Configure BitLocker policies using Microsoft Intune
You manage Windows devices with Microsoft Intune and need to protect corporate data when a device is lost, stolen or retired. BitLocker provides full-volume encryption for Windows devices, but protection depends on consistent policy configuration and reliable recovery key storage.
In this unit, you configure a BitLocker policy in Intune, choose settings that support standard or silent encryption, identify when Personal Data Encryption (PDE) complements BitLocker for Windows 11 user files, assign the policy to devices and review how platform-specific options affect the user experience and recovery process.
| Configuration step | What you configure | Why it matters |
|---|---|---|
| 1. Choose the policy type | Endpoint security disk encryption policy or settings catalog profile | Selects the management experience for BitLocker settings |
| 2. Configure drive encryption | Operating system, fixed data and removable drive settings | Defines which volumes receive encryption protection |
| 3. Configure encryption behavior | Encryption method, cipher strength, TPM usage and startup authentication | Balances security requirements with user experience |
| 4. Configure recovery options | Recovery key escrow and recovery key visibility | Ensures administrators can recover protected devices |
| 5. Add Personal Data Encryption when required | Windows Personal Data Encryption profile and protected folders | Adds credential-bound file protection for selected Windows 11 user folders |
| 6. Assign and monitor the policy | Device or user groups, encryption reports and compliance status | Confirms that devices receive and apply encryption settings |
Choose a BitLocker policy type that matches your management goal
You start by choosing where to configure BitLocker in the Microsoft Intune admin center. Intune supports BitLocker configuration through Endpoint security > Disk encryption and through Devices > Configuration profiles using the settings catalog.
Endpoint security disk encryption policies provide a focused experience for security administrators. This option keeps BitLocker settings separate from unrelated device configuration settings, which makes the policy easier to review, assign and troubleshoot.
Settings catalog profiles provide a broader configuration experience. You use this option when you need to manage BitLocker settings together with other Windows settings in a single profile or when you need granular control that aligns with a custom configuration model. That said, it is still recommended to use a separate policy for BitLocker to ensure proper assignment.
| Policy type | Best use | Considerations |
|---|---|---|
| Endpoint security > Disk encryption | Configure BitLocker as a dedicated security policy | Recommended for most BitLocker deployments because it focuses only on encryption settings |
| Devices > Configuration profiles > Settings catalog | Configure BitLocker with other Windows settings | Useful for granular configuration, but policy review can become more complex |
| Endpoint security > Disk encryption > Windows Personal Data Encryption | Configure PDE as a complementary Windows 11 policy | Protects selected user folders after your BitLocker baseline is in place |
Add Personal Data Encryption for user-file protection
Personal Data Encryption, or PDE, adds file-based protection for selected user content on supported Windows 11 devices. BitLocker protects the whole volume and helps protect data if a device is lost, stolen or retired, or if the drive is removed. PDE protects specific user files after Windows is running by tying access to the signed-in user's credentials. This layered approach addresses a different risk: a powered-on or locked device on which sensitive user files remain accessible.
PDE works alongside BitLocker; it does not replace BitLocker. In this module, enable BitLocker first as the device encryption baseline and then use PDE when you need extra protection for user folders such as Desktop, Documents and Pictures.
| Protection layer | What it protects | Access model |
|---|---|---|
| BitLocker | Entire volumes and drives | Releases the drive encryption key during startup when the device meets the configured protector requirements |
| Personal Data Encryption | Selected user files and folders | Releases file access only after the user signs in with Windows Hello on a supported Microsoft Entra joined or Microsoft Entra hybrid joined device |
Use Intune to configure PDE from Endpoint security > Disk encryption > Create policy. Select Windows as the platform and select Personal Data Encryption as the Profile. In the policy, enable PDE and choose which folders receive protection. For known folders, configure protection for Desktop, Documents and Pictures when those locations contain corporate data that needs protection after the device locks or another user signs in.
| PDE configuration item | What you configure | Why it matters |
|---|---|---|
| Enable Personal Data Encryption | Turns on PDE for the targeted user context | Allows protected files and folders to use PDE |
| Protect Desktop | Applies PDE to the Desktop folder | Protects files users often save for quick access |
| Protect Documents | Applies PDE to the Documents folder | Protects common business documents |
| Protect Pictures | Applies PDE to the Pictures folder | Protects image-based business data, screenshots and scanned content |
| Prerequisites | Windows 11 version 22H2 or later, Intune enrollment, Microsoft Entra joined or Microsoft Entra hybrid joined device and Windows Hello sign-in | Ensures the device and user sign-in method can release PDE-protected content correctly |
Plan recovery differently for PDE-protected files. BitLocker has recovery keys that administrators can retrieve when a device enters BitLocker recovery. PDE does not use the same administrator-accessible recovery key workflow. Access depends on the user's protected credentials and a working sign-in experience. If the user's account or credential state is permanently lost, restore PDE-protected files from backup, such as a managed cloud backup or file sync solution.
Configure BitLocker settings for Windows devices
You configure BitLocker by creating a Windows BitLocker profile and selecting the settings that match your organization's encryption requirements. A typical corporate configuration encrypts the operating system drive, stores recovery keys in Microsoft Entra ID and uses the device's Trusted Platform Module, or TPM, to protect encryption keys.
The TPM is a hardware-based security component that helps protect BitLocker keys. When a device starts, the TPM validates the device state before it releases the key that unlocks the encrypted operating system drive. This behavior helps protect data if someone removes the drive or tampers with the device startup process.
| Setting area | Common configuration | Learner note |
|---|---|---|
| Operating system drive | Enable BitLocker for the system drive | Protects Windows and user data stored on the primary volume |
| Fixed data drives | Enable encryption for internal data drives | Protects additional internal storage volumes |
| Removable drives | Control write access or require encryption | Reduces data leakage through USB storage devices |
| Encryption method | Use XTS-AES 128-bit or XTS-AES 256-bit | The setting applies when BitLocker starts encryption for the first time |
| Startup authentication | Use TPM-only for silent encryption or TPM plus PIN for stronger startup protection | TPM-only reduces user prompts; TPM plus PIN increases user interaction |
| Recovery key storage | Store recovery keys in Microsoft Entra ID | Supports help desk recovery and administrative access when users need assistance |
Windows Automatic Device Encryption
Windows Automatic Device Encryption, or ADE, is a Windows operating system behavior that can encrypt the operating system drive during the out-of-box experience, before Intune applies a BitLocker policy. ADE is separate from Intune-managed silent BitLocker enablement. Silent encryption is an Intune policy-driven process, while ADE starts from Windows when the device meets the Windows requirements and the user completes initial setup with a Microsoft account or a work or school account.
Starting with Windows 11 version 24H2, ADE applies to more device types than in earlier Windows releases because Windows no longer requires Modern Standby or Hardware Security Test Interface (HSTI) compliance for ADE. This change means many new Windows 11 devices can arrive in Intune with the operating system drive already encrypted.
When the Intune BitLocker policy arrives on an already encrypted device, Intune validates the existing encryption state against the policy. If the device uses a different encryption method or was encrypted before Intune initiated encryption, the encryption report can show an encrypted device with a profile error. This state is not always an assignment problem. First confirm whether the existing ADE-applied encryption method and protector settings match your policy. BitLocker applies the encryption algorithm and encryption type only when encryption first starts, so if your policy requires a different algorithm or encryption type than the device already uses, changing it can require decrypting the drive and encrypting it again.
Silent encryption prerequisites apply primarily when the device is not already encrypted. For many new Windows 11 version 24H2 devices, your main Intune tasks are to escrow recovery information to Microsoft Entra ID, validate policy alignment and monitor compliance rather than initiate encryption from scratch.
| Scenario | What happens | Administrator action |
|---|---|---|
| Device encrypts during OOBE with ADE | Windows starts BitLocker before the Intune policy applies | Verify recovery key escrow and confirm that policy settings match the existing encryption state |
| Intune policy reaches an already encrypted device | Intune evaluates the encryption method, protectors and reporting state | Use the encryption report to distinguish policy mismatch from assignment or readiness failure |
| Encryption method does not match policy | The report can show an encrypted device with a profile error or method mismatch | Align the policy to the ADE-applied method when acceptable or plan decryption and re-encryption when the organization requires a different method |
| Device is not already encrypted | Intune silent encryption settings initiate and manage encryption | Validate silent encryption prerequisites, including TPM, UEFI, Windows Recovery Environment and Microsoft Entra join state |
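The following PowerShell is an added example, not part of this unit or of any Microsoft script: run elevated on a Windows device that arrived already encrypted by ADE, it compares the OS drive's state with the method the policy expects (the `$ExpectedMethod` value is an assumption you change to match your policy), checks that the protectors needed for silent enablement and escrow exist, and escrows the recovery password to Microsoft Entra ID.

```powershell
# Added example: validate an already encrypted OS drive against the intended Intune BitLocker
# policy and escrow its recovery password. Requires an elevated session on a Microsoft Entra joined
# or hybrid joined device. Cmdlets come from the built-in BitLocker module.
$ExpectedMethod = 'XtsAes256'   # assumption: the encryption method your Intune policy requires

$os = Get-BitLockerVolume -MountPoint $env:SystemDrive

[pscustomobject]@{
    MountPoint       = $os.MountPoint
    VolumeStatus     = $os.VolumeStatus        # FullyEncrypted, EncryptionInProgress or FullyDecrypted
    ProtectionStatus = $os.ProtectionStatus    # On means the key protectors currently guard the volume key
    EncryptionMethod = $os.EncryptionMethod
    Protectors       = ($os.KeyProtector.KeyProtectorType -join ', ')
} | Format-List

# 1. Encryption method is fixed when encryption starts: a mismatch is a decrypt/re-encrypt
#    (or a policy alignment) decision, not something a policy refresh can change.
if ($os.VolumeStatus -ne 'FullyDecrypted' -and "$($os.EncryptionMethod)" -ne $ExpectedMethod) {
    Write-Warning "Drive uses $($os.EncryptionMethod); policy expects $ExpectedMethod. Expect a profile error in the encryption report until the policy or the drive is aligned."
}

# 2. Protectors: a TPM-only policy needs a Tpm protector; escrow needs a RecoveryPassword protector.
$types = @($os.KeyProtector.KeyProtectorType)
if ($types -notcontains 'Tpm') {
    Write-Warning 'No TPM protector found; check that the TPM is present, ready and allowed by policy.'
}
$recovery = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    # Add a 48-digit recovery password so there is something to escrow.
    $recovery = @((Add-BitLockerKeyProtector -MountPoint $os.MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 3. Escrow each recovery password to the Microsoft Entra device record so the help desk can retrieve it.
foreach ($rp in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $rp.KeyProtectorId
}
```

After escrow, confirm the key appears on the device record in the Intune admin center or Microsoft Entra ID before closing the ticket.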
Assign the policy and control the user experience
You assign the BitLocker policy to a device group or user group. Device-based assignment is common for corporate-owned devices because encryption applies consistently regardless of who signs in. User-based assignment can fit scenarios where policy follows a user across enrolled devices.
Silent BitLocker enablement reduces user interaction. With silent encryption, Intune applies the policy and starts encryption without requiring the user to be a local administrator. This approach works best when devices meet prerequisites, including supported Windows editions, TPM availability and compatible startup configuration.
Standard BitLocker enablement allows more user interaction. Users can see prompts during encryption or recovery configuration depending on policy settings. This approach provides flexibility, but it can create support variance if users delay or misunderstand prompts.
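The following PowerShell is an added example, not part of this unit or of any Microsoft tooling: run elevated on a candidate device, it checks the silent-encryption prerequisites this unit names (TPM, UEFI, Windows Recovery Environment and Microsoft Entra join state) and reports which ones need attention before the silent policy is assigned. It assumes English-language `reagentc` and `dsregcmd` output.

```powershell
# Added example: readiness check for Intune silent BitLocker enablement.
# Run in an elevated PowerShell session on the Windows device being evaluated.
$checks = [ordered]@{}

# TPM present and ready (Get-Tpm ships with Windows in the TrustedPlatformModule module)
$tpm = Get-Tpm
$checks['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

# UEFI firmware: Windows sets FIRMWARE_TYPE to UEFI or Legacy
$checks['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')

# Windows Recovery Environment enabled (reagentc prints "Windows RE status: Enabled")
$reInfo = & reagentc.exe /info 2>&1
$checks['WinRE enabled'] = [bool]($reInfo | Select-String 'Windows RE status\s*:\s*Enabled')

# Microsoft Entra joined or hybrid joined (dsregcmd prints "AzureAdJoined : YES")
$dsreg = & dsregcmd.exe /status
$checks['Microsoft Entra joined'] = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')

# Current OS drive state: an already encrypted drive (for example by ADE) only needs escrow and alignment
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$checks['OS drive already encrypted'] = ($os.VolumeStatus -ne 'FullyDecrypted')

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Check  = $_.Key
        Result = if ($_.Value) { 'PASS' } else { 'ATTENTION' }
    }
} | Format-Table -AutoSize
```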
| Assignment choice | When you use it | What it does |
|---|---|---|
| Assign to devices | Corporate-owned or shared Windows devices | Encryption applies consistently to targeted devices |
| Assign to users | User-owned or role-based device management scenarios | Encryption follows targeted users across applicable enrolled devices |
| Silent encryption | Devices meet readiness requirements and require minimal user involvement | Users typically see no encryption prompt |
| Standard encryption | You allow user interaction during encryption setup | Users can see prompts or configuration messages |
Monitor encryption status and support recovery
You verify policy success by using Intune reporting. Encryption reports show which devices are encrypted, which devices need attention and whether recovery information is available. This view helps you confirm that policy assignment results in actual device protection.
Compliance policy status can rely on BitLocker enforcement. When you combine BitLocker compliance with Conditional Access, you can block access to corporate resources until the device reports the required encryption state. This control connects encryption status to real access decisions.
Recovery key management remains an operational requirement. When a device enters BitLocker recovery, an authorized administrator retrieves the recovery key from Intune, Microsoft Entra ID or on-premises Active Directory. This process keeps recovery centralized and prevents unmanaged local key storage.
PDE monitoring uses a different signal than BitLocker monitoring. PDE status does not appear as a BitLocker recovery-key state in the BitLocker encryption report. Verify PDE by checking the Intune policy and device configuration status and by confirming on a test device that protected files show the PDE protection indicator in File Explorer or report PDE protection details with supported local validation tools.
| Operational task | Where you check | Why it matters |
|---|---|---|
| Confirm encryption state | Intune encryption report | Shows whether devices apply BitLocker successfully |
| Identify policy issues | Device configuration status and encryption reporting | Helps isolate assignment, readiness or policy conflicts |
| Retrieve recovery keys | Intune admin center or Microsoft Entra ID device record | Supports secure recovery when a device requires unlock assistance |
| Enforce encryption compliance | Windows compliance policy | Links BitLocker state to access control decisions |
| Verify PDE protection | PDE policy status, device configuration status and Windows file protection indicators | Confirms that selected folders receive user credential-based protection |