set BitLocker system drive policy to Configure
- Set Configure encryption method for Operating system drives to AES 128bit XTS. (This is the default setting, you can change it to whatever you want)
Set the following options for BitLocker – Removable Drive Settings
- Set BitLocker removable drive policy to Configure
- Set Configure encryption method for removable data-drives to AES 128bit XTS. (This is the default setting, you can change it to whatever you want)
After you’ve set all of that click Next

Set your Scope tags if applicable and click Next

Select the device groups you want to target this BitLocker Policy Profile to.

I like to use some of my dynamic device groups for this. You can read more about the dynamic device groups I like to use in my post called Intune Dynamic Device Groups

When you select the groups this won’t actually make any of the settings take effect. We are just defining the settings so that a configuration profile can reference them. Which is the next part.

Review the BitLocker Policy Profile you’ve drafted if everything looks good click Create

Configuration Profile

Now we can create the BitLocker Configuration Profile that will apply to the devices which will reference the BitLocker Policy Profile we just created.

Click on Devices

Click on Configuration profiles

Click on Create profile

Set the Platform as Windows 10 and later set the profile type as Templates and select Endpoint protection

Give your Profile a name. I’m going to call mine BitLocker Configuration Profile

Under Windows Encryption set the following settings
- Set Encrypt devices to Require
- Set Warning for other disk encryption to Block
- Set Allow standard users to enable encryption during Azure AD Join to Allow

We don’t need to configure our encryption methods because that’s already taken care of in the BitLocker Policy Profile we created.

I like to enable additional authentication at startup as Required to be extra secure but you don’t need to set that setting.

Select your Assignments

This is where selecting only the corporate owned devices is very important as you have told it to enable BitLocker even if the device is using some third party encryption which can cause issues if a user has VeraCrypt or something else also enabled. I will use my Intune Dynamic Device groups to make sure my targeting is on point.