BitLocker Encryption Management with Intune – Complete Guide
Deploy, escrow, and enforce BitLocker at scale through Intune — silent encryption, Conditional Access tie-in, self-service recovery, and the failure modes that actually happen.
🔒 BitLocker Encryption Management with Intune
BitLocker provides full disk encryption for Windows devices, protecting data at rest. Managed through Intune, encryption becomes silent, enforceable, and auditable at scale — recovery keys escrow to Entra ID automatically, and compliance policies catch every unencrypted device before it becomes a liability.
📋 Overview
BitLocker encrypts the entire OS drive (and optionally removable drives) using AES-128 or AES-256 (XTS mode recommended). The encryption key is protected by one or more key protectors: TPM, TPM+PIN, Recovery Key.
| Policy name | Platform | Profile | Status | Assigned |
|---|---|---|---|---|
| BitLocker-Windows11 | Windows | BitLocker | Active | All Windows devices |
| FileVault-macOS | macOS | FileVault | Active | All Mac devices |
🔑 Key Protectors
| Protector | How it works | Security Level |
|---|---|---|
| TPM only | TPM releases key automatically at boot if PCR values match | Medium – protects offline attacks |
| TPM + PIN | TPM + user-entered PIN at startup | High – protects even if TPM is compromised |
| TPM + Network Unlock | TPM + corporate network presence at boot (domain-joined) | High – transparent for office devices |
| Recovery Key (48-digit) | Manual 48-digit key entry when TPM fails | Backup only – store in Entra ID |
| Password | User-entered password (without TPM) | Low – not recommended |
📱 Intune Policy (Endpoint Security → Disk Encryption)
| Setting | Recommended Value |
|---|---|
| Require BitLocker | Yes |
| BitLocker OS drive encryption method | XTS-AES 256 |
| BitLocker fixed drive encryption method | XTS-AES 256 |
| Require device to be Bitlocker protected before storing recovery info | Yes |
| Save BitLocker recovery information to Azure AD | Yes |
| Store recovery passwords and key packages | Yes |
| Startup authentication required (TPM+PIN) | Yes (for high-security environments) |
| BitLocker removable drive policy | Configure – encrypt removable drives |
| Encryption type (OS and fixed drives) | Used Space Only (new hardware) / Full (repurposed hardware) |
| Fixed drive recovery — save to Azure AD / hide UI | Yes / Yes |
| Deny write access to unprotected fixed drives | Yes |
| Configure recovery password rotation | Enabled (Windows 10 2004+ / Windows 11) |
🚦 Compliance & Conditional Access
The Disk Encryption profile turns BitLocker on — it does not, by itself, block an unencrypted device from reaching corporate resources. That enforcement comes from a Compliance Policy paired with Conditional Access.
| Layer | Setting | Effect |
|---|---|---|
| Compliance Policy (Windows 10/11) | Require encryption of data storage on device: Require | Device is flagged non-compliant if BitLocker isn't active |
| Conditional Access | Grant access only if device marked Compliant | Non-encrypted devices are blocked from Exchange Online, SharePoint, Teams, etc. |
| Intune → Reports | Device compliance report, filtered by policy | Surfaces exactly which devices are failing the encryption check and why |
💾 Recovery Key Management
Recovery keys are automatically escrowed to Entra ID when using Intune-managed BitLocker. To retrieve:
# PowerShell – Get BitLocker recovery key from Entra ID
Get-MgDeviceBitLockerRecoveryKey -Filter "deviceId eq 'device-object-id'" |
Select-Object Id, Key, CreatedDateTime
# Via Entra admin portal:
# Devices → [Device Name] → BitLocker Keys
🙋 Self-Service Recovery via Company Portal
Every recovery key call to the help desk is avoidable overhead. Intune's Company Portal app lets end users retrieve their own BitLocker recovery key directly, without exposing it through IT.
🤫 Silent Encryption
Silent Encryption automatically enables BitLocker without user interaction. Prerequisites:
- Device must have TPM 2.0
- Device must be Modern Standby (HSTI compliant) or have WinPE pre-provisioning
- Device must be Entra Joined or Hybrid Entra Joined
- Recovery key automatically backed up to Entra ID
Used for mass corporate deployment — users don't see any BitLocker prompts.
Autopilot / Enrollment Status Page Timing
On devices without Modern Standby (most desktops and many laptops), silent encryption falls back to encrypting after first sign-in rather than during WinPE — meaning the Disk Encryption profile can still be "processing" for several minutes after the Enrollment Status Page (ESP) completes. Don't gate ESP on the encryption profile finishing; gate it on the required apps only, and let encryption catch up in the background. Devices with WinPE pre-provisioning (used with Autopilot "White Glove") avoid this gap entirely by encrypting before the user ever sees the desktop.
📊 Monitoring Encryption Status
Start with Intune's built-in report — Reports → Device encryption — before reaching for KQL. It shows encryption readiness and status per device out of the box, with no Log Analytics connector required.
# Check BitLocker status on local device
manage-bde -status C:
# KQL – Non-encrypted devices in Intune (Log Analytics / Sentinel)
IntuneDeviceComplianceOrg
| where isEncrypted == false
| where OS == "Windows"
| project DeviceName, UserName, isEncrypted, LastContact
| order by LastContact asc
🛠️ Troubleshooting — Common Failure Reasons
| Symptom | Likely Cause | Fix |
|---|---|---|
| Device stuck "Encryption pending" | TPM not present/enabled, or Secure Boot disabled in firmware | Enable TPM 2.0 + Secure Boot in UEFI; confirm via Intune hardware inventory |
| Compliance shows non-encrypted but device is encrypted | Report lag — device hasn't checked in since encrypting | Force sync from Company Portal or wait one check-in cycle before escalating |
| Recovery key missing in Entra ID | Hybrid Join device, Entra Connect sync hasn't run yet | Wait for next sync cycle, or trigger a manual delta sync |
| Encryption never starts | Third-party disk encryption already present (e.g., McAfee, Symantec, PGP) | Fully decrypt and remove the conflicting product first — BitLocker won't co-exist with it |
| Full disk encryption takes hours | "Full" encryption type applied to new/never-used hardware | Switch policy to "Used Space Only" for new deployments |
| BitLocker suspends after every patch cycle | Firmware/driver updates that touch boot config auto-suspend protection | Confirm auto-resume is enabled; Intune re-enables protectors automatically post-update — investigate if it isn't |
✅ Checklist – BitLocker
- Create Endpoint Security Disk Encryption policy for Windows
- Set encryption method: XTS-AES 256
- Set encryption type: Used Space Only for new hardware, Full for repurposed devices
- Enable: Save recovery key to Azure AD / Entra ID
- Enable: Require encryption before storing recovery key
- Enable recovery password rotation (Windows 10 2004+ / 11)
- Create Compliance Policy: Require encryption of data storage on device
- Confirm Conditional Access blocks non-compliant devices from corporate resources
- Verify TPM 2.0 present on all devices (Intune hardware report)
- Configure PIN for high-security users (IT admins, executives)
- For hybrid-joined fleets, confirm Entra Connect sync frequency is short enough for timely key escrow
- Confirm Company Portal "Get BitLocker recovery key" is available to reduce help desk load
- Review Intune's native Device encryption report weekly
- Limit BitLocker key viewer access (role-based — BitLocker Key Reader, not Global Admin)
- Alert when compliance drops below 95% encryption rate