Tenant setup 14 — Automatic BitLocker

Settings keep coming. Today: BitLocker — Microsoft's well-built disk encryption tool. We'll roll it out via Intune so disk theft and clone attacks become non-issues.

📘 Complete tenant-setup cookbook in one PDF
This article is part of the series. Full series + screenshots in one document: download PDF. (PDF is currently in Czech.)

We're slowly getting to device hardening. Almost anything you can imagine can be configured here, and even that is an understatement. Want to control what happens when a laptop closes? It's here. Want to block the dinosaur game in Chrome? Also here. A small disclaimer up front: the policies we'll go through in the next few articles aren't anything close to "everything you can do" — they're the ones that we, in practice, need on every PC.

Today: BitLocker, Microsoft's disk-encryption tool. BitLocker protects you against disk theft and PC cloning, and it's one of the better parts of Windows. Yes, it can be turned on manually, and on many machines device encryption is already on by default, but you definitely shouldn't rely on that.

Open Intune → Endpoint Security → Disk Encryption → Create Policy. Platform Windows, profile BitLocker. Name the policy.

Under BitLocker: Require Device Encryption → Enabled; Allow Warning For Other Disk Encryption → Disabled; Allow Standard User Encryption → Enabled; Configure Recovery Password Rotation → Not configured.

Under BitLocker Drive Encryption: Enabled for the dropdown; XTS-AES 256-bit for fixed, OS, and removable drives.

Under Operating System Drives: enforce Full encryption, allow TPM startup, and don't require an extra PIN (most people just want it to work). Save BitLocker recovery information to AD DS / Entra ID, don't enable BitLocker until that recovery information is stored, and omit the recovery options from the setup wizard. Under Fixed Data Drives: the same recovery story (256-bit recovery key, 48-digit recovery password, stored in AD DS / Entra ID). Removable drive encryption I leave off. That's it. Target the policy at your device group.
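An added example, not from the article or from Microsoft: a PowerShell check, run elevated on an enrolled device, that the policy above actually took effect. It uses the built-in BitLocker and Storage modules, and the expected values (XTS-AES 256, TPM protector, recovery password) are assumptions taken from the settings described above.

```powershell
# Added example, not part of the original article. Read-only check that a device
# ended up where the Intune policy above puts it; assumes the built-in BitLocker
# and Storage modules and an elevated prompt. Only the commented-out block at the
# end changes anything, and it merely re-uploads an existing recovery password.

$expectedMethod = 'XtsAes256'   # policy: XTS-AES 256-bit for OS and fixed drives
$problems = @()

foreach ($vol in Get-BitLockerVolume) {
    # Only lettered volumes; skip removable media, which the policy leaves alone.
    if ($vol.MountPoint -notmatch '^[A-Z]:$') { continue }
    $drive = Get-Volume -DriveLetter $vol.MountPoint.TrimEnd(':')
    if ($drive.DriveType -eq 'Removable') { continue }

    $types = $vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType
    $mp = $vol.MountPoint

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $problems += "${mp}: status $($vol.VolumeStatus), expected FullyEncrypted"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $problems += "${mp}: protection is $($vol.ProtectionStatus) (suspended or never enabled)"
    }
    if ($vol.EncryptionMethod -ne $expectedMethod) {
        $problems += "${mp}: cipher $($vol.EncryptionMethod), expected $expectedMethod"
    }
    # 'Allow TPM startup' without a PIN means the OS drive unlocks with a TPM
    # protector; every drive should also carry a 48-digit recovery password.
    if ($vol.VolumeType -eq 'OperatingSystem' -and 'Tpm' -notin $types) {
        $problems += "${mp}: no TPM protector (TPM absent or not ready?)"
    }
    if ('RecoveryPassword' -notin $types) {
        $problems += "${mp}: no recovery password protector, so nothing can be escrowed"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'All OS and fixed data volumes match the policy.' }

# Optional: a machine encrypted before enrollment may never have sent its recovery
# password to Entra ID. Re-escrow every recovery password protector (one call per
# protector ID); then confirm it appears on the device's record in the Entra portal.
# foreach ($vol in Get-BitLockerVolume) {
#     $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
#         ForEach-Object { BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $_.KeyProtectorId }
# }
```

Any warning the script prints maps directly to one of the policy settings above, which makes it a quick way to tell "policy assigned" apart from "policy applied" on a device that shows as compliant.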