BitLocker Encryption Management with Intune – Complete Guide

Deploy, escrow, and enforce BitLocker at scale through Intune — silent encryption, Conditional Access tie-in, self-service recovery, and the failure modes that actually happen.

BitLocker Encryption Management with Intune – Complete Guide

🔒 BitLocker Encryption Management with Intune

BitLocker provides full disk encryption for Windows devices, protecting data at rest. Managed through Intune, encryption becomes silent, enforceable, and auditable at scale — recovery keys escrow to Entra ID automatically, and compliance policies catch every unencrypted device before it becomes a liability.

XTS-AES 256 TPM 2.0 Intune-Managed Entra Key Escrow Conditional Access

📋 Overview

BitLocker encrypts the entire OS drive (and optionally removable drives) using AES-128 or AES-256 (XTS mode recommended). The encryption key is protected by one or more key protectors: TPM, TPM+PIN, Recovery Key.

ℹ️
Recommended Configuration: TPM 2.0 + PIN (startup PIN) for highest security. For large-scale enterprise with no keyboard at boot: TPM-only (Silent Encryption) as minimum — keys stored in Entra ID.
⚠️
Used Space Only vs. Full Encryption: New hardware from the factory should use Used Space Only — it encrypts only the blocks currently holding data, finishing in minutes instead of hours. Reserve Full Encryption for devices that previously stored unencrypted data, since deleted files can still leave recoverable remnants on unencrypted free space. Getting this backwards is the single most common cause of "encryption taking forever" tickets.
intune.microsoft.com › Endpoint security › Disk encryption
🏠 Home
📱 Devices
🔧 Configuration
🔒 Disk encryption
🛡️ Antivirus
Home › Endpoint securityDisk encryption
Disk encryption policies
+ Create policy
Refresh
Policy namePlatformProfileStatusAssigned
BitLocker-Windows11WindowsBitLocker Active All Windows devices
FileVault-macOSmacOSFileVault Active All Mac devices
💡 BitLocker recovery keys are automatically escrowed to Entra ID — retrieve from the device Azure AD page if a user locks out.
📸 Intune Disk Encryption policies — BitLocker enforced on all Windows, FileVault on all macOS.

🔑 Key Protectors

ProtectorHow it worksSecurity Level
TPM onlyTPM releases key automatically at boot if PCR values matchMedium – protects offline attacks
TPM + PINTPM + user-entered PIN at startupHigh – protects even if TPM is compromised
TPM + Network UnlockTPM + corporate network presence at boot (domain-joined)High – transparent for office devices
Recovery Key (48-digit)Manual 48-digit key entry when TPM failsBackup only – store in Entra ID
PasswordUser-entered password (without TPM)Low – not recommended

📱 Intune Policy (Endpoint Security → Disk Encryption)

SettingRecommended Value
Require BitLockerYes
BitLocker OS drive encryption methodXTS-AES 256
BitLocker fixed drive encryption methodXTS-AES 256
Require device to be Bitlocker protected before storing recovery infoYes
Save BitLocker recovery information to Azure ADYes
Store recovery passwords and key packagesYes
Startup authentication required (TPM+PIN)Yes (for high-security environments)
BitLocker removable drive policyConfigure – encrypt removable drives
Encryption type (OS and fixed drives)Used Space Only (new hardware) / Full (repurposed hardware)
Fixed drive recovery — save to Azure AD / hide UIYes / Yes
Deny write access to unprotected fixed drivesYes
Configure recovery password rotationEnabled (Windows 10 2004+ / Windows 11)
🔄
Recovery key rotation: On Windows 10 2004+ and Windows 11, Intune-managed devices automatically rotate the recovery password after it's used to unlock the drive — closing the window where a once-used key stays valid indefinitely. Confirm this is enabled; it's off by default on older baseline profiles.

🚦 Compliance & Conditional Access

The Disk Encryption profile turns BitLocker on — it does not, by itself, block an unencrypted device from reaching corporate resources. That enforcement comes from a Compliance Policy paired with Conditional Access.

LayerSettingEffect
Compliance Policy (Windows 10/11)Require encryption of data storage on device: RequireDevice is flagged non-compliant if BitLocker isn't active
Conditional AccessGrant access only if device marked CompliantNon-encrypted devices are blocked from Exchange Online, SharePoint, Teams, etc.
Intune → ReportsDevice compliance report, filtered by policySurfaces exactly which devices are failing the encryption check and why
⚠️
Don't skip this pairing: A Disk Encryption profile with no matching Compliance Policy means encryption is a suggestion, not a control. If a device fails to encrypt silently (missing TPM, Secure Boot disabled, third-party encryption conflict), Compliance + CA is what actually stops that device from touching company data — the encryption profile alone won't.

💾 Recovery Key Management

Recovery keys are automatically escrowed to Entra ID when using Intune-managed BitLocker. To retrieve:

# PowerShell – Get BitLocker recovery key from Entra ID
Get-MgDeviceBitLockerRecoveryKey -Filter "deviceId eq 'device-object-id'" |
    Select-Object Id, Key, CreatedDateTime

# Via Entra admin portal:
# Devices → [Device Name] → BitLocker Keys
⚠️
Access Control: Limit who can view BitLocker recovery keys in Entra ID. Use the "BitLocker Key Reader" role for help desk staff — not Global Admin.
🔀
Hybrid Join gotcha: On Hybrid Entra Joined devices, the recovery key escrows to Entra ID only after the device's Entra Connect sync cycle completes — not instantly at encryption time. A device encrypted minutes ago may show no key yet in Entra. For on-prem-only (non-hybrid) devices, escrow instead requires the AD schema extension and Group Policy "Store BitLocker recovery information in Active Directory Domain Services" — Intune's Entra escrow setting has no effect there.

🙋 Self-Service Recovery via Company Portal

Every recovery key call to the help desk is avoidable overhead. Intune's Company Portal app lets end users retrieve their own BitLocker recovery key directly, without exposing it through IT.

1
User hits the recovery screen
Device boots to the BitLocker recovery prompt and shows a Key ID.
2
User opens Company Portal on another device
Devices → select the locked device → "Get BitLocker recovery key" retrieves the matching 48-digit key by Key ID.
3
User enters the key and unlocks
No help desk ticket, no key exposure to an agent, and the retrieval itself is logged in Entra ID sign-in activity.
ℹ️
Self-service recovery requires the device to already be Entra registered/joined with the key escrowed — it's the same escrow this guide already assumes, just exposed to the end user instead of only IT.

🤫 Silent Encryption

Silent Encryption automatically enables BitLocker without user interaction. Prerequisites:

  • Device must have TPM 2.0
  • Device must be Modern Standby (HSTI compliant) or have WinPE pre-provisioning
  • Device must be Entra Joined or Hybrid Entra Joined
  • Recovery key automatically backed up to Entra ID

Used for mass corporate deployment — users don't see any BitLocker prompts.

Autopilot / Enrollment Status Page Timing

On devices without Modern Standby (most desktops and many laptops), silent encryption falls back to encrypting after first sign-in rather than during WinPE — meaning the Disk Encryption profile can still be "processing" for several minutes after the Enrollment Status Page (ESP) completes. Don't gate ESP on the encryption profile finishing; gate it on the required apps only, and let encryption catch up in the background. Devices with WinPE pre-provisioning (used with Autopilot "White Glove") avoid this gap entirely by encrypting before the user ever sees the desktop.

📊 Monitoring Encryption Status

Start with Intune's built-in report — Reports → Device encryption — before reaching for KQL. It shows encryption readiness and status per device out of the box, with no Log Analytics connector required.

# Check BitLocker status on local device
manage-bde -status C:

# KQL – Non-encrypted devices in Intune (Log Analytics / Sentinel)
IntuneDeviceComplianceOrg
| where isEncrypted == false
| where OS == "Windows"
| project DeviceName, UserName, isEncrypted, LastContact
| order by LastContact asc

🛠️ Troubleshooting — Common Failure Reasons

SymptomLikely CauseFix
Device stuck "Encryption pending"TPM not present/enabled, or Secure Boot disabled in firmwareEnable TPM 2.0 + Secure Boot in UEFI; confirm via Intune hardware inventory
Compliance shows non-encrypted but device is encryptedReport lag — device hasn't checked in since encryptingForce sync from Company Portal or wait one check-in cycle before escalating
Recovery key missing in Entra IDHybrid Join device, Entra Connect sync hasn't run yetWait for next sync cycle, or trigger a manual delta sync
Encryption never startsThird-party disk encryption already present (e.g., McAfee, Symantec, PGP)Fully decrypt and remove the conflicting product first — BitLocker won't co-exist with it
Full disk encryption takes hours"Full" encryption type applied to new/never-used hardwareSwitch policy to "Used Space Only" for new deployments
BitLocker suspends after every patch cycleFirmware/driver updates that touch boot config auto-suspend protectionConfirm auto-resume is enabled; Intune re-enables protectors automatically post-update — investigate if it isn't

✅ Checklist – BitLocker

    📱 Intune Policy
  • Create Endpoint Security Disk Encryption policy for Windows
  • Set encryption method: XTS-AES 256
  • Set encryption type: Used Space Only for new hardware, Full for repurposed devices
  • Enable: Save recovery key to Azure AD / Entra ID
  • Enable: Require encryption before storing recovery key
  • Enable recovery password rotation (Windows 10 2004+ / 11)
  • 🚦 Compliance & Conditional Access
  • Create Compliance Policy: Require encryption of data storage on device
  • Confirm Conditional Access blocks non-compliant devices from corporate resources
  • 🔒 Security
  • Verify TPM 2.0 present on all devices (Intune hardware report)
  • Configure PIN for high-security users (IT admins, executives)
  • For hybrid-joined fleets, confirm Entra Connect sync frequency is short enough for timely key escrow
  • 🙋 Self-Service
  • Confirm Company Portal "Get BitLocker recovery key" is available to reduce help desk load
  • 📊 Monitoring
  • Review Intune's native Device encryption report weekly
  • Limit BitLocker key viewer access (role-based — BitLocker Key Reader, not Global Admin)
  • Alert when compliance drops below 95% encryption rate