Description
This document outlines the steps and settings for creating a BitLocker Disk Encryption Policy Template using Microsoft Intune’s Endpoint Security node, focusing on silent encryption and key backup to Azure AD.
Intune Endpoint Security BitLocker Policy Template
This guide provides a configuration for a standard enterprise BitLocker policy designed for silent enablement on compatible Windows devices managed via Microsoft Intune (Endpoint Manager).
Prerequisites
For BitLocker to silently enable on the device, the following prerequisites must typically be met:
- Operating System: Windows 10/11 Pro, Enterprise, or Education.
- Device Join: Azure AD Joined or Hybrid Azure AD Joined.
- TPM: Trusted Platform Module (TPM) chip version 1.2 or higher (TPM 2.0 highly recommended and required for Windows 11).
- BIOS Mode: UEFI-native mode.
- No Startup PIN/Key: The policy must not require a TPM startup PIN or key, as this breaks silent enablement by requiring user interaction.
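The five prerequisites above can be verified on a candidate device before the policy is assigned. The following PowerShell pre-flight check is an added example and is not part of the original guide or of any Microsoft tooling; it assumes an elevated session on Windows 10/11 with the TrustedPlatformModule and BitLocker modules present (they ship with Pro, Enterprise and Education) and dsregcmd.exe available (Windows 10 1709 or later). The join state is parsed from dsregcmd output, the TPM spec version from the Win32_Tpm WMI class, and the "no startup PIN/key" condition from both the FVE policy registry values and any TPM+PIN or TPM+key protector already on the OS drive.

```powershell
# Added example (not from the original guide): pre-flight check of the silent
# BitLocker prerequisites. Run in an elevated PowerShell session on the device.
# Assumes TrustedPlatformModule + BitLocker modules and dsregcmd.exe are present.

$checks = [ordered]@{}

# 1. Operating system edition: Pro, Enterprise or Education.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$checks['OS edition']    = $os.Caption
$checks['OS edition OK'] = [bool]($os.Caption -match 'Pro|Enterprise|Education')

# 2. Device join state, parsed from dsregcmd /status output.
$dsreg         = & dsregcmd.exe /status
$azureAdJoined = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($dsreg | Select-String -Pattern 'DomainJoined\s*:\s*YES')
$joinState = 'Not Azure AD joined'
if ($azureAdJoined)                   { $joinState = 'Azure AD Joined' }
if ($azureAdJoined -and $domainJoined) { $joinState = 'Hybrid Azure AD Joined' }
$checks['Join state'] = $joinState
$checks['Join OK']    = $azureAdJoined

# 3. TPM present, ready, and spec version 1.2 or 2.0.
#    Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec.
$tpm     = Get-Tpm -ErrorAction SilentlyContinue
$tpmInfo = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$specVersion = if ($tpmInfo) { ($tpmInfo.SpecVersion -split ',')[0].Trim() } else { 'n/a' }
$checks['TPM spec version'] = $specVersion
$checks['TPM OK'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and ($specVersion -in '1.2', '2.0'))

# 4. Firmware mode: $env:firmware_type is "UEFI" on UEFI-native boot, "Legacy" otherwise.
$checks['Firmware mode'] = $env:firmware_type
$checks['UEFI OK']       = ($env:firmware_type -eq 'UEFI')

# 5. No startup PIN or startup key may be required. A value of 1 ("Require") in
#    UseTPMPIN / UseTPMKey / UseTPMKeyPIN under the FVE policy key, or an existing
#    TPM+PIN / TPM+key protector on the OS drive, would force user interaction.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$requiredByPolicy = @('UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') |
    Where-Object { $fve -and $fve.$_ -eq 1 }
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$interactiveProtectors = @($osVolume.KeyProtector |
    Where-Object { $_.KeyProtectorType -in 'TpmPin', 'TpmStartupKey', 'TpmPinAndStartupKey' })
$checks['Startup PIN/key required'] = [bool]($requiredByPolicy -or $interactiveProtectors.Count -gt 0)
$checks['No startup PIN/key OK']    = -not $checks['Startup PIN/key required']

# Summary: every gate must pass for silent enablement to succeed.
$checks['Silent enablement prerequisites met'] =
    $checks['OS edition OK'] -and $checks['Join OK'] -and $checks['TPM OK'] -and
    $checks['UEFI OK'] -and $checks['No startup PIN/key OK']

[pscustomobject]$checks | Format-List
```

A device that reports a 1.2 TPM will pass this check for Windows 10 but, as noted above, Windows 11 requires TPM 2.0; the Legacy firmware and "Startup PIN/key required" findings are the two that most often need remediation (a firmware reinstall or a conflicting group policy) before the Intune policy will take effect.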
Policy Creation Steps (Endpoint Security)
- Sign in to the Microsoft Intune admin center.
- Navigate to Endpoint security > Disk encryption.
- Click Create Policy.
- Configure the Basics tab:
  - Platform: Windows
  - Profile: BitLocker
- Click Create.
- On the Basics tab:
  - Name: BitLocker - Windows 10/11 Silent Encryption (or a meaningful name)
  - Description: (Optional)
- Click Next.
- On the Configuration settings tab, configure the settings as follows (key recommended settings for silent encryption and recovery):
| Setting Category | Setting Name | Recommended Value |
|---|---|---|
| BitLocker | Require Device Encryption | Enabled |
| Operating System Drives | Enforce drive encryption type on operating system drives | Enabled |
| Operating System Drives | Select the encryption type: (Device) | Full Encryption |
| Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered | Enabled |
| Operating System Drives | Configure user storage of BitLocker recovery information | Allow 256-bit recovery key; Allow 48-digit Recovery password |
| Operating System Drives | Configure storage of BitLocker recovery information to AD DS | Store recovery password only |
| Operating System Drives | Do not enable BitLocker until recovery information is stored to AD DS for operating system drives | True |
| Operating System Drives | Save BitLocker recovery information to AD DS for operating system drives | True |
| BitLocker – Fixed Drive Settings | Enforce drive encryption type on fixed data drives | Enabled |
| BitLocker – Fixed Drive Settings | Select the encryption type: (Device) | Full Encryption |
| BitLocker – Fixed Drive Settings | Choose how BitLocker-protected operating system drives can be recovered | Enabled |
| BitLocker – Fixed Drive Settings | Configure user storage of BitLocker recovery information | Allow 256-bit recovery key; Allow 48-digit Recovery password |
| BitLocker – Fixed Drive Settings | Configure storage of BitLocker recovery information to AD DS | Store recovery password only |
| BitLocker – Fixed Drive Settings | Do not enable BitLocker until recovery information is stored to AD DS for operating system drives | True |
| BitLocker – Fixed Drive Settings | Save BitLocker recovery information to AD DS for operating system drives | True |

- Scope tags (Optional): Add any required scope tags and click Next.
- Assignments: Select the Azure AD Security Groups containing the Windows devices you want to encrypt.
  - Recommended: Assign to a pilot group first, then expand.
- Click Next.
- Review + create: Review your settings and click Create.
Monitoring and Recovery
- Monitoring: The encryption status can be monitored in the Microsoft Intune admin center under Devices > Monitor > Encryption report.
- Recovery Key Access: Recovery keys are stored in Azure AD.
  - Go to Devices > All devices.
  - Select the device you need the key for.
  - Select Recovery keys under the Monitor section to retrieve the 48-digit recovery password. (Access to this requires appropriate RBAC permissions, such as the BitLocker key read permission.)
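The encryption report and the Recovery keys blade show the tenant-side view. On the device itself, the same three facts (drive encrypted, a recovery password protector present, recovery information actually backed up to Azure AD) can be confirmed locally. The script below is an added example, not part of the original guide or of Intune; it assumes an elevated session with the BitLocker PowerShell module on Windows 10 1511 or later, which is where the BackupToAAD-BitLockerKeyProtector cmdlet became available. It relies on BitLocker's own event log, where event 845 in the BitLocker Management channel records a successful Azure AD backup and event 846 a failed one.

```powershell
# Added example (not from the original guide): confirm on a device that the OS
# drive is encrypted, that a recovery password protector exists, and that the
# recovery information has been backed up to Azure AD. Run elevated.
# Assumes the BitLocker module and Windows 10 1511+ (BackupToAAD-BitLockerKeyProtector).

$volume = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Encryption state, the same facts the Intune encryption report summarises.
[pscustomobject]@{
    MountPoint       = $volume.MountPoint
    VolumeStatus     = $volume.VolumeStatus         # e.g. FullyEncrypted / EncryptionInProgress
    ProtectionStatus = $volume.ProtectionStatus     # On once the TPM protector is active
    EncryptionMethod = $volume.EncryptionMethod     # e.g. XtsAes128
    Percentage       = $volume.EncryptionPercentage
} | Format-List

# The 48-digit recovery password lives in a RecoveryPassword protector. Only the
# protector ID is displayed; the password belongs in Azure AD, not on a console.
$recoveryProtectors = @($volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recoveryProtectors.Count -eq 0) {
    Write-Warning "No recovery password protector on $($volume.MountPoint); nothing can be backed up to Azure AD."
    return
}
$recoveryProtectors | ForEach-Object { "Recovery password protector ID: $($_.KeyProtectorId)" }

# Event 845 = recovery information backed up to Azure AD successfully, 846 = backup failed.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845, 846
} -MaxEvents 20 -ErrorAction SilentlyContinue

# Get-WinEvent returns newest first, so -First 1 is the most recent of each kind.
$lastSuccess = $events | Where-Object Id -eq 845 | Select-Object -First 1
$lastFailure = $events | Where-Object Id -eq 846 | Select-Object -First 1
if ($lastSuccess) { "Last successful Azure AD backup: $($lastSuccess.TimeCreated)" }
if ($lastFailure) { Write-Warning "Last failed Azure AD backup at $($lastFailure.TimeCreated): $($lastFailure.Message)" }

# No success recorded: request a backup of every recovery password protector now.
if (-not $lastSuccess) {
    foreach ($p in $recoveryProtectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $volume.MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    "Backup requested; re-check the log for event 845, then confirm the key in the admin center under Devices > All devices > (device) > Recovery keys."
}
```

A device that shows FullyEncrypted with ProtectionStatus On but no event 845 is the case to watch for: the drive is protected, yet the recovery password is not in Azure AD, so a firmware change or TPM reset would leave the data unrecoverable through the admin center. The "Do not enable BitLocker until recovery information is stored to AD DS" setting in the table above is what prevents that state for policy-driven encryption; this check catches drives that were encrypted before the policy applied.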