BitLocker Configuration Options and Policy Settings

Overview

BitLocker is a built-in encryption feature in Windows that helps protect data by encrypting entire drives. This article outlines the available methods to configure BitLocker, licensing requirements, and policy settings applicable via Configuration Service Provider (CSP) and Group Policy (GPO). Refer to the Microsoft Learn knowledge base article Configure Bitlocker for additional information.

Configuration Methods

You can configure BitLocker using one of the following options:

1. Intune - Configuration Service Provider (CSP)

  • Used for devices managed by Mobile Device Management (MDM) solutions like Microsoft Intune.
  • BitLocker CSP allows configuration and status reporting to the MDM.
  • BitLocker status can be used in compliance policies and Conditional Access rules.
  • Conditional Access can restrict access to services like Exchange Online and SharePoint Online based on BitLocker status.

Related Intune Articles:

2. Group Policy (GPO)

  • Suitable for devices joined to Active Directory or using local group policy editor.
  • Ideal for environments not using MDM solutions.
Important Notes
  • Windows Server does not support BitLocker configuration via CSP or Configuration Manager. Use GPO instead.
  • Some BitLocker settings are exclusive to either CSP or GPO.
  • Most settings are enforced only when BitLocker is first enabled; changing settings later does not re-encrypt drives.

BitLocker Policy Settings

BitLocker policies are categorized as follows:

  • Common settings – apply to all BitLocker-protected drives
  • Operating system drive – apply to the Windows OS drive
  • Fixed data drives – apply to local non-OS drives
  • Removable data drives – apply to USB and external drives

Common Settings Overview

Policy Name CSP GPO
Allow standard user encryption
Choose default folder for recovery password
Choose drive encryption method and cipher strength
Configure recovery password rotation
Disable new DMA devices when computer is locked
Prevent memory overwrite on restart
Provide unique identifiers for your organization
Require device encryption
Validate smart card certificate usage rule

Policy Highlight: Allow Standard User Encryption

This policy enforces device encryption even when the logged-in user lacks administrative rights. It is useful in scenarios where BitLocker must be enabled without elevating privileges.

How To

Creating the BitLocker CSP in Intune

To configure BitLocker using Intune and the BitLocker CSP, follow these steps:

Step 1: Create a Device Configuration Profile

  1. Go to the Microsoft Intune admin center.
  2. Navigate to Devices > Configuration profiles > Create profile.
  3. Choose:
    • Platform: Windows 10 and later
    • Profile type: Endpoint protection

Step 2: Configure BitLocker Settings

  1. In the Endpoint protection profile, select BitLocker.
  2. Configure the following settings as needed:
    • Require device encryption
    • Encryption method
    • Start-up authentication
    • Recovery options
  3. Save and assign the profile to the appropriate device groups.

Step 3: Monitor Compliance

  • Use Device compliance policies to enforce BitLocker requirements.
  • Combine with Conditional Access to restrict access to corporate resources if BitLocker is not enabled.

Tip: You can also use reporting features in Intune to monitor encryption status across your device fleet.

Creating and Managing Settings Using Group Policy

Group Policy in Windows allows administrators to centrally manage and configure operating system, application, and user settings in an Active Directory environment.

Create a Group Policy Object (GPO)

  1. Open Group Policy Management Console (GPMC)

    • On a domain controller or a system with GPMC installed, open Group Policy Management from the Start menu or run gpmc.msc.

  2. Create a New GPO

    • In the left pane, expand your forest and domain.
    • Right-click on the Group Policy Objects container and select New.
    • Name your GPO descriptively.

  3. Edit the GPO

    • Right-click the newly created GPO and choose Edit.
    • Use the Group Policy Management Editor to configure settings under:
      • Computer Configuration (applies to machines)
      • User Configuration (applies to users)

  4. Configure Specific Settings

    • Navigate to the appropriate policy path (e.g., Administrative Templates > System > Device Installation).
    • Double-click a setting, choose Enabled/Disabled, and configure options as needed.

  5. Link the GPO to an Organizational Unit (OU)

    • In GPMC, right-click the target OU and select Link an Existing GPO.
    • Choose your GPO from the list.

  6. Force Group Policy Update (Optional)

    • Run gpupdate /force on target machines to apply changes immediately.

Tips for Effective Group Policy Use

  • Use Descriptive Names for GPOs to simplify management.
  • Document Changes for auditing and troubleshooting.
  • Test Policies in a staging OU before deploying to production.
  • Use Security Filtering to apply GPOs only to specific users or computers.

* Portions of this KB were generated using MS Copilot.

Print Article