Did you know that you can utilize Microsoft Endpoint Manager to help manage BitLocker on your Windows devices?
In May of 2019, we announced that we would be adding capabilities to manage Microsoft BitLocker on enterprise Windows devices to both Microsoft Intune and Configuration Manager. We then announced that Microsoft Intune and Configuration Manager were being brought together as Microsoft Endpoint Manager.
Here is a quick summary of those announcements and the current status (although I do recommend you read both posts in detail):
- We have exposed many more settings from the Windows BitLocker configuration service provider (CSP) in Microsoft Intune to help you turn on, manage, report the status of, and turn off BitLocker encryption, including Trusted Platform Module (TPM) management. In Intune, these settings were added in the second half of 2019. We added the same capabilities to Configuration Manager starting with a private preview in June 2019, and they are generally available today.
- In November of 2019, we combined our two enterprise management offerings—Microsoft Intune for cloud management and Configuration Manager for on-premises management—into a single offering called Microsoft Endpoint Manager. Today over 200 million devices are managed with Microsoft Endpoint Manager.
Last year, we also announced extended support for Microsoft BitLocker Administration and Monitoring (MBAM). Those of you using MBAM can continue to do so until April 14, 2026. In the meantime, we recommend that you start thinking about migrating your devices to Microsoft Endpoint Manager to manage BitLocker.
Manage BitLocker using Microsoft Intune
Microsoft Azure Active Directory (Azure AD) and Microsoft Intune bring the power of the intelligent cloud to Windows 10 device management, including management capabilities for BitLocker. Some of these capabilities work on Windows 10 Pro, while other capabilities require Windows 10 Enterprise or Education editions.
The first step to managing BitLocker using Microsoft Intune is to visit the new Microsoft Endpoint Manager admin center. Select Endpoint security > Disk encryption, and then Create policy. Enter the Platform (Windows 10 and later) and Profile (BitLocker) indicated in the screen capture below, and then select Create.
creating a new Microsoft BitLocker policy in Microsoft Endpoint Manager
Next, enter the basics, such as the name of the policy and an optional description, then move on to Configuration settings. Notice that you can search for a specific setting, like "fixed drive policy," or scroll through the settings. Also notice the options offered for key rotation. This setting, which requires Windows 10, version 1909 or later, changes the recovery password whenever a recovery password is used to unlock a drive, so a key that has been read out of the admin center (or off a sticky note) stops working after one use.
Create an Endpoint Security profile in Microsoft Endpoint Manager
As you enable settings, additional settings may appear. For example, enabling the fixed drive policy expands more options: Recovery key file creation and Configure BitLocker recovery key package.
Configuring BitLocker settings in Microsoft Endpoint Manager
Finally, add Scope tags, assign the new policy to specific groups of users or devices, and select Create.
The settings that can be configured here include:
- BitLocker – Base Settings
  - Enable full disk encryption for OS and fixed data drives
  - Require storage cards to be encrypted (mobile only)
  - Hide prompt about third-party encryption
  - Configure client-driven recovery password rotation
- BitLocker – Fixed Drive Settings
  - BitLocker fixed drive policy
- BitLocker – OS Drive Settings
  - BitLocker system drive policy
- BitLocker – Removable Drive Settings
  - BitLocker removable drive settings
For more details, see the RequireDeviceEncryption section of the BitLocker CSP.
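The admin center tells you the policy was assigned, but not whether the device actually ended up encrypted with the protectors you asked for and a recovery password escrowed. The following PowerShell is an added example (not code from the original post or from Microsoft) for checking that on an enrolled Windows 10 device. It assumes an elevated prompt, a device that is Azure AD joined or registered (BackupToAAD-BitLockerKeyProtector fails otherwise), and a policy that was meant to put a TPM-based protector on the OS drive; it uses only the built-in BitLocker and TrustedPlatformModule modules.

```powershell
# Added example, not from the original post: verify that the Intune BitLocker
# policy actually landed on this device, and escrow every recovery password to
# Azure AD. Assumes an elevated session and an Azure AD joined/registered device.
#Requires -RunAsAdministrator

function Test-BitLockerPolicyState {
    [CmdletBinding()]
    param(
        # Assumed: the policy was expected to use a TPM (or TPM+PIN) protector on the OS drive.
        [switch]$EscrowToAzureAD
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Silent encryption needs a present and ready TPM; otherwise the CSP reports an error
    # and the device shows as not compliant even though the policy "applied".
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('TPM not present: TPM-based protectors cannot be created')
    }
    elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready: initialize it before expecting silent encryption')
    }

    foreach ($vol in Get-BitLockerVolume) {
        $id    = "$($vol.MountPoint) [$($vol.VolumeType)]"
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("$id is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% done)")
        }
        # ProtectionStatus 'Off' on an encrypted volume means BitLocker is suspended
        # (clear key on disk) or has no protectors: data is not actually protected.
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("$id protection is $($vol.ProtectionStatus): suspended or no protectors")
        }
        if ($vol.VolumeType -eq 'OperatingSystem' -and
            $types -notcontains 'Tpm' -and $types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
            $findings.Add("$id has no TPM-based protector (has: $($types -join ','))")
        }

        $recovery = @($vol.KeyProtector | Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($recovery.Count -eq 0) {
            $findings.Add("$id has no RecoveryPassword protector: nothing can be escrowed or rotated")
        }
        elseif ($EscrowToAzureAD) {
            foreach ($rp in $recovery) {
                # Same backup the CSP performs; safe to re-run after a rotation.
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
                $findings.Add("$id escrowed recovery password $($rp.KeyProtectorId) to Azure AD")
            }
        }
    }

    if ($findings.Count -eq 0) { $findings.Add('All volumes encrypted, protected, and escrowable') }
    return $findings
}

Test-BitLockerPolicyState -EscrowToAzureAD
```

Run it once on a pilot device before assigning the policy broadly: a missing or not-ready TPM and a suspended volume are the two states that most often make a device show as "not compliant" while the policy itself reports success.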
Manage BitLocker using Configuration Manager
For enterprise organizations currently using on-premises management of their endpoint devices, the best approach would be to enable co-management with Microsoft Intune and Configuration Manager, and use the CSPs available in Microsoft Intune. This may not be an option, so we’ve also made BitLocker management available in Configuration Manager current branch, as early as July 2019. When using Configuration Manager, BitLocker management also supports Windows 8.1. And, although Windows 7 is no longer a supported operating system, we are not blocking BitLocker management on Windows 7; however, some settings may not apply to Windows 7 devices. Please review the product support lifecycle page for end of support dates for these operating systems.
When you open the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance > Overview > Endpoint Protection > BitLocker Management. From there, you can create a new BitLocker Management Control Policy, where you can specify whether to encrypt the Operating System Drive, and/or Fixed Drives, and/or Removable Drives, and set Client Management policies.
Creating a new BitLocker Management Control Policy to manage BitLocker on the Configuration Manager managed devices
As you select these checkboxes, additional pages will appear in the navigation pane on the left.
Enabling the Drive encryption policy lets you choose the encryption method: AES 128-bit (default), AES 128-bit with Diffuser, AES 256-bit with Diffuser, or AES 256-bit. These are the legacy choices that apply to Windows 7; enabling Encryption and cipher strength (Windows 10) offers the current set: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit, XTS-AES 256-bit. Hovering over a policy displays a message box full of information. Note that the method you pick applies only to drives encrypted after the policy arrives; a drive that is already encrypted keeps its existing cipher until it is decrypted and re-encrypted. For more information about the different encryption and cipher strengths available, see the BitLocker settings reference.
Specifying setup information for the BitLocker Management Control Policy
All entries listed in the screenshot above are the defaults once enabled and are not necessarily the recommended settings. Research the different encryption and cipher strengths available before configuring the policy.
The next page brings you to the Operating System Drive, where you can enable settings such as the TPM protector and the PIN length. The PIN must be between 4 and 20 characters. You can also configure settings for Enhanced PINs (PINs that allow uppercase and lowercase letters, numbers, special characters, and spaces) and for a password on operating system drives, where you can likewise allow or require password complexity.
Configuring BitLocker Management Control Policy settings for OS drives
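Because a changed cipher setting never re-encrypts a drive that is already encrypted, the useful check after deploying this policy is which cipher each volume really uses and whether the OS drive carries the TPM+PIN protector you configured. The following PowerShell is an added example (not code from the original post or from Microsoft) that does that audit. It assumes an elevated prompt, that the policy target is XTS-AES 256-bit with TPM+PIN on the OS drive (both are parameters you can change), and it uses only the built-in BitLocker module.

```powershell
# Added example, not from the original post: report each BitLocker volume's
# actual cipher and protectors against the policy target, and flag drives that
# need a decrypt/re-encrypt cycle. Assumes an elevated session.
#Requires -RunAsAdministrator

# Methods the policy pages expose, strongest first. The Diffuser variants are the
# Windows 7-era choices; Windows 10 cannot encrypt a volume with them.
$script:CipherRank = @('XtsAes256', 'XtsAes128', 'Aes256', 'Aes128', 'Aes256Diffuser', 'Aes128Diffuser')

function Get-BitLockerCipherAudit {
    [CmdletBinding()]
    param(
        # Assumed policy target for OS and fixed drives.
        [ValidateSet('XtsAes256', 'XtsAes128', 'Aes256', 'Aes128')]
        [string]$RequiredMethod = 'XtsAes256',
        # Assumed: the OS drive policy required TPM+PIN rather than TPM only.
        [switch]$RequireTpmPin
    )

    $requiredRank = $script:CipherRank.IndexOf($RequiredMethod)

    foreach ($vol in Get-BitLockerVolume) {
        $method = [string]$vol.EncryptionMethod
        $rank   = $script:CipherRank.IndexOf($method)
        $types  = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $issues = @()

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $issues += 'not encrypted'
        }
        elseif ($method -eq 'Hardware') {
            # Self-encrypting drive (eDrive): the drive's own cipher is in use, not the policy's.
            $issues += 'hardware encryption; policy cipher does not apply'
        }
        elseif ($rank -lt 0 -or $rank -gt $requiredRank) {
            # Weaker than (or unknown to) the policy. BitLocker will not upgrade this in place.
            $issues += "uses $method, policy wants $RequiredMethod; decrypt and re-encrypt to change"
        }

        if ($vol.VolumeType -eq 'OperatingSystem' -and $RequireTpmPin -and $types -notcontains 'TpmPin') {
            $issues += "no TpmPin protector (has: $($types -join ','))"
        }
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $types -notcontains 'RecoveryPassword') {
            $issues += 'no RecoveryPassword protector; nothing for the recovery service to back up'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Method     = $method
            Protectors = ($types -join ',')
            Compliant  = ($issues.Count -eq 0)
            Issues     = ($issues -join '; ')
        }
    }
}

Get-BitLockerCipherAudit -RequiredMethod XtsAes256 -RequireTpmPin | Format-Table -AutoSize
```

Run this on a sample of devices that were encrypted before the policy change (MBAM-managed or self-encrypted machines, for example): anything reported as Aes128 or Aes256 on a Windows 10 OS drive is still CBC-mode ciphertext and will stay that way until the drive is decrypted and re-encrypted.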
Configuring the settings on the Fixed Drive page allows you to enable fixed drive encryption, as well as specify whether or not fixed drives can be auto-unlocked, deny write access to fixed drives that are not protected by BitLocker, and allow access to BitLocker-protected fixed drives from earlier versions of Windows (with an option to not install the BitLocker To Go Reader on FAT-formatted drives).
Configuring BitLocker Management Control Policy settings for fixed drives
The next page allows you to specify the settings which will be applied to removable drives, such as denying write access to removable drives that have not been protected with BitLocker, and whether or not these removable drives should be accessible from earlier versions of Windows.
Configuring BitLocker Management Control Policy settings for removable drives
Finally, the Client Management policy allows you to manage the key recovery service backup of the BitLocker information: either Recovery password and key package, or Recovery password only. You can also configure how often the client will check for changes to the BitLocker policy, and a method for users to request an exemption from this policy. The contact method can be a URL, an email address, or a phone number.
Configuring client management settings for the BitLocker Management Control Policy
Once the policy has been created, deploy it to the target Collection.
Deploying the new BitLocker Management Control Policy to a target collection in Configuration Manager
Once the policy is deployed, in the Configuration Manager console navigate to Monitoring > Overview > Reporting > Reports. From here you can report on BitLocker compliance across the enterprise.
BitLocker reports in Configuration Manager
Note: To manage encryption on co-managed Windows 10 devices using the Microsoft Endpoint Manager cloud service, switch the Endpoint Protection workload to Intune. For more information on the endpoint protection device configuration profile, see Windows 10 (and later) settings to protect devices using Intune.
Whether you are a current MBAM customer or are using a third-party tool to manage BitLocker, Microsoft can help you transition to Microsoft Endpoint Manager, at your pace. Don’t have Endpoint Manager, or need to learn more? Start a free trial or buy a subscription today!
Frequently asked questions
What licenses do I need to manage Microsoft BitLocker?
BitLocker can be enabled and disabled using Microsoft Endpoint Manager on Windows 10 Pro, Enterprise, or Education. However, all other management, such as enforcing a key rotation and compliance reporting, requires a Microsoft 365 E3/E5 or Windows E3/E5 license.
Can I enable BitLocker while deploying a device with Windows Autopilot?
Yes! You can configure the BitLocker policy in Endpoint Manager and link the policy to all devices, including those deployed with Windows Autopilot.
What settings are available for my Windows 7 workstations?
Windows 7 is no longer a supported operating system, and as such we do not test any BitLocker settings on Windows 7 clients. Using Configuration Manager, you can deploy the BitLocker policy to a Collection that contains Windows 7. However, as newer encryption methods and ciphers are introduced over time, these newer settings may not work on Windows 7 workstations. The settings to enable and disable BitLocker, together with a cipher strength Windows 7 supports, should work on Windows 7, but again these are not tested. Our recommendation is that you upgrade to a supported operating system as soon as possible, but we'll help you keep Windows 7 encrypted and more secure during your migration project.
How can I migrate my clients from using Configuration Manager to using Intune to manage BitLocker policies and compliance?
To migrate the clients to use Intune, enable co-management and set the Endpoint Protection workload to Intune.
Can I migrate from a third- party encryption to Microsoft BitLocker without decrypting the device?
No. If you are using a third-party disk encryption product, you must decrypt the device and then set the Microsoft BitLocker policies. To make this quicker, set the policy to encrypt used space only. Keep in mind that used-space-only encryption leaves free space untouched, so on a drive that has held sensitive data in plaintext at any point, full encryption is the safer choice even though it takes longer.
I’m using Microsoft BitLocker but am using a third-party management tool. How can I migrate the recovery key to Microsoft Endpoint Manager?
You can remove the third-party agent, configure the BitLocker policies in Endpoint Manager, and force a key rotation. This replaces the recovery key stored in the third-party management tool with a new one and uploads the new recovery key to Endpoint Manager. Keep the old recovery key until you have confirmed the new one appears in Endpoint Manager, and check the third-party tool's documentation to confirm whether removing its agent forces a decryption of the drive.