BitLocker

Configure BitLocker drive encryption policies through Intune endpoint security. BitLocker protects data on Windows devices by encrypting entire drive volumes.

Policy Configuration

Operating System Drive

Fixed Data Drives

Removable Data Drives

• Require encryption when writing
• AES-CBC 256-bit encryption
• Block write to unencrypted drives

Silent Encryption

Enable BitLocker without user interaction:

• Requires TPM 2.0 and Secure Boot
• Set startup auth to TPM Only for silent enablement
• Encryption begins automatically after policy deployment

Recovery Key Management

Recovery keys automatically escrowed to Azure AD. Admins view keys in Azure portal. Users access at myaccount.microsoft.com. Rotate keys after recovery events.

Encryption Status Monitoring

• Encrypted vs. unencrypted device counts
• Encryption in progress
• Encryption errors and failures
• Recovery key availability

Compliance Integration

• Require BitLocker for device compliance
• Non-compliant devices blocked via Conditional Access
• Grace period before blocking access

Troubleshooting

Encryption Not Starting

Verify TPM enabled, Secure Boot on, no conflicting Group Policies.

Recovery Key Missing

Check Azure AD device properties. Verify key escrow policy configured.

Best Practices

• Use XTS-AES 256-bit for OS and fixed drives
• Require TPM for hardware-backed encryption
• Always escrow recovery keys to Azure AD
• Enable silent encryption for seamless deployment
• Include encryption in compliance policies

API Reference

• GET /api/devices/security/bitlocker/status — Get encryption status
• GET /api/devices/security/bitlocker/keys/:deviceId — Get recovery keys
• POST /api/devices/security/bitlocker/rotate/:deviceId — Rotate key
• POST /api/devices/security/bitlocker/policies — Create policy