Intune: Use PowerShell management extension to enable BitLocker on a modern managed Win10 device

I wrote a blog post back in April on "how to manage BitLocker on an Azure AD Joined Windows 10 Device managed by Intune", where I also wrote a PowerShell script to automate the encryption process, ready for the day we would get PowerShell support in Intune. Well, in September Microsoft announced the Management Extension for Intune, which basically lets you deploy PowerShell scripts via Intune to Windows 10 devices. My co-worker Peter Daalmans wrote a great blog post about it right after, where he explains the extension in more detail. I have a link to that post at the end of this page.

Now in this post I will show you how you can automate the BitLocker encryption process on Win10 devices managed by Intune and back up the recovery protector to the Azure AD computer object, because for now there is no other way to automate the process. Remember that for this to work it is very important that your disk configuration layout properties and any other prerequisites are configured correctly. So before you go any further, I suggest you read up on the following posts:

In order to do this, log on to and go to your Intune blade. Then move over to Device configuration and PowerShell scripts. Click on Add Script.

Give the script a name and a description, then browse for the script. We do not need any further configuration for the script, but if you want to you can have it run using the logged-on user's credentials, and you can enforce a script signature check. We will just go ahead and click Create.

Next we need to assign the script to a user or computer group. I will assign it to a user group. When that is done, click Save. And you are done.

Now, how will this actually look for the user? Well, first and foremost the management extension will be installed, shortly followed by the execution of the script itself! The encryption process will start immediately after.

And the protector is safely stored on the computer object in the cloud!

Here is the script:
Have a great December – a Merry Christmas and Happy New Year to you all!


By |2017-12-06T12:59:51+00:00December 6th, 2017|Automation, Powershell, Scripting, Uncategorized, Windows Client|3 Comments

About the Author:

Marius A. Skovli
Microsoft Enterprise Client Management Evangelist with: 10+ years experience within Microsoft System Management Solutions; extensive experience across Private and Public Sector; passion for Community Driven work, volunteering within Microsoft technology; great belief that sharing experience within fellow peers is key to creating a sustainable society; strong commitment to System Center User Group Norway as co-founder and current leader. I am a technology enthusiast working as a consultant for the consultant company CTGlobal. I have always been passionate about IT and have the last 10+ years worked with Management and Automation within Microsoft technology. Back in 2005/6 I started working with System Management Server (SMS) 2003 and have been working with Enterprise Client Management ever since, where I today focus on helping customers design and implement solutions based on System Center Configuration Manager and/or Enterprise Mobility Suite from Microsoft. Other parts of my work consist of speaking and presenting at different events and seminars, doing research and blogging about solutions I find and products I work with. I truly believe in a strong community where knowledge and know-how is essential. Creating creative arenas where it is possible for peers to spread the word about new technologies and solutions is key, and as an act on this I co-founded System Center User Group Norway ( SCUG is an initiative where we discuss, preach and present new technologies and solutions in the System Center Space from Microsoft. This is a free arena for everybody to join that is interested in or enthusiastic about Microsoft Cloud Platform (Enterprise Client Management or Cloud and Datacenter). Specialties: System Center Configuration Manager (SCCM2007-SCCM2012), Enterprise Mobility and Intune, Windows and Windows server deployment.


  1. Phil Jorgensen January 10, 2018 at 17:13 - Reply

    Hi Marius

    Great write-up! I'm testing this in my lab and noticed that the assignment fails on Instant-Go systems. According to MS documentation for these types of systems, if they're AAD joined during OOBE, BitLocker will encrypt automatically. So once the assignment tries to execute on the device, encryption will already be in progress. If I try to run the BackupToAAD-BitLockerKeyProtector command, I get this error:

    “The key protector specified cannot be used for this operation”

    As a workaround, I modified your script to check if encryption/volume status is in progress first. If encryption is already in progress, it will exit out and the monitoring node for the device in Intune will show “Succeeded”.

    The only other thing I noticed is that the encryption method on Instant-Go devices is set to XtsAes128.

  2. Mark Thomas February 28, 2018 at 0:01 - Reply

    Hi Phil / Marius,

    I took a slightly different approach as I also wanted to cater for the scenario where clients were pre-provisioned for Bitlocker through an MDT/SCCM task sequence. We are building an OSD solution to re-purpose existing hardware to AutoPilot/Intune (Install OS / Drivers / Bios to UEFI / Language Packs and Sysprep). During the task sequence we use Bitlocker pre-provisioning to reduce the encryption time when the user enrols.

    So rather than checking if encryption was in progress I just checked for two scenarios:

    1. Volume encrypted and Protection Off (Pre-Provisioning)

    2. Volume decrypted and Protection Off (not pre-provisioned or auto-encrypted)

    For 1. I just resume Bitlocker and add the recovery password protector and for 2. I do the encryption as per the original script. Btw.. I also added support for detecting and ejecting removable or CD drives to prevent that from stopping the encryption process.
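As an added example (not the author's script and not Phil's or Mark's modifications), the following PowerShell handles the three states discussed in the post and the comments above: encryption already in progress (Instant-Go auto-encrypt), volume pre-provisioned with protection off, and volume fully decrypted. It assumes the OS drive only, a ready TPM, an Azure AD joined device and the built-in BitLocker and TrustedPlatformModule modules; the helper escrows only RecoveryPassword protectors, since passing the TPM protector to BackupToAAD-BitLockerKeyProtector produces the error Phil quotes.

```powershell
# Added example for Intune PowerShell deployment; exit 0 = Succeeded, non-zero = Failed.
$MountPoint = $env:SystemDrive

function Backup-RecoveryPasswordToAAD {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Only RecoveryPassword protectors can be escrowed to the AAD device object;
    # the TPM protector is deliberately filtered out here.
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Output "TPM not present or not ready; a TPM protector cannot be used."
    exit 1
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
switch ($vol.VolumeStatus) {
    'EncryptionInProgress' {
        # Auto-encrypt already running (Phil's case): only escrow the recovery password.
        Backup-RecoveryPasswordToAAD -MountPoint $MountPoint
    }
    'FullyEncrypted' {
        if ($vol.ProtectionStatus -eq 'Off') {
            # Pre-provisioned by a task sequence (Mark's case 1): add protectors, then resume.
            if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })) {
                Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
            }
            Backup-RecoveryPasswordToAAD -MountPoint $MountPoint
            Resume-BitLocker -MountPoint $MountPoint | Out-Null
        } else {
            Backup-RecoveryPasswordToAAD -MountPoint $MountPoint
        }
    }
    'FullyDecrypted' {
        # Not pre-provisioned (Mark's case 2): start encryption with a TPM protector.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
        Backup-RecoveryPasswordToAAD -MountPoint $MountPoint
    }
    default { Write-Output "Volume is $($vol.VolumeStatus); no action taken." }
}
exit 0
```

Verify the escrow afterwards in the Azure AD portal under the device's BitLocker keys, and check the Intune script monitoring node for the exit code.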

  3. Melvin Batista July 17, 2018 at 19:48 - Reply

    Can you provide example code please?
