With Windows 10 almost out of support, it’s a good time to review how BitLocker is managed in your environment alongside rolling out Windows 11. You may manage BitLocker in your organization using SCCM (MBAM), but like many things these days, moving toward Intune makes it even easier.

In this post, we’ll show you two ways to create an Intune BitLocker policy for Windows 11 computers.

If you are new to BitLocker…

Bitlocker is a Microsoft solution for drive encryption. It is not a new solution; it was introduced in Windows 7. As a system administrator, you can manage how to deploy it, its policy, and, most importantly, keep the recovery key in a safe place.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM), version 2.0 or later. Version 2.0 is now mandatory for Windows 11. TPM is a hardware component installed in most computers these days. 

Intune Bitlocker Policy Requirements

In Microsoft Intune, there’s no specific requirement to create a Bitlocker policy except that you need permission to manage device configurations and security.

  • Windows 11 Pro, Enterprise, and Education are all supported.
  • As stated previously, Windows 11 requires TPM v2.0.
  • SecureBoot should be considered for added security, but not mandatory.

See Microsoft’s documentation for more details about the requirements on the OS side.

Which policy type should be used?

There are two ways of configuring BitLocker in Intune:

  • Disk Encryption, which falls under the Endpoint security section
  • Device configuration profile, using the Endpoint Protection template

At first look, there isn’t much difference between the two methods, and both can silently encrypt a drive and back up the recovery key to Entra ID/Intune.

Entra ID-only devices, as a general rule, can use both methods with the same result.

Hybrid Entra ID Joined devices do have a behavior change. The Disk Encryption policy explicitly requires AD DS backup to be turned ON for silent encryption and key rotation, and it will also back up recovery keys to Entra ID/Intune. This can lead to confusion, since Intune can reach devices outside the corporate network that have no line of sight to AD DS, so the AD DS recovery key backup (and with it silent encryption) cannot complete. Using this method on hybrid-joined devices gives hit-and-miss results.

The Entra ID backup isn’t configurable with the Disk Encryption method; it is enabled by default.

Hybrid Entra ID Joined devices should be using a Device Configuration profile because:

  • No mandatory AD DS backup
  • Toggle Entra ID backup
  • It will silently encrypt from anywhere
  • It will support key rotation (manual and automatic) from anywhere.

Create the Disk Encryption BitLocker Policy in Intune

This should be the main scenario for Entra ID-joined devices.

  • In the Intune portal, go to Endpoint security / Disk encryption / Create Policy
  • Under Platform, select Windows 10 and later
  • Under Profile, select BitLocker
  • Click Create at the bottom
  • On the Basics tab, enter a policy name and click Next
  • In the Configuration settings pane, enter the desired options. There are a lot of available options, but Microsoft has done a great job explaining them using the little “i” symbol. Just hover over a specific setting to see its explanation.

Silently enable BitLocker on devices with the Disk Encryption method

To silently encrypt drives, you must set the following options in your configuration settings:

  • Warning for other disk encryption set to Block
  • Allow standard users to enable encryption during Azure AD Join set to Allow
  • Compatible TPM startup PIN must not be set to Require startup PIN with TPM
  • Compatible TPM startup key must not be set to Require startup key with TPM
  • Compatible TPM startup key and PIN must not be set to Require startup key and PIN with TPM

In the Configuration settings section, make sure the Base Settings are configured as listed above.

In the OS Drive Settings, configure the TPM startup options as listed above (none of the three “Require …” values).

In addition, Microsoft documentation states that the device must meet the following requirements for silent encryption:

  1. If end users log in to the devices as Administrators, they must run Windows 10 version 1803 or later.
  2. If end users log in to the devices as Standard Users, they must run Windows 10 version 1809 or later.
  3. The device must be Azure AD Joined
  4. The device must contain TPM (Trusted Platform Module) 2.0
  5. The BIOS mode must be set to Native UEFI only.
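The five prerequisites above can be checked locally before the policy is assigned. The following PowerShell function is an added example, not code from the original post or from Microsoft; it assumes an elevated session on the target device, and the `Test-SilentBitLockerReadiness` name and the build numbers (1803 = 17134, 1809 = 17763) are ours.

```powershell
# Added example: local readiness check against the silent-encryption prerequisites.
# Run in an elevated PowerShell session on the Windows 11 device.
function Test-SilentBitLockerReadiness {
    [CmdletBinding()]
    param()

    $r = [ordered]@{}

    # 1/2. OS build: 1803 = 17134 (admin users), 1809 = 17763 (standard users).
    #      Windows 11 (build 22000+) satisfies both, so 17763 is used as the floor.
    $build            = [System.Environment]::OSVersion.Version.Build
    $r['OSBuild']     = $build
    $r['OSBuildOk']   = $build -ge 17763

    # 3. Join state, parsed from dsregcmd /status ("AzureAdJoined : YES").
    $dsreg              = dsregcmd /status
    $r['AzureAdJoined'] = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
    $r['DomainJoined']  = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')   # hybrid if both YES

    # 4. TPM present, ready, and spec version 2.0 (Win32_Tpm.SpecVersion reads "2.0, 0, 1.59").
    $tpm                 = Get-Tpm
    $tpmWmi              = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
    $r['TpmPresent']     = $tpm.TpmPresent
    $r['TpmReady']       = $tpm.TpmReady
    $r['TpmSpecVersion'] = $tpmWmi.SpecVersion
    $r['Tpm2Ok']         = $tpmWmi.SpecVersion -like '2.0*'

    # 5. Firmware mode: $env:firmware_type is 'UEFI' or 'Legacy'.
    $r['FirmwareType'] = $env:firmware_type
    $r['UefiOk']       = $env:firmware_type -eq 'UEFI'

    # Secure Boot is recommended in the requirements section but not mandatory;
    # Confirm-SecureBootUEFI throws on legacy BIOS, so treat that as "off".
    try   { $r['SecureBoot'] = Confirm-SecureBootUEFI } catch { $r['SecureBoot'] = $false }

    $r['ReadyForSilentEncryption'] = $r['OSBuildOk'] -and $r['AzureAdJoined'] -and
        $r['TpmPresent'] -and $r['TpmReady'] -and $r['Tpm2Ok'] -and $r['UefiOk']

    [pscustomobject]$r
}

Test-SilentBitLockerReadiness | Format-List
```

A device that reports `DomainJoined` and `AzureAdJoined` both as YES is hybrid joined, which is the case where the Device Configuration profile rather than the Disk Encryption policy is recommended above.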

Create a device configuration profile

  • In the Intune portal, go to Devices / Configuration / Create New Policy
  • Select Windows 10 or later, Templates, and Endpoint Protection.
  • Enter the policy name and click Next
  • Expand the section Windows Encryption. All the settings we need are under this section.
  • The following settings will silently enable BitLocker on the devices with a configuration profile.
  • This is the difference from the Disk Encryption policy: we specify Entra ID backup explicitly, with nothing to do with AD DS at all.
  • Summary of settings

Monitor your Intune Bitlocker Policy Deployment

It’s now time to see if our policy is working. To monitor your BitLocker deployment:

  • Go to Devices / Monitor / Encryption Report
  • All required information is displayed
  • In our example, the DESKTOP-EKADMM9 machine is not yet encrypted

Note that the Encryption Readiness state is also important. Many items are validated by default. See Microsoft Learn for more details.

Troubleshooting Intune Bitlocker Policy

Suppose you encounter an error while encrypting a device. The first step is to look at the Event Viewer of the affected machine.

BitLocker events are stored under Applications and Services Logs\Microsoft\Windows\BitLocker-API and BitLocker-DrivePreparationTool.

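Pulling the volume status and the recent events from those two logs is quicker from PowerShell than clicking through Event Viewer. The function below is an added example, not code from the original post; it assumes an elevated session on the affected device, discovers the BitLocker logs by name pattern rather than hard-coding them, and the `Get-BitLockerTroubleshootingReport` name, the 72-hour window and the message-text match for key backup events are our own choices.

```powershell
# Added example: local BitLocker status plus recent BitLocker-API / DrivePreparationTool events.
# Run in an elevated PowerShell session on the affected device.
function Get-BitLockerTroubleshootingReport {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 25,   # per log
        [int]$Hours     = 72    # look-back window (assumption: 3 days covers a policy sync)
    )

    # Per-volume encryption state and the key protector types in use.
    $volumes = Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        EncryptionPercentage, EncryptionMethod,
        @{ n = 'KeyProtectors'; e = { ($_.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', ' } }

    # Event Viewer shows these as "Applications and Services Logs\Microsoft\Windows\BitLocker-API"
    # and "...\BitLocker-DrivePreparationTool"; Get-WinEvent addresses them by provider log name,
    # so enumerate every BitLocker log that actually holds records instead of guessing names.
    $logNames = Get-WinEvent -ListLog 'Microsoft-Windows-BitLocker*' -ErrorAction SilentlyContinue |
        Where-Object RecordCount -gt 0 | Select-Object -ExpandProperty LogName

    $since = (Get-Date).AddHours(-$Hours)

    # Critical (1), Error (2) and Warning (3) events: these explain why encryption did not start.
    $errorEvents = foreach ($log in $logNames) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = $since } `
            -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    }

    # Events that report the outcome of the recovery key backup to Entra ID (Azure AD),
    # matched on message text so no event IDs need to be assumed.
    $backupEvents = foreach ($log in $logNames) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'Azure AD|backed up' }
    }

    [pscustomobject]@{
        Volumes      = $volumes
        ErrorEvents  = $errorEvents  | Sort-Object TimeCreated -Descending |
                       Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
        BackupEvents = $backupEvents | Sort-Object TimeCreated -Descending |
                       Select-Object TimeCreated, LogName, Id, Message
    }
}

$report = Get-BitLockerTroubleshootingReport
$report.Volumes      | Format-Table -AutoSize
$report.ErrorEvents  | Format-List
$report.BackupEvents | Format-List
```

A volume showing `ProtectionStatus = Off` with an `EncryptionPercentage` of 0 and an error event in the DrivePreparationTool log usually points at a prerequisite (TPM, UEFI, join state) rather than at the Intune policy itself; a volume that is encrypted but has no backup event is the case to chase for hybrid-joined devices.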

BitLocker recovery keys from the Intune portal

BitLocker recovery keys are saved to the Microsoft Entra ID device object, which is also visible from the Intune portal for convenience.

From the Intune portal, you can view BitLocker Key IDs and BitLocker recovery keys for your Windows 11 devices.

  • In the Intune Portal
  • Go to Devices / All devices
  • Select a device and then Recovery keys
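If a device is encrypted but no key shows up under Recovery keys, the backup to the Entra ID device object can be re-triggered from the device itself. The function below is an added example, not code from the original post; it assumes an elevated session on an Entra ID joined (or hybrid joined) device and uses the `BackupToAAD-BitLockerKeyProtector` cmdlet from Windows’ BitLocker PowerShell module. The `Sync-BitLockerRecoveryKeyToEntraId` name is ours.

```powershell
# Added example: make sure every recovery password on a volume is escrowed to Entra ID.
# Run in an elevated PowerShell session on the device.
function Sync-BitLockerRecoveryKeyToEntraId {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive   # "C:" on most devices
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        Write-Warning "Protection is $($volume.ProtectionStatus) on $MountPoint; nothing to back up yet."
        return
    }

    # Only RecoveryPassword protectors (the 48-digit key) are escrowed; TPM protectors are not.
    $recoveryProtectors = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recoveryProtectors) {
        Write-Warning "No RecoveryPassword protector on $MountPoint; add one before backing up."
        return
    }

    foreach ($kp in $recoveryProtectors) {
        # KeyProtectorId is the "BitLocker Key ID" the Intune portal shows for the device.
        if ($PSCmdlet.ShouldProcess("$MountPoint protector $($kp.KeyProtectorId)", 'Back up to Entra ID')) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
    # The result (success or failure) is written to the BitLocker-API event log described
    # in the Troubleshooting section; the recovery password itself is never printed here.
}

Sync-BitLockerRecoveryKeyToEntraId -MountPoint 'C:' -WhatIf   # preview first, then run without -WhatIf
```

Run it with `-WhatIf` first to see which protector IDs would be sent, then without it; the Key ID it reports should then appear under Devices / All devices / Recovery keys for that device.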

Manage access for BitLocker in Intune

You can use the Endpoint Security Manager built-in role, or create a new role and use the Remote Tasks permissions, which include the BitLocker actions.

To use the Endpoint Security Manager role:

  • In the Endpoint Manager console
  • Go to Tenant Administration / Roles / All Roles
  • Add your user to the Endpoint Security Manager role

To use a new group:

  • Create a new group, then assign the Rotate BitLocker Key action under Remote Tasks to your newly created group

We hope this article helps you manage Windows 11 and your Intune BitLocker policy. Feel free to use the comment section if you have any questions.
