BitLocker with Intune – Step-by-Step Guide

This guide walks you through the complete end-to-end workflow for enabling BitLocker disk encryption using Microsoft Intune, from policy creation to compliance enforcement.

Prerequisites

  • Admin access to Microsoft Intune (a role that can create Endpoint security policies, such as Intune Administrator or Endpoint Security Manager)
  • Devices must be Microsoft Entra joined (formerly Azure AD joined) or hybrid joined, and enrolled in Intune
  • TPM 2.0 (recommended; TPM 1.2 also works) enabled and initialised on the devices
  • Secure Boot enabled (lets BitLocker bind the TPM protector to the Secure Boot state, PCR 7, instead of the more change-sensitive PCR 0/2/4/11 profile)

Step 1: Access the Microsoft Intune Admin Center

Open your browser and go to:

https://intune.microsoft.com

Sign in with your Intune administrator account.

Step 2: Navigate to Endpoint Security → Disk Encryption

From the left-hand menu, select Endpoint Security, then choose Disk Encryption.

Step 3: Create a New Disk Encryption Policy

Click Create Policy, then select:

  • Platform: Windows 10 and later
  • Profile: BitLocker

Click Create.

Step 4: Configure BitLocker Settings

Under Configuration settings, define the following:

Setting | Recommendation
Enable BitLocker | Yes
Require TPM | Yes (a TPM-only protector is what allows silent encryption with no user interaction)
TPM startup PIN | Not required (optional; a PIN adds pre-boot protection against attacks that boot the device and probe the running OS, but it breaks silent encryption and must be set by the user)
Recovery key storage | Store in Entra ID
Encryption method | XTS-AES 128-bit (or XTS-AES 256-bit for higher security); choose it before encryption starts, because changing the method later means decrypting and re-encrypting
Encrypt used disk space only | Recommended for faster deployment on new devices; for a disk that has already held data, choose full encryption, because free space is not encrypted and can still contain recoverable old files

Step 5: Configure Recovery Key Escrow

Ensure recovery keys are backed up to Entra ID:

  • Set Save BitLocker recovery information to Azure Active Directory (Entra ID) to Yes
  • Set Store recovery information in Azure Active Directory before enabling BitLocker to Yes (the exact labels vary between Intune UI versions), so that encryption does not start until the recovery password has been escrowed

This allows admins to retrieve the 48-digit recovery password from the device's page in Entra ID when the TPM will not release the key: the user forgot their PIN, the firmware or boot configuration changed, or the drive was moved to another machine.
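The admin-side retrieval described above, as an added example that is not part of the original guide: it pulls a device's escrowed recovery passwords from Entra ID with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.DirectoryManagement modules are installed and that the signed-in admin has consented to the BitLockerKey.Read.All and Device.Read.All scopes; the script parameter name is ours.

```powershell
# Added example (not from the original guide): read a device's escrowed BitLocker
# recovery passwords from Entra ID via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph.Identity.SignIns + Microsoft.Graph.Identity.DirectoryManagement
# modules, and admin consent for BitLockerKey.Read.All and Device.Read.All.
# Reading a key value is an audited operation in Entra ID.

param([Parameter(Mandatory)][string]$DeviceName)   # assumed parameter, e.g. 'LAPTOP-1234'

Connect-MgGraph -Scopes 'BitLockerKey.Read.All', 'Device.Read.All' | Out-Null

# Resolve the device object. Recovery keys are linked by the Entra *device ID*
# (the DeviceId property), not by the directory object ID.
$device = Get-MgDevice -Filter "displayName eq '$DeviceName'" | Select-Object -First 1
if (-not $device) { throw "No Entra ID device named '$DeviceName'" }

# List keys first (metadata only). A device that was re-encrypted or had its
# recovery password rotated can have several; the newest is normally the live one.
$keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($device.DeviceId)'" |
    Sort-Object CreatedDateTime -Descending
if (-not $keys) {
    Write-Warning "No escrowed keys for $DeviceName: escrow never succeeded, check Step 12"
    return
}

foreach ($k in $keys) {
    # The key value itself is only returned when explicitly requested with -Property key
    $full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $k.Id -Property 'key'
    [pscustomobject]@{
        KeyId       = $k.Id                # the Key ID shown on the recovery screen is the start of this value
        Created     = $k.CreatedDateTime
        VolumeType  = $k.VolumeType        # operatingSystemVolume / fixedDataVolume / removableDataVolume
        RecoveryKey = $full.Key            # the 48-digit recovery password
    }
}
```

Match the Key ID printed on the device's recovery screen against KeyId before reading out a password to a user; on a device with several escrowed keys only one of them unlocks the volume that is asking.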

Step 6: Assign the Policy to Entra ID Group

Go to the Assignments section and select the user group or device group that should receive the BitLocker policy. For silent encryption, assign to a device group: a user-group assignment only applies once an assigned user signs in, which is fine for user-driven enrolment but leaves shared or pre-provisioned devices unencrypted until then.

Step 7: Create the Policy

Click Create. The policy is delivered to devices in the assigned group at their next check-in with Intune (normally within a few hours; Sync from the Company Portal or from Settings → Accounts → Access work or school forces an immediate check-in).

Step 8: Policy Delivery to Device

Once delivered, the device receives the encryption configuration automatically. This applies to:

  • Azure AD Joined devices
  • Hybrid joined devices
  • Windows 10/11 endpoints

Step 9: Pre-Check Validation (Critical Step !)

Before encryption starts, the device must pass these checks:

  • ✔ TPM is present, enabled and ready (initialised)
  • ✔ Secure Boot is enabled and the firmware is in native UEFI mode
  • ✔ Device is not already encrypted by a third-party product (BitLocker cannot take over such a volume; a volume already encrypted by BitLocker is simply reported)
  • ✔ No conflicting Group Policy (a local or domain GPO that requires a PIN or startup key, or sets a different encryption method, contradicts the MDM policy)
  • ✔ Device is eligible (supported Windows edition, Entra joined or hybrid joined, Windows Recovery Environment available)

If any pre-check fails: Encryption will NOT start. Admin must fix the issue and re-sync the policy.
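The pre-check list above, reproduced locally on the endpoint as an added example that is not part of the original guide. It assumes an elevated PowerShell session on Windows 10/11 with the built-in TrustedPlatformModule, SecureBoot and BitLocker modules; the check names, the registry values used for the Group Policy conflict test (the well-known FVE policy values UseTPMPIN, UseTPMKey and UseTPMKeyPIN, where 1 means "required") and the reagentc/dsregcmd output patterns are our assumptions and should be verified in your environment.

```powershell
# Added example (not from the original guide): run in an elevated PowerShell
# session on the endpoint to reproduce the Intune pre-checks before waiting for a sync.
# Assumed: built-in TrustedPlatformModule, SecureBoot and BitLocker modules; the
# registry value names under the FVE policy key are the documented GPO values.

function Test-BitLockerPrereqs {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # 1. TPM present, enabled and ready (BitLocker needs TPM 1.2 or later)
    try {
        $tpm = Get-Tpm
        Add-Check 'TPM ready' ($tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmReady) `
            "Present=$($tpm.TpmPresent) Enabled=$($tpm.TpmEnabled) Ready=$($tpm.TpmReady)"
    } catch { Add-Check 'TPM ready' $false $_.Exception.Message }

    # 2. Secure Boot on. Confirm-SecureBootUEFI throws on legacy BIOS/CSM firmware,
    #    so a caught exception also tells you the device is not in native UEFI mode.
    try {
        $sb = Confirm-SecureBootUEFI
        Add-Check 'Secure Boot (UEFI)' $sb "SecureBoot=$sb"
    } catch { Add-Check 'Secure Boot (UEFI)' $false "Not UEFI or query failed: $($_.Exception.Message)" }

    # 3. Windows Recovery Environment enabled (silent encryption relies on it)
    $re = (reagentc /info 2>&1) -join "`n"
    $reLine = ($re -split "`n" | Where-Object { $_ -match 'Windows RE status' }) -join ''
    Add-Check 'WinRE enabled' ($re -match 'Windows RE status:\s+Enabled') $reLine

    # 4. Entra join state, parsed from dsregcmd /status
    $ds  = (dsregcmd /status 2>&1) -join "`n"
    $aad = [bool]($ds -match 'AzureAdJoined\s*:\s*YES')
    $dom = [bool]($ds -match 'DomainJoined\s*:\s*YES')
    Add-Check 'Entra joined or hybrid joined' $aad "AzureAdJoined=$aad DomainJoined=$dom"

    # 5. Current state of the OS volume (an already encrypted volume is reported, not re-encrypted)
    try {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Add-Check 'OS volume not yet encrypted' ($vol.VolumeStatus -eq 'FullyDecrypted') `
            "VolumeStatus=$($vol.VolumeStatus) Protection=$($vol.ProtectionStatus) Method=$($vol.EncryptionMethod)"
    } catch { Add-Check 'OS volume not yet encrypted' $false $_.Exception.Message }

    # 6. Policy conflict: a policy that *requires* a PIN or startup key (value 1)
    #    blocks TPM-only silent encryption. Assumed value names from the FVE GPO.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $requiresUser = $false; $detail = 'no FVE policy key'
    if ($fve) {
        $vals = foreach ($n in 'UseTPMPIN','UseTPMKey','UseTPMKeyPIN') { "$n=$($fve.$n)" }
        $detail = $vals -join ' '
        $requiresUser = ($fve.UseTPMPIN -eq 1) -or ($fve.UseTPMKey -eq 1) -or ($fve.UseTPMKeyPIN -eq 1)
    }
    Add-Check 'No policy requires PIN/startup key' (-not $requiresUser) $detail

    return $results
}

$checks = Test-BitLockerPrereqs
$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) {
    Write-Warning 'One or more pre-checks failed; Intune will not start encryption until they pass.'
}
```

Run it before and after a forced sync: a failing TPM or Secure Boot row is a firmware fix, a failing join row is an enrolment problem, and a failing policy row means a GPO (or an earlier policy) is demanding user interaction that silent encryption cannot provide.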

Step 10: Key Generation

Once pre-checks pass, BitLocker generates two keys:

  • FVEK (Full Volume Encryption Key): the key that actually encrypts the sectors of the volume
  • VMK (Volume Master Key): an intermediate key that encrypts the FVEK

Data is encrypted with the FVEK, the FVEK is stored on the volume encrypted by the VMK, and each key protector (TPM, TPM+PIN, recovery password) holds its own encrypted copy of the VMK. This indirection is what lets you add or remove protectors, or rotate the recovery password, without re-encrypting the disk.

Step 11: TPM Protection

The VMK is sealed to the TPM (Trusted Platform Module), which acts as the hardware root of trust: the TPM only unseals the VMK when the measured boot state (PCR 7 when Secure Boot is on) matches the state it was sealed against. If the drive is moved to another device, the boot loader is tampered with, or the firmware configuration changes, the TPM refuses to release the VMK and the device falls back to the recovery password. Note what this does and does not defend against: a TPM-only protector protects data at rest on a lost or stolen device, but an attacker who can boot the device normally still gets an unlocked OS to attack, which is the gap a startup PIN closes.

Step 12: Recovery Key Escrow to Entra ID

The 48-digit recovery password is uploaded to Microsoft Entra ID and attached to the device object (the TPM protector itself never leaves the TPM and is not escrowed).

If escrow fails and the policy requires recovery information to be stored before enabling BitLocker, encryption does not start. Typical causes:

  • Network connectivity issues (the device cannot reach the Entra ID endpoints)
  • Permission problems (the signed-in account or device identity cannot write the key to the device object)
  • Entra ID registration or sync errors (dsregcmd /status does not report the device as joined)
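When escrow has failed, the fastest way to find out why is to run it by hand and read the result from the BitLocker event log. The following is an added example, not code from the original guide. It assumes an elevated session on an Entra joined or hybrid joined device with the built-in BitLocker module (BackupToAAD-BitLockerKeyProtector, Windows 10 1809 and later); the event IDs 845 (backup succeeded) and 846 (backup failed) in the Microsoft-Windows-BitLocker/BitLocker Management log are the values we rely on and should be verified in your environment.

```powershell
# Added example (not from the original guide): re-run recovery password escrow to
# Entra ID manually and confirm the outcome from the BitLocker event log.
# Assumed: elevated session, built-in BitLocker module, device already Entra/hybrid joined.
# Assumed event IDs: 845 = backup to Entra ID succeeded, 846 = backup failed.

function Invoke-BitLockerKeyEscrow {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Only a RecoveryPassword protector can be escrowed; a TPM protector never leaves the TPM.
    if ($rp.Count -eq 0) {
        Write-Verbose "No RecoveryPassword protector on $MountPoint, adding one"
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($p in $rp) {
        $ok = $true; $err = $null
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        } catch { $ok = $false; $err = $_.Exception.Message }
        [pscustomobject]@{
            MountPoint     = $MountPoint
            KeyProtectorId = $p.KeyProtectorId
            EscrowOk       = $ok
            Error          = $err
        }
    }
}

function Get-BitLockerEscrowEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845, 846
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -eq 845) { 'Success' } else { 'Failed' } } },
            Message
}

$result = @(Invoke-BitLockerKeyEscrow -Verbose)
$result | Format-Table -AutoSize
Get-BitLockerEscrowEvents | Format-Table -AutoSize -Wrap

if ($result.EscrowOk -contains $false) {
    # The three causes listed above, in the order they are worth checking
    dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|DeviceId'
    Test-NetConnection login.microsoftonline.com -Port 443 |
        Select-Object ComputerName, TcpTestSucceeded
}
```

A successful run leaves an 845 event and the key appears on the device's page in Entra ID within a few minutes; an 846 event with no join state or no TCP connectivity points at enrolment or network, and an 846 event on a correctly joined, connected device is usually an identity or permission problem on the device object.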

Step 13: Encryption Starts

BitLocker encrypts the volume in the background at low I/O priority. There is some disk I/O overhead but no interruption, users can keep working, and the device can be rebooted part-way through: encryption resumes where it left off.

Step 14: Monitor Encryption Progress

You can monitor encryption status from:

Intune Admin Center → Endpoint Security → Disk Encryption → Select policy → Device status

or, tenant-wide, from Devices → Monitor → Encryption report.

Or run this command on the Windows device from an elevated (administrator) prompt:

cmd

manage-bde -status
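manage-bde -status tells you whether a volume is encrypted; it does not tell you whether that encryption is actually protecting anything. The following added example (not code from the original guide) reads the same data through Get-BitLockerVolume and flags the states a practitioner cares about: a volume that is encrypted but has protection suspended (the VMK is then stored in the clear on disk, typically after a firmware update that never resumed protection), an OS volume without a TPM-based protector, a missing recovery password protector, and legacy cipher modes. It assumes an elevated session with the built-in BitLocker module; the finding texts are ours.

```powershell
# Added example (not from the original guide): encryption posture check that goes
# beyond manage-bde -status. Assumed: elevated session, built-in BitLocker module.

function Get-BitLockerPosture {
    foreach ($v in Get-BitLockerVolume) {
        $types    = @($v.KeyProtector.KeyProtectorType)
        $findings = @()

        # Encrypted volume with ProtectionStatus Off: the VMK is stored unencrypted on disk,
        # so the volume is readable by anyone who can boot the device or pull the drive.
        if ($v.VolumeStatus -ne 'FullyDecrypted' -and $v.ProtectionStatus -eq 'Off') {
            $findings += 'protection suspended: VMK stored in the clear'
        }
        if ($v.VolumeStatus -eq 'FullyDecrypted') { $findings += 'not encrypted' }
        if ($v.VolumeStatus -in 'EncryptionInProgress', 'EncryptionPaused', 'DecryptionInProgress', 'DecryptionPaused') {
            $findings += "conversion $($v.VolumeStatus) at $($v.EncryptionPercentage)%"
        }

        # The OS volume should be unlocked by the TPM (with or without PIN/startup key)
        $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
        if ($v.VolumeType -eq 'OperatingSystem' -and -not ($types | Where-Object { $_ -in $tpmTypes })) {
            $findings += 'OS volume has no TPM-based protector'
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector (nothing to escrow)'
        }

        # Anything other than XTS-AES is a legacy mode (AES-CBC with or without the diffuser)
        if ($v.VolumeStatus -ne 'FullyDecrypted' -and $v.EncryptionMethod -notin 'XtsAes128', 'XtsAes256') {
            $findings += "legacy cipher mode: $($v.EncryptionMethod)"
        }

        [pscustomobject]@{
            MountPoint   = $v.MountPoint
            VolumeType   = $v.VolumeType
            VolumeStatus = $v.VolumeStatus
            Percent      = $v.EncryptionPercentage
            Protection   = $v.ProtectionStatus
            Method       = $v.EncryptionMethod
            Protectors   = ($types -join ',')
            Findings     = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Get-BitLockerPosture | Format-Table -AutoSize -Wrap
```

A row whose Findings reads OK is the state the Intune policy above is meant to produce: FullyEncrypted, Protection On, XTS-AES, a TPM protector plus a RecoveryPassword protector.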

Step 15: Encryption Complete

Once finished, the volume is encrypted with a TPM protector and a recovery password protector in place, and the data cannot be read if the drive is removed or the device is booted from other media. With Encrypt used disk space only, free space that held data before encryption is not scrubbed, so a device that is being repurposed should use full encryption or be wiped first.

Step 16: Compliance & Access Control

Encryption by itself does not change the compliance state: a separate Intune compliance policy must require it (Device Health → Require BitLocker and/or System Security → Require encryption of data storage on device). Once that policy evaluates the encrypted device as Compliant, the state can be used for:

  • Conditional Access policies that require a compliant device, so an unencrypted device is denied access to Microsoft 365 and other protected apps
  • Zero Trust enforcement, with encryption verified per device instead of assumed
  • Secure access to corporate resources

Final Outcome (Success)

After completing all steps successfully:

  • Data at rest is fully protected
  • Recovery keys securely stored in Entra ID
  • Device is marked compliant
  • Secure access is enforced

Common Failure Points

Issue | Solution
TPM not present or not ready | Enable the TPM in the firmware (BIOS/UEFI) setup; if it is present but not ready, initialise it (tpm.msc or Initialize-Tpm) and confirm Get-Tpm reports TpmReady as True
Secure Boot disabled | Enable Secure Boot in the firmware setup (this may require switching from legacy BIOS/CSM to UEFI mode, which on an existing installation means converting the system disk from MBR to GPT first)
GPO conflict | Check local and domain BitLocker policies (gpresult); remove or align any setting that contradicts the Intune policy, especially one that requires a PIN or startup key
Recovery key not saved | Verify the device is Entra joined and the escrow setting is enabled, then re-run the escrow manually (BackupToAAD-BitLockerKeyProtector) and check the BitLocker Management event log
Network issues | Ensure the device can reach the Entra ID and Intune endpoints

Useful Validation Commands

Run these on the Windows device, from an elevated prompt, to troubleshoot:

Command | Purpose
manage-bde -status | Check encryption status, cipher and conversion progress
Get-BitLockerVolume (PowerShell) | Same data as an object, including key protector types
tpm.msc / Get-Tpm | Check TPM status and readiness
Confirm-SecureBootUEFI (PowerShell) | Check Secure Boot status (errors on legacy BIOS firmware)
reagentc /info | Check that the Windows Recovery Environment is enabled
dsregcmd /status | Check Entra ID (Azure AD) join status
gpresult /h report.html | Check GPO conflicts

Final Tips

Most BitLocker failures happen before encryption starts, especially during:

  • Pre-check validation – TPM or Secure Boot issues
  • Recovery key escrow – Network or permission problems

Always verify these two areas first when troubleshooting.
