I would like to know where Bitlocker is enabled in Intune.

ChikaraTaro 80 Reputation points
2024-09-25T07:02:04.9866667+00:00

I am verifying Intune.

Intune>Manage Disk encryption is not set.

However, the PC set up with AutoPilot

has a BitLocker Recovery Key in Intune>Devices>Windows>Target device>Recovery keys, and is encrypted.

There is no Bitlocker item in the AutoPilot parameters,

so I would like to know where Bitlocker is enabled in Intune.

Does this mean that Bitlocker is always enabled with AutoPilot?


Accepted answer
Alex Burlachenko 990 Reputation points
2024-09-25T08:08:20.32+00:00

In Microsoft Intune, BitLocker is not automatically enabled by default in Autopilot. However, it can be enabled through Intune policies during or after the Autopilot process. The situation you are describing, where the BitLocker recovery key appears in Intune even though disk encryption isn't explicitly managed, typically occurs because of built-in security features in Windows.

Here's how it might be happening:

1. Autopilot and Windows Settings: When you set up a device with Windows Autopilot, Windows might enable BitLocker automatically based on the device's configuration, especially if the version of Windows supports it. Windows 10/11 automatically enables BitLocker during Out-of-Box-Experience (OOBE) on devices that meet specific hardware requirements (like having TPM).

2. MDM Policies: Even though disk encryption isn't explicitly set in Intune, Windows has its default encryption policies that apply if the device is compliant with TPM requirements. Additionally, Intune may enforce encryption through a security baseline or compliance policy, even without a specific disk encryption policy being listed under "Manage Disk Encryption."

3. Windows Configuration: Starting with Windows 10 version 1803, BitLocker can be automatically enabled on capable devices if they are part of an organization's Azure Active Directory (AAD). This can happen without a specific BitLocker policy in Intune if there is an overall security baseline or compliance policy requiring encryption.

4. BitLocker via Compliance or Security Baseline: Check the Security Baselines and Compliance Policies in Intune. There may be a baseline or compliance setting enforcing BitLocker without it being a standalone setting.

Thus, while Autopilot doesn't inherently enable BitLocker, it might appear to do so due to automatic encryption based on the hardware and compliance policies applied during enrollment. To verify, review the security baseline and compliance policies applied to the device in Intune.

1 person found this answer helpful.
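The answer above lists the places in the Intune portal to look. A complementary check is to ask the device itself which mechanism turned BitLocker on. The following PowerShell script is an added example for this thread, not code posted by the question author or the answerer and not something Microsoft ships. It assumes three things: that Intune-delivered BitLocker CSP settings are mirrored under `HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker`, that Group Policy BitLocker settings live under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`, and that a device encrypted by Windows' automatic device encryption (with no Intune or GPO policy) shows a TPM protector plus a RecoveryPassword protector and nothing under either registry key. The `Get-BitLockerOrigin` function name is my own. Run it in an elevated PowerShell on the Autopilot-enrolled PC.

```powershell
# Added example (not from the thread): work out on the device which mechanism
# enabled BitLocker on the OS volume. Requires an elevated PowerShell on a
# Windows edition that ships the BitLocker and TrustedPlatformModule modules.
#Requires -RunAsAdministrator

function Get-BitLockerOrigin {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)   # e.g. "C:"

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Key protectors are the most telling artefact. Automatic device encryption
    # during OOBE normally leaves a Tpm protector plus a RecoveryPassword
    # protector; the recovery password is what Intune shows under
    # Devices > Windows > (device) > Recovery keys once it is escrowed.
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Assumption: MDM (Intune BitLocker CSP) settings are mirrored here.
    $mdmPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    $mdmValues = if (Test-Path $mdmPath) { @((Get-Item $mdmPath).GetValueNames()) } else { @() }

    # Assumption: Group Policy BitLocker (FVE) settings are stored here.
    $gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $gpoValues = if (Test-Path $gpoPath) { @((Get-Item $gpoPath).GetValueNames()) } else { @() }

    # Automatic device encryption needs a TPM; record its state for context.
    $tpm = Get-Tpm

    # Decide which source most plausibly enabled encryption, policy first.
    $likelySource =
        if ($mdmValues.Count -gt 0) { 'Intune BitLocker CSP policy present' }
        elseif ($gpoValues.Count -gt 0) { 'Group Policy (FVE) settings present' }
        elseif ($vol.VolumeStatus -ne 'FullyDecrypted') { 'Encrypted with no MDM/GPO BitLocker policy: consistent with automatic device encryption' }
        else { 'Volume not encrypted' }

    [pscustomobject]@{
        MountPoint         = $vol.MountPoint
        VolumeStatus       = $vol.VolumeStatus
        ProtectionStatus   = $vol.ProtectionStatus
        EncryptionMethod   = $vol.EncryptionMethod
        KeyProtectors      = ($protectors -join ', ')
        TpmPresentAndReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        MdmBitLockerValues = ($mdmValues -join ', ')
        GpoBitLockerValues = ($gpoValues -join ', ')
        LikelySource       = $likelySource
    }
}

# Usage: print the findings for the OS drive.
Get-BitLockerOrigin | Format-List
```

If `LikelySource` reports encryption with no policy values under either key, that matches the answer's explanation: the device encrypted itself because the hardware qualified, and Intune merely received the escrowed recovery password. If instead values appear under the PolicyManager path, some assigned Intune profile (a security baseline, an endpoint security disk-encryption profile or a settings catalog item) is delivering BitLocker settings, and that profile is the place to look in the portal.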

1 additional answer

ChikaraTaro 80 Reputation points
2024-09-25T08:46:54.61+00:00

Alex Burlachenko-san,

Thank you for your accurate and detailed explanation.

Because of built-in security features in Windows.

I understand now.

I have just started using Intune for testing, so neither compliance policies nor security baselines have been set.
