Silently Enforce Bitlocker Using Endpoint Manager (Intune)

BitLocker is one of the most essential security features to deploy to your Windows devices.

Source: Microsoft
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer’s hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.

Step 1: Create Device Configuration Policy.

Start by visiting the Endpoint Manager portal, open up “Windows” under “Devices” and create a new configuration policy.

Endpoint Manager Admin Center

Platform: Windows 10 and later
Profile type: Templates
Template name: Endpoint Protection

Provide a name and a brief description for your new configuration policy. Keep in mind it's a great idea to be very specific so future admins know exactly what the policy does.

Name: Silently Enforce Bitlocker
Description: This policy will silently enable BitLocker on all targeted “Windows 10 and later” devices and back up the recovery key directly to the computer object in AzureAD.

Step 2: Configure Bitlocker Settings

In the configuration settings, unfold the option “Windows Encryption”.

This is a rather long list of settings; below I will be providing screenshots of all the necessary settings.

Once you have configured the settings above, you need to specify which devices will be targeted by the new BitLocker policy. As always, I recommend creating “filters” whenever possible.

Once you have targeted the devices you want to enforce BitLocker on, you can save and create the policy.
The policy will automatically start applying with no user impact. Please allow up to 30 minutes before checking the BitLocker settings on the device.

Step 3: Confirm Bitlocker Has Been Enabled

One way of confirming that your policy works is by going to one of the targeted devices and confirming that BitLocker has been enabled.

Another way is to go to the “Monitor” section of Endpoint Manager and choose the “Encryption Report”. Here you can retrieve a full report of the encryption status of all your devices, including Mac devices.

Step 4: Retrieve Bitlocker Key From AzureAD.

The most important part of configuring silent BitLocker is being able to retrieve the recovery key from a central location.

You should already have set this option within the policy.

Go to the “Endpoint Manager” portal and choose Devices in the left pane. Search for your device and open it. Here you will be able to retrieve the BitLocker recovery key for the device.
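To check Step 3 (is the OS drive actually protected?) and Step 4 (does a recovery password protector exist, and has it been escrowed to the AzureAD device object?) from the device itself, here is an added PowerShell example. It is not part of the original post; it assumes an elevated prompt on an AzureAD-joined Windows 10/11 device and uses only the built-in BitLocker module cmdlets and the BitLocker Management event log.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# prompt on a device targeted by the policy.

$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Summary of what the policy should have produced on the OS drive.
[pscustomobject]@{
    MountPoint           = $osVolume.MountPoint
    ProtectionStatus     = $osVolume.ProtectionStatus      # expect 'On'
    VolumeStatus         = $osVolume.VolumeStatus          # 'FullyEncrypted', or 'EncryptionInProgress' shortly after the policy lands
    EncryptionPercentage = $osVolume.EncryptionPercentage
    EncryptionMethod     = $osVolume.EncryptionMethod      # whatever the policy selected (e.g. XtsAes256)
    KeyProtectors        = ($osVolume.KeyProtector.KeyProtectorType -join ', ')  # expect Tpm and RecoveryPassword
} | Format-List

# The RecoveryPassword protector is the one Intune escrows to the AzureAD computer object;
# without it there is nothing for Step 4 to retrieve.
$recoveryProtectors = $osVolume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

if (-not $recoveryProtectors) {
    Write-Warning 'No RecoveryPassword protector on the OS drive; the policy has not applied fully yet.'
}
elseif ($osVolume.ProtectionStatus -ne 'On') {
    Write-Warning "ProtectionStatus is $($osVolume.ProtectionStatus); allow up to 30 minutes, then re-check or use the Encryption Report."
}
else {
    # Re-escrow each recovery password to AzureAD. This is safe to repeat and is useful
    # when the drive was already encrypted before the policy was assigned, in which case
    # the portal may not show a key for the device yet.
    foreach ($kp in $recoveryProtectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $osVolume.MountPoint -KeyProtectorId $kp.KeyProtectorId
        "Escrowed recovery password protector $($kp.KeyProtectorId) to AzureAD"
    }
}

# Event 845 = recovery information backed up to Azure AD successfully, 846 = backup failed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the event log shows 846 entries, the device is encrypted but the key never reached AzureAD, which is exactly the state the Encryption Report will not flag on its own.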

If you have any questions / feedback or would like to correct me on any of the stuff above, please use the comment section or contact me directly using the blue button in the bottom right corner.
