At minimum, we recommend storing all BitLocker recovery keys in the appropriate directory based on device join type:
- Microsoft Entra ID (recommended for cloud-managed devices)
- Active Directory (AD DS) for domain-joined devices
Future Alignment & Modernization: Microsoft continues to move toward cloud-first security models, making Entra ID-based key storage the recommended long-term approach for all modern endpoints.
Know Your Device Type
Before configuring your policies, it is essential to understand how your devices are managed, as this explains why settings behave differently and helps reduce confusion for IT admins:
- Entra ID joined: Utilizes Entra key storage.
- Hybrid Azure AD joined: Utilizes both Entra + AD DS key storage.
- AD only (On-Premises): Utilizes AD DS key storage.
Caution: This policy ensures recovery keys are stored safely, but does not enable BitLocker encryption by itself. These settings can be applied through Intune without turning encryption on or off on the device, but will take effect if/when drive encryption is turned on. Clarifying this upfront prevents "Why didn't encryption start?" support tickets.
Modern Deployment Integration: These settings are fully optimized to align with how districts actually deploy devices today. Specifically, they support:
- Silent BitLocker enablement
- Windows Autopilot deployments
- Zero-touch device security
Step-by-Step Configuration
Minimum Required Settings Summary
To complete this deployment successfully, you will be configuring three critical pillars:
- Enable recovery configuration (opens up necessary recovery options).
- Require key escrow (blocks encryption until the key is safely backed up).
- Configure storage location (targets AD DS, Entra ID, or both based on your environment).
Note: BitLocker policies can be configured in Intune using either the Settings Catalog (a modern, granular option) or via Endpoint Security (recommended for most standard scenarios to simplify management). This guide walks through the Endpoint Security path.
Warning: Avoid configuring BitLocker in multiple policy types (Endpoint Security, Settings Catalog, or Security Baselines) simultaneously. Doing so is one of the top real-world issues in school districts and can cause policy conflicts that prevent successful encryption deployment.
- Log in to the Intune console at https://intune.microsoft.com.
- Click on the Endpoint security tab on the left-hand side.
- Click on Disk encryption.
- Click + Create Policy. Alternatively, you can edit a current policy.
- For Platform, select Windows, and for Profile, select BitLocker.
- Click Create.
- Give your new policy a Name and Description.
- Click Next.
- On the next page, there are many configuration options. If you do not change a setting, that setting will remain at the default, and the end user will be able to change it. We are only focusing on three settings in particular for this guide.
- Expand Operating System Drives.
- Change the Choose how BitLocker-protected operating system drives can be recovered setting to Enabled. This will open up additional options.
- Change the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives toggle to True. This prevents encryption from starting until the recovery key has been successfully backed up, and it is the critical step that keeps you from ending up with unrecoverable devices.
- Change the Save BitLocker recovery information to AD DS for operating system drives toggle to True.
Note: For Entra ID joined devices, ensure BitLocker recovery keys are automatically backed up to Microsoft Entra ID. Most districts are now cloud-managed or hybrid; ensuring this configuration prevents major recovery failures in modern deployments.
- Understanding the recovery settings shown on this page:
- 48-digit recovery password = Standard helpdesk recovery method.
- Key packages = Optional and used for advanced recovery scenarios.
- Feel free to configure any additional settings as needed and click Next.
- Assign scope tags on this page if you use this feature. Scope Tags are mainly organizational and purely optional in Intune. Click Next.
- This is the assignments page. Assign to:
- A pilot device group first.
- Then, gradually expand to all devices.
- Always use device-based groups (not user groups).
- Click Next.
- On the Review/Create page, verify what you have configured.
- Click Save to deploy.
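Once the policy has applied, the three settings above only succeed if the OS drive actually has a recovery password protector and that protector has been escrowed to the right directory. The following device-side check is an added example, not part of the original guide: it reads the join type with dsregcmd, confirms a recovery password protector exists on C:, and pushes a copy to Entra ID and/or AD DS using the built-in BitLocker module cmdlets. It assumes it runs elevated on a Windows device; it does not turn encryption on or off.

```powershell
# Added example (not from the original guide). Assumes: elevated PowerShell, the
# built-in BitLocker module, and that C: is the operating system drive.
$MountPoint = 'C:'

# Determine join type so the escrow target matches the policy's storage location
$status       = dsregcmd /status
$entraJoined  = [bool]($status | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($status | Select-String 'DomainJoined\s*:\s*YES')
Write-Host "Entra joined: $entraJoined  Domain joined: $domainJoined"

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Volume status: $($vol.VolumeStatus)  Protection: $($vol.ProtectionStatus)"

# The 48-digit recovery password is what the helpdesk will hand out; without
# this protector there is nothing to escrow and recovery will fail.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning "No RecoveryPassword protector on $MountPoint; policy has not produced an escrowable key yet."
    return
}

foreach ($kp in $recovery) {
    if ($entraJoined) {
        # Same operation the Intune policy triggers for Entra ID / hybrid devices
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        Write-Host "Escrowed $($kp.KeyProtectorId) to Microsoft Entra ID"
    }
    if ($domainJoined) {
        # Writes the msFVE-RecoveryInformation object under the computer account in AD DS
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        Write-Host "Escrowed $($kp.KeyProtectorId) to AD DS"
    }
    if (-not ($entraJoined -or $domainJoined)) {
        Write-Warning "Device is neither Entra nor domain joined; key $($kp.KeyProtectorId) cannot be escrowed."
    }
}

# Recent backup events from the BitLocker management log confirm success or failure
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'backed up' } |
    Select-Object TimeCreated, Id, @{n='Message';e={ $_.Message.Split("`n")[0] }}
```

Run this on a pilot device before widening assignments; a device that reports a protector but no successful backup event is the case that generates the lockout tickets the policy is meant to prevent.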
Helpdesk & Recovery Operations
Configuring the policy is only half the battle; it must connect directly to real district workflows. Ensure that your frontline support and helpdesk teams are trained, have the appropriate administrative permissions, and are fully capable of retrieving these escrowed recovery keys when a user is locked out. Depending on your environment, they must know how to pull keys from:
- Microsoft Entra ID (for cloud-managed and modern hybrid endpoints).
- Active Directory (AD DS) (for traditional domain-joined endpoints).
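For the helpdesk side, the following lookup is an added example, not part of the original guide: given a device name, it pulls the escrowed recovery passwords from Entra ID through Microsoft Graph and from AD DS through the ActiveDirectory module, so the same procedure works for cloud-managed, hybrid and domain-only devices. It assumes the Microsoft.Graph and ActiveDirectory PowerShell modules are installed and that the operator holds a role permitted to read BitLocker keys.

```powershell
# Added example (not from the original guide). Assumes: Microsoft.Graph and
# ActiveDirectory modules installed, and an operator role allowed to read keys
# (these reads are logged in the Entra audit log and in AD DS auditing).
param([Parameter(Mandatory)][string]$DeviceName)

function Get-EntraRecoveryKey {
    param([string]$Name)
    Connect-MgGraph -Scopes 'BitLockerKey.Read.All', 'Device.Read.All' | Out-Null
    $devices = Get-MgDevice -Filter "displayName eq '$Name'"
    foreach ($d in $devices) {
        # The list call returns metadata only; the key value must be requested per key id
        Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($d.DeviceId)'" |
            ForEach-Object {
                $full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $_.Id -Property key
                [pscustomobject]@{
                    Source  = 'Entra ID'; Device = $d.DisplayName
                    KeyId   = $_.Id;     Created = $_.CreatedDateTime
                    Key     = $full.Key
                }
            }
    }
}

function Get-AdDsRecoveryKey {
    param([string]$Name)
    $computer = Get-ADComputer -Identity $Name -ErrorAction Stop
    # Recovery passwords are stored as msFVE-RecoveryInformation child objects of the computer
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        ForEach-Object {
            [pscustomobject]@{
                Source = 'AD DS'; Device = $Name
                KeyId  = $_.Name; Created = $_.whenCreated
                Key    = $_.'msFVE-RecoveryPassword'
            }
        }
}

# Query both stores; hybrid devices should show the same password in each
$results = @()
$results += Get-EntraRecoveryKey -Name $DeviceName
$results += Get-AdDsRecoveryKey  -Name $DeviceName
if (-not $results) { Write-Warning "No escrowed recovery key found for $DeviceName in either directory." }
$results | Sort-Object Created -Descending | Format-Table Source, Device, KeyId, Created, Key -AutoSize
```

The KeyId column matches the key protector ID shown in the BitLocker recovery screen on the locked device, which is how the helpdesk confirms it is reading out the right password when more than one exists.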