How to Deploy Bitlocker using Intune Settings Catalog 📑
In this article, I will demonstrate how you can deploy Bitlocker using Intune Settings Catalog. You can configure Bitlocker with Intune using the settings catalog, which offers more flexible configuration choices.
BitLocker is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. It provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later.
BitLocker may be configured in Intune for Windows 10 and 11 devices using one of three methods:
- An endpoint protection profile
- An endpoint security disk encryption profile
- A settings catalog profile
The endpoint protection and endpoint security disk encryption profiles use BitLocker configuration service provider (CSP) to configure encryption of PCs and devices, whereas the settings catalog profile uses a combination of BitLocker CSP and ADMX backed settings.
Microsoft advises deploying Bitlocker using an Endpoint protection profile when choosing a configuration approach that best suits the requirements of your organisation. The settings catalog profile is a viable substitute if you require more setup flexibility and alternatives.
Refer to the guide on how to enable and configure Bitlocker using endpoint security disk encryption profile. In this article, I will demonstrate how to configure and deploy BitLocker on Windows 10 and 11 devices via the Intune settings catalog.
Prerequisites for Deploying Bitlocker via Intune Settings Catalog
BitLocker management in Intune is available for devices that run Windows 10 and Windows 11. Enabling BitLocker using Intune requires the following prerequisites to be in place:
- You’ll need a valid Microsoft Intune license.
- The devices must be Azure AD or Hybrid Azure AD joined.
- Devices must not be encrypted using disk encryption software from a third party, such as McAfee Disk Encryption. When deploying BitLocker using Intune, you must completely decrypt any devices that have already been encrypted using other technologies.
- The end devices must have a TPM chip at version 1.2 or higher (TPM 2.0 strongly recommended).
- BIOS must be set to UEFI.
- To manage BitLocker in Intune, your account must have the applicable Intune role-based access control (RBAC) permissions.
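A pre-flight check for the device-side prerequisites above, run in an elevated PowerShell session on the target device. This is an added example, not a script from the original article; it assumes Windows 10/11 with the built-in TrustedPlatformModule module and dsregcmd, and it does not cover the tenant-side items (Intune licence, RBAC permissions) or third-party encryption, which has to be confirmed with the vendor's tooling.

```powershell
# Added example (not from the original article): local check of the BitLocker
# prerequisites before assigning the Intune policy. Run elevated on Windows 10/11.

function Test-BitLockerPrereqs {
    $checks = [System.Collections.Generic.List[object]]::new()

    # 1. TPM present, ready, and spec version 1.2 or higher (2.0 recommended)
    $tpm = Get-Tpm
    $specRaw = (Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    # SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec level
    $spec = if ($specRaw) { [version](($specRaw -split ',')[0].Trim()) } else { [version]'0.0' }
    $checks.Add([pscustomobject]@{
        Check  = 'TPM 1.2+ present and ready'
        Pass   = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and $spec -ge [version]'1.2')
        Detail = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady) Spec=$spec"
    })

    # 2. Firmware must be UEFI, not legacy BIOS
    $checks.Add([pscustomobject]@{
        Check  = 'UEFI firmware'
        Pass   = ($env:firmware_type -eq 'UEFI')
        Detail = "firmware_type=$($env:firmware_type)"
    })

    # 3. Azure AD joined or hybrid Azure AD joined, parsed from dsregcmd /status
    $ds = dsregcmd /status
    $aadJoined    = [bool]($ds -match 'AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($ds -match 'DomainJoined\s*:\s*YES')
    $checks.Add([pscustomobject]@{
        Check  = 'Azure AD or hybrid Azure AD joined'
        Pass   = $aadJoined
        Detail = "AzureAdJoined=$aadJoined DomainJoined=$domainJoined (both = hybrid)"
    })

    # 4. Every volume is in a state BitLocker can work with (no half-finished
    #    conversion); third-party FDE still needs a manual check
    $vols = Get-BitLockerVolume
    $bad  = $vols | Where-Object { $_.VolumeStatus -notin 'FullyDecrypted','FullyEncrypted' }
    $checks.Add([pscustomobject]@{
        Check  = 'Volumes not mid-conversion'
        Pass   = ($bad.Count -eq 0)
        Detail = ($vols | ForEach-Object { "$($_.MountPoint)=$($_.VolumeStatus)" }) -join ' '
    })

    return $checks
}

Test-BitLockerPrereqs | Format-Table -AutoSize
```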
Additional Bitlocker Settings available in Intune Settings Catalog
The following additional BitLocker settings are available in the Intune Settings Catalog and are not available in the other two policy types (endpoint security and device configuration profiles):
- Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
- Allow enhanced PINs for startup
- Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Enforce drive encryption type on operating system drives
- Select the encryption type: (Device)
Deploy Bitlocker using Intune Settings Catalog
Use the following steps to configure and deploy Bitlocker with the Settings Catalog:
- Sign in to the Microsoft Intune admin center.
- Navigate to Devices > Windows devices > Configuration profiles.
- Select + Create profile and choose Windows 10 and later for the Platform and Settings catalog for the Profile type, then select Create.
Name the profile in the Basics tab of the Create profile pane. Add a brief description about the profile. Click Next.
On the Configuration settings tab, select +Add settings.
Type “BitLocker” in the search box to find all related settings for configuring Bitlocker. The Intune settings catalog allows you the flexibility to select which BitLocker settings are added to the policy.
There are five categories, or groups of settings, that you can configure for BitLocker in Intune:
- Bitlocker Drive Encryption
- Fixed Data Drives
- Operating System Drives
- Removable Data Drives
- Bitlocker settings
Bitlocker Settings
The BitLocker category enables silent encryption and recovery password rotation settings. Silent encryption enables BitLocker on a device without any user interaction. The important limitation of this configuration is that, because the user never interacts, they are not prompted for a startup PIN.
Note: You don't have to select all the settings; configure only the ones that are required for your organization. For the purposes of this demonstration, I am going to add them all.
Once you’re done making your category selections, use the X button to close the Settings picker pane and return to the Configurations tab.
The following can be configured for Bitlocker settings:
- Allow warning for other disk encryption
- Configure recovery password rotation
- Removable drives excluded from Encryption
- Require Device Encryption
Bitlocker Drive Encryption Settings
From the Settings catalog, expand the Administrative Templates category to see the setting options starting with BitLocker Drive Encryption. Here you can set the encryption method and cipher strength. In the example below, I have selected XTS-AES 256-bit for fixed data drives and operating system drives, and AES-CBC 128-bit (default) for removable data drives.
I’ve enabled the unique identifiers for illustration, but I haven’t filled them in. Note that outside the administrative templates, BitLocker CSP does not support the setup of the unique IDs.
Bitlocker Operating System Drives in Settings Catalog
When you configure and deploy Bitlocker using Intune Settings Catalog, you get the following additional settings that aren’t available with the other two methods.
- Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
- Allow enhanced PINs for startup
- Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Enforce drive encryption type on operating system drives
- Select the encryption type: (Device)
Bitlocker Fixed Data Drives in Intune Settings Catalog
Configuring Fixed Data Drives settings is similar to the endpoint security settings, with the exception of the Enforce drive encryption type on fixed data drives and Select the encryption type (device) settings. These allow the admin to specify whether BitLocker should encrypt used space only or the entire drive.
Configure Removable Data Drives via Intune Settings Catalog
For removable drives, you’ll find most of the settings similar to endpoint protection policies. However, you’ll want to consider requirements for the Allow users to suspend and decrypt BitLocker protection on removable data drives (device) and Enforce drive encryption type on removable data drives settings as well.
The screenshot below shows the configuration for removable data drives via Intune Settings catalog.
Once you have configured all the Bitlocker settings via Intune Settings Catalog, click Next. On the Assignments tab, add the Azure AD groups to which you want to deploy the Bitlocker settings. Click Next.
On the Review + create page, you’ll find all the BitLocker settings that you have configured. When you’re done, select Create.
After deploying the BitLocker policy via Intune, the policy now appears under the list of Configuration Profiles. A notification also appears confirming that the policy is created.
After you deploy BitLocker using the Intune Settings Catalog, the next step is to monitor the BitLocker encryption status on devices. You can do that from the Intune admin center. In addition, there is a Microsoft Intune encryption report to view details about a device's encryption status and find options to manage device recovery keys.
The Microsoft Intune encryption report is a central place to find out about a device’s encryption status and find ways to manage recovery keys. The recovery key options that are available depend on the type of device you’re viewing.
To find the report, sign in to the Microsoft Endpoint Manager admin center. Select Devices > Monitor, and then under Configuration, select Encryption Report.
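The encryption report shows the tenant-side view; on the endpoint itself you can confirm that what was applied matches the cipher choices from the BitLocker Drive Encryption section (XTS-AES 256 for OS and fixed drives, AES-CBC 128 for removable drives) and that a recovery password protector exists to escrow. This is an added example, not a script from the original article; it assumes the built-in BitLocker and Storage modules on Windows 10/11 and an elevated session.

```powershell
# Added example (not from the original article): per-volume check that the
# encryption applied on an endpoint matches the policy values chosen in this
# article. Run elevated on a device that has received the Intune profile.

# Expected cipher per drive class, as configured in the Settings Catalog above
$expected = @{
    OperatingSystem = 'XtsAes256'   # XTS-AES 256-bit
    Fixed           = 'XtsAes256'   # XTS-AES 256-bit
    Removable       = 'Aes128'      # AES-CBC 128-bit (default)
}

function Get-BitLockerComplianceReport {
    foreach ($vol in Get-BitLockerVolume) {
        # Classify the volume: OS drive, fixed data drive, or removable data drive.
        # Get-BitLockerVolume reports both data kinds as 'Data', so use Get-Volume
        # to tell fixed from removable.
        $letter = $vol.MountPoint.TrimEnd(':')
        $drive  = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
        $kind = if ($vol.VolumeType -eq 'OperatingSystem') { 'OperatingSystem' }
                elseif ($drive.DriveType -eq 'Removable')   { 'Removable' }
                else                                        { 'Fixed' }

        $method = $vol.EncryptionMethod.ToString()
        $recoveryPwds = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            Kind             = $kind
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $method
            ExpectedMethod   = $expected[$kind]
            RecoveryPwdId    = ($recoveryPwds | ForEach-Object { $_.KeyProtectorId }) -join ','
            # Compliant only if fully encrypted, protection on, right cipher,
            # and a recovery password exists that Intune/Azure AD can hold
            Compliant        = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                                $vol.ProtectionStatus -eq 'On' -and
                                $method -eq $expected[$kind] -and
                                $recoveryPwds.Count -gt 0)
        }
    }
}

Get-BitLockerComplianceReport | Format-Table -AutoSize
```

If a volume shows a recovery password that is missing from the Azure AD device record, `BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <RecoveryPwdId>` re-sends that protector so it appears in the encryption report's recovery key options.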
I have one question: we lost the BitLocker recovery key and verified it on the Azure portal and user login portal. Unfortunately, we didn't get the key. Now the user is working on the laptop, and it is asking for a BitLocker key. What is the solution? And the same fixed drive also enabled BitLocker; if I removed the hard drive and connected any additional device, could we recover the data? As per my knowledge, the fixed drive BitLocker key is also saved on C drive. Any recovery tools to recover D drive data?