How to Deploy Bitlocker using Intune Settings Catalog
In this article, I will demonstrate how you can deploy Bitlocker using Intune Settings Catalog. You can configure Bitlocker with Intune using the settings catalog, which offers more flexible configuration choices.
BitLocker is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. It provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later.
BitLocker may be configured in Intune for Windows 10 and 11 devices using one of three methods:
- An endpoint protection configuration profile
- An endpoint security disk encryption profile
- A settings catalog profile
The endpoint protection and endpoint security disk encryption profiles use the BitLocker configuration service provider (CSP) to configure encryption of PCs and devices, whereas the settings catalog profile uses a combination of BitLocker CSP and ADMX-backed settings.
When choosing the configuration approach that best suits the requirements of your organisation, Microsoft advises deploying Bitlocker using an endpoint protection profile. The settings catalog profile is a viable substitute if you require more configuration flexibility and options.
Refer to the guide on how to enable and configure Bitlocker using the endpoint security disk encryption profile. In this article, I will demonstrate how to configure and deploy BitLocker on Windows 10 and 11 devices via the Intune settings catalog.
Prerequisites for Deploying Bitlocker via Intune Settings Catalog
BitLocker management in Intune is available for devices that run Windows 10 and Windows 11. Enabling Bitlocker using Intune requires the following prerequisites to be in place:
- You’ll need a valid Microsoft Intune license.
- The devices must be Azure AD joined or Hybrid Azure AD joined.
- Devices must not be encrypted using disk encryption software from a third party, such as McAfee Disk Encryption. When deploying BitLocker using Intune, you must completely decrypt any devices that have already been encrypted using other technologies.
- The end devices must have a TPM chip at version 1.2 or higher (TPM 2.0 strongly recommended).
- BIOS must be set to UEFI.
- To manage BitLocker in Intune, your account must have the applicable Intune role-based access control (RBAC) permissions.
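The following script is an added example, not part of the original article, that checks a device against the local prerequisites above (TPM version, UEFI firmware, Azure AD or hybrid join state). It assumes an elevated PowerShell session on Windows 10/11 with the built-in Get-Tpm cmdlet and dsregcmd available; Intune licensing, RBAC and third-party disk encryption are not detectable this way and must be verified separately.

```powershell
# Added example (not from the article): local readiness check for the BitLocker
# prerequisites. Run elevated on the target Windows 10/11 device.
# Assumptions: Get-Tpm, Win32_Tpm CIM class and dsregcmd are available.
# Not checked here: Intune license, Intune RBAC, third-party disk encryption.

$checks = [ordered]@{}

# TPM must be present and ready; spec version 1.2 or higher (2.0 recommended).
$tpm = Get-Tpm
$specText = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
    -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion   # e.g. "2.0, 0, 1.16"
$specVer = if ($specText) { [version](($specText -split ',')[0].Trim()) } else { $null }
$checks['TPM present and ready']  = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
$checks['TPM spec 1.2 or higher'] = [bool]($specVer -and ($specVer -ge [version]'1.2'))
$checks['TPM 2.0 (recommended)']  = [bool]($specVer -and ($specVer -ge [version]'2.0'))

# Firmware must be UEFI; Windows exposes the boot mode as an environment variable.
$checks['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')

# Device must be Azure AD joined or hybrid Azure AD joined. dsregcmd prints
# "AzureAdJoined : YES" for both; "DomainJoined : YES" distinguishes hybrid.
$dsreg        = dsregcmd /status
$aadJoined    = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')
$checks['Azure AD or hybrid joined'] = $aadJoined
$joinType = if ($aadJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
            elseif ($aadJoined) { 'Azure AD joined' } else { 'Not Azure AD joined' }

# Only the hard requirements decide readiness; TPM 2.0 is informational.
$required = 'TPM present and ready', 'TPM spec 1.2 or higher',
            'UEFI firmware', 'Azure AD or hybrid joined'

$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
"Join type:                   $joinType"
$ready = ($required | ForEach-Object { $checks[$_] }) -notcontains $false
"Ready for BitLocker via Intune: $ready"
```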
Additional Bitlocker Settings available in Intune Settings Catalog
The following additional Bitlocker settings are available in the Intune Settings Catalog and are not available in the other two policy types (endpoint security and device configuration profiles):
- Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
- Allow enhanced PINs for startup
- Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Enforce drive encryption type on operating system drives
- Select the encryption type: (Device)
Deploy Bitlocker using Intune Settings Catalog
Use the following steps to configure and deploy Bitlocker with the Settings Catalog:
- Sign in to the Microsoft Intune admin center.
- Navigate to Devices > Windows devices > Configuration profiles.
- Select + Create profile and choose Windows 10 and later for the Platform and Settings catalog for the Profile type, then select Create.
Name the profile in the Basics tab of the Create profile pane. Add a brief description of the profile. Click Next.
On the Configuration settings tab, select + Add settings.
Type “BitLocker” in the search box to find all related settings for configuring Bitlocker. The Intune settings catalog allows you the flexibility to select which BitLocker settings are added to the policy.
There are five categories or groups of settings that you can configure for Bitlocker in Intune:
- Bitlocker Drive Encryption
- Fixed Data Drives
- Operating System Drives
- Removable Data Drives
- Bitlocker settings
Bitlocker Settings
The BitLocker category enables silent encryption and recovery password rotation settings. Silent encryption enables BitLocker on a device without the user having to interact. The important limitation of this configuration is that, because the user does not have to interact, they will not be prompted for a startup PIN.
Note: You don’t have to select all the settings; configure only the ones that are required for your organization. For the purposes of this demonstration, I am going to add them all in.
Once you’re done making your category selections, use the X button to close the Settings picker pane and return to the Configuration settings tab.
The following can be configured under Bitlocker settings:
- Allow warning for other disk encryption
- Configure recovery password rotation
- Removable drives excluded from Encryption
- Require Device Encryption
Bitlocker Drive Encryption Settings
From the Settings catalog, expand the Administrative Templates category to see the setting options, starting with BitLocker Drive Encryption. Here you can set the encryption method and cipher strength. In the example below, I have selected XTS-AES 256-bit for fixed data drives and operating system drives, and AES-CBC 128-bit (default) for removable data drives.
I’ve enabled the unique identifiers for illustration, but I haven’t filled them in. Note that outside the Administrative Templates, the BitLocker CSP does not support configuring the unique identifiers.
Bitlocker Operating System Drives in Settings Catalog
When you configure and deploy Bitlocker using Intune Settings Catalog, you get the following additional settings that aren’t available with the other two methods.
- Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
- Allow enhanced PINs for startup
- Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Enforce drive encryption type on operating system drives
- Select the encryption type: (Device)
Bitlocker Fixed Data Drives in Intune Settings Catalog
The Fixed Data Drives settings are similar to those of the endpoint security profile, with the exception of Enforce drive encryption type on fixed data drives and Select the encryption type (device). These settings allow the admin to specify whether BitLocker should encrypt used space only or the entire drive.
Configure Removable Data Drives via Intune Settings Catalog
For removable drives, you’ll find most of the settings similar to endpoint protection policies. However, you’ll want to consider requirements for the Allow users to suspend and decrypt BitLocker protection on removable data drives (device) and Enforce drive encryption type on removable data drives settings as well.
The screenshot below shows the configuration for removable data drives via Intune Settings catalog.
Once you have configured all the Bitlocker settings via Intune Settings Catalog, click Next. On the Assignments tab, add the Azure AD groups to which you want to deploy the Bitlocker settings. Click Next.
On the Review + create page, you’ll find all the BitLocker settings that you have configured. When you’re done, select Create.
After deploying the BitLocker policy via Intune, the policy now appears under the list of Configuration Profiles. A notification also appears confirming that the policy is created.
After you deploy Bitlocker using the Intune Settings catalog, the next step is to monitor the BitLocker encryption status on devices. You can do that from the Intune admin center. In addition, the Microsoft Intune encryption report lets you view details about a device’s encryption status and find options to manage device recovery keys.
The Microsoft Intune encryption report is a central place to find out about a device’s encryption status and find ways to manage recovery keys. The recovery key options that are available depend on the type of device you’re viewing.
To find the report, sign in to the Microsoft Endpoint Manager admin center. Select Devices > Monitor, and then under Configuration, select Encryption Report.
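As a device-side complement to the encryption report, the following added example (not from the article) verifies that a device’s BitLocker state matches the policy built above: XTS-AES 256-bit on operating system and fixed data drives, AES-CBC 128-bit on removable drives, and TPM plus recovery password protectors on the OS drive. It assumes an elevated PowerShell session on a Windows 10/11 device and uses the method and protector names that Get-BitLockerVolume reports.

```powershell
# Added example (not from the article): compare each volume's BitLocker state
# with the encryption policy chosen above. Run elevated on the managed device.
# Expected values use the names reported by Get-BitLockerVolume.
$expected = @{
    OperatingSystem = 'XtsAes256'
    Fixed           = 'XtsAes256'
    Removable       = 'Aes128'      # AES-CBC 128-bit (default) for removable drives
}

$findings = foreach ($vol in Get-BitLockerVolume) {
    $letter = $vol.MountPoint.TrimEnd(':\')
    # OS drive is identified by BitLocker itself; fixed vs removable comes from Get-Volume.
    $kind = if ($vol.VolumeType -eq 'OperatingSystem') { 'OperatingSystem' }
            else { (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).DriveType }
    $kind = [string]$kind
    if (-not $expected.ContainsKey($kind)) { continue }   # skip CD-ROM, RAM disk, etc.

    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $issues = @()
    if ($vol.ProtectionStatus -ne 'On') { $issues += "protection is $($vol.ProtectionStatus)" }
    if ($vol.EncryptionMethod -ne $expected[$kind]) {
        $issues += "method $($vol.EncryptionMethod), expected $($expected[$kind])"
    }
    if ($kind -eq 'OperatingSystem') {
        # Silent encryption yields a plain Tpm protector; TpmPin etc. also count as TPM-bound.
        if (-not ($protectors -match '^Tpm'))            { $issues += 'no TPM protector' }
        if ($protectors -notcontains 'RecoveryPassword') { $issues += 'no recovery password' }
    }
    [pscustomobject]@{
        Drive   = $vol.MountPoint
        Kind    = $kind
        Status  = if ($issues) { 'MISMATCH' } else { 'OK' }
        Details = if ($issues) { $issues -join '; ' }
                  else { "$($vol.EncryptionMethod), $($vol.EncryptionPercentage)% encrypted" }
    }
}

$findings | Format-Table -AutoSize
```

A drive reported as MISMATCH after the policy has applied is the device to look up in the encryption report, since Intune’s device-level status does not show which specific setting failed.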