Introduction
This guide walks through configuring and deploying a Windows BitLocker policy with Microsoft Intune. BitLocker is a full-volume encryption feature that addresses the risk of data theft or exposure from lost, stolen, or improperly decommissioned devices. Intune, Microsoft's cloud-based endpoint management service, can turn BitLocker on across an entire fleet without anyone touching the individual devices.
Recovery keys will be escrowed to the device objects in your Entra ID tenant.
Requirements
- An Intune Administrator or Global Administrator role (to create and assign the policy)
- Devices enrolled in Intune
- Windows 10/11 Pro, Enterprise, or Education edition (Home edition only offers the limited Device Encryption feature and cannot be managed with BitLocker policy)
- A supported Trusted Platform Module (TPM 1.2 or 2.0) in the device
- Devices without a TPM can still be encrypted, but they then need a startup key (USB) or password at every boot, which rules out silent encryption
- Windows 10 version 1809 or later, or Windows 11
- Firmware in native UEFI mode (not legacy BIOS or CSM); this is mandatory for TPM 2.0 devices
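The list above can be checked on a device before the policy is assigned. The following pre-flight script is an added example and not part of the original post; it reads the state the requirements describe (OS build, edition, TPM, firmware mode, Secure Boot, Entra join and MDM enrollment) and changes nothing. It assumes an elevated PowerShell session on the target device, since Get-Tpm and Confirm-SecureBootUEFI need administrator rights.

```powershell
# Added example (not from the original post): pre-flight check for the BitLocker requirements.
# Run from an elevated PowerShell prompt on the device. Read-only.

$results = New-Object System.Collections.Generic.List[object]
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Windows 10 version 1809 is build 17763; every Windows 11 build is higher
$build = [System.Environment]::OSVersion.Version.Build
Add-Check 'OS build 17763 or later (Win10 1809+ / Win11)' ($build -ge 17763) "Build $build"

# Edition: BitLocker policy applies to Pro, Enterprise and Education only
$caption = (Get-CimInstance Win32_OperatingSystem).Caption
Add-Check 'Edition is Pro/Enterprise/Education' ($caption -match 'Pro|Enterprise|Education') $caption

# TPM: present, ready, and spec version 1.2 or 2.0 (SpecVersion looks like "2.0, 0, 1.38")
$tpm  = Get-Tpm
$spec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
$tpmVer = if ($spec) { [version]($spec.Split(',')[0].Trim()) } else { [version]'0.0' }
Add-Check 'TPM present and ready' ([bool]($tpm.TpmPresent -and $tpm.TpmReady)) "SpecVersion: $spec"
Add-Check 'TPM version 1.2 or 2.0' ($tpmVer -ge [version]'1.2') "Parsed $tpmVer"

# Firmware: native UEFI, not legacy BIOS / CSM
Add-Check 'Firmware is native UEFI' ($env:firmware_type -eq 'UEFI') "firmware_type=$($env:firmware_type)"

# Secure Boot: Confirm-SecureBootUEFI throws on a legacy-BIOS machine, so wrap it
try { $sb = [bool](Confirm-SecureBootUEFI) } catch { $sb = $false }
Add-Check 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI=$sb"

# Management state as reported by dsregcmd: Entra joined and an MDM enrollment URL present
$dsreg  = dsregcmd /status
$joined = [bool]($dsreg | Select-String -Quiet 'AzureAdJoined\s*:\s*YES')
$mdm    = [bool]($dsreg | Select-String -Quiet 'MdmUrl\s*:\s*https://')
Add-Check 'Entra ID joined' $joined ''
Add-Check 'MDM (Intune) enrolled' $mdm ''

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more BitLocker requirements are not met on this device.'
}
```

A device that fails the TPM or UEFI checks can still be encrypted, but only with a startup key or password, so it will not complete the silent, standard-user encryption this policy relies on.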
Further reading on BitLocker requirements: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/
Configure BitLocker Encryption Policy
Navigate To and Create Policy
- Sign in to the Microsoft Intune admin center: https://intune.microsoft.com
- Select Endpoint security in the left menu
- Under Manage, select Disk encryption
- To create a new policy, select Create Policy
- For the purpose of this document, we will review an already created policy named BitLocker Deployment
BitLocker Configuration Settings
Within the BitLocker configuration settings, we first configure the overall BitLocker policy and then the administrative template settings that apply to the whole system and to each drive type.

Three settings make encryption silent: Require Device Encryption is Enabled, Allow Warning For Other Disk Encryption is Disabled (this suppresses the user-facing prompt), and Allow Standard User Encryption is Enabled so that encryption completes even when the signed-in user is not a local administrator. With these set, devices encrypt in the background and users are neither prompted nor interrupted.
BitLocker Drive Encryption
Here we specify encryption methods. We will leave everything as default:

BitLocker uses the Advanced Encryption Standard (AES) with a 128-bit or 256-bit key, in either CBC or XTS mode. On Windows 10 version 1511 and later the default is XTS-AES 128 for operating system and fixed data drives; XTS-AES 256 can be selected through these policy settings if your organization requires it. Removable drives default to AES-CBC 128 because XTS volumes cannot be read by older Windows versions.
Operating System (OS) Encryption
Here we will specify how the OS drives will encrypt:

The screenshot above depicts the following:
- OS drives will be encrypted
- Drives will be fully encrypted (as opposed to used space only). Full encryption takes longer on large disks; used space only is sufficient for freshly provisioned devices, while full encryption is the right choice for devices that already hold data, since it also covers remnants of previously deleted files in free space
- No startup pin is required
- As a result, all the other options are not configured
Next we will dive into recovery options:

The screenshot above depicts the following:
- A data recovery agent will not be allowed to be used to recover data
- This can be enabled and also backed up to Entra ID if you wish
- BitLocker will not be enabled until the 48-digit recovery password is stored and backed up to Entra ID
- The pre-boot recovery message and URL will remain as default. You can customize this if you wish to display a company logo or a help desk number to call for assistance.
Fixed Data Drives Encryption
Similar to OS-level encryption above, we will configure encryption for fixed data drives:

The screenshot above, similar to OS-level encryption, depicts the following:
- Fixed data drives will be encrypted
- Drives will be fully encrypted (as opposed to used space encryption only)
- A data recovery agent will not be allowed to be used to recover data
- This can be enabled and also backed up to Entra ID if you wish
- BitLocker will not be enabled until the 48-digit recovery password is stored and backed up to Entra ID
- Deny write access to unencrypted fixed drives is off
- It is recommended to turn this on if you plan to encrypt devices prior to user handoff to ensure no company data can be stored on non-encrypted drives
Removable Drives Encryption
Unlike operating system and fixed data drives, we will elect to not enable encryption on removable drives.

If your organization has strict data drive policies, be sure to check out our next blog post on limiting access to USB storage devices via Intune!
Policy Assignments
Once the policy is configured, click Next, add scope tags if you use them, and you arrive at the Assignments tab. This is where we specify the groups (of users or devices) that the policy applies to or is excluded from.
The policy can be created and saved without any group assignments and updated at a later time. It is always recommended to start with a small test group before rolling out changes to an entire organization.
Verification
The policy deployment and device encryption can be verified from the policy itself under the View report tab, which shows which devices the policy applied to and any errors. Encryption state can also be checked per device in Intune: open the device, go to the Hardware tab, and under Conditional access it shows Encrypted: Yes or No. Devices > Monitor > Encryption report lists encryption readiness and status across all devices. These views reflect the last device check-in, so allow time after assignment before treating a No as a failure.
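The Intune reports only show what the device last reported. For a definitive answer, the following script (an added example, not part of the original post) checks the end state on the device itself against what this policy is meant to produce: OS and fixed drives fully encrypted, protection on, a TPM protector on the OS drive, a recovery password protector on every drive, and a successful key backup to Entra ID. It assumes an elevated PowerShell prompt on a device that has received the policy.

```powershell
# Added example (not from the original post): confirm on the device that the Intune
# BitLocker policy produced the intended end state. Run from an elevated prompt. Read-only.

$volumes = Get-BitLockerVolume
$volumes | Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionMethod,
    EncryptionPercentage, ProtectionStatus,
    @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } } |
    Format-Table -AutoSize

# Only OS and fixed data drives are in scope for this policy; removable drives are excluded
$fixedLetters = Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and ([string]$_.DriveLetter) -match '^[A-Za-z]$' } |
    ForEach-Object { [string]$_.DriveLetter }
$inScope = $volumes | Where-Object { $fixedLetters -contains $_.MountPoint.TrimEnd(':') }

# Expected end state for the policy in this post: fully encrypted, protection on, a
# RecoveryPassword protector on every drive and a TPM protector on the OS drive.
function Test-BitLockerState {
    param($Volume)
    $types = @($Volume.KeyProtector.KeyProtectorType)
    ($Volume.VolumeStatus -eq 'FullyEncrypted') -and
    ($Volume.ProtectionStatus -eq 'On') -and
    ($types -contains 'RecoveryPassword') -and
    ($Volume.VolumeType -ne 'OperatingSystem' -or $types -contains 'Tpm')
}
foreach ($v in $inScope) {
    '{0} {1}' -f $v.MountPoint, $(if (Test-BitLockerState $v) { 'OK' } else { 'NOT YET COMPLIANT' })
}

# Was the recovery password escrowed? The BitLocker management log records event 845 on a
# successful backup to Entra ID and 846 on failure (one event per volume).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845, 846
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

A volume that shows EncryptionInProgress with a rising EncryptionPercentage is healthy and simply not finished; the policy only turns protection on once encryption completes, so NOT YET COMPLIANT during that window is expected.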
Obtaining Recovery Password
A BitLocker recovery password is a 48-digit number used to unlock a volume that has entered recovery mode (for example after a firmware update or a change to the boot configuration). Users may call the help desk to request it when their device is stuck at the recovery screen. With the policy configured above, recovery passwords are backed up automatically to the device object in Entra ID, where they can be viewed from both Intune and Entra ID. Every read of a recovery key is recorded in the Entra ID audit log, and the Entra ID device settings can restrict users from recovering the keys for their own devices.
- Navigate to the device either in Intune or Entra ID
- Select Recovery Keys on the left menu blade
- Choose Show Recovery Key to obtain the key
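The same lookup can be scripted against Microsoft Graph, which is useful for help desk tooling that should not hand out portal access. The following script is an added example, not part of the original post. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds a role permitted to read BitLocker keys, and that you know the device's Entra ID device ID (the GUID on the device object); the key ID prefix parameter matches the identifier shown on the pre-boot recovery screen.

```powershell
# Added example (not from the original post): read a device's BitLocker recovery
# password from Entra ID through Microsoft Graph.
# Assumed inputs: the Entra device ID, and optionally the first characters of the key ID
# displayed on the BitLocker recovery screen. Each key read is written to the audit log.
param(
    [Parameter(Mandatory)] [string] $DeviceId,
    [string] $KeyIdPrefix
)

Connect-MgGraph -Scopes 'BitLockerKey.Read.All' | Out-Null

# The collection call returns key metadata only; the key material is never included here
$listUri = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys?`$filter=deviceId eq '$DeviceId'"
$keys = (Invoke-MgGraphRequest -Method GET -Uri $listUri).value
if (-not $keys) { throw "No recovery keys stored in Entra ID for device $DeviceId" }

# Several keys can exist (one per volume, plus rotated ones); match on the ID the user reads out
if ($KeyIdPrefix) { $keys = $keys | Where-Object { $_.id -like "$KeyIdPrefix*" } }
if (-not $keys)   { throw "No key whose ID starts with '$KeyIdPrefix'" }

foreach ($k in $keys) {
    # Only a GET of a single key with $select=key returns the 48-digit password
    $keyUri = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$($k.id)?`$select=key"
    $full   = Invoke-MgGraphRequest -Method GET -Uri $keyUri
    [pscustomobject]@{
        KeyId      = $k.id
        VolumeType = $k.volumeType   # operatingSystemVolume, fixedDataVolume or removableDataVolume
        Created    = $k.createdDateTime
        Password   = $full.key       # read it to the user; do not log or store it
    }
}
```

Because the password itself is only returned by the single-key request, the script fetches it one key at a time, which keeps the audit trail precise: one audit entry per key actually disclosed.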

Things to Consider
- If the Intune BitLocker policy is applied to a device that is already BitLocker encrypted (whether manually, by Intune, or by GPO), the policy sees that the device is encrypted and makes no changes, even if the Intune policy specifies different settings than the existing configuration
- The device will not decrypt and re-encrypt
- The device will not remove or change an existing startup PIN
- BitLocker startup PINs
- It is currently not possible to require a startup PIN and allow standard user encryption at the same time: setting the initial PIN requires administrator rights, and because the policy applies whether or not an administrator is signed in, encryption never completes on a device used only by standard users
- We work around this by deploying a BitLocker script that sets a pre-set startup PIN on devices. A pre-set PIN is the same secret on every device it is deployed to, so require users to change it to a personal PIN afterwards
- Ensure new devices are not being encrypted by an existing BitLocker GPO, as Group Policy takes priority over Intune when the two conflict (the MDMWinsOverGP policy setting reverses that precedence)
- Devices that were encrypted before the Intune policy applied do not automatically have their recovery passwords backed up to Entra ID
- If you wish to migrate these recovery passwords to Entra ID, this can be done with a remediation script
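The last two points above can be handled with an Intune remediation. The following script is an added example, not the original post's script: for every protected volume it makes sure a recovery password protector exists (a device encrypted earlier with only a TPM protector has nothing to escrow), then pushes that protector to the device's Entra ID object. It assumes the device is Entra joined or hybrid joined and that the remediation runs in the SYSTEM context with "Run script in 64-bit PowerShell" enabled, since the BitLocker module is 64-bit only.

```powershell
# Added example (not from the original post): Intune remediation script that escrows the
# recovery password of every protected volume to Entra ID. Idempotent, so it can be run
# repeatedly; a non-zero exit code reports the remediation as failed in Intune.

$failed = $false
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    $mp = $vol.MountPoint
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # Devices encrypted with only a TPM protector get a recovery password added;
    # this leaves the existing TPM (or TPM+PIN) protector untouched.
    if (-not $rp) {
        Write-Output "$mp has no RecoveryPassword protector; adding one"
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        try {
            # Escrow to the Entra ID device object; works for Entra joined and hybrid joined devices
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Output "$mp protector $($p.KeyProtectorId) backed up to Entra ID"
        } catch {
            Write-Output "$mp protector $($p.KeyProtectorId) FAILED: $($_.Exception.Message)"
            $failed = $true
        }
    }
}

if ($failed) { exit 1 } else { exit 0 }
```

A matching detection script can simply exit 1 when the BitLocker Management event log holds no event 845 for a volume, so that the remediation only runs on devices that still lack an escrowed key. Once the keys are in Entra ID, the script above leaves subsequent runs as no-ops apart from a harmless repeat upload.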
Contact Us
Looking for more Microsoft assistance? Contact Us today to schedule a free consultation with our certified engineers!