BitLocker through Intune working differently between W10 and W11?

Jon Resele 40 Reputation points
2024-09-12T04:57:19.6033333+00:00

I just wanted to reach out and ask if anyone else has noticed that there is a difference in how BitLocker policies work between Windows 10 and Windows 11.

In my environment, we don't have backing up BitLocker recovery keys to ADDS available, so we skipped over the section in "Endpoint security | Disk encryption" due to the backup option only noting ADDS and went with using Device Configuration policies that back up to Entra before enabling BitLocker.

What I noticed when setting up BitLocker policies in Intune was that I needed to create two policies, one under "Endpoint protection" and another under "Settings catalog".

The "Settings catalog" settings for W11 specifically point out:

  • Encryption method (we had specified XTS-AES 256-bit in "Endpoint protection" but it was still only encrypting with XTS-AES 128-bit (Default))
  • Encryption type (we specified Full Disk, but it was only doing Used Space)
  • Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. (Disabled)
  • Enhanced PIN (on W10 this was fine, but on W11 it only allowed numbers)

"Endpoint protection" allows for backing up to Entra before enabling BitLocker, but "Settings catalog" only backs up to ADDS before enabling BitLocker. So you do need to create two device configuration policies, but using both gets the job done.


Accepted answer
Crystal-MSFT 49,601 Reputation points Microsoft Vendor
2024-09-12T06:05:53.5766667+00:00

@Jon Resele, Thanks for posting in Q&A. In general, Intune uses the CSPs Windows provides to deploy policy via SyncML. The BitLocker CSP applies to both Windows 10 and Windows 11 devices, but some settings only apply to specific OS versions. You can check more details in the following link.

https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype

We can deploy the BitLocker policy either via an Endpoint security disk encryption policy, an endpoint protection policy, a custom policy or a Settings Catalog policy. This depends on your needs. Different profiles may have different configurations.

https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#create-an-endpoint-security-policy-for-bitlocker

For the policy-not-applied issue, here are my thoughts for your reference:

For the Encryption method we configure under the endpoint protection policy, it uses "./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType" to deploy the setting, and under the setting description it mentions that this policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled, this policy setting will be ignored.

https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype

For the Encryption Type to apply, I find some versions need a KB installed for it to be applied, as mentioned in the BitLocker CSP doc above. Please check whether yours meets this.

For Enhanced PIN, the official document says not all computers may support enhanced PINs in the pre-boot environment.

https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#systemdrivesenhancedpin

For these BitLocker settings, based on my experience, if we configure the same setting in different locations with different values, a conflict may occur. We recommend only configuring each setting once, with one value, to avoid this issue.

Hope the above information can help.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

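The settings the question lists (encryption method, encryption type, enhanced PIN, Entra key backup) and the answer's point about conflicting values can both be verified on the device itself. The script below is an added example, not code from this thread or from Microsoft: run elevated on a Windows 10/11 client, it reads the effective state of the OS volume and reports any drift from the intended values. It assumes English `manage-bde` output and that the CSP-applied Enhanced PIN value lands as `UseEnhancedPin` under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`.

```powershell
# Added example (not from the thread): audit the OS volume's effective BitLocker
# state and compare it with what the Intune policies were meant to enforce.
# Assumptions: elevated session; English manage-bde output; expected values below
# are the ones the question says were intended.
$Expected = @{
    EncryptionMethod = 'XtsAes256'        # intended XTS-AES 256-bit, not XtsAes128 (default)
    Conversion       = 'Fully Encrypted'  # intended Full Disk, not 'Used Space Only Encrypted'
    UseEnhancedPin   = 1                  # intended Enhanced PIN (assumed FVE policy value name)
}

function Get-OsVolumeBitLockerState {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Encryption type (used space vs full) is only shown by manage-bde, so parse its status line.
    $statusLine = & manage-bde.exe -status $env:SystemDrive 2>$null |
        Where-Object { $_ -match 'Conversion Status:' } | Select-Object -First 1
    $conversion = ("$statusLine" -replace '^.*Conversion Status:\s*', '').Trim()

    # Policy values applied through the BitLocker CSP are read from the FVE policy key (assumption);
    # a missing value means the setting was never delivered, which is itself a finding.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MountPoint         = $vol.MountPoint
        VolumeStatus       = [string]$vol.VolumeStatus
        EncryptionMethod   = [string]$vol.EncryptionMethod
        Conversion         = $conversion
        UseEnhancedPin     = $fve.UseEnhancedPin
        KeyProtectorTypes  = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        RecoveryPasswordId = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
    }
}

function Test-BitLockerDrift {
    param([Parameter(Mandatory)]$State, [hashtable]$Expected)
    $findings = @(foreach ($name in $Expected.Keys) {
        $actual = $State.$name
        if ("$actual" -ne "$($Expected[$name])") {
            "{0}: expected '{1}', effective '{2}'" -f $name, $Expected[$name], $actual
        }
    })
    # A RecoveryPassword protector must exist before BackupToAAD-BitLockerKeyProtector can escrow it to Entra.
    if (-not $State.RecoveryPasswordId) {
        $findings += 'No RecoveryPassword protector present: nothing can be backed up to Entra'
    }
    return $findings
}

$state = Get-OsVolumeBitLockerState
$state | Format-List
Test-BitLockerDrift -State $state -Expected $Expected
```

An empty result from `Test-BitLockerDrift` means the device matches the intended policy; each reported line names the setting whose effective value differs, which is where to look for a second policy supplying a conflicting value.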
