In this guide, we’ll explore how to deploy BitLocker using the Intune Settings Catalog, which allows for more flexible configuration options. BitLocker is a data protection feature integrated with the operating system to protect against data theft or exposure from lost, stolen, or improperly decommissioned computers. It provides maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later.
BitLocker can be configured in Intune for Windows 10 and 11 devices using one of three methods:
- An endpoint protection profile
- An endpoint security disk encryption profile
- A settings catalog profile
The endpoint protection and endpoint security disk encryption profiles use BitLocker configuration service provider (CSP) to configure encryption of PCs and devices, while the settings catalog profile uses a combination of BitLocker CSP and ADMX backed settings.
Microsoft recommends deploying BitLocker using an Endpoint protection profile based on your organization’s requirements. The settings catalog profile is a suitable alternative if you need more setup flexibility and options.
In this guide, we’ll demonstrate how to configure and deploy BitLocker on Windows 10 and 11 devices using the Intune settings catalog.
Prerequisites for Deploying BitLocker via Intune Settings Catalog
BitLocker for Intune is available on devices running Windows 10 and Windows 11. Enabling BitLocker using Intune requires the following prerequisites:
- A valid Microsoft Intune license
- Azure AD or Hybrid Azure AD joined devices
- Devices not encrypted with third-party disk encryption software, such as McAfee Disk Encryption
- Devices with TPM chip version 1.2 or higher (TPM 2.0 strongly recommended)
- BIOS set to UEFI
- Appropriate Intune role-based access control (RBAC) permissions for your account
Additional BitLocker Settings available in Intune Settings Catalog
The Intune Settings Catalog offers additional BitLocker settings not available in the other two policies—endpoint security and device configuration profiles.
- Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
- Allow enhanced PINs for startup
- Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Enforce drive encryption type on operating system drives
- Select the encryption type: (Device)
Deploy BitLocker using Intune Settings Catalog
To configure and deploy BitLocker with the Settings Catalog, follow these steps:
- Sign in to the Microsoft Intune admin center.
- Navigate to Devices > Windows devices > Configuration profiles.
- Select + Create profile, choose Windows 10 and later for the Platform and Settings catalog for the Profile type, then select Create.
- Name the profile in the Basics tab of the Create profile pane. Add a brief description about the profile. Click Next.
- On the Configuration settings tab, select +Add settings.
- Type “BitLocker” in the search box to find all related settings for configuring BitLocker. The Intune settings catalog allows you to select which BitLocker settings are added to the policy.
There are five categories or groups of settings that you can configure for BitLocker in Intune:
- BitLocker Drive Encryption
- Fixed Data Drives
- Operating System Drives
- Removable Data Drives
- BitLocker settings
Note: You can configure only the settings required for your organization.
Once you’ve made your category selections, close the Settings picker pane and return to the Configurations tab.
The following can be configured for BitLocker settings:
- Allow warning for other disk encryption
- Configure recovery password rotation
- Removable drives excluded from Encryption
- Require Device Encryption
Configuring Fixed Data Drives settings are similar to those of endpoint security settings, with the exception of enforcing drive encryption type on fixed data drives and selecting the encryption type (device). These settings allow admins to specify whether BitLocker should encrypt used space only or the entire drive.
For removable drives, most settings are similar to endpoint protection policies. However, you’ll want to consider requirements for the “Allow users to suspend and decrypt BitLocker protection on removable data drives (device)” and “Enforce drive encryption type on removable data drives” settings as well.
After configuring all the BitLocker settings via Intune Settings Catalog, click Next. On the Assignments tab, add the Azure AD groups to which you want to deploy the BitLocker settings. Click Next.
On the Review + create page, you’ll find all the BitLocker settings that you have configured. When you’re done, select Create.
After deploying the BitLocker policy via Intune, the policy now appears under the list of Configuration Profiles. A notification also appears confirming that the policy is created.
Once you have deployed BitLocker using Intune Settings Catalog, the next step is to monitor the BitLocker encryption status on devices. You can do this from the Intune Admin center. Additionally, there is a Microsoft Intune encryption report to view details about a device’s encryption status and find options to manage device recovery keys.
The Microsoft Intune encryption report is a central place to learn about a device’s encryption status and find ways to manage recovery keys. The recovery key options that are available depend on the type of device you’re viewing.
To find the report, sign in to the Microsoft Endpoint Manager admin center. Select Devices > Monitor, and then under Configuration, select Encryption Report.