BitLocker Recommendation

At minimum, we recommend storing all BitLocker Recovery keys in AD/Entra before encrypting OS Drives. These settings can be applied through Intune without turning encryption on or off on the device, but will take effect if/when drive encryption is turned on.

  1. Log in to the Intune console at https://intune.microsoft.com.
  2. Click on the Endpoint security tab on the left-hand side.
  3. Click on Disk encryption.
  4. Click + Create Policy. Alternatively, you can edit a current policy.
  5. For Platform, select Windows, and for Profile, select BitLocker.
  6. Click Create.
    (Screenshot: Create-a-Profile-Panel.png)
  7. Give your new policy a Name and Description.
  8. Click Next.
  9. On the next page, there are many configuration options. If you do not change a setting, that setting will remain at the default, and the end user will be able to change it. We are only focusing on three settings in particular for this guide.
    1. Expand Operating System Drives.
    2. Change the Choose how BitLocker-protected operating system drives can be recovered setting to Enabled. This will open up additional options.
    3. Change the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives toggle to True.
    4. Change the Save BitLocker recovery information to AD DS for operating system drives toggle to True.
      (Screenshot: Configuration-option-list.png)
  10. Feel free to configure any additional settings as needed and click Next.
  11. Assign scope tags on this page if you use this feature. Scope Tags are mainly organizational and purely optional in Intune. Click Next.
  12. This is the assignments page. You can assign this policy to groups of Computers and/or Users or even All devices, which is recommended to ensure all devices are storing their keys in AD/Entra before encryption.
  13. Click Next.
  14. On the Review/Create page, verify what you have configured.
  15. Click Save to deploy. 
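After the policy has applied, it is worth confirming on a device that the two settings actually landed and that the OS drive's recovery password has been escrowed. The script below is an added example and is not part of the original article or an Intune/Microsoft artifact. It assumes an elevated PowerShell session on an Entra-joined or hybrid-joined Windows 10/11 device with the built-in BitLocker module, and it assumes that the two toggles above are written as the `OSActiveDirectoryBackup` and `OSRequireActiveDirectoryBackup` values under the FVE policy registry key (the same values the equivalent Group Policy uses).

```powershell
# Added verification script (not from the original article).
# Assumptions: elevated session, BitLocker module present, device is Entra-joined or
# hybrid-joined, and the Intune OS-drive recovery settings are reflected in the
# HKLM:\SOFTWARE\Policies\Microsoft\FVE policy values checked below.
#Requires -RunAsAdministrator

function Test-BitLockerRecoveryPolicy {
    # Policy registry values expected once the Intune profile has applied.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $required = [ordered]@{
        OSActiveDirectoryBackup        = 1   # "Save BitLocker recovery information to AD DS for operating system drives"
        OSRequireActiveDirectoryBackup = 1   # "Do not enable BitLocker until recovery information is stored to AD DS"
    }
    $results = foreach ($name in $required.Keys) {
        $actual = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $required[$name]
            Actual   = $actual
            Ok       = ($actual -eq $required[$name])
        }
    }
    return $results
}

function Backup-OsDriveRecoveryKeyToEntra {
    param([string]$MountPoint = $env:SystemDrive)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    # Only numerical recovery passwords are escrowed; TPM protectors are not.
    $protectors = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $protectors) {
        Write-Warning "No RecoveryPassword protector on $MountPoint (drive may not be encrypted yet); nothing to escrow."
        return $null
    }
    foreach ($p in $protectors) {
        # Escrow the recovery password to Entra ID; it then appears under the device in Intune/Entra.
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        [pscustomobject]@{
            MountPoint     = $MountPoint
            KeyProtectorId = $p.KeyProtectorId
            EscrowedTo     = 'Entra ID'
        }
    }
}

# Usage: report policy state, then escrow the OS drive's recovery password(s).
Test-BitLockerRecoveryPolicy | Format-Table -AutoSize
Backup-OsDriveRecoveryKeyToEntra | Format-Table -AutoSize
```

If `Test-BitLockerRecoveryPolicy` shows `Actual` as empty, the profile has not synced yet; force a sync from the Intune device page or `Settings > Accounts > Access work or school` before assuming the toggles were misconfigured. On a hybrid-joined device the `OSRequireActiveDirectoryBackup` value also means encryption will not start while the device cannot reach a domain controller or Entra, which is the intended safety behaviour of the policy.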
