In Microsoft Intune, BitLocker is not automatically enabled by default in Autopilot. However, it can be enabled through Intune policies during or after the Autopilot process. The situation you are describing, where the BitLocker recovery key appears in Intune even though disk encryption isn't explicitly managed, typically occurs because of built-in security features in Windows.
Here’s how it might be happening:

1. Autopilot and Windows Settings: When you set up a device with Windows Autopilot, Windows might enable BitLocker automatically based on the device’s configuration, especially if the version of Windows supports it. Windows 10/11 automatically enables BitLocker during the Out-of-Box Experience (OOBE) on devices that meet specific hardware requirements (like having a TPM).

2. MDM Policies: Even though disk encryption isn't explicitly set in Intune, Windows has its default encryption policies that apply if the device is compliant with TPM requirements. Additionally, Intune may enforce encryption through a security baseline or compliance policy, even without a specific disk encryption policy being listed under "Manage Disk Encryption."

3. Windows Configuration: Starting with Windows 10 version 1803, BitLocker can be automatically enabled on capable devices if they are part of an organization’s Azure Active Directory (AAD). This can happen without a specific BitLocker policy in Intune if there is an overall security baseline or compliance policy requiring encryption.

4. BitLocker via Compliance or Security Baseline: Check the Security Baselines and Compliance Policies in Intune. There may be a baseline or compliance setting enforcing BitLocker without it being a standalone setting.
Thus, while Autopilot doesn't inherently enable BitLocker, it might appear to do so due to automatic encryption based on the hardware and compliance policies applied during enrollment. To verify, review the security baseline and compliance policies applied to the device in Intune.
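The following is an added triage script, not part of the answer above and not Microsoft's code. It gathers the local evidence the answer tells you to look for (TPM readiness, Azure AD join state, the volume's key protectors, the PreventDeviceEncryption opt-out value, and recent BitLocker management events) so you can tell whether the recovery key in Intune came from Windows automatic device encryption or from an explicit policy. It uses only built-in Windows cmdlets and tools (Get-BitLockerVolume, Get-Tpm, dsregcmd, Get-WinEvent); the function names and the verdict rules are this example's own assumptions. Run it in an elevated PowerShell session on the affected device.

```powershell
# Added example (not from the original answer): read-only BitLocker attribution triage.
# Assumes Windows 10/11 with the BitLocker PowerShell module present; Get-Tpm needs elevation.

function Get-BitLockerTriage {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # volume to inspect; defaults to the OS drive
    )

    # 1. Hardware prerequisite: automatic device encryption needs a present, ready TPM.
    $tpm = Get-Tpm

    # 2. Identity context: automatic encryption escrows the recovery key only when the
    #    device is Azure AD joined; dsregcmd prints "AzureAdJoined : YES" in that case.
    $dsreg = dsregcmd /status
    $aadJoined = ($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0

    # 3. Volume state: which protectors exist tells you how the key could reach Intune
    #    (a RecoveryPassword protector is what gets backed up to Azure AD / Intune).
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    # 4. Explicit opt-out: PreventDeviceEncryption = 1 disables automatic device encryption.
    $bl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker' -ErrorAction SilentlyContinue
    $prevent = 0
    if ($null -ne $bl -and $null -ne $bl.PreventDeviceEncryption) { $prevent = [int]$bl.PreventDeviceEncryption }

    # 5. Recent BitLocker management events (key backup, policy-driven encryption) for the timeline.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{
        MountPoint              = $vol.MountPoint
        VolumeStatus            = $vol.VolumeStatus
        ProtectionStatus        = $vol.ProtectionStatus
        EncryptionMethod        = $vol.EncryptionMethod
        KeyProtectorTypes       = ($protectorTypes -join ', ')
        HasRecoveryPassword     = ($protectorTypes -contains 'RecoveryPassword')
        TpmPresent              = $tpm.TpmPresent
        TpmReady                = $tpm.TpmReady
        AzureAdJoined           = $aadJoined
        PreventDeviceEncryption = $prevent
        RecentBitLockerEvents   = $events
    }
}

# Maps the collected evidence to the likeliest explanation from the answer above.
# The rules are this example's assumption, not an official decision table.
function Get-BitLockerTriageVerdict {
    param([Parameter(Mandatory)] $Triage)

    if ($Triage.VolumeStatus -eq 'FullyDecrypted') {
        return 'Volume is not encrypted; there is nothing to attribute.'
    }
    if ($Triage.PreventDeviceEncryption -eq 1) {
        return 'Automatic device encryption is disabled via the registry; encryption came from an explicit Intune/GPO policy or a manual action.'
    }
    if ($Triage.TpmReady -and $Triage.AzureAdJoined) {
        return 'Consistent with Windows automatic device encryption on a TPM-capable, Azure AD-joined device; no Intune disk encryption profile is required for this.'
    }
    return 'Encrypted, but automatic-encryption prerequisites are not all met; check Intune security baselines and compliance policies, and the event log above.'
}

$triage = Get-BitLockerTriage
$triage | Format-List
Get-BitLockerTriageVerdict -Triage $triage
```

If the verdict points at automatic device encryption, the "Device Encryption Support" line in msinfo32 (System Information) confirms whether the hardware qualifies; if it points at a policy, the Intune device's "Device configuration" and "Compliance" blades show which baseline or compliance policy carried the encryption requirement.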