Intune – BitLocker Policy

Setting up a BitLocker policy using Intune.

You can turn on BitLocker policy in three different places in Intune. If you configure it in more than one of them, you will most likely run into issues such as policy conflicts and a Not compliant status on devices.

This post will cover how and where I turned the BitLocker policy on in Intune.

Microsoft documentation on how to set up disk encryption policy

Microsoft information about avoiding policy conflicts

Microsoft troubleshoot BitLocker policies in Intune

Where can you configure BitLocker settings in Intune?

This section covers where you can find the BitLocker settings you can configure in Intune; configuring the settings in more than one of these locations might cause policy conflicts.

Security baselines

The Windows 10 Security Baseline contains configuration settings for BitLocker.
Here you can configure the setting BitLocker – Removable drive policy.

Microsoft Defender for Endpoint baseline

Contains settings for BitLocker.
You can configure multiple BitLocker settings here.

Disk encryption Policy

You can configure multiple BitLocker settings here. (This is the one I recommend using, as it is specifically for BitLocker.)

So where should you configure the BitLocker policy settings?

Only configure it in one place. This makes it easier to manage and you will have fewer issues with conflicting policies. My recommendation is to use the Disk encryption policy only, mainly because it contains all the settings the other policies have plus some extra ones. The policy also only affects BitLocker, so if you need to change how BitLocker behaves you only need to go to one place.
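To check that the "one place only" rule actually holds in a tenant, the script below inventories every Intune policy that carries BitLocker settings. It is an added example and not part of the original post or of Microsoft's tooling. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has the DeviceManagementConfiguration.Read.All scope, and that BitLocker setting definition IDs contain the string "bitlocker" in both the endpoint security templates (intents) and the settings catalog; verify that last assumption against your own tenant before relying on the result.

```powershell
# Added example (not from the original post): list Intune policies that contain
# BitLocker settings so they can be consolidated into a single Disk encryption policy.
# Assumptions: Microsoft.Graph SDK installed; DeviceManagementConfiguration.Read.All
# granted; BitLocker setting definition IDs contain "bitlocker" (verify per tenant).
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' | Out-Null

function Get-GraphCollection {
    # Follows @odata.nextLink so paged collections are returned in full.
    param([string]$Uri)
    $items = @()
    do {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

$findings = @()

# 1. Endpoint security policies (Disk encryption, Security baselines, MDE baseline)
#    live under /deviceManagement/intents; each intent setting has a definitionId.
foreach ($intent in Get-GraphCollection 'https://graph.microsoft.com/beta/deviceManagement/intents') {
    $settings = Get-GraphCollection "https://graph.microsoft.com/beta/deviceManagement/intents/$($intent.id)/settings"
    $bl = @($settings | Where-Object { $_.definitionId -match 'bitlocker' })
    if ($bl.Count -gt 0) {
        $findings += [pscustomobject]@{
            Type     = 'Endpoint security (intent)'
            Name     = $intent.displayName
            Id       = $intent.id
            Settings = $bl.Count
        }
    }
}

# 2. Settings catalog policies live under /deviceManagement/configurationPolicies;
#    each setting instance carries a settingDefinitionId.
foreach ($policy in Get-GraphCollection 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies') {
    $settings = Get-GraphCollection "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$($policy.id)/settings"
    $bl = @($settings | Where-Object { $_.settingInstance.settingDefinitionId -match 'bitlocker' })
    if ($bl.Count -gt 0) {
        $findings += [pscustomobject]@{
            Type     = 'Settings catalog'
            Name     = $policy.name
            Id       = $policy.id
            Settings = $bl.Count
        }
    }
}

$findings | Format-Table -AutoSize
if ($findings.Count -gt 1) {
    Write-Warning "BitLocker settings are defined in $($findings.Count) policies; consolidate them into one Disk encryption policy."
}
```

Anything beyond a single row in the output is a candidate for the conflicts described further down, even when the values in the extra policies look identical to the ones in your Disk encryption policy. Assignment scope is not checked here; a second policy that is assigned to no group is harmless but still worth removing.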

Conflicting policy and issues

Some examples of what will cause a policy conflict or give you an error when configuring BitLocker.

If you turn on the Microsoft Defender for Endpoint Baseline (version 6) and also have a Disk encryption policy, you will most likely get conflicting policies. You will notice that even if the settings in your Disk encryption policy and your Microsoft Defender for Endpoint Baseline policy are the same, you still get the policy conflict.

Why do I get conflicting policies?

There can be different reasons depending on how you configure each policy; in my case I had issues with the Startup authentication and the compatibility TPM settings.

In the Disk encryption policy we have more options to select from when setting the Startup authentication. For some reason this causes the conflict: even though I do not have those settings available in my Microsoft Defender for Endpoint Baseline policy, it would still give me a conflict that I could not resolve, because I cannot match the settings in both policies as they do not have the same selection of settings available.

Comparing the two, we can see the different settings available in the Startup authentication part.

[Screenshot: Disk Encryption Policy in Intune – Startup authentication settings]
[Screenshot: Microsoft Defender for Endpoint Baseline – Startup authentication settings]
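The Intune portal only tells you that two policies conflict; it does not tell you which setting, or which policy won on the device. The script below, an added example that is not part of the original post, is meant to be run elevated on an enrolled Windows device to see which MDM policy sources (providers) have written BitLocker settings, which provider PolicyManager selected as the winner, and what the effective startup authentication configuration looks like. It assumes the PolicyManager registry layout shown in the paths (a providers\<id>\default\Device\BitLocker key per source and a current\device\BitLocker key with *_WinningProvider values) matches your Windows build, and that the BitLocker PowerShell module is present; confirm the key names on one device before using it fleet-wide.

```powershell
# Added example (not from the original post): run as Administrator on a managed
# Windows device to find which policy sources wrote BitLocker settings and which one won.
# Assumption: PolicyManager registry layout (providers\<id>\default\Device\BitLocker,
# current\device\BitLocker with <setting>_WinningProvider values) matches this build.
#Requires -RunAsAdministrator

$providersRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
$currentKey    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
$fveKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Collect every BitLocker setting written by every provider, keyed by setting name.
$bySetting = @{}
foreach ($provider in Get-ChildItem $providersRoot -ErrorAction SilentlyContinue) {
    $blKey = "$($provider.PSPath)\default\Device\BitLocker"
    if (-not (Test-Path $blKey)) { continue }
    $props = Get-ItemProperty $blKey
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if (-not $bySetting.ContainsKey($p.Name)) { $bySetting[$p.Name] = @() }
        $bySetting[$p.Name] += [pscustomobject]@{ Provider = $provider.PSChildName; Value = $p.Value }
    }
}

"== BitLocker settings per policy provider =="
foreach ($name in ($bySetting.Keys | Sort-Object)) {
    $sources = $bySetting[$name]
    # A setting written by more than one provider is exactly the conflict the portal reports.
    $flag = if ($sources.Count -gt 1) { '  <-- set by more than one provider' } else { '' }
    "$name$flag"
    foreach ($s in $sources) { "    $($s.Provider) = $($s.Value)" }
}

# 2. The value PolicyManager actually applied, and the provider it chose.
if (Test-Path $currentKey) {
    "`n== Effective values (PolicyManager current) =="
    $cur = Get-ItemProperty $currentKey
    $valueProps = $cur.PSObject.Properties | Where-Object {
        $_.Name -notlike 'PS*' -and $_.Name -notmatch '_(ProviderSet|WinningProvider|LastWrite)$'
    }
    foreach ($p in $valueProps) {
        $winner = $cur.PSObject.Properties["$($p.Name)_WinningProvider"].Value
        "$($p.Name) = $($p.Value)  (winning provider: $winner)"
    }
}

# 3. Startup authentication as mapped into the BitLocker (FVE) policy key.
if (Test-Path $fveKey) {
    "`n== FVE policy: startup authentication =="
    Get-ItemProperty $fveKey |
        Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN |
        Format-List
}

# 4. What the device actually ended up with.
"`n== BitLocker volume status =="
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'KeyProtectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } } |
    Format-Table -AutoSize
```

If the first section shows a startup authentication setting (for example SystemDrivesRequireStartupAuthentication) under two provider IDs, the conflict is confirmed on the device regardless of what the portal shows, and the second section tells you which policy's value is in force. Removing the BitLocker settings from the extra policy and letting the device sync should leave a single provider per setting.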

Where should I configure the BitLocker policy?

Use the Disk encryption policy to control your BitLocker settings. Always configure the settings for something in one place only; there is no need for policies with the same settings in different locations, as that will only cause issues in the future.

JoeyPatootie
1 year ago

This is an issue for me too, did you find any resolution to this? Microsoft support have been woeful.