Disk Encryption
Manage disk encryption across Windows and macOS devices through Intune endpoint security. Configure BitLocker (Windows) and FileVault (macOS) to protect data at rest.
BitLocker (Windows)
| Setting | Options |
|---|---|
| Require Encryption | Yes / No |
| Encryption Method (OS) | XTS-AES 128 / XTS-AES 256 |
| Encryption Method (Fixed) | XTS-AES 128 / XTS-AES 256 |
| Encryption Method (Removable) | AES-CBC 128 / AES-CBC 256 |
| Startup Authentication | TPM / TPM+PIN / TPM+Key |
| Recovery Key Escrow | Azure AD (required) |
Silent Encryption
Silent encryption requires TPM 2.0 and Secure Boot. Set startup authentication to TPM Only; encryption then starts automatically without prompting the user.
FileVault (macOS)
| Setting | Options |
|---|---|
| Enable FileVault | Yes / No |
| Recovery Key Type | Personal / Institutional |
| Escrow Location | Intune |
| Number of Times to Defer | 0-10 |
| Recovery Key Rotation | Days between rotation |
FileVault Enrollment
- User receives prompt at next login
- FileVault enabled with login password
- Personal recovery key generated
- Key escrowed to Intune
- Encryption begins
Encryption Status
| Status | Description |
|---|---|
| Encrypted | All drives fully encrypted |
| Encrypting | Encryption in progress |
| Not Encrypted | Device not encrypted |
| Suspended | Encryption paused |
| Error | Encryption failed |
Compliance Integration
- Require encryption for device compliance
- Non-compliant devices blocked via Conditional Access
- Grace period for encryption to complete
Monitoring
- Encryption status per device
- Adoption rates across fleet
- Failed or missing encryption
- Recovery key escrow status
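The status values, grace period and escrow checks above combine into a simple fleet report. The following is an added example (not part of this page or the product's own code) that evaluates constructed device records the way a compliance check would: Encrypted devices pass only if their recovery key is escrowed, Encrypting devices pass while inside the grace period, and every other status fails. The record field names (deviceId, platform, status, statusSince, recoveryKeyEscrowed) are an assumption about what the encryption status endpoint might return and should be adjusted to the real response.

```python
"""Disk-encryption compliance report over device status records.

Added example, not part of the original page. The record shape is an
ASSUMPTION (the page does not document the API response schema).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Status values taken from the Encryption Status table.
COMPLIANT_STATUSES = {"Encrypted"}
IN_PROGRESS_STATUSES = {"Encrypting"}
FAILED_STATUSES = {"Not Encrypted", "Suspended", "Error"}

# Fixed reference time so the example is reproducible (constructed).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed sample records; field names are assumed, not from the page.
SAMPLE_RECORDS = [
    {"deviceId": "win-001", "platform": "Windows", "status": "Encrypted",
     "statusSince": "2024-01-01T00:00:00+00:00", "recoveryKeyEscrowed": True},
    {"deviceId": "win-002", "platform": "Windows", "status": "Encrypting",
     "statusSince": "2024-01-13T00:00:00+00:00", "recoveryKeyEscrowed": True},
    {"deviceId": "win-003", "platform": "Windows", "status": "Encrypting",
     "statusSince": "2024-01-05T00:00:00+00:00", "recoveryKeyEscrowed": True},
    {"deviceId": "mac-001", "platform": "macOS", "status": "Encrypted",
     "statusSince": "2024-01-02T00:00:00+00:00", "recoveryKeyEscrowed": False},
    {"deviceId": "mac-002", "platform": "macOS", "status": "Error",
     "statusSince": "2024-01-10T00:00:00+00:00", "recoveryKeyEscrowed": False},
]


@dataclass
class Verdict:
    device_id: str
    compliant: bool
    reason: str


def evaluate(record, now=NOW, grace_period=timedelta(days=7)):
    """Return a compliance verdict for one device record."""
    device_id = record["deviceId"]
    status = record["status"]
    escrowed = bool(record.get("recoveryKeyEscrowed", False))

    if status in COMPLIANT_STATUSES:
        # Encrypted without an escrowed key still leaves recovery at risk.
        if not escrowed:
            return Verdict(device_id, False, "encrypted but recovery key not escrowed")
        return Verdict(device_id, True, "encrypted, recovery key escrowed")

    if status in IN_PROGRESS_STATUSES:
        # Grace period: encryption in progress is tolerated for a bounded time.
        since = datetime.fromisoformat(record["statusSince"])
        if now - since <= grace_period:
            return Verdict(device_id, True, "encrypting, within grace period")
        return Verdict(device_id, False, "encrypting longer than grace period")

    # Not Encrypted, Suspended, Error (or anything unknown) fails outright.
    return Verdict(device_id, False, f"status is {status}")


def summarize(records, now=NOW, grace_period=timedelta(days=7)):
    """Fleet-level view: adoption rate, non-compliant devices, missing escrow."""
    verdicts = [evaluate(r, now, grace_period) for r in records]
    encrypted = [r for r in records if r["status"] in COMPLIANT_STATUSES]
    return {
        "total": len(records),
        "encrypted": len(encrypted),
        "adoption_rate": round(len(encrypted) / len(records), 2) if records else 0.0,
        "non_compliant": [v for v in verdicts if not v.compliant],
        "missing_escrow": [r["deviceId"] for r in encrypted
                           if not r.get("recoveryKeyEscrowed", False)],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_RECORDS)
    print(f"{report['encrypted']}/{report['total']} encrypted "
          f"(adoption {report['adoption_rate']:.0%})")
    for v in report["non_compliant"]:
        print(f"  NON-COMPLIANT {v.device_id}: {v.reason}")
    print("  missing escrow:", report["missing_escrow"])
```

With the constructed records the report marks win-003 (encrypting past the grace period), mac-001 (encrypted but no escrowed key) and mac-002 (Error) as non-compliant, while win-002 passes because its encryption started inside the 7-day window. In practice the records would come from the encryption status endpoint and the non-compliant list would feed the Conditional Access block described above.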
API Reference
- GET /api/devices/security/encryption/status — Get status summary
- GET /api/devices/security/encryption/:deviceId — Device encryption details
- GET /api/devices/security/encryption/keys/:deviceId — Get recovery keys
- POST /api/devices/security/encryption/policies — Create policy