This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 11%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Hi,
Is there a way to force users to activate Bitlocker?
I created a profile and set Require under Encrypt devices,
And it only gives a one-time alert to the user and does not require him to activate the Bitlocker.
Thanks
Rash
Use conditional access and a compliance policy that requires device encryption.
Also, review https://msendpointmgr.com/2019/10/31/silently-enable-bitlocker-for-hybrid-azure-ad-joined-devices-using-windows-autopilot/ to see how to enable it silently.
Thanks.
Some of our computers will be without a TPM. What needs to be changed in the script to run the bitlocker even without a TPM?
Without TPM, a password is required. Not sure if native Bitlocker capabilites in Intune will support that, but you might want to test manage-bde or powershell script to enforce bitlocker with generic password.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 84%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Exactly. If you set BitLocker CSP: RequireDeviceEncryption, it will only prompt users to enable device encryption. As a workaround, you can set a conditional access policy and require Bitlocker for Encrypt devices. If not, device will mark as Not compatible as cannot access corporate resource.
If the response is helpful, please click "Accept Answer" and upvote it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 2%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
I would not fondle with complicated policies but instead use a script that informs the user about his (random) PIN and starts the encryption automatically. Would that be alright with you? Then I show you the script.
Knowing that users will not act on an alert about encrypting their disk, I would go with a silent script. Using Conditional Access and Compliance Policies are always nice, but it will just generate more support since users will have no clue why they can't access corporate data suddenly.
Keep it simple and use a scripts like the ones mentioned earlier by Jason, that's the approach I would use (and seen in action). https://msendpointmgr.com/2019/10/31/silently-enable-bitlocker-for-hybrid-azure-ad-joined-devices-using-windows-autopilot
Thanks.
Some of our computers will be without a TPM. What needs to be changed in the script to run the bitlocker even without a TPM?
I'm not sure if the silent enablement will work without a TPM as this requires user intervention. Why would you allow systems without a TPM? BitLocker on systems without a TPM should not be considered for use in an enterprise as they as suspect security-wise.
Remote users often purchase the computer for themselves. And not everyone has a TPM.
BTW. In the silent process of computer encryption. How is the bitlocker password or PIN selected? How will the user know the password or PIN to unlock the computer?
Remote users often purchase the computer for themselves.
That doesn't mean that you shouldn't have standards around this and requiring a TPM would definitely be one of these standards along with minimum memory and CPU (to name just a few).