BitLocker Encryption

Configure and manage BitLocker drive encryption on Windows devices through Intune. Encrypt operating system drives, fixed data drives, and removable drives to protect data at rest.

Note: BitLocker requires TPM 1.2 or later (TPM 2.0 recommended) and Windows 10/11 Pro, Enterprise, or Education.

Encryption Settings

Operating System Drive

  • Require encryption — Enforce encryption on the OS drive
  • Encryption method — XTS-AES 128-bit or XTS-AES 256-bit (recommended)
  • Startup authentication — TPM only, TPM + PIN, TPM + startup key
  • Minimum PIN length — 4 to 20 characters

Fixed Data Drives

  • Require encryption — Encrypt all fixed data drives
  • Encryption method — XTS-AES 128-bit or XTS-AES 256-bit
  • Auto-unlock — Automatically unlock when OS drive is unlocked

Removable Data Drives

  • Require encryption — Encrypt removable drives when written to
  • Encryption method — AES-CBC 128-bit or AES-CBC 256-bit
  • Block write access — Block writing to unencrypted drives

Recovery Key Management

Azure AD Key Escrow

Recovery keys are automatically backed up to Azure AD:

  • Recovery key stored with the device object
  • Admins retrieve keys from the Azure portal
  • Users view their own keys at myaccount.microsoft.com

Recovery Options

  • Recovery Password — 48-digit numerical recovery password
  • Recovery Key — 256-bit key stored on USB drive
  • Data Recovery Agent — Certificate-based recovery

Silent Encryption

Enable BitLocker without user interaction:

  • Requires TPM 2.0 and Secure Boot
  • No pre-boot authentication (TPM + PIN or startup key) can be required, since there is no user present to enter it
  • Encryption starts automatically after policy applies

Encryption Status

  • Encrypted — Drive is fully encrypted
  • Encryption in Progress — Encryption is running
  • Not Encrypted — Drive is not encrypted
  • Suspended — Encryption is paused
  • Error — Encryption failed

Compliance Integration

  • Require BitLocker encryption for device compliance
  • Non-compliant devices blocked via Conditional Access
  • Grace period allows time for encryption to complete

Best Practices

  • Use XTS-AES 256-bit encryption for OS and fixed drives
  • Enable silent encryption with TPM 2.0
  • Always escrow recovery keys to Azure AD
  • Configure compliance policies to require encryption
  • Test on pilot devices before broad deployment
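As an added example (not code from this product or its documentation), the PowerShell audit below checks a device against the best practices above and the drive settings listed earlier: XTS-AES 256 on OS and fixed drives, AES-CBC on removable drives, a TPM-based startup protector, a recovery password to escrow, and auto-unlock on fixed data drives. It assumes an elevated session on Windows 10/11 with the built-in BitLocker module; the function name Test-BitLockerBaseline and its parameters are the example's own.

```powershell
# Added audit (not the product's own code): compare local BitLocker state with the page's baseline.
# Assumes an elevated session on Windows 10/11 with the built-in BitLocker module.
function Test-BitLockerBaseline {
    param(
        [string]   $FixedMethod      = 'XtsAes256',           # OS and fixed drives
        [string[]] $RemovableMethods = @('Aes128', 'Aes256')  # AES-CBC for removable drives
    )
    $findings = @()
    $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    foreach ($vol in Get-BitLockerVolume) {
        $mp    = $vol.MountPoint
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        # Volumes without a drive letter cannot be classified as fixed/removable here; skip them.
        $letter = $mp.TrimEnd(':')
        if ($letter.Length -ne 1) { $findings += "$mp : skipped (no drive letter)"; continue }
        $driveType = (Get-Volume -DriveLetter $letter).DriveType   # Fixed or Removable
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$mp : protection $($vol.ProtectionStatus), status $($vol.VolumeStatus)"
        }
        if ($vol.VolumeType -eq 'OperatingSystem') {
            if ($vol.EncryptionMethod -ne $FixedMethod) {
                $findings += "$mp : OS drive uses $($vol.EncryptionMethod), expected $FixedMethod"
            }
            # Silent enablement relies on a TPM-based protector (TPM+PIN / startup key are stronger)
            if (-not ($types | Where-Object { $tpmTypes -contains $_ })) {
                $findings += "$mp : no TPM-based startup protector"
            }
            # The RecoveryPassword protector is the 48-digit value that gets escrowed to Azure AD
            # (BackupToAAD-BitLockerKeyProtector); without one there is nothing to escrow.
            if ($types -notcontains 'RecoveryPassword') {
                $findings += "$mp : no recovery password protector to escrow"
            }
        } elseif ($driveType -eq 'Removable') {
            if ($RemovableMethods -notcontains $vol.EncryptionMethod) {
                $findings += "$mp : removable drive uses $($vol.EncryptionMethod), expected AES-CBC"
            }
        } else {
            if ($vol.EncryptionMethod -ne $FixedMethod) {
                $findings += "$mp : fixed drive uses $($vol.EncryptionMethod), expected $FixedMethod"
            }
            if (-not $vol.AutoUnlockEnabled) {
                $findings += "$mp : auto-unlock disabled; user is prompted after the OS drive unlocks"
            }
        }
    }
    return $findings   # empty array means the device matches the baseline
}
# Run elevated; each finding is printed as a warning.
Test-BitLockerBaseline | ForEach-Object { Write-Warning $_ }
```

Running this on pilot devices before broad deployment gives a quick read on whether the applied policy produced the intended protectors and methods; a device with no findings still needs its recovery password confirmed in the Azure portal.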

API Reference

  • GET /api/devices/bitlocker/status — Get encryption status
  • GET /api/devices/bitlocker/keys/:deviceId — Get recovery keys
  • POST /api/devices/bitlocker/rotate/:deviceId — Rotate recovery key
  • GET /api/devices/bitlocker/report — Get encryption compliance report