Once in a while I get the question from a community member why their devices are not automatically starting encryption of the operating system drive. They configure some BitLocker settings in Microsoft Intune and deploy these to their devices, but encryption isn't started automatically and different sorts of error messages are seen on the device.
Where it is no problem to respond to each person separately, I thought let's share the configuration which works for me to automatically start BitLocker encryption.
Before we move over to the settings themselves, some 'notes from the field'; otherwise your setup below might not work and you will still see errors like the ones described in this previous post:
- Outdated BIOS and TPM firmware/drivers might cause issues, so update these first.
- Make sure Secure Boot is turned on!
- And while testing, use real hardware, not virtual machines.
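As an added example (not part of the original post), the three notes above can be checked on the test device before you deploy anything. The script below is run in an elevated PowerShell session and uses only built-in cmdlets (Get-Tpm, Confirm-SecureBootUEFI, Get-CimInstance). The virtual-machine detection is a heuristic on common manufacturer/model strings and is an assumption of this example, not an exhaustive list; the firmware versions are reported so you can compare them against what the OEM currently ships.

```powershell
# Added example, not from the original post: pre-flight check for silent BitLocker
# encryption. Run as administrator on the physical device you intend to test with.
function Test-SilentBitLockerPrereqs {
    $r = [ordered]@{}

    # TPM: the profile below requires TPM startup, so the chip must be present and ready.
    # ManufacturerVersion is the TPM firmware version to compare with the OEM's latest.
    $tpm = Get-Tpm
    $r.TpmPresent         = $tpm.TpmPresent
    $r.TpmReady           = $tpm.TpmReady
    $r.TpmFirmwareVersion = $tpm.ManufacturerVersion
    $r.TpmSpecVersion     = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # BIOS/UEFI firmware version and release date, to judge whether it is outdated.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $r.BiosVersion     = $bios.SMBIOSBIOSVersion
    $r.BiosReleaseDate = $bios.ReleaseDate

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS/CSM boot, which we
    # treat as "not enabled".
    try   { $r.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBootEnabled = $false }

    # Real hardware vs. virtual machine (heuristic on well-known vendor strings; assumption).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r.Manufacturer     = $cs.Manufacturer
    $r.Model            = $cs.Model
    $r.IsVirtualMachine = ("$($cs.Manufacturer) $($cs.Model)" -match 'Virtual|VMware|VirtualBox|QEMU|KVM|Xen|Parallels')

    # All three notes from the field satisfied?
    $r.ReadyForSilentEncryption = $r.TpmPresent -and $r.TpmReady -and $r.SecureBootEnabled -and (-not $r.IsVirtualMachine)
    [pscustomobject]$r
}

Test-SilentBitLockerPrereqs | Format-List
```

If ReadyForSilentEncryption comes back False, fix the reported item (TPM state, Secure Boot, or the test hardware) before looking at the Intune profile, because the profile cannot compensate for any of them.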
The settings below work for both Azure AD joined and Hybrid Azure AD joined devices, but there is one big difference: on AAD joined devices encryption already starts during Autopilot enrollment, whereas on HAADJ devices it starts as soon as the first user signs in.
Let's move over to the configuration part.
Configure Endpoint Protection profile
At the moment of writing, I still use an Endpoint Protection profile in Microsoft Intune to configure the encryption settings, as I haven't tested the BitLocker settings found on the Endpoint Security tab yet.
- Sign-in to the Endpoint Manager admin center
- Browse to Devices – Windows
- On the Configuration Profiles tab click +Create profile
- Choose Windows 10 and later as Platform
- Choose Endpoint Protection as Profile type
- Click Create
- Give the configuration profile a Name
- Enter a Description (optional)
- Click Next
Under Windows Encryption it is important to configure at least these settings for silent encryption of the OS drive to work. The key here is to allow standard users to enable encryption and to only allow (require) TPM startup, blocking the other options:
BitLocker base settings
- Encrypt Devices – Require
- Warning for other disk encryption – Block
- Allow standard users to enable encryption during Azure AD Join – Allow
- Configure encryption methods – Enable
- Encryption for operating system drives – Choose your preferred algorithm
BitLocker OS drive settings
- Additional authentication at startup – Require
- BitLocker with non-compatible TPM chip – Block
- Compatible TPM startup – Require TPM
- Other Compatible TPM options – Do not allow
Additional settings to configure are the ones related to BitLocker recovery information.
This should do the trick. If needed you can also configure the settings related to fixed drives and removable data drives, but that is not needed for the OS drive.
Thanks for reading and let me know if you have any questions related to this post.
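As an added example (not part of the original post), the script below checks whether a device actually ended up in the state the settings above intend: the OS drive encrypting or encrypted with the chosen method, a TPM-only protector present, none of the blocked TPM options (PIN, startup key) in use, and a recovery password available for the recovery information settings to back up. It also lists the latest BitLocker error events, which is where the "different sorts of error messages" usually have their explanation. Run it elevated after Autopilot enrollment (AAD joined) or after the first user sign-in (HAADJ). The default of XtsAes256 for -ExpectedMethod is only an assumption of this example; pass the algorithm you selected.

```powershell
# Added example, not from the original post: verify the OS drive against the
# Endpoint Protection settings described above and surface recent BitLocker errors.
function Test-BitLockerOsDrivePolicy {
    param(
        [string]$ExpectedMethod = 'XtsAes256',   # assumption; use your chosen algorithm
        [string]$MountPoint     = $env:SystemDrive
    )
    $vol    = Get-BitLockerVolume -MountPoint $MountPoint
    $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $issues = [System.Collections.Generic.List[string]]::new()

    # "Encrypt devices: Require" -> the OS volume must at least be encrypting.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $issues.Add('OS drive is still fully decrypted; silent encryption never started')
    } elseif ($vol.EncryptionMethod.ToString() -ne $ExpectedMethod) {
        $issues.Add("Encryption method is $($vol.EncryptionMethod), expected $ExpectedMethod")
    }

    # "Compatible TPM startup: Require TPM" -> a TPM-only protector must exist.
    if ('Tpm' -notin $types) { $issues.Add('No TPM-only key protector present') }

    # "Other compatible TPM options: Do not allow" -> none of these may be present.
    $blocked = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinAndStartupKey', 'Password', 'ExternalKey' })
    if ($blocked.Count -gt 0) { $issues.Add("Protector types not allowed by the profile: $($blocked -join ', ')") }

    # Recovery information settings -> the recovery password is what gets escrowed.
    if ('RecoveryPassword' -notin $types) { $issues.Add('No recovery password protector; nothing to back up') }

    # Most recent BitLocker error events (Level 2 = Error) from the management channel.
    $recentErrors = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker-API/Management'; Level = 2 } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split '\r?\n')[0] } }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = $types
        MatchesPolicy    = ($issues.Count -eq 0)
        Issues           = $issues
        RecentErrors     = $recentErrors
    }
}

Test-BitLockerOsDrivePolicy | Format-List
```

A device that shows MatchesPolicy as False together with a "Protector types not allowed" issue typically still has a PIN or startup key from an earlier, interactive policy; one that is still FullyDecrypted with TPM or Secure Boot errors in RecentErrors points back to the notes from the field rather than to the profile.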
11 Comments
Hi Peter, nice to greet you. Thanks for your posts. I would like to know if there is a way to remove disk encryption from Intune on a Windows 10 PC. Thank you.
Hi Pablo,
No, I'm not aware of that option.
You can do it with Intune by deploying a PowerShell script to the PCs where you want BitLocker to be removed. You can set it up from Devices -> Policy -> Scripts
Hi Peter,
Thanks for another great post. I was wondering one thing. For a little while now you can also configure BitLocker in the "endpoint protection" node as well. I read somewhere that this is the new place to configure your security and that the configuration profile for BitLocker will become obsolete. What is your reason for still using the config profile?
Hi Guus,
At the moment I tested the settings from the Endpoint Protection node, not all settings which I needed could already be configured via that node. After that moment, I did another short test but wasn't really sure about a few settings. So I'm still using these settings, as I know for sure this works as expected (at least in the tenants I'm managing).
Thanks for this post, it is very useful and answers the question I had!
Do you know what would happen if an existing policy that prompts the user for Bitlocker settings was changed to the one you have outlined above?
If you mean that the user’s device is already encrypted, nothing should change in this.
Hi, is there a way to enable BitLocker the opposite way? From a script locally to enable BitLocker for Intune, since Intune saves recovery keys and such.
Is there also a way to set a predefined Bitlocker pin through intune? Instead of having the end user setting it up?
No, not by a policy. You end up setting this using a PowerShell script, for example.
Thanks Peter for the clear demonstration.
I have a question in mind: how do I enroll my domain joined devices?
Note:
I have my on-prem AD and use AD Connect to replicate to Azure AD.