Jordan Flynn KB

BitLocker Deployment

Encrypting endpoints with BitLocker managed through Intune.

Overview

BitLocker provides full-disk encryption for Windows devices, protecting data at rest in case of loss or theft. When managed through Intune, you can configure an endpoint protection profile that silently enables encryption without any user interaction on supported hardware.

Prerequisites

  • TPM 2.0 chip present and enabled in BIOS/UEFI
  • UEFI firmware (not legacy BIOS)
  • Secure Boot enabled
  • Windows 10 Pro / Enterprise or Windows 11 Pro / Enterprise
  • Device enrolled in Microsoft Intune

In the Intune endpoint protection profile, set the encryption method to XTS-AES 256 for OS drives. Recovery keys are escrowed automatically to Azure AD, so administrators can retrieve them from the device's properties in Intune or the Entra admin center.

  • Encryption method — XTS-AES 256-bit for OS and fixed drives
  • Recovery key rotation — enable automatic rotation after each use
  • Recovery key escrow — back up to Azure AD before encryption begins
  • Silent encryption — requires TPM-only protector, no user prompt

Tip

Enable the "Rotate BitLocker recovery passwords" setting in Intune. This automatically generates a new recovery key each time one is used, preventing key reuse if a recovery key is compromised.

Checking Status

# Check BitLocker status on a device
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, EncryptionMethod, KeyProtector |
  Format-List
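The one-liner above shows the raw properties; what an administrator usually wants is a pass/fail verdict against the profile settings this page recommends (fully encrypted, XTS-AES 256, protection on, a TPM protector on the OS drive, and a recovery password protector that can be escrowed). The following function is an added example, not code from the original KB. The function name is my own; it relies only on Get-BitLockerVolume and, for the escrow check, on Event ID 845 in the BitLocker Management log, which Windows writes when a recovery password is backed up to Azure AD successfully.

```powershell
# Added example: audit every BitLocker volume against the recommended settings
# and return one object per volume with the reasons it fails, if any.
function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # Encryption method configured in the Intune profile
        [string]$RequiredMethod = 'XtsAes256'
    )

    # Successful Azure AD escrow events (Event ID 845); empty if none were logged
    $escrowEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845
    } -ErrorAction SilentlyContinue

    Get-BitLockerVolume | ForEach-Object {
        $reasons = [System.Collections.Generic.List[string]]::new()
        $types   = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $mp      = $_.MountPoint

        if ($_.VolumeStatus -ne 'FullyEncrypted') {
            $reasons.Add("VolumeStatus is $($_.VolumeStatus)")
        }
        if ($_.ProtectionStatus -ne 'On') {
            # An encrypted volume with suspended protectors still exposes the clear key
            $reasons.Add("ProtectionStatus is $($_.ProtectionStatus)")
        }
        if ($_.EncryptionMethod -ne $RequiredMethod) {
            $reasons.Add("EncryptionMethod is $($_.EncryptionMethod), expected $RequiredMethod")
        }
        if ($_.VolumeType -eq 'OperatingSystem' -and 'Tpm' -notin $types) {
            $reasons.Add('No TPM protector, so silent unlock will not work')
        }
        if ('RecoveryPassword' -notin $types) {
            $reasons.Add('No recovery password protector, so nothing can be escrowed')
        }

        # Loose match on the event text, which names the volume letter
        $escrowed = [bool]($escrowEvents | Where-Object { $_.Message -like "*$mp*" })

        [pscustomobject]@{
            MountPoint      = $mp
            VolumeType      = $_.VolumeType
            Compliant       = ($reasons.Count -eq 0)
            EscrowConfirmed = $escrowed
            Protectors      = ($types -join ', ')
            Reasons         = ($reasons -join '; ')
        }
    }
}

Test-BitLockerCompliance | Format-Table -AutoSize
```

EscrowConfirmed is reported separately from Compliant because a volume can be configured correctly while the backup to Azure AD has not yet happened (for example on a device that has not been online since the recovery password was added); treat a false value there as a follow-up item rather than a hard failure.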

Manual Enablement

# Manually enable BitLocker and back up the recovery key to Azure AD
# (run from an elevated PowerShell session)
Enable-BitLocker -MountPoint "C:" `
  -EncryptionMethod XtsAes256 `
  -TpmProtector

# -TpmProtector alone creates no recovery password, so add one before backing up;
# without it the volume has a single key protector and nothing to escrow
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector

# Back up the recovery password protector, selected by type rather than by index
$BLV = Get-BitLockerVolume -MountPoint "C:"
$RecoveryProtector = $BLV.KeyProtector |
  Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" `
  -KeyProtectorId $RecoveryProtector.KeyProtectorId

Warning

If a device does not have a TPM or has Secure Boot disabled, silent encryption will fail without any visible error. Always validate hardware compliance before deploying the Intune profile at scale.
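The warning above and the Prerequisites list both come down to one question: does this device meet the hardware and enrollment requirements before the profile is assigned? The script below is an added example, not part of the original KB, that checks each prerequisite and exits non-zero when any fails, so it can be run as an Intune remediation or RMM script ahead of a rollout. The function name is mine; it uses Get-Tpm, the Win32_Tpm CIM class (whose SpecVersion string starts with "2.0" on TPM 2.0 devices), the $env:firmware_type variable, Confirm-SecureBootUEFI, Win32_OperatingSystem and dsregcmd /status, all of which require an elevated session to give complete results.

```powershell
# Added example: verify BitLocker prerequisites before deploying the Intune profile.
function Test-BitLockerReadiness {
    $checks = [ordered]@{}

    # TPM present, initialised, and spec version 2.0
    $tpm     = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                   -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $checks['TPM present'] = [bool]$tpm.TpmPresent
    $checks['TPM ready']   = [bool]$tpm.TpmReady
    $checks['TPM 2.0']     = ($tpmSpec -like '2.0*')   # e.g. "2.0, 0, 1.38"

    # UEFI firmware rather than legacy BIOS
    $checks['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')

    # Secure Boot; the cmdlet throws on legacy BIOS systems, so treat an error as "disabled"
    try   { $checks['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
    catch { $checks['Secure Boot enabled'] = $false }

    # Supported edition (Pro or Enterprise on Windows 10/11, per the prerequisites)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $checks['Supported edition'] = ($os.Caption -match 'Windows (10|11).*(Pro|Enterprise)')

    # Azure AD join and MDM enrollment, read from dsregcmd output
    $dsreg = dsregcmd /status
    $checks['Azure AD joined'] = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
    $checks['MDM enrolled']    = [bool]($dsreg -match 'MdmUrl\s*:\s*https://')

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ready        = ($failed.Count -eq 0)
        Failed       = ($failed -join ', ')
        Detail       = $checks
    }
}

$result = Test-BitLockerReadiness
$result | Format-List ComputerName, Ready, Failed

# Non-zero exit lets Intune remediation or an RMM tool flag the device before the profile is assigned
if (-not $result.Ready) { exit 1 }
```

Because silent encryption gives no on-device error when a prerequisite is missing, running this check on the pilot group first turns a silent non-event into a named failure (for example "Secure Boot enabled, TPM 2.0") that can be fixed in firmware settings before the profile reaches the wider fleet.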
