BitLocker with Intune – Step-by-Step Guide
This guide walks you through the complete end-to-end workflow for enabling BitLocker disk encryption using Microsoft Intune, from policy creation to compliance enforcement.
Prerequisites
- Admin access to Microsoft Intune
- Devices must be Azure AD joined or Hybrid joined
- TPM 2.0 (recommended) enabled on devices
- Secure Boot enabled
Step 1: Access the Microsoft Intune Admin Center
Open your browser and go to:
Sign in with your Intune administrator account.
Step 2: Navigate to Endpoint Security → Disk Encryption
From the left-hand menu, select Endpoint Security, then choose Disk Encryption.
Step 3: Create a New Disk Encryption Policy
Click Create Policy, then select:
- Platform: Windows 10 and later
- Profile: BitLocker
Click Create.
Step 4: Configure BitLocker Settings
Under Configuration settings, define the following:
| Setting | Recommendation |
|---|---|
| Enable BitLocker | Yes |
| Require TPM | Yes |
| TPM Startup PIN | Not required (optional) |
| Recovery key storage | Store in Entra ID |
| Encryption method | XTS-AES 128-bit (or 256-bit for higher security) |
| Encrypt used disk space only | Recommended for faster deployment |
Step 5: Configure Recovery Key Escrow
Ensure recovery keys are backed up to Entra ID:
- Set Save BitLocker recovery information to Yes
- Set Store recovery keys in Azure Active Directory to Yes
This allows admins to retrieve recovery keys from Entra ID if users forget their PIN or hardware changes.
Step 6: Assign the Policy to Entra ID Group
Go to the Assignments section and select either a user group or device group that should receive the BitLocker policy.
Step 7: Create the Policy
Click Create. The policy will be deployed to all devices in the assigned group during their next sync with Intune.
Step 8: Policy Delivery to Device
Once delivered, the device receives the encryption configuration automatically. This applies to:
- Azure AD Joined devices
- Hybrid joined devices
- Windows 10/11 endpoints
Step 9: Pre-Check Validation (Critical Step!)
Before encryption starts, the device must pass these checks:
- ✔ TPM is available and ready
- ✔ Secure Boot is enabled
- ✔ Device is not already encrypted
- ✔ No conflicting Group Policy
- ✔ Device is eligible
If any pre-check fails, encryption will NOT start. The admin must fix the failing item and re-sync the device with Intune so the policy is re-applied.
Step 10: Key Generation
Once pre-checks pass, the system generates:
- VMK (Volume Master Key)
- FVEK (Full Volume Encryption Key)
These keys are used to encrypt the disk.
Step 11: TPM Protection
Keys are secured using TPM (Trusted Platform Module). TPM acts as a hardware root of trust, ensuring keys are not accessible if the drive is moved to another device.
Step 12: Recovery Key Escrow to Entra ID
The recovery key is automatically uploaded to Microsoft Entra ID.
If escrow fails, encryption pauses until the key has been backed up. Common causes:
- Network connectivity issues
- Permission problems
- Entra ID sync errors
Step 13: Encryption Starts
BitLocker encryption begins in the background. There is no major impact on user performance – users can continue working normally.
Step 14: Monitor Encryption Progress
You can monitor encryption status from:
Intune Admin Center → Endpoint Security → Disk Encryption → Select policy → Device status
Or run this command on the Windows device:
```cmd
manage-bde -status
```
Step 15: Encryption Complete
Once finished, the entire disk is encrypted. The device becomes protected against unauthorized data access.
Step 16: Compliance & Access Control
After successful encryption, the device is marked Compliant in Intune. This enables:
- Conditional Access policies
- Zero Trust security model
- Secure resource access
Final Outcome (Success)
After completing all steps successfully:
- Data at rest is fully protected
- Recovery keys securely stored in Entra ID
- Device is marked compliant
- Secure access is enforced
Common Failure Points
| Issue | Solution |
|---|---|
| TPM not present or not ready | Enable TPM in BIOS |
| Secure Boot disabled | Enable Secure Boot in BIOS |
| GPO conflict | Check local/domain policies |
| Recovery key not saved | Verify Entra ID permissions |
| Network issues | Ensure device can reach Entra ID |
Useful Validation Commands
Run these on the Windows device to troubleshoot:
| Command | Purpose |
|---|---|
| manage-bde -status | Check encryption status |
| tpm.msc | Check TPM status |
| dsregcmd /status | Check Azure AD join status |
| gpresult /h report.html | Check GPO conflicts |
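The Step 9 pre-checks and the validation commands above, combined into one PowerShell script as an added example (not part of the original guide). It assumes an elevated PowerShell session on the Windows device with the built-in TrustedPlatformModule, SecureBoot and BitLocker modules; the function name Test-BitLockerReadiness and the FVE registry check are my own additions.

```powershell
#Requires -RunAsAdministrator
# Added example: runs the Step 9 pre-checks and reports BitLocker status on one device.
function Test-BitLockerReadiness {
    param([string]$MountPoint = $env:SystemDrive)   # OS drive by default (assumption)

    $results = [ordered]@{}

    # 1. TPM present and ready (what tpm.msc shows)
    $tpm = Get-Tpm
    $results['TpmReady'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # 2. Secure Boot enabled; the cmdlet throws on legacy BIOS, which also fails the check
    try   { $results['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $results['SecureBoot'] = $false }

    # 3. Entra ID join state (Azure AD joined or Hybrid joined both report YES here)
    $dsreg = dsregcmd /status
    $joined = $dsreg | Where-Object { $_ -match 'AzureAdJoined\s*:\s*YES' }
    $results['AzureAdJoined'] = ($null -ne $joined)

    # 4. Volume status (what manage-bde -status shows) and whether a recovery
    #    password protector exists, since that is what gets escrowed in Step 12
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $results['VolumeStatus']         = $vol.VolumeStatus
    $results['ProtectionOn']         = ($vol.ProtectionStatus -eq 'On')
    $results['EncryptionPercentage'] = $vol.EncryptionPercentage
    $results['HasRecoveryPassword']  = [bool]($vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # 5. Group Policy BitLocker settings live under this key. Presence is only a
    #    prompt to compare them with the Intune policy, not proof of a conflict.
    $results['FvePolicyKeyPresent'] = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    return [pscustomobject]$results
}

$r = Test-BitLockerReadiness
$r | Format-List

# Mirrors the guide: if any pre-check fails, encryption will not start.
if (-not ($r.TpmReady -and $r.SecureBoot -and $r.AzureAdJoined)) {
    Write-Warning 'Pre-check failed: fix the items marked False, then re-sync the device with Intune.'
}
```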
Final Tips
Most BitLocker failures happen before encryption starts, especially during:
- Pre-check validation – TPM or Secure Boot issues
- Recovery key escrow – Network or permission problems
Always verify these two areas first when troubleshooting.