Microsoft Intune Feedback

Manage BitLocker

More and more we have clients who are getting all they need from Office 365 services. They no longer need servers or Active Directory. We often see the need to deploy BitLocker to these machines, which is currently a fairly manual process. I'd like Intune Standalone to be able to deploy and manage BitLocker without Active Directory or an Enterprise Agreement. Even if we had to pay a couple extra bucks per user, it would be 100% worth it. The other supposed cloud-based full disk encryption products are not very good, so I think it's a big opportunity to make a big change in the security world.

540 votes
Justin Clay shared this idea

      • Stefan Peters commented

        Please let Intune fully manage BitLocker, and allow Intune admins to enforce BitLocker instead of giving suggestions to end users to enable BitLocker. End-user actions for this are undesired. It will cause a lot of service desk calls.
        Also please allow Intune admins to enable BitLocker on Azure AD joined devices where end users are not admins.

      • Georg commented

        Thanks @Cathy Moya.

        The new Endpoint Protection settings look promising; however, it seems like these only work for Windows 10 Enterprise and not Pro (feedback from the Intune support team, after months of trying to get it to work and numerous escalations).

        Do we know if and when this will be resolved and made available for Windows 10 Pro devices?

      • Ronan Moriarty commented

        BitLocker CSP does not fully automate BitLocker setup. Customers are looking for a method that will automatically enable BitLocker on non Connected Standby / InstantGo devices. The Redstone 2 CSP almost automates BitLocker setup via MDM but falls short of complete automation.

        CSP documentation:

        1. No way to automatically initiate BitLocker setup using an MDM OMA-URI; the user must take action on the "Encryption Needed" toast.
        2. No way to set the value for "Choose which encryption mode to use".
        3. No way to start the encryption.

      • Ronan Moriarty commented

        Need the ability to specify the encryption method for BitLocker with Azure AD Join. When using Azure AD Join with Connected Standby / InstantGo devices, BitLocker is automatically initiated and the key escrowed to Azure AD. While this is a great feature, the encryption method used is XTS-AES 128; customers would like to have the stronger encryption standard (256).
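The two comments above ask for exactly what an administrator can do locally with the BitLocker PowerShell module: pick the cipher, start encryption without waiting for the "Encryption Needed" toast, and escrow the recovery password to the Azure AD device object. The script below is an added example written for this page; it is not code from the thread, from Microsoft, or from the BitLocker CSP. It assumes Windows 10 1709 or later (where `BackupToAAD-BitLockerKeyProtector` ships in the BitLocker module), an Azure AD joined device, a TPM that reports ready, and that it is run elevated (for example pushed by a management tool that runs scripts as SYSTEM). The function name `Enable-OsDriveBitLocker` and the default of XTS-AES 256 are this example's choices, not a Microsoft default.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread or from Microsoft.
# Enforces BitLocker on the OS drive with an admin-chosen cipher and escrows the
# recovery password to Azure AD. Assumes Windows 10 1709+, Azure AD join, ready TPM.
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Enable-OsDriveBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # XtsAes256 here instead of the XtsAes128 that automatic device encryption selects.
        [ValidateSet('XtsAes128', 'XtsAes256', 'Aes128', 'Aes256')]
        [string]$EncryptionMethod = 'XtsAes256'
    )

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready on $env:COMPUTERNAME; refusing to add a TPM protector."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # The cipher is fixed when encryption starts; changing it later means decrypt and re-encrypt.
        # -SkipHardwareTest turns protection on immediately instead of after a reboot test.
        Enable-BitLocker -MountPoint $MountPoint `
            -EncryptionMethod $EncryptionMethod `
            -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }
    elseif ($vol.EncryptionMethod -ne $EncryptionMethod) {
        Write-Warning "$MountPoint is already encrypted with $($vol.EncryptionMethod); re-encryption is required to change the cipher."
    }

    # Azure AD stores the 48-digit recovery password, so make sure that protector exists.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    # Escrow every recovery password protector to the Azure AD device object.
    foreach ($protector in $recovery) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
    }

    # A volume that is encrypted but has protection Off is suspended; turn it back on.
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.ProtectionStatus -eq 'Off') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, EncryptionPercentage
}

Enable-OsDriveBitLocker -EncryptionMethod XtsAes256
```

Two caveats a practitioner will hit: on devices where automatic device encryption already ran, the OS volume is already XTS-AES 128 and the script only warns, because switching ciphers requires a full decrypt and re-encrypt; and the Azure AD escrow fails if the device is not actually Azure AD joined (check `dsregcmd /status` first), so treat a non-zero result from that call as a compliance failure rather than ignoring it.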

      • Anonymous commented

        Totally agree. This is a critical requirement considering enterprise security when managing devices via Intune. It would be appreciated if MS could hasten some work in this area.

      • Jordan commented

        Yes! We have a cloud first model, and integrating MBAM features with Intune/Azure would be excellent.

        Whole disk encryption is very high on our list of requirements for endpoint compliance, and with no way to accomplish this with Intune we are forced to look elsewhere for the time being.

      • Chris Moore commented

        Agreed... Merging the functionality of MBAM into Intune with AAD would be perfect for this.

      • Dmitry Gladyshev commented

        Hi Alan.
        Thanks for posting a link, really cool solution.
        Do you have any progress with packaging it as an MSI?
        If yes, please share how to; it would be very appreciated.

      • Alan Dooley commented

        Appalling that this is not possible now. Even though manage-bde cannot write to AAD it wouldn't be that hard for the Intune agent to gather the recovery key and store it somewhere. I'd like to move to MDM for about 1,000 laptops but without this I cannot do it. Barely any devices support instant go and I'm struggling to understand why it is a pre-req.

      • Anthony commented

        We need manage-bde or other ways to enable BitLocker when we join Azure AD and Intune if we do not have InstantGo.

      • Anonymous commented

        This is much needed, both to enforce BitLocker and to monitor compliance of all PCs. It really feels strange that we can do it for non-Microsoft mobile devices but not with their own OS.

      • Gert commented

        We've implemented Azure AD Join with automatic BitLocker encryption. This automatically writes the recovery key into Azure AD for the user. Unfortunately this is only possible for at least "InstantGo" devices.
        manage-bde.exe (the command line utility for BitLocker management) has no option to write the recovery key to Azure AD; otherwise we would be able to do this for non-InstantGo devices also.

      • Anonymous commented

        This is a feature we are after too. We are comparing Intune with Meraki, who offer this service for FileVault, and we love it. I would like to see Intune step up and at least provide encryption support through BitLocker. I would also like FileVault, but that may be another thread.

      • JakeH commented

        We currently have MBAM for key management but it would be extremely nice to support this for off-site clients.

      • Aaron Houdeshell commented

        We have a requirement that all of our laptops have BitLocker encryption turned on. It would be nice if Intune could report to us which devices for some reason have it turned off, without the device having to be enrolled into Intune as a mobile device. BitLocker is a Microsoft product, so why can't the Intune client already installed on the devices report this? This would make Intune the one-stop application for us. Thanks
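The reporting gap in the comment above can be closed on the endpoint itself: the BitLocker module exposes everything a compliance check needs, so a script can evaluate each fixed volume against a baseline and exit non-zero when the device fails. The following is an added example for this page, not code from the thread, from Intune, or from Microsoft. It assumes the BitLocker and Storage PowerShell modules (Windows 8.1 / Server 2012 R2 and later) and that the script runs with enough rights to call `Get-BitLockerVolume`. The function name `Test-BitLockerCompliance`, the baseline (fully encrypted, protection on, XTS-AES 256, a recovery password protector, a TPM-based protector on the OS volume) and the sample invocation are this example's choices.

```powershell
# Added example, not from the thread or from Microsoft.
# Evaluates every fixed volume against a BitLocker baseline and returns one object
# per volume with the reasons it fails. Assumes the BitLocker and Storage modules.
Import-Module BitLocker
Import-Module Storage

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # Ciphers that count as compliant; baseline chosen for this example.
        [string[]]$RequiredMethods = @('XtsAes256'),
        # Require a 48-digit recovery password protector (the thing that gets escrowed).
        [switch]$RequireRecoveryPassword
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Skip removable media so a plugged-in USB stick does not fail the whole device.
        $letter = $vol.MountPoint.TrimEnd(':')
        if ($letter.Length -ne 1) { continue }
        $disk = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
        if (-not $disk -or $disk.DriveType -ne 'Fixed') { continue }

        $reasons = New-Object 'System.Collections.Generic.List[string]'

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $reasons.Add("VolumeStatus=$($vol.VolumeStatus)")
        }
        if ($vol.ProtectionStatus -ne 'On') {
            # Off with an encrypted volume means BitLocker is suspended or has no key protectors.
            $reasons.Add("ProtectionStatus=$($vol.ProtectionStatus)")
        }
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.EncryptionMethod -notin $RequiredMethods) {
            $reasons.Add("EncryptionMethod=$($vol.EncryptionMethod)")
        }
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($RequireRecoveryPassword -and $recovery.Count -eq 0) {
            $reasons.Add('No RecoveryPassword protector (nothing to escrow)')
        }
        $tpmBased = @($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
        if ($vol.VolumeType -eq 'OperatingSystem' -and $tpmBased.Count -eq 0) {
            $reasons.Add('OS volume has no TPM-based protector')
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            Compliant    = ($reasons.Count -eq 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

$report = @(Test-BitLockerCompliance -RequireRecoveryPassword)
$report | Format-Table -AutoSize

# Non-zero exit lets whatever tool deployed the script mark the device as failed.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

The check deliberately treats "encrypted but protection Off" as non-compliant: a suspended volume still shows `FullyEncrypted`, but its volume master key is stored in the clear, so a report that only looks at `VolumeStatus` would miss exactly the laptops left suspended after a firmware update.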

      • Marc V commented

        We are in trial using Intune, and so far we are liking the product as well as support, but this is the first major drawback we hope gets added in.

        We currently use SCCM/AD to monitor and manage BitLocker. We use AD to store our BitLocker keys, but we use SCCM to create custom collections/reports to monitor and act on managed devices that are compliant or non-compliant.

        We are a smaller organization so we are trying to just use Intune standalone by itself to manage our devices without a SCCM hybrid solution and a bitlocker management feature would greatly help in doing that.

        We hope it gets added!


      • Ryan Sheldon commented

        While we currently utilize BitLocker with Active Directory, being able to lessen our dependence on the on-premises servers and move these features to the cloud would help. Having BitLocker integration with Intune would allow us to maintain encryption on our remote endpoints without worrying about key storage/recovery or encryption compliance.