Intune leverages BitLocker, Microsoft’s Windows encryption utility, to protect its Windows endpoints. All Windows devices enrolled in Intune must be encrypted, including desktops, laptops, and tablets. This is enforced to maintain compliance with UVM security policy and industry best practices.
BitLocker leverages the Trusted Platform Module (TPM) hardware chip to encrypt devices. If a device does not have a TPM, a pin will be required to encrypt the device. Users with devices that fail to encrypt due to not having a TPM should contact the Tech Team for assistance.
Verify Encryption Status
The easiest method to verify BitLocker status on a Windows device is to look at the status of the C: drive in This PC.
Windows 10
To check in Windows 10:
- Open File Explorer
- Click on This PC in the left hand navigation
- Select the C: Drive
- Click on the View tab in the ribbon and then click on Details pane
- You will see the BitLocker status on the right side (off in this example)
Windows 11
To check in Windows 11:
- Open File Explorer
- Click on This PC in the left hand navigation
- Select the C: Drive and then click the Details button in the top right.
- You will see the BitLocker status on the right side (on in this example)
Key Recovery
If something goes wrong with the computer, BitLocker may prompt for a recovery key in order to unlock the drive prior to the computer booting into Windows. If this happens, users need to reach out to the Tech Team to request a recovery key.