How to Deploy BitLocker Encryption Across an Organisation
A complete guide to deploying BitLocker drive encryption across your business using Intune, Group Policy, or PowerShell — including Microsoft Entra ID key backup.
Overview
BitLocker is the built-in full-disk encryption feature in Windows Pro, Enterprise, and Education editions. Deploying it across your organisation protects data on lost or stolen laptops and is required by most compliance frameworks including CMMC, NIST 800-171, and Cyber Essentials.
This guide covers three deployment methods and how to ensure recovery keys are safely backed up to Microsoft Entra ID or on-premises Active Directory.
Prerequisites
- Windows 11 Pro, Enterprise, or Education (BitLocker is not available on Home)
- TPM 2.0 (required for Windows 11, so present on any supported device)
- For Intune: Devices enrolled in Microsoft Intune
- For Group Policy: Active Directory domain-joined devices
- Admin access to configure policies
Method 1: Microsoft Intune (Recommended for Cloud-Managed Devices)
Step 1 — Create an endpoint security policy
- Go to the Microsoft Intune admin centre (intune.microsoft.com) > Endpoint security > Disk encryption
- Click Create Policy
- Select Windows 10 and later > BitLocker
Step 2 — Configure BitLocker settings
| Setting | Recommended Value |
|---|---|
| Require device encryption | Yes |
| BitLocker OS drive encryption method | XTS-AES 256 |
| BitLocker fixed drive encryption method | XTS-AES 256 |
| Startup authentication | TPM only (or TPM + PIN for high-security) |
| Recovery key rotation | Enabled |
| Store recovery key in Microsoft Entra ID | Yes |
| Hide recovery key prompt from users | Yes |
Step 3 — Assign the policy
Assign to a device group. Start with a pilot group before rolling out to all devices.
Step 4 — Monitor encryption status
Go to Devices > Monitor > Encryption report to track which devices have been encrypted and which are pending.
Intune silently encrypts the OS drive without user interaction when the device has a TPM and meets all prerequisites. The user does not need to do anything.
Method 2: Group Policy (On-Premises AD)
Step 1 — Configure AD to store recovery keys
Before enabling BitLocker, configure AD to accept recovery key backups:
- Extend the AD schema for BitLocker (if not already done):

```powershell
# Run on a Domain Controller
Import-Module ActiveDirectory
# Verify that the BitLocker schema extensions exist; the query returns the attribute object if they do
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -Filter {Name -eq "ms-FVE-RecoveryPassword"}
```

- Set permissions on the OU so computer objects can write recovery keys
Step 2 — Create a Group Policy
Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Configure these settings:
| Setting | Value |
|---|---|
| Require additional authentication at startup | Enabled, Allow TPM, do not allow startup key |
| Choose drive encryption method (Windows 10 1511+) | XTS-AES 256-bit |
| Choose how BitLocker-protected OS drives can be recovered | Enabled, save to AD DS, do not enable BitLocker until key is stored |
Step 3 — Apply and verify
```powershell
# Force a Group Policy update on the client
gpupdate /force
# Check BitLocker status of the OS drive (conversion status, protection status, key protectors)
manage-bde -status C:
```
Method 3: PowerShell (Scripted Deployment)
For quick deployment or environments without Intune or GPO:
```powershell
# Enable BitLocker on the OS drive with a TPM protector (encryption continues in the background)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
# Add a recovery password protector; the cmdlet returns the updated BitLockerVolume object
$volume = Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
# Select the recovery password protector by type rather than by array position
$recoveryProtector = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -Last 1
# Back up the recovery password to Microsoft Entra ID (device must be Entra joined or hybrid joined)
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recoveryProtector.KeyProtectorId
```
Always verify the recovery key has been backed up before considering the deployment complete. A BitLocker-encrypted drive without an accessible recovery key means permanent data loss if the TPM fails.
Recovery Key Management
Finding keys in Microsoft Entra ID
- Go to the Microsoft Entra admin centre (entra.microsoft.com) > Devices > All devices > search for the device
- Click the device > BitLocker keys
- The recovery key ID and key are displayed
Finding keys via PowerShell
```powershell
# For Microsoft Entra ID (requires the Microsoft.Graph PowerShell module and the BitlockerKey.Read.All scope)
Connect-MgGraph -Scopes "BitlockerKey.Read.All"
# Lists the recovery key objects for the device; the key value itself is only returned when a single key is requested with -Property key
Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq 'DEVICE-ID'"
# For on-premises AD: recovery information is stored as child objects of the computer account
Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase "OU=Workstations,DC=corp,DC=example,DC=com" -Properties msFVE-RecoveryPassword
```
Key rotation
After a recovery key is used, rotate it:
- Intune: Recovery key rotation happens automatically if configured in the policy
- Manual: Run `manage-bde -protectors -delete C: -Type RecoveryPassword`, then add a new one
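The manual rotation above and the "verify the backup before you consider it done" rule from Method 3, combined in one script. This is an added example, not code from the original article; it assumes an elevated PowerShell session on an Entra joined or hybrid joined device, and that the BitLocker Management event log records ID 845 on a successful Entra ID backup (846 on failure).

```powershell
# Added example: rotate the OS drive recovery password, back the new one up to Microsoft Entra ID,
# and only remove the old one once the backup is confirmed. Assumes an elevated session on an
# Entra joined or hybrid joined device.
param([string]$MountPoint = "C:")

$volume = Get-BitLockerVolume -MountPoint $MountPoint
$oldProtectors = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# 1. Add the replacement first so the drive is never left without a recovery password
$volume = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newProtector = $volume.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldProtectors.KeyProtectorId
}

# 2. Back up the new recovery password to Microsoft Entra ID; stop on any error
$backupStart = Get-Date
BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newProtector.KeyProtectorId -ErrorAction Stop

# 3. Confirm the backup: event 845 in the BitLocker Management log means success (846 means failure)
$backupEvent = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845
    StartTime = $backupStart
} -ErrorAction SilentlyContinue

if (-not $backupEvent) {
    throw "No backup success event (845) found after $backupStart; keeping the old recovery password in place."
}

# 4. Only now remove the old recovery password protectors; the new one is the only valid key from here on
foreach ($old in $oldProtectors) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $old.KeyProtectorId | Out-Null
}
Write-Output "Rotated recovery password on $MountPoint; new protector $($newProtector.KeyProtectorId) backed up to Entra ID."
```

Entra ID keeps the superseded key as well, so the helpdesk should read the key ID shown on the recovery screen and match it against the stored keys rather than assuming the newest one.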
Compliance Reporting
For compliance audits, generate a report of encryption status across all devices:
```powershell
# Intune: export the Encryption report from the admin centre (Devices > Monitor > Encryption report)
# On-premises: query each domain computer over WinRM
Import-Module ActiveDirectory
$computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=corp,DC=example,DC=com"
# A foreach statement cannot be piped directly, so collect its output in a variable first
$results = foreach ($pc in $computers) {
    $volume = Invoke-Command -ComputerName $pc.Name -ScriptBlock {
        Get-BitLockerVolume -MountPoint "C:" | Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage
    } -ErrorAction SilentlyContinue
    # ProtectionStatus catches drives that are fully encrypted but suspended (protection off)
    [PSCustomObject]@{
        Computer             = $pc.Name
        VolumeStatus         = if ($volume) { $volume.VolumeStatus } else { "Unreachable" }
        ProtectionStatus     = if ($volume) { $volume.ProtectionStatus } else { "Unreachable" }
        EncryptionPercentage = if ($volume) { $volume.EncryptionPercentage } else { $null }
    }
}
$results | Export-Csv -Path ".\BitLockerStatus.csv" -NoTypeInformation
```
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| "BitLocker cannot use TPM" | TPM not enabled in BIOS | Enter BIOS and enable TPM / Intel PTT |
| Encryption stuck at 0% | Disk errors preventing encryption | Run chkdsk C: /r and retry |
| Recovery key not in Microsoft Entra ID | Backup step failed silently | Run BackupToAAD-BitLockerKeyProtector manually |
| User prompted for recovery key at boot | TPM firmware update or BIOS change | Enter the recovery key, then suspend and resume BitLocker |
| "This device can't use a TPM" on Intune | Policy requires TPM but device lacks it | Allow password-based protector as fallback or exclude device |
Next Steps
- Combine BitLocker with Conditional Access to block unencrypted devices from accessing company data
- Set up BitLocker recovery key rotation in Intune
- Consider deploying Windows LAPS (built into Windows 11 23H2 and later) to manage local administrator passwords alongside BitLocker
- Document recovery key access procedures for your helpdesk team