BitLocker Drive Encryption is a Windows data protection feature that encrypts the operating system drive, fixed data drives and removable data drives. Its protection of the OS drive is anchored in platform features: UEFI Secure Boot, the Hardware Security Test Interface (HSTI) and a Trusted Platform Module (TPM) version 1.2 or later. The TPM seals the volume key to the measured boot state, so the OS drive unlocks automatically only when the boot chain matches what was measured at encryption time; any other boot path falls back to recovery.

In an enterprise, BitLocker can be deployed to devices with minimal administrative overhead using Group Policy or Microsoft Intune.

BitLocker prerequisites

  • A valid Intune license
  • A TPM version 1.2 or later
  • Devices must be Azure AD joined or Hybrid Azure AD joined, with the firmware in UEFI mode (not legacy BIOS)
  • The disk must have two partitions: the operating system drive, which holds Windows, and the system partition, which holds the files needed to load Windows after the firmware has initialised the hardware. Microsoft recommends a system partition of at least 350 MB. It stays unencrypted because the firmware must read the boot loader before BitLocker can unlock the OS volume. On a fresh installation Windows creates these partitions automatically.

In this article we cover BitLocker deployment via Intune. There are two ways to deploy BitLocker with Intune:

  1. Creating a disk encryption policy under Endpoint security
  2. Creating a configuration profile for BitLocker

We will cover the high-level steps for deploying BitLocker using a disk encryption policy in Intune.

Sign in to the Intune admin center with an account that has sufficient admin rights, navigate to Endpoint security in the left-hand menu, click Disk encryption and select Create Policy.

On the Create a profile pane, select Windows 10 and later under Platform, set Profile to BitLocker and click Create.

This takes you to the Basics page. Give the policy a descriptive name and description, then click Next to define the settings under Configuration settings.

Under BitLocker base settings, use the following options:

  • Enable full disk encryption for OS and fixed data drives – Yes (enforces BitLocker on the OS and fixed drives. A drive that was already encrypted with settings matching the policy reports success; one whose existing configuration does not match reports a failure, because the encryption method of an encrypted drive cannot be changed without decrypting it first)
  • Require storage cards to be encrypted (mobile only) – Not configured (Yes requires encryption of storage cards on mobile devices)
  • Hide prompt about third-party encryption – Yes
    (If BitLocker is enabled on a system that has already been encrypted by a third-party product, the device may become unusable, data may be lost and Windows may need to be reinstalled, so never enable BitLocker on a device that has third-party encryption installed or enabled. The BitLocker setup wizard therefore warns users and asks them to confirm that no third-party encryption is in place. Yes suppresses that prompt; Not configured keeps the default, which is to warn. Silent enablement requires the prompt to be hidden, because any prompt breaks the silent workflow, which also means you must verify the absence of third-party encryption yourself before targeting the policy.)
  • Allow standard users to enable encryption during Autopilot – Yes
    (In Azure AD join silent-enable scenarios, users then do not need to be local administrators for BitLocker to be enabled. Not configured keeps the client default, which requires local admin rights.)
  • Configure client-driven recovery password rotation – Enable rotation on Azure AD-joined devices (once a recovery password has been used to unlock a drive, the client generates a new one and backs it up to Azure AD, so a password that has been read out of the portal or written down by a user is single-use. Rotation depends on recovery information being backed up to Azure AD, which the drive settings below require.)

Then under BitLocker fixed drive settings, set BitLocker fixed drive policy to Configure and set the options as follows:

  • Fixed drive recovery – Configure (exposes the drive recovery options below)
  • Recovery key file creation – Allowed (lets an administrator create a 256-bit recovery key file manually)
  • Configure BitLocker recovery package – Password and key (backs up both the 48-digit recovery password and the key package)
  • Require device to back up recovery information to Azure AD – Yes (recovery information is stored in Azure Active Directory, where an administrator can retrieve it from the device object)
  • Recovery password creation – Required (a 48-digit recovery password is generated and sent to Azure AD)
  • Hide recovery options during BitLocker setup – Yes (stops the user from choosing extra recovery options, such as printing the recovery key, during setup)
  • Enable BitLocker after recovery information to store – Yes (BitLocker is not turned on until the recovery information has been backed up successfully, so a drive is never encrypted while its only recovery password exists on the device itself)
  • Block the use of certificate-based data recovery agent – Not configured
  • Block write access to fixed data drives not protected by BitLocker – Yes (unencrypted fixed drives become read-only, so data cannot be written to a drive the policy has not yet encrypted)
  • Configure encryption method for fixed data drives – AES 128-bit XTS (XTS is the mode Microsoft recommends and 128-bit is the Windows default for OS and fixed drives; choose AES 256-bit XTS if your security baseline requires it, and decide before the first device encrypts, because changing the method later means decrypting and re-encrypting the drive)

Then under BitLocker OS drive settings, set BitLocker system drive policy to Configure and set the options as follows:

  • Startup authentication required – Yes (selecting Require lets you configure the additional authentication required at system startup, using the Trusted Platform Module (TPM) and optionally a startup PIN)
  • Compatible TPM startup – Required (Required enables BitLocker only with the TPM and fails on a device without one; Allowed enables BitLocker using the TPM if it is present; Blocked enables BitLocker without using the TPM)
  • Compatible TPM startup PIN – Blocked
  • Compatible TPM startup key and PIN – Blocked
    (A PIN or startup key must be entered by the user at every boot and set up interactively, so both are disabled where silent enablement of BitLocker is required. The trade-off: with a TPM-only protector the OS drive unlocks automatically for whoever boots the device, so protection rests on the measured boot chain and the Windows sign-in screen. If your threat model needs pre-boot authentication, allow a PIN and accept that enrollment is no longer silent.)
  • Disable BitLocker on devices where TPM is incompatible – Not configured
  • Enable pre-boot recovery URL – Yes (lets you customize the pre-boot recovery message and URL shown on the recovery screen)
  • Pre-boot recovery message (use this option to customize the recovery message, for example the help desk contact users should call to obtain their recovery key)
  • System drive recovery – Configure (controls how a BitLocker-protected OS drive is recovered when the TPM will not release the key, for example after a firmware update, a boot configuration change or a tampered boot chain. Selecting Enable exposes the following options:)
  • Recovery key file creation – Allowed (lets an administrator create a 256-bit recovery key file manually)
  • Configure BitLocker recovery package – Password and key (backs up both the 48-digit recovery password and the key package)
  • Require device to back up recovery information to Azure AD – Yes
  • Recovery password creation – Required (a 48-digit recovery password is generated during BitLocker initialization)
  • Hide recovery options during BitLocker setup – Yes
  • Enable BitLocker after recovery information to store – Yes (BitLocker is not turned on until the recovery information has been backed up successfully)
  • Block the use of certificate-based data recovery agent – Not configured (Yes blocks the use of a Data Recovery Agent (DRA) certificate to recover BitLocker-protected drives)

In the BitLocker removable drive settings, set BitLocker removable drive policy to Configure, set the options as follows and click Next:

  • Configure encryption method for removable data drives – AES 128-bit XTS (XTS-AES volumes cannot be unlocked on Windows versions older than Windows 10 version 1511; if removable drives must be read on older systems, use AES-CBC 128-bit instead)
  • Block write access to removable data drives not protected by BitLocker – Not configured (Yes makes unencrypted removable drives read-only, the usual next hardening step once users are used to encrypting them)
  • Block write access to devices configured in another organization – Not configured (Yes allows writes only to removable drives whose identification field matches your organization's identifier)

Under Scope tags, select your scope tag and click Next.

Then select the device group you want to target with the policy, and proceed to review and create the policy.

Once the policy reaches the targeted devices, encryption starts and you can monitor progress from the policy's overview page; Devices > Monitor > Encryption report shows the same information across all devices.

Select Device status to view per-device progress.

Encryption proceeds silently without end-user intervention, provided the device meets the prerequisites and the policy needs no interactive input (no startup PIN or key, third-party encryption prompt hidden, standard users allowed to enable). A device that fails one of those conditions shows an error in the device status rather than prompting the user.
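The prerequisite list at the start of this article and the monitoring just described can both be checked on the device itself. The following PowerShell script is an added example, not code from the original article or from Microsoft. It assumes Windows 10 or 11 with the in-box BitLocker, TrustedPlatformModule and SecureBoot modules and an elevated session; the function names (Test-BitLockerPrerequisites, Get-BitLockerDeploymentStatus, Backup-RecoveryPasswordToAzureAD) are this example's own.

```powershell
# Added example (not from the original article): pre- and post-deployment checks for the
# Intune BitLocker policy described above. Assumes Windows 10/11, an elevated session and
# the in-box BitLocker, TrustedPlatformModule and SecureBoot modules. Function names are
# this example's own. Nothing on the device is changed unless you call
# Backup-RecoveryPasswordToAzureAD yourself.
#Requires -RunAsAdministrator

function Test-BitLockerPrerequisites {
    # The article's prerequisites as the device sees them: a ready TPM 1.2 or later,
    # UEFI firmware (Secure Boot only exists on UEFI) and Secure Boot turned on.
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    # SpecVersion looks like "2.0, 0, 1.38" or "1.2, 2, 3"; the first field is the TPM family version.
    $tpmVersion = if ($spec) { [version]($spec.Split(',')[0].Trim()) } else { $null }

    $uefi = ($env:firmware_type -eq 'UEFI')
    $secureBoot = $false
    if ($uefi) {
        # Confirm-SecureBootUEFI throws on legacy BIOS and on platforms without the UEFI variables.
        try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    }

    [pscustomobject]@{
        TpmPresent = [bool]$tpm.TpmPresent
        TpmReady   = [bool]$tpm.TpmReady
        TpmVersion = $tpmVersion
        UefiBoot   = $uefi
        SecureBoot = $secureBoot
        Ready      = [bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady -and $uefi -and $secureBoot -and
                     ($null -ne $tpmVersion) -and ($tpmVersion -ge [version]'1.2')
    }
}

function Get-BitLockerDeploymentStatus {
    param([string]$MountPoint = $env:SystemDrive)
    # What the policy should leave behind on the OS drive: encryption with the configured
    # method, a Tpm protector (silent enablement, no PIN) and a RecoveryPassword protector,
    # plus a successful Azure AD escrow. Event 845 in the BitLocker Management log records a
    # successful backup of recovery information to Azure AD, event 846 a failed one.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $escrow = Get-WinEvent -FilterHashtable @{
                  LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
                  Id      = 845, 846
              } -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated -Descending | Select-Object -First 1

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        ProtectionStatus    = $vol.ProtectionStatus    # On means the protectors are active
        EncryptionMethod    = $vol.EncryptionMethod    # e.g. XtsAes128; compare with the policy
        EncryptionPercent   = $vol.EncryptionPercentage
        HasTpmProtector     = ($types -contains 'Tpm')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        LastEscrowResult    = if (-not $escrow) { 'NoEventFound' } elseif ($escrow.Id -eq 845) { 'Success' } else { 'Failed' }
        LastEscrowTime      = if ($escrow) { $escrow.TimeCreated } else { $null }
    }
}

function Backup-RecoveryPasswordToAzureAD {
    param([string]$MountPoint = $env:SystemDrive)
    # Devices encrypted before the policy arrived (OEM or user-enabled BitLocker) may have a
    # recovery password that never reached Azure AD. This escrows every RecoveryPassword
    # protector on the volume to the device's Azure AD object, which is what the policy does
    # by itself for drives it encrypts. Returns the number of protectors escrowed.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($protectors.Count -eq 0) {
        throw "No RecoveryPassword protector on $MountPoint. Add one first: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    }
    foreach ($p in $protectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    $protectors.Count
}

# Stand-alone run: prerequisites first, then the state of the OS drive.
$prereq = Test-BitLockerPrerequisites
$prereq | Format-List
if (-not $prereq.Ready) {
    Write-Warning 'Silent-enablement prerequisites not met; Intune will report an error for this device.'
}
Get-BitLockerDeploymentStatus | Format-List
```

Run it before assigning the policy to find devices that will show an error instead of encrypting, and again afterwards to confirm VolumeStatus is FullyEncrypted, the EncryptionMethod matches the policy and LastEscrowResult is Success. A drive that is FullyEncrypted but reports Failed or NoEventFound is the case Backup-RecoveryPasswordToAzureAD exists for; after running it, check the device's BitLocker keys in Azure AD before relying on the device being recoverable.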

By kevoh