Intune leverages BitLocker, Microsoft’s Windows encryption utility, to protect its Windows endpoints. All Windows devices enrolled in Intune must be encrypted, including desktops, laptops, and tablets. This is enforced to maintain compliance with UVM security policy and industry best practices.
BitLocker leverages the Trusted Platform Module (TPM) hardware chip to encrypt devices. If a device does not have a TPM, a PIN will be required to encrypt the device. Users with devices that fail to encrypt due to not having a TPM should contact the Tech Team for assistance.
Verify Encryption Status
The easiest method to verify BitLocker status on a Windows device is to look at the status of the C: drive in This PC.
Windows 10
Windows 11
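The same status check can be run from an elevated PowerShell prompt. The script below is an added example, not part of the original page: it reads the volume with Get-BitLockerVolume and the TPM with Get-Tpm. The function name Test-BitLockerCompliance and its pass criteria (fully encrypted, protection on, a recovery password protector present) are assumptions for illustration, not UVM policy.

```powershell
#Requires -RunAsAdministrator
# Added example: summarize BitLocker state for one volume.
# Test-BitLockerCompliance and its pass criteria are hypothetical, not UVM policy.

function Test-BitLockerCompliance {
    param(
        [string]$MountPoint = 'C:'
    )

    # Throws if the volume does not exist or the BitLocker module is unavailable.
    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Collect protector types as strings, e.g. Tpm, TpmPin, RecoveryPassword.
    $protectors = @(foreach ($kp in $volume.KeyProtector) { "$($kp.KeyProtectorType)" })

    # Get-Tpm can fail on hardware without a TPM; treat any failure as "absent".
    $tpmPresent = $false
    try { $tpmPresent = [bool](Get-Tpm -ErrorAction Stop).TpmPresent } catch { }

    $reasons = @()
    if ("$($volume.VolumeStatus)" -ne 'FullyEncrypted') {
        $reasons += "Volume status is $($volume.VolumeStatus) ($($volume.EncryptionPercentage)% encrypted)"
    }
    if ("$($volume.ProtectionStatus)" -ne 'On') {
        # Encrypted but suspended or unprotected volumes land here.
        $reasons += 'Protection is off or suspended'
    }
    if ($protectors -notcontains 'RecoveryPassword') {
        $reasons += 'No recovery password protector, so there is no recovery key to look up'
    }
    if (-not $tpmPresent) {
        $reasons += 'No TPM detected; contact the Tech Team if encryption failed'
    }

    [pscustomobject]@{
        MountPoint       = $volume.MountPoint
        VolumeStatus     = "$($volume.VolumeStatus)"
        ProtectionStatus = "$($volume.ProtectionStatus)"
        EncryptionMethod = "$($volume.EncryptionMethod)"
        KeyProtectors    = $protectors -join ', '
        TpmPresent       = $tpmPresent
        Compliant        = ($reasons.Count -eq 0)
        Reasons          = $reasons -join '; '
    }
}

Test-BitLockerCompliance -MountPoint 'C:' | Format-List
```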
Key Recovery
If something goes wrong with the computer, BitLocker may prompt for a recovery key in order to unlock the drive prior to the computer booting into Windows. If this happens, users can either reach out to the Tech Team to request a recovery key, or go through self-service recovery to get a key for computers assigned to them.
Self-Service Recovery
Microsoft provides a self-service recovery method for users needing a BitLocker recovery key. This key is needed if the drive cannot automatically decrypt at boot time. When this happens, BitLocker will show a screen prompting for a recovery key to continue booting. Users can access recovery keys associated with their devices by following these steps:
- Open a browser and go to https://myaccount.microsoft.com/. Use your UVM credentials when prompted to sign in.
- In your Account Dashboard, click on Manage Devices.
- You will see your list of devices. Click on the device you need a recovery key for, and then click “View Bitlocker Keys”.
- In the bar that appears showing the keys for your device, click “Show recovery key”.
- A window will appear with your recovery key. You can copy it to your clipboard with the copy button. Do not share this key.
- Enter the key shown here into the prompt on your computer to decrypt the drive and continue the boot sequence.