Disk Encryption (BitLocker)
Understanding the Concept
BitLocker disk encryption in Intune can be configured silently without user interaction. Silent encryption requires TPM 2.0 and Azure AD joined or hybrid Azure AD joined devices. Intune manages recovery key escrow to Azure AD automatically.
Endpoint security disk encryption policies configure BitLocker settings: encryption method (XTS-AES 256-bit recommended), OS drive encryption, fixed data drive encryption, removable drive encryption, and recovery key rotation.
BitLocker recovery keys are stored in Azure AD and accessible from the Intune admin center. Key rotation can be configured to generate a new recovery key automatically after one has been used, so a key disclosed during a recovery event cannot be reused later.
Key Points
- Silent BitLocker encryption: no user interaction required
- Requires TPM 2.0 for silent encryption
- Recovery keys automatically escrowed to Azure AD
- Configure encryption method, drive types, and startup authentication
- Recovery key rotation after use for continued security
- Monitor encryption status from Intune admin center
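The following is an added example, not from the lesson or from Microsoft: a PowerShell baseline check, run in an elevated session on an Intune-managed Windows device, that verifies the silent-encryption prerequisites and the state described above (TPM 2.0, OS drive fully encrypted with XTS-AES 256, a recovery password protector present, and evidence that it was escrowed to Azure AD). The function name, its parameters and the output field names are my own; the cmdlets and the event ID are the built-in ones.

```powershell
# Added example (not Intune's or the lesson's own code). Requires the built-in
# BitLocker and TrustedPlatformModule modules and an elevated session.
function Test-BitLockerBaseline {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$EscrowIfMissing   # re-run the Azure AD backup when no escrow event is found
    )

    # TPM 2.0 is the prerequisite the silent-encryption policy depends on.
    $tpmInfo  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $tpmReady = (Get-Tpm).TpmReady
    $tpm20    = $tpmInfo -and (($tpmInfo.SpecVersion -split ',')[0].Trim() -eq '2.0')

    # Volume state: status, encryption method, and which protectors exist.
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Event 845 in the BitLocker Management log records a successful recovery-key backup to Azure AD.
    $escrowed = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    if (-not $escrowed -and $EscrowIfMissing -and $recovery.Count -gt 0) {
        # Push the recovery password protector to Azure AD (the same escrow Intune performs).
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery[0].KeyProtectorId
    }

    # One object per drive so results can be collected centrally or compared against the policy.
    [pscustomobject]@{
        Drive                  = $MountPoint
        Tpm20Ready             = [bool]($tpm20 -and $tpmReady)
        VolumeStatus           = $vol.VolumeStatus          # expect FullyEncrypted
        ProtectionOn           = ($vol.ProtectionStatus -eq 'On')
        EncryptionMethod       = $vol.EncryptionMethod       # expect XtsAes256 per the policy
        MethodIsXtsAes256      = ($vol.EncryptionMethod -eq 'XtsAes256')
        RecoveryProtectorCount = $recovery.Count             # expect at least 1
        EscrowEventFound       = [bool]$escrowed
    }
}

Test-BitLockerBaseline | Format-List
```

A device that reports Tpm20Ready false or no recovery protector will not encrypt silently, which is the case the lesson's "existing unencrypted devices" point refers to.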
Why This Matters in Real Organizations
Disk encryption is essential for protecting data on lost or stolen devices. Silent BitLocker deployment through Intune ensures all devices are encrypted without relying on user action, meeting compliance requirements for data protection.
Common Mistakes to Avoid
Interview Tips
- Explain silent BitLocker deployment through Intune
- Discuss recovery key management and rotation
- Describe how you handle BitLocker on existing unencrypted devices
Exam Tips (MD-102)
- Know silent encryption requirements (TPM 2.0, Azure AD join)
- Understand recovery key escrow and rotation
- Know BitLocker encryption methods and their differences