BitLocker, Intune, and Raven

Hello Paul Bergson, back again with another story about my dog Raven.  From time to time we get a visit from a family member and they will bring their dog along; the problem is we have never socialized Raven with other dogs.  She has no interest in sharing any of her toys but, like a four-year-old human, she takes them out of her toy box (yes, she has one) and leaves them lying all over the house.  When our visiting canine begins to play with one of Raven's toys, she gets jealous and just waits to get it away from her visitor.  If she had a choice, she would stop any dog from ever touching her toys.  Unfortunately for Raven, she does not have any type of protective measures to guard against strangers accessing her stuff that is lying around the house “at rest”.

Lucky for Microsoft customers, we have a technology we provide that can prevent unwelcome visitors from playing with your data when you aren't using it (at rest).  Enabling and using BitLocker to encrypt data at rest on a single device is easy and straightforward.  Managing it on 1,000, 10,000, 100,000 or more devices is a challenge, and yes, there is Microsoft BitLocker Administration and Monitoring (MBAM), but that is in extended support.  So, what is an enterprise administrator to do?

Microsoft doesn't want to see our customers' administrators frantic with fear of not being able to protect their data at rest.  We say, “Look to the Cloud” for support.

Microsoft provides Windows 10 BitLocker management from both Azure (via Intune) and SCCM, with enhanced features expected to be released in the second half of 2019.  Enterprise BitLocker management includes assessing readiness, key management & recovery, and compliance reporting.

To manage BitLocker from Azure you will need to log into the Azure portal and select the Intune blade -or-

Once you have gained access to the Intune blade you can begin the configuration setup for your enterprise.  There are two separate items that will need to be modified, Device Configuration and Device Compliance.



Device Compliance (Policies)
Used to assess a device's compliance with defined values that are required by your enterprise, to ensure it is compliant with this enterprise “Policy.”  If these settings aren't compliant, they can be used with Conditional Access to ensure only devices that comply with the corporate Policy gain access to the .

To configure an Intune Policy for BitLocker, within the Azure Portal browse to the Intune blade and select “Device Compliance” –> “Policies” –> “+ Create Policy.”


  • Name – Enter a unique name for the new Policy
  • Description – Optionally enter a description for this new policy
  • Platform – Select “Windows 10 and later”


  • Settings/Configure – Device Health
    • Require BitLocker – “Require”
  • Actions for noncompliance
    • Action – Mark device as noncompliant
      • Set the time in days to flag the offending device (Default)
        • From immediate (0) to number of days in grace mode
      • Optional other settings
        • “Send email to end users”
        • “Remotely lock the noncompliant device”

Once a policy has been defined, it will need to be assigned against either “All Users” or one or more groups.


Device Configuration (Profiles)
A device's “Profile” is used to define the configuration to be deployed to the asset.

To configure an Intune Profile for BitLocker, within the Azure Portal browse to the Intune blade and select “Device Configuration” –> “Profiles” –> “+ Create Profile.”


  • Name – Enter a unique name for the new Policy
  • Description – Optionally enter a description for this new policy
  • Platform – Select “Windows 10 and later”
  • Profile type
    • “Endpoint protection”




  • Settings/Configure
    • Windows Encryption
      • Windows Settings
        • Encrypt devices – Require
      • BitLocker base settings
        • Warning for other disk encryption – Block
        • Allow standard users to enable encryption during Join – Allow
        • Configure encryption methods – Enable
          • Encryption for operating system drives – Corporate standard
          • Encryption for fixed data-drives – Corporate standard
          • Encryption for removable data-drives – Corporate standard
      • BitLocker OS drive settings
        • Additional at startup – Require
        • Minimum PIN Length – Enable
          • Minimum characters – Corporate standard
        • OS drive recovery – Enable
          • Save BitLocker recovery information to Azure Active Directory – Enable
      • BitLocker fixed data-drive settings
        • Write access to fixed data-drive not protected by BitLocker – Block
        • Fixed drive recovery – Enable
          • Save BitLocker recovery information to Azure Active Directory – Enable
      • BitLocker removable data-drive settings
        • Write access to removable data-drive not protected by BitLocker – Block

Once a profile has been defined, it will need to be assigned against either “All Users & All Devices,” “All Devices,” “All Users” or one or more groups.



Once the rollout of BitLocker to the enterprise has begun, a review of the current status of devices will be required.  Unfortunately, the compliance review covers ALL Intune managed devices, not just BitLocker'd devices.  Reviewing the screenshots below, it can be seen that the “Compliant” and “Non-Compliant” machines can be selected to bring up the complete list for that category.

Note: it only brings back the first 100.



Encryption Monitoring

To better understand which devices have been properly secured with BitLocker, it is recommended to review the “Encryption Report”.

To review the report, browse to “Device Configuration” –> “Encryption report” (under the “Monitor” header).  To find which devices are currently encrypted, look at the “Encryption status” column.
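For a complete list beyond what the portal view returns, the same device data can be read from Microsoft Graph and paged through to the end. This is an added example, not part of the original article; the function name Get-IntuneEncryptionState is hypothetical, and $AccessToken is assumed to already hold a Graph bearer token with the DeviceManagementManagedDevices.Read.All permission.

```powershell
# Added example: list every Windows device Intune manages with its
# encryption and compliance state, following Graph paging to the last page.
# Assumption: $AccessToken is a valid Microsoft Graph bearer token obtained
# elsewhere (DeviceManagementManagedDevices.Read.All).
function Get-IntuneEncryptionState {
    param(
        [Parameter(Mandatory)] [string] $AccessToken
    )

    $headers = @{ Authorization = "Bearer $AccessToken" }
    # Single quotes stop PowerShell from expanding $select as a variable.
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
           '?$select=deviceName,operatingSystem,isEncrypted,complianceState,lastSyncDateTime'

    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        foreach ($device in $page.value) {
            if ($device.operatingSystem -eq 'Windows') {
                [pscustomobject]@{
                    DeviceName  = $device.deviceName
                    IsEncrypted = $device.isEncrypted
                    Compliance  = $device.complianceState
                    LastSync    = $device.lastSyncDateTime
                }
            }
        }
        # Results arrive in pages; the link to the next page is absent on the last one.
        $uri = $page.'@odata.nextLink'
    }
}

# Devices reporting as unencrypted, oldest sync first so stale records surface.
Get-IntuneEncryptionState -AccessToken $AccessToken |
    Where-Object { -not $_.IsEncrypted } |
    Sort-Object LastSync |
    Format-Table -AutoSize
```

A device that has not synced recently may still show its old encryption state, so read IsEncrypted together with LastSync.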



BitLocker keys can be managed by the user and are available through a self-service portal:

If a user logs in there, they should be able to see their corporate device(s) and they can then select the device they need to recover their key(s) as seen in the two screen shots below.



Administrators can view the keys within the “Devices” blade of Azure AD from the Azure AD portal.
“Azure Active Directory” –> “Devices”


From the “Devices” blade, select the device to recover the BitLocker key from and then select which key is needed.  In the example below both the OS and the data drive have been encrypted.

Selecting copy for the selected key will place the ID and recovery key on the clipboard.



Client Side

To ensure that the client has pulled down the Profile and Policy, a user can review what has been applied to it.

  • From the start menu, select “Settings”


  • Within the “Settings” menu select “Accounts”


  • Select “Access work or School” and then click on “Connected to…,” which should expose both an “Info” and “Disconnect” button


  • Click on the “Info” button
    • The info button will bring up a new page which details “Policies” applied, “Connection info” and “Device sync status”
      • To start an immediate sync from the device to Intune, click on the “Sync” button


Note: For clients that are already BitLocker'd, when they are joined to AAD they should upload their recovery key to their respective object within the directory.



For complete details see BitLocker policies in Microsoft Intune

Review the device's BitLocker status from within Control Panel.  It may be working on encrypting the device, but it hasn't completed the task yet.

From an administrative command prompt –> manage-bde -status
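The same check from PowerShell, as an added example that is not part of the original article: it reads each volume with Get-BitLockerVolume and flags volumes that are still encrypting, have protection off, or have no recovery password protector to escrow to Azure AD. Test-BitLockerVolumeState is a hypothetical helper name; run it from an elevated session.

```powershell
# Added example: summarise BitLocker state per volume and list what still
# needs attention on this client.
function Test-BitLockerVolumeState {
    param(
        # Objects shaped like the output of Get-BitLockerVolume.
        [Parameter(Mandatory, ValueFromPipeline)] $Volume
    )
    process {
        # Protector types present on the volume (Tpm, TpmPin, RecoveryPassword, ...).
        $protectorTypes = @(foreach ($kp in $Volume.KeyProtector) { "$($kp.KeyProtectorType)" })
        $findings = @()

        # Encryption can still be running after the profile has been applied.
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $findings += "status is $($Volume.VolumeStatus) ($($Volume.EncryptionPercentage)% encrypted)"
        }
        # Protection that is off or suspended leaves the volume key in the clear.
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $findings += 'protection is off or suspended'
        }
        # A recovery password must exist before it can be saved to Azure AD.
        if ($protectorTypes -notcontains 'RecoveryPassword') {
            $findings += 'no RecoveryPassword protector'
        }

        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            VolumeType       = "$($Volume.VolumeType)"
            EncryptionMethod = "$($Volume.EncryptionMethod)"
            Protectors       = $protectorTypes -join ', '
            Healthy          = ($findings.Count -eq 0)
            Findings         = $findings -join '; '
        }
    }
}

# Evaluate every volume on this device.
Get-BitLockerVolume | Test-BitLockerVolumeState | Format-List
```

The EncryptionMethod and Protectors columns can be compared by eye against the corporate standard and startup authentication chosen in the profile.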


The diagnostics report can be reviewed:

  • On the client run a Sync (As seen earlier in this document)


  • Click on “Create report,” once the sync has completed


  • Review the Diagnostic .html report

Event Logs

Event Viewer –> Applications and Services Logs –> Microsoft –> Windows –> BitLocker API –> Management

Device Registry Configuration Settings


Hopefully, you can leverage BitLocker with Intune management to protect your data at rest and not be like Raven who has to sit and wait to try and get back her toys (data) that was left lying around and unprotected.



This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.