How to Enable and Configure BitLocker Using Microsoft Intune

Deploy BitLocker drive encryption across Windows 10/11 devices through Microsoft Intune admin center with both silent and interactive methods, including policy configuration and troubleshooting.

April 4, 2026 | 15 min read | Difficulty: medium | Topic: BitLocker | 9 steps

Why Deploy BitLocker Through Microsoft Intune?

BitLocker drive encryption protects your organization's data by encrypting entire drives, making stolen or lost devices useless to unauthorized users. While you can enable BitLocker manually on individual devices, managing encryption across hundreds or thousands of Windows endpoints requires a centralized approach.

Microsoft Intune provides enterprise-grade BitLocker management through cloud-based policies that automatically deploy encryption settings, manage recovery keys, and ensure compliance across your entire Windows fleet. The 2026 version of Intune offers streamlined BitLocker deployment through dedicated Endpoint Security policies, supporting both silent encryption (no user interaction required) and interactive methods.

What BitLocker Deployment Methods Does Intune Support?

Intune supports two primary BitLocker deployment approaches. The recommended method uses Endpoint Security disk encryption policies, which provide a simplified interface specifically designed for encryption management. This approach works best for organizations wanting straightforward BitLocker deployment with minimal configuration complexity.

The alternative method uses traditional Device Configuration profiles with either Endpoint Protection templates or the Settings Catalog. While more complex, this approach offers granular control over every BitLocker setting and works well for organizations with specific compliance requirements or complex encryption scenarios.

What Are the Key Requirements for Intune BitLocker Deployment?

Successful BitLocker deployment through Intune requires proper licensing, compatible hardware, and correct device enrollment. Your devices must run Windows 10 Pro/Enterprise (version 1803 or later) or Windows 11, be joined to Microsoft Entra ID (formerly Azure AD), and include TPM 1.2 or higher (TPM 2.0 recommended for Windows 11).

The devices must also use UEFI BIOS mode rather than legacy BIOS, and cannot have pre-existing third-party encryption software. Your organization needs Microsoft Intune licensing with appropriate permissions for device configuration and endpoint security management.

Implementation Guide

Full Procedure

01

Access Microsoft Intune Admin Center and Navigate to Disk Encryption

Start by signing into the Microsoft Intune admin center where you'll configure BitLocker policies. This is the centralized location for all endpoint security configurations.

Open your web browser and navigate to https://endpoint.microsoft.com. Sign in with your administrator credentials that have Intune device configuration permissions.

Once logged in, navigate to Endpoint security in the left navigation pane, then select Disk encryption. This section contains all encryption-related policies for your managed devices.

Pro tip: Bookmark the Intune admin center URL for quick access. The new endpoint.microsoft.com URL replaced the older portal.azure.com interface for Intune management.

Verification: You should see the Disk encryption overview page with options to create new policies and view existing ones. If you don't see these options, verify your account has the necessary Intune permissions.

02

Create a New BitLocker Policy Using Endpoint Security

Create a dedicated BitLocker policy using the recommended Endpoint Security method. This approach provides a streamlined interface specifically designed for encryption management.

Click Create policy in the Disk encryption section. In the policy creation wizard:

  • Set Platform to Windows 10 and later
  • Set Profile to BitLocker
  • Click Create

On the Basics tab, configure the following:

Name: EndpointSecurity-BitLocker-Production
Description: BitLocker encryption policy for Windows 10/11 devices with silent enablement

Click Next to proceed to configuration settings.

Warning: Use descriptive names for your policies. You'll likely have multiple encryption policies for different device groups, and clear naming prevents confusion during troubleshooting.

Verification: The policy creation wizard should advance to the Configuration settings tab, showing BitLocker-specific options.

03

Configure BitLocker Core Settings for Silent Deployment

Configure the essential BitLocker settings that enable silent encryption without user interaction. These settings are crucial for enterprise deployments where you want encryption to happen automatically.

In the Configuration settings section, configure these key options:

BitLocker Options:

Require Device Encryption: Enabled
Allow Warning For Other Disk Encryption: Disabled
Allow standard users to enable encryption during Entra ID join: Enabled

Operating System Drives:

Silently enable BitLocker on devices with TPM: Enabled
Encryption method for operating system drives: XTS-AES 256-bit
Minimum PIN length: 6 (if using PIN authentication)
Configure recovery password rotation: Enabled

Fixed Data Drives:

Encryption method for fixed data drives: XTS-AES 256-bit
Deny write access to fixed drives not protected by BitLocker: Enabled

The XTS-AES 256-bit encryption method provides the strongest security while maintaining good performance on modern hardware.

Pro tip: Enable recovery password rotation to automatically refresh BitLocker recovery keys periodically. This enhances security by ensuring old recovery keys become invalid over time.

Verification: Hover over the information icons next to each setting to see detailed explanations of what each option does.

04

Configure Recovery Key Management and Storage

Set up proper recovery key management to ensure users can recover their data if they forget passwords or encounter hardware issues. Recovery keys are automatically stored in Microsoft Entra ID.

Configure these recovery settings in the same Configuration settings section:

Recovery options for operating system drives:
- Configure recovery password rotation: Enabled
- Rotation frequency: 180 days
- Save BitLocker recovery information to Azure Active Directory: Enabled
- Recovery information to store: Recovery passwords and key packages
- Allow recovery information to be stored before enabling BitLocker: Required

For additional security, configure these advanced recovery options:

Hide recovery options during BitLocker setup: Enabled
Enable recovery information to be stored before enabling BitLocker: Required
Block the use of certificate-based data recovery agent: Enabled

These settings ensure that recovery keys are safely stored in the cloud before encryption begins, preventing lockout scenarios.

Warning: Never skip recovery key storage configuration. Without proper recovery key management, users could permanently lose access to their encrypted data if they forget their passwords or lose their devices.

Verification: The policy should show all recovery options configured. You can verify recovery keys are being stored by checking the device properties in Entra ID after deployment.
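A local check for the escrow described above, written for this article as an added example (it is not code from the article or from Microsoft): it confirms that every protected volume carries a RecoveryPassword protector, re-runs the escrow of each protector to Entra ID with the built-in BackupToAAD-BitLockerKeyProtector cmdlet, and then lists BitLocker's own escrow events (845 = backed up successfully, 846 = backup failed). It assumes an elevated session on an Entra-joined Windows 10/11 device with the BitLocker module that ships with Pro/Enterprise.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): verify that recovery passwords exist and
# have been escrowed to Entra ID, which is what prevents the lockout scenario the
# article warns about. Assumes an elevated session on an Entra-joined device.
Import-Module BitLocker

function Confirm-BitLockerKeyEscrow {
    [CmdletBinding()]
    param(
        # Volumes to check; defaults to every volume BitLocker knows about
        [string[]]$MountPoint = (Get-BitLockerVolume | Select-Object -ExpandProperty MountPoint)
    )

    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        $recoveryProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        if ($recoveryProtectors.Count -eq 0) {
            # Silent enablement normally adds this protector; without it there is
            # nothing to escrow and the policy has not fully applied yet.
            [pscustomobject]@{ MountPoint = $mp; ProtectorId = $null; Escrowed = $false; Detail = 'No RecoveryPassword protector' }
            continue
        }

        foreach ($kp in $recoveryProtectors) {
            try {
                # Same escrow the Intune policy triggers; safe to repeat on a joined device
                BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                [pscustomobject]@{ MountPoint = $mp; ProtectorId = $kp.KeyProtectorId; Escrowed = $true; Detail = 'Backed up to Entra ID' }
            } catch {
                # Typical failure causes: device not Entra-joined, no network, or no user token yet
                [pscustomobject]@{ MountPoint = $mp; ProtectorId = $kp.KeyProtectorId; Escrowed = $false; Detail = $_.Exception.Message }
            }
        }
    }
}

# Escrow results as BitLocker itself records them in the BitLocker Management log:
# event 845 = recovery information backed up to Entra ID, 846 = backup failed.
function Get-BitLockerEscrowEvents {
    param([int]$MaxEvents = 10)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845, 846
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Confirm-BitLockerKeyEscrow | Format-Table -AutoSize
Get-BitLockerEscrowEvents  | Format-Table -Wrap
```

A device that shows Escrowed = $true here but no recovery key in the Entra ID device properties usually has a join or token problem rather than a BitLocker problem; the 846 event message carries the underlying error.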

05

Assign the Policy to Target Device Groups

Assign your BitLocker policy to specific groups of devices or users. Proper group assignment ensures the policy deploys only to intended devices and prevents conflicts.

Click Next to reach the Scope tags section. If you use scope tags for role-based administration, assign appropriate tags. Otherwise, click Next to continue.

On the Assignments tab, configure your target groups:

  1. Click Add groups under Included groups
  2. Search for and select your target device groups (e.g., "Windows-Workstations" or "Finance-Laptops")
  3. Click Select

For testing, start with a small pilot group:

Included groups: BitLocker-Pilot-Devices (10-20 devices)
Excluded groups: BitLocker-Exceptions (devices that shouldn't be encrypted)

You can assign to both user groups and device groups. Device groups are generally preferred for encryption policies as they ensure consistent application regardless of who logs in.

Pro tip: Always test with a pilot group first. BitLocker encryption can take several hours to complete, and any policy issues are easier to resolve with a smaller group.

Verification: The Assignments section should show your selected groups with the correct inclusion/exclusion settings.

06

Review and Deploy the BitLocker Policy

Complete the policy creation process and deploy it to your selected devices. This final step activates the BitLocker encryption across your managed endpoints.

On the Review + create tab, carefully review all your configuration settings:

  • Policy name and description
  • Platform and profile type (Windows 10 and later, BitLocker)
  • All configuration settings you've defined
  • Target group assignments

If everything looks correct, click Create to deploy the policy.

After creation, the policy will appear in your Disk encryption policies list with a status of "Deploying" or "Active".

Monitor the initial deployment by navigating to Devices > Monitor > Encryption report. This report shows:

Device encryption status:
- Encrypted: Devices with BitLocker successfully enabled
- Ready: Devices that meet requirements but encryption hasn't started
- Not applicable: Devices that don't support BitLocker
- Error: Devices with deployment failures

Warning: BitLocker encryption can take 2-8 hours depending on drive size and system performance. Don't interrupt the process or force restart devices during initial encryption.

Verification: Check the encryption report within 24 hours. Devices should show "Ready" status initially, then progress to "Encrypted" as the process completes.

07

Verify BitLocker Deployment on Target Devices

Confirm that BitLocker is properly deployed and functioning on your target devices. This verification step ensures the policy worked correctly and encryption is active.

On a target device, open Command Prompt as administrator and run:

manage-bde -status

You should see output similar to:

BitLocker Drive Encryption: Configuration Tool version 10.0.22000
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

    Size:                 476.84 GB
    BitLocker Version:    Windows 10
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:       TPM

Additionally, verify in the Intune admin center:

  1. Navigate to Devices > All devices
  2. Select a target device
  3. Check the Encryption section in device properties
  4. Confirm status shows "Encrypted" and recovery key is stored

You can also verify recovery keys are properly stored by checking Devices > Monitor > Encryption report for detailed device-by-device status.

Pro tip: Use the PowerShell command Get-BitLockerVolume for more detailed information about encryption status, including protection status and key protector types.

Verification: All target devices should show "Protection On" status and "100% Encrypted" in the manage-bde output.
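The manual manage-bde check above can be turned into a repeatable test. The script below is an added example written for this article (not code from the article or from Microsoft): it reads every volume with the built-in Get-BitLockerVolume cmdlet mentioned in the pro tip and compares it against the settings from step 03 (protection on, fully encrypted, XTS-AES 256, TPM plus RecoveryPassword protectors on the OS drive), reporting a per-volume pass/fail with reasons. It assumes an elevated PowerShell session; the expected cipher and protector list are parameters so you can match a differently configured policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): compare each BitLocker volume with the
# policy values from step 03 and report what deviates. Assumes an elevated session.
Import-Module BitLocker

function Test-BitLockerPolicyState {
    [CmdletBinding()]
    param(
        # Cipher configured in the policy (XTS-AES 256-bit)
        [string]$ExpectedMethod = 'XtsAes256',
        # Protector types required on the OS drive for silent TPM enablement with cloud recovery
        [string[]]$RequiredOsProtectors = @('Tpm', 'RecoveryPassword')
    )

    foreach ($vol in Get-BitLockerVolume) {
        $problems = New-Object System.Collections.Generic.List[string]
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        if ($vol.ProtectionStatus -ne 'On')            { $problems.Add("ProtectionStatus is $($vol.ProtectionStatus)") }
        # Used Space Only encryption still reports FullyEncrypted at 100%
        if ($vol.VolumeStatus -ne 'FullyEncrypted')    { $problems.Add("VolumeStatus is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)") }
        if ($vol.EncryptionMethod -ne $ExpectedMethod) { $problems.Add("EncryptionMethod is $($vol.EncryptionMethod), expected $ExpectedMethod") }

        if ($vol.VolumeType -eq 'OperatingSystem') {
            foreach ($req in $RequiredOsProtectors) {
                if ($types -notcontains $req) { $problems.Add("Missing $req key protector") }
            }
        } elseif ($types -notcontains 'RecoveryPassword') {
            # Data volumes (fixed drives, and any removable drive currently mounted)
            # should be recoverable independently of the OS volume
            $problems.Add('Missing RecoveryPassword key protector')
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = ($types -join ',')
            Compliant        = ($problems.Count -eq 0)
            Problems         = ($problems -join '; ')
        }
    }
}

$results = Test-BitLockerPolicyState
$results | Format-Table -AutoSize

# Exit 1 when anything deviates, so the same file works as an Intune remediation
# detection script; remove the exit lines if you dot-source this interactively.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it on a device from the pilot group after the encryption report shows "Encrypted"; a device that passes here but still shows "Ready" in Intune has usually not yet checked in, and a sync from the device's Company Portal or a manual Sync from the device page in Intune resolves it.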

08

Configure Compliance Policies for BitLocker Enforcement

Create compliance policies that enforce BitLocker encryption and take action on non-compliant devices. This ensures ongoing security compliance across your organization.

Navigate to Devices > Compliance policies > Create policy. Configure the following:

Platform: Windows 10 and later
Name: BitLocker-Compliance-Policy
Description: Enforce BitLocker encryption on all managed Windows devices

In the Device Health section, configure:

Require BitLocker: Require
Require Secure Boot to be enabled on the device: Require
Require code integrity: Require

Set up actions for noncompliance in the Actions for noncompliance section:

Action: Mark device noncompliant
Schedule: Immediately

Action: Send email to end user
Schedule: 1 day after noncompliance

Action: Block access to company resources
Schedule: 7 days after noncompliance

Assign this compliance policy to the same groups as your BitLocker encryption policy to ensure consistent enforcement.

Warning: Be careful with blocking access to company resources. Ensure users have adequate time and support to resolve compliance issues before access is blocked.

Verification: Check Devices > Monitor > Noncompliant devices to see any devices that don't meet your BitLocker requirements.

09

Troubleshoot Common BitLocker Deployment Issues

Address the most common issues that occur during BitLocker deployment through Intune. Understanding these problems helps you resolve them quickly when they arise.

TPM and Hardware Issues:

If devices show "Not applicable" status, check TPM availability:

tpm.msc

Common solutions:

  • Enable TPM in BIOS/UEFI settings
  • Ensure UEFI mode is enabled (not Legacy BIOS)
  • Update TPM firmware if using TPM 1.2 on Windows 11

Pre-existing Encryption Conflicts:

If third-party encryption is detected, decrypt the drive first:

manage-bde -off C:

Wait for decryption to complete before applying the Intune policy.

Policy Conflicts:

Check for conflicting policies by reviewing:

  • Devices > Configuration profiles - Look for multiple encryption policies
  • Endpoint security > Disk encryption - Ensure only one active BitLocker policy per device group

Standard User Permission Issues:

For Windows 10 devices earlier than 1809, standard users cannot enable BitLocker during Entra ID join. Solutions:

  • Upgrade to Windows 10 1809 or later
  • Use administrator accounts for initial setup
  • Enable the "Allow standard users to enable encryption during Entra ID join" setting

Pro tip: Use the Intune encryption report to identify patterns in failed deployments. Common issues often affect multiple devices with similar configurations.

Verification: After applying fixes, devices should progress from "Error" or "Not applicable" status to "Ready" and then "Encrypted" in the encryption report.
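The hardware, firmware, version and join prerequisites from the requirements section and the troubleshooting items above can be checked in one pass on a device that is stuck at "Not applicable" or "Error". The script below is an added example written for this article (not code from the article or from Microsoft). It uses built-in cmdlets and values that exist on Windows 10/11: Get-Tpm and the Win32_Tpm CIM class for TPM state and spec version, the PEFirmwareType registry value (2 = UEFI, 1 = legacy BIOS), Confirm-SecureBootUEFI, the OS build number (17134 = Windows 10 1803, 17763 = 1809), and the AzureAdJoined line of dsregcmd /status. Third-party encryption cannot be detected generically, so the script only reports the OS volume's BitLocker conversion state and leaves vendor products to be checked in their own console. Assumes an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): readiness checks for silent BitLocker
# enablement through Intune. Assumes an elevated session on Windows 10/11.

function Test-BitLockerReadiness {
    [CmdletBinding()]
    param()
    $results = @()

    # TPM presence/readiness; Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"
    $tpm    = Get-Tpm -ErrorAction SilentlyContinue
    $tpmCim = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec   = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $results += [pscustomobject]@{
        Check  = 'TPM present and ready'
        Pass   = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        Detail = "Spec version $spec (enable the TPM in UEFI settings if none)"
    }

    # Firmware mode from the registry: 2 = UEFI, 1 = legacy BIOS
    $fw = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name PEFirmwareType -ErrorAction SilentlyContinue).PEFirmwareType
    $fwDetail = if ($fw -eq 2) { 'UEFI' } else { 'Legacy BIOS (convert to UEFI/GPT first)' }
    $results += [pscustomobject]@{ Check = 'UEFI firmware mode'; Pass = ($fw -eq 2); Detail = $fwDetail }

    # Secure Boot is also required by the compliance policy in step 08; cmdlet throws on legacy BIOS
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }
    $results += [pscustomobject]@{ Check = 'Secure Boot enabled'; Pass = [bool]$sb; Detail = "Confirm-SecureBootUEFI = $sb" }

    # Windows build: 17134 (1803) for silent enablement, 17763 (1809) for standard users during Entra join
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $results += [pscustomobject]@{ Check = 'Windows 10 1803+ / Windows 11';       Pass = ($build -ge 17134); Detail = "Build $build" }
    $results += [pscustomobject]@{ Check = 'Standard users can enable (1809+)';  Pass = ($build -ge 17763); Detail = "Build $build" }

    # Entra ID join state as reported by dsregcmd
    $joined = (dsregcmd /status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
    $results += [pscustomobject]@{ Check = 'Entra ID joined'; Pass = [bool]$joined; Detail = 'dsregcmd /status, AzureAdJoined line' }

    # OS volume conversion state; a drive still decrypting (manage-bde -off) blocks the policy.
    # Third-party encryption is not detectable here and must be checked in the vendor console.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Select-Object -First 1
    $osDetail = if ($os) { "$($os.MountPoint) $($os.VolumeStatus) $($os.EncryptionPercentage)%" } else { 'No OS volume reported' }
    $results += [pscustomobject]@{
        Check  = 'OS volume not mid-conversion'
        Pass   = [bool]($os -and ($os.VolumeStatus.ToString() -in @('FullyDecrypted', 'FullyEncrypted')))
        Detail = $osDetail
    }

    return $results
}

Test-BitLockerReadiness | Format-Table -AutoSize
```

Any row with Pass = False maps directly onto one of the fixes listed above (enable the TPM, switch to UEFI, upgrade the build, finish decryption, or complete the Entra ID join); once every row passes, the next Intune sync should move the device from "Not applicable" to "Ready".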

Frequently Asked Questions

How long does BitLocker encryption take through Microsoft Intune?

BitLocker encryption through Intune typically takes 2-8 hours depending on drive size, system performance, and encryption method. The process runs in the background and doesn't interrupt normal device usage. Intune uses 'Used Space Only' encryption by default, which only encrypts data that exists on the drive, significantly reducing initial encryption time compared to full drive encryption.

Can I deploy BitLocker silently without user interaction using Intune?

Yes, Intune supports silent BitLocker deployment on Windows 10 version 1803 and later, and all Windows 11 versions. Enable the 'Silently enable BitLocker on devices with TPM' setting in your Endpoint Security policy. This requires devices to have TPM 2.0, be Entra ID joined, and use UEFI BIOS mode. Silent deployment automatically encrypts drives without prompting users for passwords or PINs.

Where are BitLocker recovery keys stored when deployed through Intune?

BitLocker recovery keys are automatically stored in Microsoft Entra ID (formerly Azure AD) when deployed through Intune. Administrators can access these keys through the Intune admin center under device properties or through the Azure portal. Users can also retrieve their own recovery keys by visiting account.microsoft.com and signing in with their work account. Recovery keys are encrypted and stored securely in Microsoft's cloud infrastructure.

What happens if a device doesn't have TPM when deploying BitLocker via Intune?

Devices without TPM will show 'Not applicable' status in the Intune encryption report and won't receive BitLocker encryption. Modern Windows 10/11 devices typically include TPM 1.2 or 2.0, but older hardware may lack TPM chips. You can check TPM availability using 'tpm.msc' on the device. For devices without TPM, consider hardware upgrades or alternative encryption solutions, as BitLocker requires TPM for secure key storage in enterprise environments.

How do I troubleshoot BitLocker deployment failures in Microsoft Intune?

Check the Intune encryption report under Devices > Monitor > Encryption report to identify failed devices. Common issues include TPM not enabled in BIOS, legacy BIOS mode instead of UEFI, pre-existing third-party encryption, or insufficient Windows version. Use 'manage-bde -status' on affected devices to check BitLocker status locally. Review device compliance reports and event logs for specific error codes. Ensure devices meet all prerequisites: TPM 1.2+, UEFI mode, Windows 10 1803+/Windows 11, and Entra ID join status.
