Introduction #
This configuration will silently enable BitLocker encryption on OS and Fixed drives for Windows 10 and later devices. The BitLocker recovery keys will be backed up to Azure AD and rotated automatically after they are used on a device.
- Encrypt Operating System drive and fixed drives using AES 256bit XTS
- Encrypt drive using TPM, without a pin or startup key
- Configure BitLocker silently without any user interaction
- Save BitLocker recovery keys to Azure AD
- Allow silently enabling BitLocker during Azure AD Join for users who are not local administrators
- BitLocker won’t be enabled until recovery keys have been successfully saved to Azure Active Directory
BitLocker will only be enabled if TPM is present and usable
Requirements #
- A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware
- TPM (Trusted Platform Module) 1.2 or later
- Devices must have the BIOS configured for UEFI boot mode
- The Device must be enrolled into Microsoft Endpoint Manager
Profile Settings #
BitLocker – Base Settings
| Enable full disk encryption for OS and fixed data drives | Yes |
| Hide prompt about third-party encryption | Yes |
| Allow standard users to enable encryption during Autopilot | Yes |
| Configure client-driven recovery password rotation | Enable rotation on Azure AD and Hybrid-joined devices |
BitLocker – Fixed Drive Settings
| BitLocker fixed drive policy | Configure |
| Fixed drive recovery | Configure |
| Recovery key file creation | Allowed |
| Configure BitLocker recovery package | Password and key |
| Require device to back up recovery information to Azure AD | Yes |
| Recovery password creation | Allowed |
| Hide recovery options during BitLocker setup | Yes |
| Enable BitLocker after recovery information to store | Yes |
| Block write access to fixed data-drives not protected by BitLocker | Yes |
| Configure encryption method for OS drives | AES 256bit XTS |
BitLocker – OS Drive Settings
| BitLocker system drive policy | Configure |
| Startup authentication required | Yes |
| Compatible TPM startup | Required |
| Compatible TPM startup PIN | Blocked |
| Compatible TPM startup Key | Blocked |
| Compatible TPM startup key and PIN | Blocked |
| Disable BitLocker on devices where TPM is incompatible | Yes |
| System drive recovery | Configure |
| Recovery key file creation | Allowed |
| Configure BitLocker recovery package | Password and key |
| Require device to back up recovery information to Azure AD | Yes |
| Recovery password creation | Allowed |
| Hide recovery options during BitLocker setup | Yes |
| Enable BitLocker after recovery information to store | Yes |
| Minimum PIN length | 10 |
| Configure encryption method for OS drives | AES 256bit XTS |
BitLocker – Removable Drive Settings
| BitLocker – Removable Drive Settings | Configure |
| Configure encryption method for removable data-drives | AES 256bit XTS |
Assignments #
Users, Groups and Devices
| Includes | – All Users |
