How to Use Intune to Manage and Deploy Device Encryption and BitLocker

Device encryption is a crucial security feature that protects your data from unauthorized access in case your device is lost, stolen, or compromised. BitLocker is a built-in encryption tool for Windows 10/11 devices that encrypts the entire drive and requires a recovery key to unlock it. Intune is a cloud-based service that allows you to manage and deploy device encryption and BitLocker settings for your organization’s devices.

How to manage device encryption and BitLocker settings with Intune

To manage device encryption and BitLocker settings with Intune, you need to create a device configuration profile that applies to your Windows 10/11 devices. A device configuration profile is a set of settings that you can assign to devices in your organization. You can create different profiles for different groups of devices, depending on your security needs and preferences.


To create a device configuration profile for device encryption and BitLocker, follow these steps:

  • Sign in to the Microsoft Endpoint Manager admin center.
  • Select Devices > Configuration profiles > Create profile.
  • Enter a name and description for the profile, and select Windows 10 and later as the platform.
  • Select Endpoint protection as the profile type.
  • Select Device encryption under Settings.
  • Configure the device encryption settings according to your preferences. You can choose to require encryption for OS and fixed data drives, removable data drives, and pre-boot authentication. You can also choose to allow standard users to enable encryption, and to hide the BitLocker recovery options from the control panel.
  • Select BitLocker under Settings.
  • Configure the BitLocker settings according to your preferences. You can choose the encryption method, the cipher strength, the recovery options, the PIN complexity, and the TPM settings for each drive type. You can also choose to enable BitLocker silently, to allow BitLocker without a compatible TPM, and to enforce BitLocker encryption on fixed data drives.
  • Select OK to save the settings.
  • Select Scope tags to assign tags to the profile, if needed.
  • Select Assignments to assign the profile to the devices or groups that you want to apply the settings to.
  • Select Review + create to review the profile settings and create the profile.

After you create the profile, the device encryption and BitLocker settings will be applied to the assigned devices the next time they check in with Intune. You can monitor the status of the profile and the devices in the Microsoft Endpoint Manager admin center.

PowerShell is a powerful tool that can help you manage some aspects of BitLocker. If you want to learn more about managing BitLocker with PowerShell, please read this post.
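As an added example (not code from the original post), the following PowerShell script checks, on a device that received the profile created above, whether the OS drive actually ended up in the state the profile asks for: fully encrypted with the expected method, protected by the TPM, and holding a recovery-password protector, which it then re-escrows so the key is visible in the admin center. The expected method (XTS-AES 256), the device being Entra joined, and the function name are assumptions; it uses only the built-in BitLocker and TrustedPlatformModule modules and must run elevated.

```powershell
# Added example: verify that the OS drive matches the BitLocker policy pushed by Intune.
# Assumption: the profile requires XTS-AES 256 on the OS drive with a TPM protector
# and a recovery password. Change $ExpectedMethod if your profile chose another method.
#Requires -RunAsAdministrator
$ExpectedMethod = 'XtsAes256'

function Test-BitLockerCompliance {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint   # built-in BitLocker module
    $tpm = Get-Tpm                                        # built-in TrustedPlatformModule module
    $tpmTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    # One boolean per condition so a failing device shows exactly which setting did not apply.
    [pscustomobject][ordered]@{
        MountPoint          = $vol.MountPoint
        TpmPresentAndReady  = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        FullyEncrypted      = ($vol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
        ExpectedMethod      = ($vol.EncryptionMethod -eq $ExpectedMethod)
        HasTpmProtector     = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -in $tpmTypes)
        HasRecoveryPassword = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

$result = Test-BitLockerCompliance
$result | Format-List

# Re-escrow every recovery password protector to Entra ID so the admin center can show it.
# Assumption: the device is Entra joined; on a non-joined device this cmdlet fails.
if ($result.HasRecoveryPassword) {
    (Get-BitLockerVolume -MountPoint $result.MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            BackupToAAD-BitLockerKeyProtector -MountPoint $result.MountPoint -KeyProtectorId $_.KeyProtectorId
        }
}

# Non-zero exit lets a compliance or remediation script flag the device as non-compliant.
$compliant = $result.TpmPresentAndReady -and $result.FullyEncrypted -and $result.ProtectionOn -and
             $result.ExpectedMethod -and $result.HasTpmProtector -and $result.HasRecoveryPassword
if (-not $compliant) { exit 1 }
```

Run it after the profile has been applied and the device has checked in; a device that still reports `FullyEncrypted = False` a day later usually has a TPM or pre-boot prerequisite that silent enablement could not satisfy.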