Introduction
BitLocker encryption is a powerful way to protect sensitive data on Windows 11 devices. With Microsoft Intune, IT administrators can centrally deploy and manage BitLocker policies, ensuring consistent encryption across all endpoints. In this guide, we walk you through how to create an Intune BitLocker policy for Windows 11 devices, step by step.
Why Use Intune to Manage BitLocker?
Using Microsoft Intune to enforce BitLocker encryption provides several advantages:
- Centralized policy management
- Automated compliance enforcement
- Integration with Microsoft Entra ID (formerly Azure AD)
- Silent deployment with no user interaction
- Key recovery via Microsoft Intune
By enforcing a BitLocker policy through Intune, you can ensure data protection and regulatory compliance across your organization’s Windows 11 fleet.
Prerequisites
Before creating the policy, ensure the following:
- Devices must be Windows 11 Pro, Enterprise, or Education
- Devices must be Azure AD joined or Hybrid Azure AD joined
- Devices must be enrolled in Intune
- TPM (Trusted Platform Module) 1.2 or higher must be enabled on the device
- Admin access to Microsoft Intune admin center
Step-by-Step: Create an Intune BitLocker Policy
Step 1: Sign in to the Microsoft Intune admin center (formerly Microsoft Endpoint Manager)
- Go to the Microsoft Intune admin center (https://intune.microsoft.com).
- Sign in with your admin credentials.
Step 2: Create a Device Configuration Profile
- In the left-hand menu, select Devices.
- Click on Manage Devices > Configuration profiles > + Create.
- Set the platform to Windows 10 and later.
- Set the profile type to Templates > Endpoint protection and click on Create.
- Under Basics, enter a Name and Description, then click Next.
Step 3: Configure BitLocker Settings
Under Configuration settings, configure the following:
- Under Windows settings, configure
  - Encrypt devices > Require
- Under BitLocker base settings, configure
  - Warning for other disk encryption > Block
  - Allow standard users to enable encryption during Microsoft Entra join > Allow
  - Configure encryption methods > Enable
    - Encryption for operating system drives > XTS-AES 256-bit
    - Encryption for fixed data-drives > XTS-AES 256-bit
    - Encryption for removable data-drives > XTS-AES 256-bit
- Under BitLocker fixed data-drive settings, configure
  - Fixed drive recovery > Enable
    - User creation of recovery password > Require 48-digit recovery password
    - User creation of recovery key > Require 256-bit recovery key
    - Recovery options in the BitLocker setup wizard > Block
    - Save BitLocker recovery information to Microsoft Entra ID > Enable
    - BitLocker recovery information stored to Microsoft Entra ID > Backup recovery passwords and key packages
    - Store recovery information in Microsoft Entra ID before enabling BitLocker > Require
Step 4: Assign the Policy
- Click Next to go to the Assignments tab.
- Assign the policy to the appropriate Azure AD group(s).
- Click Next and review your settings.
- Click Create to apply the policy.
Step 5: Monitor Deployment and Compliance
After deployment, monitor policy status:
- Go to Devices > Monitor > Encryption report to track compliance.
- Use the Intune Troubleshooting Portal for in-depth diagnostics.
You can also view BitLocker recovery keys in Azure AD under Devices > [Device Name] > BitLocker keys.
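The Encryption report shows the tenant-wide view; on a single endpoint you can confirm the same things locally. The following PowerShell script is an added example, not part of the original guide: it checks the prerequisites listed above (edition, TPM, Entra join), the outcome of the Step 3 settings (protection on, XTS-AES 256, TPM and 48-digit recovery password protectors on the OS and fixed drives), the Secure Boot best practice, and whether the recovery information was escrowed to Microsoft Entra ID (event ID 845 in the BitLocker Management log records a successful backup, 846 a failure). It follows the exit-code contract of an Intune remediation detection script (0 = compliant, 1 = non-compliant); deploying it that way is an assumption, and the script uses only built-in cmdlets (Get-Tpm, Confirm-SecureBootUEFI, Get-BitLockerVolume, Get-Volume, Get-WinEvent) plus dsregcmd. Run it in an elevated session.

```powershell
# Added example, not from the original guide: verify locally that a Windows 11
# device matches the Intune BitLocker policy described above.
# Exit 0 = compliant, exit 1 = non-compliant (Intune remediation detection
# script contract; using it that way is an assumption). Run elevated.

$issues = New-Object 'System.Collections.Generic.List[string]'

# --- Prerequisites from the guide: edition, TPM, Microsoft Entra join ---
$osCaption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if ($osCaption -notmatch 'Pro|Enterprise|Education') {
    $issues.Add("Edition not covered by the policy: $osCaption")
}

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $issues.Add('TPM is not present or not ready')
}

# Best practice from the guide: Secure Boot enabled. Confirm-SecureBootUEFI
# throws on legacy BIOS firmware, which is also reported as non-compliant.
try {
    if (-not (Confirm-SecureBootUEFI)) { $issues.Add('Secure Boot is disabled') }
} catch {
    $issues.Add('Secure Boot not supported (legacy BIOS firmware)')
}

# dsregcmd /status prints "AzureAdJoined : YES" on Entra joined and hybrid joined devices
$dsreg = (dsregcmd /status) -join "`n"
if ($dsreg -notmatch 'AzureAdJoined\s*:\s*YES') {
    $issues.Add('Device is not Microsoft Entra joined or hybrid joined')
}

# --- Outcome of the policy: OS drive and fixed data drives encrypted as configured ---
foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint

    # Removable drives are skipped: the guide requires encryption for OS and fixed drives
    if ($vol.VolumeType -eq 'Data' -and $mp -match '^[A-Z]:$') {
        $drive = Get-Volume -DriveLetter $mp.Substring(0, 1) -ErrorAction SilentlyContinue
        if ($drive -and $drive.DriveType -ne 'Fixed') { continue }
    }

    if ($vol.ProtectionStatus -ne 'On') {
        $issues.Add("${mp}: protection is $($vol.ProtectionStatus), expected On")
    }
    if ($vol.EncryptionMethod -ne 'XtsAes256') {
        $issues.Add("${mp}: encryption method is $($vol.EncryptionMethod), expected XtsAes256")
    }

    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($vol.VolumeType -eq 'OperatingSystem' -and $protectors -notcontains 'Tpm') {
        $issues.Add("${mp}: no TPM key protector")
    }
    if ($protectors -notcontains 'RecoveryPassword') {
        $issues.Add("${mp}: no 48-digit recovery password protector")
    }
}

# --- Key escrow: event 845 = recovery information backed up to Microsoft Entra ID ---
$backup = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845
} -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $backup) {
    $issues.Add('No record of recovery information backed up to Microsoft Entra ID')
}

if ($issues.Count -eq 0) {
    Write-Output 'Compliant: BitLocker policy applied as expected'
    exit 0
}
$issues | ForEach-Object { Write-Output "Non-compliant: $_" }
exit 1
```

A missing event 845 on a device whose drive is otherwise encrypted is the case worth chasing first: the drive is protected, but nobody can recover it from the admin center if the user is locked out. Checking for event 846 in the same log usually explains why the escrow failed.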
Best Practices for Intune BitLocker Policies
- Use silent deployment to avoid user prompts
- Require TPM 2.0 with secure boot for stronger protection
- Enforce BitLocker recovery key rotation
- Regularly audit encryption status across all devices
- Combine BitLocker policies with compliance policies in Intune
Conclusion
Implementing a BitLocker policy via Intune for Windows 11 devices is essential for ensuring data security, especially in remote and hybrid environments. With centralized management, automated deployment, and integration with Azure AD, you can simplify encryption enforcement and reduce risk. Start protecting your devices today by following the steps outlined in this guide.