Back to blog
ChiffrementPublished on June 11, 20266 min read

How to enable BitLocker on every Windows PC (and back up the keys)

Enable BitLocker remotely across the fleet, force encryption at startup and store recovery keys in Entra ID — without touching each device.

A stolen laptop without encryption is a guaranteed data breach — and a GDPR violation to report. BitLocker solves it, but enabling it device by device doesn't scale. Intune lets you deploy it across the fleet in a single policy.

What a good BitLocker policy enforces

  • System-drive encryption at startup (silent for the user).
  • XTS-AES 256-bit method for fixed drives.
  • Automatic recovery-key backup to Entra ID.
  • Encryption required for removable media (BitLocker To Go).
Encryption at startup, transparent to the user.

The commonly missed point: without a recovery-key backup, a reset TPM makes the device inaccessible. The key must be stored in Entra ID, recoverable by an administrator.

Deploy it cleanly

In AuPoint, 'Disk encryption' is a ready-made control: it configures BitLocker, the encryption method and key escrow to Entra, then assigns it to the group of your choice. You preview the affected devices before applying.

Connect your tenant and enable encryption across your whole fleet in minutes.

Secure your tenant in 15 minutes

Free trial