How to Encrypt Windows 10 Devices with Microsoft Intune

In this blog post, I will show you how I enable and configure BitLocker encryption on an Azure AD-joined device with Microsoft Intune using a configuration policy.

Device Encryption can add an extra data protection capability to any organization regardless of the data type stored on the disk.

About BitLocker

BitLocker Drive Encryption is used to encrypt NTFS volumes on a Windows device and protect the data on it from theft if the device is compromised.

Specifically, it is useful in cases where the disk drive is removed from a stolen machine and connected to another machine.

BitLocker uses the TPM hardware chip to detect whether the system was tampered with while offline.

BitLocker is not available on Windows 10 Home edition, so make sure your machine is running the Pro or Enterprise edition.

Configuration Policy

Below, I will start the process of creating a configuration policy that enables BitLocker by going to Intune -> Configuration Policy -> Create Policy.

I will select Endpoint protection -> Windows Encryption. As you can see below, Intune offers 37 setting options for BitLocker.

Below, I will switch on the options I need.

Assignment Policy

After configuring the policy, I will go ahead and assign it to my Pilot group for testing.

Encryption in Action

After logging in to my Windows 10 machine, Windows displays the message below telling me that I need to encrypt my device.

I will answer the questions and click Next.

Windows will now start the encryption process.
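To confirm on the device that the prerequisites above (a supported edition and a ready TPM) are met and that the policy actually produced an encrypted, protected OS drive, here is an added PowerShell check that is not part of the original post. It uses only the built-in BitLocker and TrustedPlatformModule cmdlets and must run in an elevated session; the function name `Test-BitLockerReadiness` is my own.

```powershell
# Added example (not from the original post): report BitLocker prerequisites and
# the resulting state of the OS drive after the Intune policy has applied.
# Requires an elevated PowerShell session on Windows 10 Pro/Enterprise.

function Test-BitLockerReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Edition check: BitLocker is not available on Windows 10 Home.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result.Edition   = $os.Caption
    $result.EditionOk = ($os.Caption -notmatch 'Home')

    # 2. TPM check: the default TPM key protector needs a present, ready TPM.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # 3. OS drive state: encryption status, protection status, cipher and protectors.
    $osDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result.VolumeStatus     = $osDrive.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
    $result.ProtectionStatus = $osDrive.ProtectionStatus  # On means the protectors are enforced
    $result.EncryptionMethod = $osDrive.EncryptionMethod
    $result.Protectors       = ($osDrive.KeyProtector.KeyProtectorType -join ', ')

    # A RecoveryPassword protector is the one that can be backed up to Azure AD;
    # flag its absence so the device is not left without a recovery path.
    $result.HasRecoveryPassword = [bool]($osDrive.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Overall verdict: encrypted, protection on, TPM usable, recovery protector present.
    $result.Compliant = ($result.EditionOk -and $result.TpmReady -and
        $osDrive.VolumeStatus -eq 'FullyEncrypted' -and
        $osDrive.ProtectionStatus -eq 'On' -and
        $result.HasRecoveryPassword)

    [pscustomobject]$result
}

Test-BitLockerReadiness | Format-List
```

While encryption is still running, `VolumeStatus` reports `EncryptionInProgress` and `Compliant` stays `False`; rerun the check once the progress bar in the Windows dialog completes.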

Microsoft Intune

Intune is a cloud-based Mobile Device Management solution from Microsoft that allows us to protect and manage mobile devices, either as fully managed corporate devices or as BYOD devices.

Microsoft Intune is also part of Microsoft’s Enterprise Mobility + Security (EMS) suite that includes Azure Active Directory and Azure Active Directory Information Protection.