Overview
The Devicie BitLocker template provides a starting point for organisations beginning their device encryption journey. It focuses on enabling and enforcing BitLocker on Windows devices and on requiring a Trusted Platform Module (TPM): BitLocker is not permitted on a device without a compatible TPM.
Intune Description:
Inspired by the CIS 3.0 global disk encryption requirements, without enforcing removable storage device encryption. TPM is required.
Scope:
This baseline should be applied to Windows devices.
Policy Impact Areas:
When deployed, this policy will impact:
- Enforcing BitLocker
Deployment Notes
Pre-Deployment Considerations:
- Ensure all devices have a TPM. Because "Allow BitLocker without a compatible TPM" is set to False, a device without a working TPM cannot enable BitLocker under this template and there is no password or startup-key fallback.
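The TPM check behind that pre-deployment step, as an added example (this is not Devicie's code and is not part of the template). It assumes the built-in TrustedPlatformModule module (Get-Tpm) and the Win32_Tpm CIM class, and is run elevated on a candidate device; the function name is an assumption.

```powershell
# Added example, not part of the Devicie template: pre-deployment TPM readiness check.
# Uses the built-in Get-Tpm cmdlet (TrustedPlatformModule module) and the Win32_Tpm
# CIM class; run it elevated on a candidate device before assigning the policy.
function Test-BitLockerTpmReadiness {
    [CmdletBinding()]
    param()

    $tpm    = Get-Tpm
    $tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion is a comma-separated string such as "2.0, 0, 1.38"; the first field is the TPM spec.
    $specVer = ([string]$tpmCim.SpecVersion -split ',')[0].Trim()

    $results = [ordered]@{
        'TPM present'   = [bool]$tpm.TpmPresent
        'TPM ready'     = [bool]$tpm.TpmReady
        'TPM enabled'   = [bool]$tpm.TpmEnabled
        'TPM activated' = [bool]$tpm.TpmActivated
        'TPM spec 2.0'  = ($specVer -eq '2.0')
        'UEFI firmware' = ($env:firmware_type -eq 'UEFI')   # TPM 2.0 requires UEFI boot mode
    }

    foreach ($name in $results.Keys) {
        $state = if ($results[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ('{0,-5} {1}' -f $state, $name)
    }

    $ready = -not ($results.Values -contains $false)
    if (-not $ready) {
        # The template sets "Allow BitLocker without a compatible TPM" to False, so this
        # device would stay unencrypted (and non-compliant) after the policy is assigned.
        Write-Warning 'Device is not TPM-ready; it will not encrypt under the DEVICIE-PROD-BitLocker template.'
    }
    return $ready
}

Test-BitLockerTpmReadiness
```

Run it locally, or wrap the function in Invoke-Command to sweep a pilot group before assignment; any FAIL row is a device that will not pick up BitLocker under this template.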
Post-Deployment Validation:
- Verify BitLocker enforcement on the device: protection is on, and the cipher and key protectors match the Configuration Settings table below.
Configuration Settings
Name | Value
--- | ---
Administrative Templates |
Fixed Data Drives |
Enforce drive encryption type on fixed data drives | Enabled
Select the encryption type: (Device) | Used Space Only encryption
Choose how BitLocker-protected fixed drives can be recovered | Enabled
Configure user storage of BitLocker recovery information: | Allow 256-bit recovery key; Allow 48-digit recovery password
Allow data recovery agent | False
Configure storage of BitLocker recovery information to AD DS: | Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives | True
Omit recovery options from the BitLocker setup wizard | False
Save BitLocker recovery information to AD DS for fixed data drives | True
Operating System Drives |
Enforce drive encryption type on operating system drives | Enabled
Select the encryption type: (Device) | Used Space Only encryption
Require additional authentication at startup | Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) | False
Configure TPM startup key and PIN: | Do not allow startup key and PIN with TPM
Configure TPM startup key: | Do not allow startup key with TPM
Configure TPM startup PIN: | Do not allow startup PIN with TPM
Configure TPM startup: | Require TPM
Configure minimum PIN length for startup | Disabled
Disallow standard users from changing the PIN or password | Enabled
Choose how BitLocker-protected operating system drives can be recovered | Enabled
Configure user storage of BitLocker recovery information: | Allow 256-bit recovery key; Allow 48-digit recovery password
Allow data recovery agent | False
Configure storage of BitLocker recovery information to AD DS: | Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives | True
Omit recovery options from the BitLocker setup wizard | True
Save BitLocker recovery information to AD DS for operating system drives | True
Allow enhanced PINs for startup | Enabled
BitLocker Drive Encryption |
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) | Enabled
Select the encryption method for fixed data drives: | XTS-AES 128-bit (default)
Select the encryption method for operating system drives: | XTS-AES 128-bit (default)
Select the encryption method for removable data drives: | AES-CBC 256-bit
BitLocker |
Require Device Encryption | Enabled
Allow Warning For Other Disk Encryption | Disabled
Allow Standard User Encryption | Enabled
Configure Recovery Password Rotation | Refresh on for both Azure AD-joined and hybrid-joined devices
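A device-side check for the Post-Deployment Validation step, as an added example (not Devicie's code and not part of the template). It compares a device's live BitLocker state with the values in the table above using only the built-in BitLocker and Storage modules (Get-BitLockerVolume, Get-Volume); the function name is an assumption, and the escrow check relies on event IDs 845/846 in the BitLocker management log, which is an assumption to confirm in your environment.

```powershell
# Added example, not part of the Devicie template: post-deployment check that a device's
# BitLocker state matches the Configuration Settings table in this document. Uses only the
# built-in BitLocker and Storage modules (Get-BitLockerVolume, Get-Volume); run elevated.
# Expected values come from the table; the escrow event IDs (845/846) are an assumption.
$Expected = @{
    EncryptionMethod = 'XtsAes128'                   # XTS-AES 128-bit on OS and fixed drives
    OsProtectors     = @('Tpm', 'RecoveryPassword')   # Require TPM; 48-digit recovery password
    OsForbidden      = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey')
}

function Test-DevicieBitLockerCompliance {
    [CmdletBinding()]
    param()

    $failures = [System.Collections.Generic.List[string]]::new()

    foreach ($vol in Get-BitLockerVolume) {
        $mp    = $vol.MountPoint
        $drive = Get-Volume -DriveLetter $mp.TrimEnd(':') -ErrorAction SilentlyContinue
        # The template does not enforce removable drives, so they are out of scope here.
        if ($drive -and $drive.DriveType -eq 'Removable') { continue }

        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        if ($vol.ProtectionStatus -ne 'On') {
            $failures.Add("${mp}: protection is $($vol.ProtectionStatus), expected On")
        }
        if ($vol.VolumeStatus -notin 'FullyEncrypted', 'EncryptionInProgress') {
            $failures.Add("${mp}: volume status is $($vol.VolumeStatus)")
        }
        if ($vol.EncryptionMethod -ne $Expected.EncryptionMethod) {
            $failures.Add("${mp}: cipher is $($vol.EncryptionMethod), expected $($Expected.EncryptionMethod)")
        }
        if ($types -notcontains 'RecoveryPassword') {
            $failures.Add("${mp}: no 48-digit recovery password protector (needed for escrow and rotation)")
        }
        if ($vol.VolumeType -eq 'OperatingSystem') {
            foreach ($p in $Expected.OsProtectors) {
                if ($types -notcontains $p) { $failures.Add("${mp}: missing $p protector") }
            }
            foreach ($p in $Expected.OsForbidden) {
                if ($types -contains $p) { $failures.Add("${mp}: $p protector present; template allows TPM-only") }
            }
        }
    }

    # Escrow check (assumption): the BitLocker management log records a successful
    # recovery key backup to Entra ID / AD DS as event 845 and a failed one as 846.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846
    } -MaxEvents 20 -ErrorAction SilentlyContinue
    if (-not ($events | Where-Object Id -eq 845)) {
        $failures.Add('No successful recovery key backup (event 845) found in the BitLocker management log')
    }

    if ($failures.Count -eq 0) {
        Write-Host 'PASS: device matches the DEVICIE-PROD-BitLocker template'
        return $true
    }
    $failures | ForEach-Object { Write-Host "FAIL: $_" }
    return $false
}

Test-DevicieBitLockerCompliance
```

Because the template disallows startup PIN and startup key protectors, the check treats TpmPin, TpmStartupKey and TpmPinStartupKey on the operating system drive as failures; for the same reason the PIN-related rows in the table (minimum PIN length, enhanced PINs, standard users changing the PIN) have no effect unless a PIN is later permitted. TPM-only protection unlocks the operating system drive with no pre-boot authentication, which is the trade-off this template makes, so the recovery password escrow check is the one to watch most closely.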
Devicie Template Name: BitLocker
Default Intune Deployed Name: DEVICIE-PROD-BitLocker
Version: 062025
Template Last Updated: Nov 18, 2024
Document Last Updated: June 02, 2025