BitLocker Policy Creation

This guide provides background information on creating a disk encryption enforcement policy for macOS or Windows devices registered in Intune.

BitLocker Encryption

Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard drive to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected devices are decommissioned or recycled.

Role Requirements

Procedure Scope: Administrators

Required Group Membership: Admin.Security

Handbook Reference

Package: TBD

Domain: TBD

Modifies: TBD

Creating a Device BitLocker Policy

  1. Navigate to Disk Encryption – Intune and select Create Policy. Specify the OS platform you wish to configure the policy for, either BitLocker for Windows or FileVault for Mac. Select Create to proceed.
  2. Supply a name and description for the policy you are configuring. Select Next to continue.
  3. All the BitLocker-related settings will be generated; configure them according to your needs. Select Next to proceed.
  4. A scope tag selection can be made here; scope tags are mainly leveraged with RBAC. Select Next to continue.
  5. Next are assignments and exclusions. These can be configured for all onboarded devices, all users registered in AD, or specific groups. Select Next to proceed to the review.
  6. The final step is to review all the configured items and check for discrepancies. If any are detected, make note of the section they are in and select the Previous button to remediate the misconfiguration. If the settings are suitable, select Create to finalize the policy creation process.
  7. Upon successful creation, the newly created policy will appear in the list of all existing policies.
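
Once the policy is assigned, its effect can be confirmed on a Windows endpoint. The following is an added example, not part of the original guide: `Test-BitLockerVolume` and `$RequiredMethod` are hypothetical names, the `XtsAes256` default is an assumption to be replaced with the method your policy configures, and the sample object is constructed. It evaluates the properties returned by the built-in `Get-BitLockerVolume` cmdlet.

```powershell
# Added example: endpoint-side check after an Intune BitLocker policy is assigned.
# $RequiredMethod is an assumption; set it to the method chosen in the policy.
function Test-BitLockerVolume {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume,
        [string]$RequiredMethod = 'XtsAes256'
    )
    process {
        $findings = @()
        # Protection can be Off (suspended) even when the disk is encrypted.
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $findings += 'protection is not On'
        }
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $findings += "volume status is $($Volume.VolumeStatus) ($($Volume.EncryptionPercentage)%)"
        }
        if ("$($Volume.EncryptionMethod)" -ne $RequiredMethod) {
            $findings += "method is $($Volume.EncryptionMethod), expected $RequiredMethod"
        }
        # Collect protector types as strings so enum and sample values compare alike.
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no RecoveryPassword key protector present'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Compliant  = ($findings.Count -eq 0)
            Findings   = $findings -join '; '
        }
    }
}

# Constructed sample (not real device output): encryption still in progress.
$sample = [pscustomobject]@{
    MountPoint = 'C:'; ProtectionStatus = 'Off'; VolumeStatus = 'EncryptionInProgress'
    EncryptionPercentage = 42; EncryptionMethod = 'XtsAes128'
    KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' })
}
$sample | Test-BitLockerVolume

# On an enrolled device, from an elevated session:
# Get-BitLockerVolume | Test-BitLockerVolume -RequiredMethod 'XtsAes256'
```

A volume that reports `FullyEncrypted` with protection `Off` is typically one where BitLocker has been suspended, so the check treats the two properties separately.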

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.