BitLocker is a Windows full-disk encryption feature that protects device data at rest.
Mobile Guardian supports two methods for deploying BitLocker policy to enrolled Windows devices: a dashboard-based approach using Windows MDM Settings, and a custom OMA-URI approach for admins who need granular control over specific enforcement settings. Both methods push configuration through Microsoft Intune to enrolled devices.
What You Will Learn
- How BitLocker encryption maps to Profiles in Mobile Guardian
- How to configure BitLocker using the dashboard (Windows MDM Settings)
- How to configure BitLocker using custom OMA-URI entries in Intune
- How to verify encryption status on enrolled devices
Prerequisites
- Windows 10/11 Pro, Enterprise or Education (full BitLocker management is not available on Home editions, which only offer the limited Device Encryption feature)
- Devices enrolled in Mobile Guardian via Microsoft Intune (see Windows OS Onboarding: Part 1)
- Admin access to the Mobile Guardian Dashboard
- Admin access to Microsoft Intune
How BitLocker Fits Into Mobile Guardian Profiles
BitLocker configuration in Mobile Guardian is applied at the profile level, not per-device. Encryption policy is defined once in a profile and pushed to all devices assigned to that profile.
Recommended profile structure for BitLocker:
| Profile Type | Use Case |
|---|---|
| Baseline Profile | Apply a standard encryption policy to all enrolled Windows devices as a default safety net |
| Conditional Profile | Apply stricter or device-specific encryption requirements to a defined group (e.g., staff devices, lab devices) based on tags or device ownership |
Note: All devices will have a baseline profile applied. Use a conditional profile when you need encryption settings that differ from the school-wide default — for example, enforcing TPM + PIN for staff devices while using TPM-only for student devices.
Method 1: Dashboard-Based Configuration (Windows MDM Settings)
This method uses the built-in Windows MDM settings in the Mobile Guardian dashboard. It is the recommended starting point for most schools.
Step 1: Access Windows MDM Settings
- Navigate to Settings in the left-hand menu
- Select Windows MDM Settings
Note: Windows MDM Settings are global and apply to all Windows devices enrolled in your school account. Profile-level overrides are configured within the Profiles section.
Step 2: Enable BitLocker
Under the Encryption section:
- Locate BitLocker Drive Encryption
- Toggle Enable BitLocker to On
Step 3: Configure Encryption Options
Configure the following settings based on your school's requirements:
Operating System Drive
- Require device encryption: Set to Enabled
- Encryption method: Select XTS-AES 128-bit (recommended; the Windows default and adequate for most deployments) or XTS-AES 256-bit for higher security at a small performance cost
- Startup authentication: Choose the authentication method required at boot:
- TPM only — Device unlocks automatically using the Trusted Platform Module chip (recommended for student devices)
- TPM + PIN — Requires the user to enter a PIN at startup (recommended for staff or high-security devices)
- TPM + Startup key — Requires a USB key at startup
Fixed Data Drives
- Encrypt fixed data drives: Set to Enabled
- Deny write access to fixed drives not protected by BitLocker: Set to Enabled (recommended)
Removable Data Drives
- Deny write access to removable drives not protected by BitLocker: Set to Enabled or Disabled depending on your USB policy
Note: TPM only is the lowest-friction option for student devices: it requires no action at startup, and it is the only startup mode that Intune can enable silently, with no user interaction. TPM + PIN is recommended for staff or admin devices that may leave school premises, but the user must be present to set the PIN, so it cannot be rolled out silently.
Step 4: Configure Recovery Key Storage
- Store BitLocker recovery information in Azure AD: Set to Enabled
- Recovery key storage: Select Recovery password and key package
Important: Confirm recovery keys are being escrowed to Azure AD before enforcing encryption. A device that enters BitLocker recovery (for example after a firmware update or hardware change alters the TPM measurements) can only be unlocked with its recovery key; without an escrowed key the only option is to wipe the device.
Step 5: Save and Apply
- Click Save Changes at the bottom of the Windows MDM Settings page
- The policy is pushed to enrolled devices on their next Intune check-in (typically within 15 minutes for an online device; a sync can be forced on the device from Settings > Accounts > Access work or school > Info > Sync)
Method 2: Custom OMA-URI Configuration (Advanced)
This method uses individual OMA-URI entries in Microsoft Intune's Custom profile type to enforce specific BitLocker settings at the CSP level. It is suited to admins who need precise control over enforcement behaviour, or who are deploying alongside an existing Intune setup.
Note: This method covers enforcement settings only. For full BitLocker policy configuration — encryption method (XTS-AES 128/256), startup authentication (TPM, TPM + PIN), and recovery key escrow — use Intune's Endpoint Security > Disk Encryption profile, which exposes those controls in a guided UI. See Step 2 below.
Step 1: OMA-URI Entries
The following BitLocker CSP nodes can be deployed as individual Custom OMA-URI entries in Intune. Each row is added as a separate entry.
| OMA-URI | Data Type | Value | Purpose |
|---|---|---|---|
| ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption | Integer | 1 | Enforce BitLocker encryption on the device |
| ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption | Integer | 0 | Suppress user prompt; enables silent encryption deployment |
| ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption | Integer | 1 | Allow encryption to trigger without local admin rights on the device |
Note: AllowStandardUserEncryption only takes effect when AllowWarningForOtherDiskEncryption is set to 0, so both must be deployed together for silent standard-user encryption to work. Silent encryption also requires a present and ready TPM, TPM-only startup authentication (no PIN or startup key), no third-party disk encryption on the device, and an Azure AD joined device so the recovery key has somewhere to escrow.
Step 2: Configure Full Policy Settings via Endpoint Security
For encryption method, startup authentication, and recovery key options, use Intune's built-in BitLocker profile rather than custom OMA-URI entries:
- Sign in to the Microsoft Intune Admin Centre
- Navigate to Endpoint security > Disk encryption > Create Policy
- Platform: Windows 10 and later
- Profile: BitLocker
- Configure encryption method, startup authentication, and recovery key escrow settings as required
- Assign to the relevant group and click Create
Step 3: Deploy Custom OMA-URI Entries via Intune
- Sign in to the Microsoft Intune Admin Centre
- Navigate to Devices > Manage Devices > Configuration > Create > New Policy
- Platform: Windows 10 and later
- Profile type: Templates > Custom
- Click Create and enter a descriptive name (e.g. Mobile Guardian BitLocker Enforcement)
- Under OMA-URI Settings, click Add and enter each row from the table in Step 1 as a separate entry
- Assign to the relevant group (e.g. Students or Staff) and click Review + Create
Step 4: Link the Policy Back to Mobile Guardian Profiles
- Navigate to Profiles in the Mobile Guardian left-hand menu
- Select the Baseline Profile (for school-wide enforcement) or the relevant Conditional Profile
- Under the What section of the profile, confirm that Windows device settings are active for the assigned group
- The Intune policy will apply automatically to any device enrolled in the matching Azure AD group
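The same Custom profile from Steps 1 and 3 can be created and assigned with Microsoft Graph instead of clicking through the portal, which is useful when you need the three OMA-URI entries to be identical across several tenants or want them under version control. The script below is an added example, not Mobile Guardian's or Microsoft's code. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin has the DeviceManagementConfiguration.ReadWrite.All permission; the profile name and the group object ID are placeholders you replace with your own, and the Graph beta endpoint is used because that is where the windows10CustomConfiguration type is exposed.

```powershell
# Added example (not from the original page): create the "Mobile Guardian BitLocker
# Enforcement" Custom profile via Microsoft Graph, assign it to a group, and read it
# back. Requires the Microsoft.Graph.Authentication module and an admin with the
# DeviceManagementConfiguration.ReadWrite.All scope.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

# One omaSettingInteger per row of the OMA-URI table in Step 1.
$omaSettings = @(
    @{
        "@odata.type" = "#microsoft.graph.omaSettingInteger"
        displayName   = "RequireDeviceEncryption"
        description   = "Enforce BitLocker on the device"
        omaUri        = "./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption"
        value         = 1
    },
    @{
        "@odata.type" = "#microsoft.graph.omaSettingInteger"
        displayName   = "AllowWarningForOtherDiskEncryption"
        description   = "0 = suppress the end-user prompt so encryption starts silently"
        omaUri        = "./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption"
        value         = 0
    },
    @{
        "@odata.type" = "#microsoft.graph.omaSettingInteger"
        displayName   = "AllowStandardUserEncryption"
        description   = "Let encryption start under a standard (non-admin) user; needs the node above set to 0"
        omaUri        = "./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption"
        value         = 1
    }
)

# Placeholder display name; $PROFILE is an automatic variable, so use another name.
$customProfile = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = "Mobile Guardian BitLocker Enforcement"
    description   = "Silent BitLocker enforcement via BitLocker CSP OMA-URIs"
    omaSettings   = $omaSettings
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" `
    -Body ($customProfile | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assign to an Azure AD group. Placeholder object ID: look yours up with Get-MgGroup.
$groupId = "00000000-0000-0000-0000-000000000000"
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Read the stored profile back and list each OMA-URI with its value, so a typo in a
# node path or a swapped 0/1 is caught before devices pick the policy up.
Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)" |
    Select-Object -ExpandProperty omaSettings |
    Select-Object omaUri, value
```

The read-back at the end is the part worth keeping even if you create the profile in the portal: a single wrong character in an OMA-URI path produces a setting that Intune reports as applied but that the BitLocker CSP silently ignores.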
Verifying Encryption Status
Once the policy has been pushed, you can verify encryption status from the Mobile Guardian dashboard, from the device directly, or from Microsoft Intune.
From the Mobile Guardian Dashboard
- Navigate to Devices in the left-hand menu
- Select All Devices and locate the Windows device
- Click the eye icon to open the Device Information view
- Under the Device Details section, check the Encryption Status field
Note: Encryption status may take up to 30 minutes to update in the dashboard after the policy is first applied, depending on drive size and device performance.
From the Device Directly
- Open File Explorer
- Right-click the C: drive
- A padlock icon on the drive indicates BitLocker is active
- Select Manage BitLocker to view encryption status and recovery key details
From Microsoft Intune
- Navigate to Devices > Monitor > Encryption report in the Intune Admin Centre
- Select the device and confirm Encryption status shows Encrypted
- To confirm escrow, open the device under Devices > All Devices and select Recovery keys; at least one BitLocker recovery key should be listed for the OS drive
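For devices you can reach directly, the following script checks the same three things from an elevated PowerShell prompt: that the OS drive is encrypted with protection on, that the TPM is present and ready (the first troubleshooting cause below), and that a recovery password protector exists and has been escrowed to Azure AD. It is an added example, not part of the original page, and uses only the built-in BitLocker and TrustedPlatformModule cmdlets; the re-escrow step is idempotent, so it is safe to run on a device whose key is already backed up.

```powershell
# Added example (not from the original page): verify BitLocker state, TPM readiness
# and recovery-key escrow on an enrolled Windows device. Run elevated.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

# 1. Is the OS drive fully encrypted, and is protection actually on?
#    ProtectionStatus = Off on a FullyEncrypted volume means BitLocker is suspended,
#    which the File Explorer padlock does not distinguish.
[pscustomobject]@{
    MountPoint       = $osVolume.MountPoint
    VolumeStatus     = $osVolume.VolumeStatus        # FullyEncrypted expected
    ProtectionStatus = $osVolume.ProtectionStatus    # On expected
    EncryptionMethod = $osVolume.EncryptionMethod    # XtsAes128 or XtsAes256
    PercentEncrypted = $osVolume.EncryptionPercentage
    Protectors       = ($osVolume.KeyProtector.KeyProtectorType -join ', ')
} | Format-List

# 2. TPM present and ready? A present-but-not-ready TPM (not initialised, or disabled
#    in firmware) blocks silent encryption just as a missing one does.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    Write-Warning "TPM not usable: TpmPresent=$($tpm.TpmPresent) TpmReady=$($tpm.TpmReady). Check firmware settings."
}

# 3. Recovery password present and escrowed?
$recovery = $osVolume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning "No RecoveryPassword protector: a TPM-only volume with no recovery password cannot be recovered if the TPM or firmware changes."
} else {
    foreach ($kp in $recovery) {
        # Pushes this protector to the device's Azure AD object; no-op if already there.
        BackupToAAD-BitLockerKeyProtector -MountPoint $osVolume.MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
    # Event 845 = recovery information backed up to Azure AD; 846 = backup failed
    # (typically the device is not Azure AD joined).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
```

If step 3 logs an 846 event, the device is usually Azure AD registered rather than joined, which is the third row of the troubleshooting table below.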
Troubleshooting
| Issue | Likely Cause | Resolution |
|---|---|---|
| Device not encrypting after policy push | TPM not present, disabled in firmware, or not ready (not initialised) | Verify a TPM (1.2 or 2.0) is present and ready with tpm.msc or Get-Tpm; enable it in the device firmware settings if absent |
| Encryption status not updating in dashboard | Intune sync delay | Trigger a manual sync: Settings > Accounts > Access Work or School > Info > Sync |
| Recovery key not backed up to Azure AD | Azure AD join not completed before policy applied | Confirm device is Azure AD joined, then re-trigger the policy |
| BitLocker prompt appearing for student | AllowWarningForOtherDiskEncryption not set to 0 | Set this CSP node to 0 to enforce silently |