When you are managing devices with Microsoft Intune aka Microsoft Endpoint Manager it’s great to control BitLocker but silently enabling BitLocker for all devices is even better.
Here is everything you need to know to silently enable BitLocker with Intune.
Disk Encryption Policy Profile
First up we need to create a disk encryption policy profile that we can use later on with our configuration profile. The Disk Encryption Policy Profile by itself really does nothing other than defining the settings that will apply when referenced by a configuration profile.
- Login to Microsoft Intune admin center
- Click on Endpoint Security
- Click on Disk encryption
- Click on Create Policy
The naming is conflicting because now it’s called a profile. Let’s just call it a Policy Profile to keep things simple.
- Set the Platform as Windows 10 and later and the Profile as BitLocker
- Give your BitLocker Policy Profile a name. I’m going to call mine BitLocker Policy Profile
- Set the following options for BitLocker – Base Settings
- Set Enable full disk encryption for OS and fixed data drives to Yes
- Set Hide prompt about third-party encryption to Yes
- Set Allow standard users to enable encryption during Autopilot to Yes
- I’m going to set Configure client-driven recovery password rotation to Enable rotation on Azure AD and Hybrid-joined devices but you should set it to your preference.
- Set the following options for BitLocker – Fixed Drive Settings
- Set BitLocker fixed drive policy to Configure
- Set Configure encryption method for fixed data-drive to AES 128bit XTS. (This is the default setting, you can change it to whatever you want)
- Set the following options for BitLocker – OS Drive Settings
- Set BitLocker system drive policy to Configure
- Set Configure encryption method for Operating system drives to AES 128bit XTS. (This is the default setting, you can change it to whatever you want)
- Set the following options for BitLocker – Removable Drive Settings
- Set BitLocker removable drive policy to Configure
- Set Configure encryption method for removable data-drives to AES 128bit XTS. (This is the default setting, you can change it to whatever you want)
- After you’ve set all of that click Next
- Set your Scope tags if applicable and click Next
- Select the device groups you want to target this BitLocker Policy Profile to.
I like to use some of my dynamic device groups for this. You can read more about the dynamic device groups I like to use in my post called Intune Dynamic Device Groups
When you select the groups this won’t actually make any of the settings take effect. We are just defining the settings so that a configuration profile can reference them. Which is the next part.
- Review the BitLocker Policy Profile you’ve drafted if everything looks good click Create
Configuration Profile
Now we can create the BitLocker Configuration Profile that will apply to the devices which will reference the BitLocker Policy Profile we just created.
- Click on Devices
- Click on Configuration profiles
- Click on Create profile
- Set the Platform as Windows 10 and later set the profile type as Templates and select Endpoint protection
- Give your Profile a name. I’m going to call mine BitLocker Configuration Profile
- Under Windows Encryption set the following settings
- Set Encrypt devices to Require
- Set Warning for other disk encryption to Block
- Set Allow standard users to enable encryption during Azure AD Join to Allow
We don’t need to configure our encryption methods because that’s already taken care of in the BitLocker Policy Profile we created.
I like to enable additional authentication at startup as Required to be extra secure but you don’t need to set that setting.
- Select your Assignments
This is where selecting only the corporate owned devices is very important as you have told it to enable BitLocker even if the device is using some third party encryption which can cause issues if a user has VeraCrypt or something else also enabled. I will use my Intune Dynamic Device groups to make sure my targeting is on point.
- Set your Applicability rules if applicable
- Review the draft BitLocker Configuration Profile if all looks good click Create
That’s all it takes. If you set the settings correctly your devices will now start silently enabling BitLocker.