Encrypting Windows 10 devices with BitLocker in Intune

Encrypting your Windows 10 device is a fairly painless process using Microsoft Intune.

To enable encryption on a device or set of devices, in the Azure Portal go to Microsoft Intune>Device Configuration and click Profiles.

2018-03-15 00_06_06-Dashboard - Microsoft Azure.jpg

Select Create profile.

2018-03-15 00_06_29-Device Configuration Profiles - Microsoft Azure.jpg

Enter a Name for the profile, select the Platform as Windows 10 and later and choose Profile type Endpoint protection. Click the Configure option in Settings and then choose Windows Encryption.

2018-03-15 00_07_11-Endpoint protection - Microsoft Azure.jpg

You will be presented with 37 configurable settings. Choose ones that fit your encryption scenario. For example, enable XTS-AES 256-bit encryption of the OS drive. Click OK to complete the configuration.

2018-03-15 00_08_35-Windows Encryption - Microsoft Azure.jpg

Click OK.

2018-03-15 00_09_26-Endpoint protection - Microsoft Azure.jpg

Click Create to complete the set up of the profile for BitLocker  encryption.

2018-03-15 00_09_37-Create profile - Microsoft Azure.jpg

Select Assignments.

2018-03-15 00_10_03-.jpg

Select any groups to assign the profile to in the Include tab.

2018-03-15 00_11_49-Dashboard - Microsoft Azure.jpg

In my example, I am assigning to a group of test devices.

2018-03-15 00_12_04-Select groups to include - Microsoft Azure.jpg

2018-03-15 00_12_15-Dashboard - Microsoft Azure.jpg

On next sync, the endpoint assigned the profile will prompt that the device needs to be encrypted. Click the message.

2018-03-16 01_28_46-Windows10-1709 on PC-SSD - Virtual Machine Connection.jpg

Select as relevant and click Yes to begin BitLocker encryption.

2018-03-16 01_29_13-Windows10-1709 on PC-SSD - Virtual Machine Connection.jpg



  1. Hey there,

    How does this work for devices that come pre-set with say something like AES-128? Does it check the current encryption level and decrypt the device if it is lower than the configuration policy? I’ve created one with XTS-AES256 and the machine is currently reading AES128.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s