I wrote a blog post back in April on “how to manage BitLocker on a Azure AD Joined Windows 10 Device managed by Intune”, where I also wrote a PowerShell script to automate the encryption process for the day we would get PowerShell support in Intune. Well, in September Microsoft announced the Management Extension for Intune, which basically lets you deploy PowerShell scripts via Intune to Windows 10 devices. My co-worker Peter Daalmans wrote a great blog post about it right after, where he explains the extension in more detail. I have a link for that post at the end of this page.
In this post I will show you how you can automate the BitLocker encryption process on Intune-managed Windows 10 devices and back up the recovery protector to the Azure AD computer object, because for now there is no other way to automate the process. To get this to work it is very important that your disk configuration layout properties and any other prerequisites are configured correctly, so before you go any further I suggest that you read up on the following posts:
- Encrypted Hard Drive:
- Manage your Windows 10 devices via PowerShell and Microsoft Intune:
- How to manage BitLocker on a Azure AD Joined Windows 10 Device managed by Intune:
In order to do this, log on to https://portal.azure.com and go to your Intune blade. Then move over to Device configuration and PowerShell scripts, and click Add Script.
Give the script a name and description, then browse for the script. We do not need any further configuration for the script, but if you want to, you can have it run using the logged-on user's credentials and you can enforce a script signature check. We will just go ahead and click Create.
Next we need to assign the script to a user or computer group. I will assign it to a user group. When that is done, click Save, and you are done.
Now, how will this actually look for the user? First and foremost the management extension will be installed, shortly followed by the execution of the script itself. The encryption process starts immediately after.
And the protector is safely stored on the computer object in the cloud!
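As an added example, not the author's script (the author's own three-line script follows further down), here is a more defensive variant of the same steps, written the way I would deploy it through the Intune Management Extension: it only calls Enable-BitLocker on a fully decrypted volume so a re-run does not fail or add duplicate protectors, it selects the recovery password protector by type rather than taking whatever is first in the list, it confirms the escrow by looking for the success event in the BitLocker Management log, and it exits non-zero so Intune reports a failure. The log file path, the ten-minute wait, and the use of event ID 845 as the "backed up to Azure AD" signal (846 is the failure event) are my assumptions, not something stated in the post.

```powershell
# Added example (not the post's script): defensive BitLocker enablement plus
# Azure AD escrow for Intune. Assumptions (mine): log path below, 10-minute wait,
# and event 845 in the BitLocker Management log meaning "backed up to Azure AD".

$MountPoint = "C:"
$LogFile    = "$env:ProgramData\IntuneBitLocker.log"   # assumed log location
$Start      = Get-Date                                  # used to ignore older events

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

try {
    $Volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Only start encryption on a fully decrypted volume; re-running the script on a
    # drive that is already (being) encrypted must not throw or add a second protector.
    if ($Volume.VolumeStatus -eq "FullyDecrypted") {
        Write-Log "Volume $MountPoint is decrypted, enabling BitLocker"
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
            -SkipHardwareTest -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
        $Volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    }
    else {
        Write-Log "Volume $MountPoint has status $($Volume.VolumeStatus), skipping Enable-BitLocker"
    }

    # Pick the recovery password protector(s) by type; that is the protector type
    # Azure AD stores, and KeyProtector[0] may be something else on a re-run.
    $Recovery = $Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
    if (-not $Recovery) {
        throw "No RecoveryPassword protector found on $MountPoint"
    }

    foreach ($Protector in $Recovery) {
        Write-Log "Backing up protector $($Protector.KeyProtectorId) to Azure AD"
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $Protector.KeyProtectorId -ErrorAction Stop | Out-Null
    }

    # Verify the escrow: poll the BitLocker Management log for the success event
    # raised after our start time (assumed: 845 = success, 846 = failure).
    $Deadline = (Get-Date).AddMinutes(10)
    do {
        $Backed = Get-WinEvent -FilterHashtable @{
            LogName   = "Microsoft-Windows-BitLocker/BitLocker Management"
            Id        = 845
            StartTime = $Start
        } -ErrorAction SilentlyContinue
        if (-not $Backed) { Start-Sleep -Seconds 30 }
    } while (-not $Backed -and (Get-Date) -lt $Deadline)

    if (-not $Backed) {
        throw "No success event seen after the backup request; check event 846 in the same log"
    }

    Write-Log "Recovery password for $MountPoint confirmed backed up to Azure AD"
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1   # non-zero exit code makes Intune show the script run as failed
}
```

Deploy it exactly like the script in the post (Device configuration, PowerShell scripts, Add Script). The log file gives you something to look at on the device when Intune only tells you "Failed", and filtering the event log from `$Start` avoids being fooled by an 845 event left over from an earlier run.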
Here is the script:

```powershell
# Enable BitLocker on the OS drive with a recovery password protector (XTS-AES 256, used space only)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
$BLV = Get-BitLockerVolume -MountPoint "C:"
# Select the recovery password protector explicitly; that is the protector type Azure AD stores
$RecoveryProtector = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $RecoveryProtector.KeyProtectorId
```

Have a great December – a Merry Christmas and Happy New Year to you all!