📚🪟💻Compliance - Device Health - BitLocker
What this policy is about 🔍
BitLocker. Your data's silent guardian.
This compliance policy checks whether BitLocker encryption is active on the device. No BitLocker? No compliance. Simple as that.
BitLocker ensures your data stays encrypted at rest. Even if a device goes missing, the data remains unreadable without the proper keys.
How it works 🛠️
This policy uses Windows Device Health Attestation to verify BitLocker status.
- TPM chip reports status — the Trusted Platform Module signs the measured-boot data from which BitLocker's state is derived, so the report cannot be altered after the fact
- Windows Health Attestation Service — Microsoft's cloud service validates the signed report
- Intune receives the result — the device is marked compliant or non-compliant
This is hardware-backed attestation. Not just a registry check that could be spoofed.
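The following PowerShell script is an added example, not part of the original policy page or of any Microsoft tooling. It reads, on the device itself, the same local signals the Device Health Attestation report is built from (TPM readiness, BitLocker protection on the OS volume, Secure Boot) so an administrator can tell before the next compliance evaluation whether a device will pass this policy. The function name `Test-BitLockerCompliancePrereqs` is hypothetical; the OS volume is assumed to be `$env:SystemDrive` (normally `C:`), and the script must run elevated. It does not contact the attestation service.

```powershell
# Added example (not from the original page): local pre-check of the signals
# this compliance policy depends on. Run in an elevated session on the device.
# The function name is hypothetical; the OS drive is assumed to be $env:SystemDrive.

function Test-BitLockerCompliancePrereqs {
    [CmdletBinding()]
    param(
        # Mount point of the OS volume (assumption: the system drive, usually C:)
        [string]$OsDrive = $env:SystemDrive
    )

    $result = [ordered]@{}

    # 1. A TPM must be present and ready; Device Health Attestation cannot
    #    produce a signed report without one.
    $tpm = Get-Tpm
    $result.TpmPresent = [bool]$tpm.TpmPresent
    $result.TpmReady   = [bool]$tpm.TpmReady

    # 2. BitLocker on the OS volume. ProtectionStatus 'On' is the value that
    #    matters: a volume can be fully encrypted yet report 'Off' when its
    #    protectors are suspended (for example after a firmware update).
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $result.VolumeStatus         = $vol.VolumeStatus.ToString()
    $result.ProtectionStatus     = $vol.ProtectionStatus.ToString()
    $result.EncryptionPercentage = $vol.EncryptionPercentage
    $result.TpmProtectorPresent  = [bool]($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # 3. Secure Boot is not required by this policy, but it is part of the same
    #    measured-boot chain the attestation report covers, so report it too.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = $false }   # legacy BIOS or no UEFI variable access

    # Verdict: what the "Require BitLocker" check will see once the device has
    # rebooted and the attestation report has been refreshed.
    $result.LikelyCompliant = $result.TpmReady -and ($result.ProtectionStatus -eq 'On')

    [pscustomobject]$result
}

$check = Test-BitLockerCompliancePrereqs
$check | Format-List

if (-not $check.LikelyCompliant) {
    Write-Warning "This device would be marked non-compliant by the BitLocker policy."
    if ($check.VolumeStatus -eq 'FullyEncrypted' -and $check.ProtectionStatus -eq 'Off') {
        # Encrypted but suspended: resuming protection is enough, no re-encryption needed.
        Write-Warning "Protectors are suspended; run: Resume-BitLocker -MountPoint $env:SystemDrive"
    }
}
```

One caveat worth keeping in mind when reading the output: the attestation report reflects the state measured at boot, so a device on which BitLocker was just enabled (or protection just resumed) keeps showing the old status to Intune until it restarts and reports again. If `LikelyCompliant` is true locally but the portal still shows non-compliant, a reboot followed by a sync is the first thing to check, not the policy itself.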
🛠️ Compliance Settings
Platform
- Windows 10 and later
Profile Type
- Windows 10/11 compliance policy
Device Health
| Setting | Value |
|---|---|
| Require BitLocker | Required |
⚙️ Actions for Non-Compliance
| Action | Schedule | Message Template | Additional Recipients |
|---|---|---|---|
| Mark device non-compliant | 0.5 Days (12 hours) | (none) | None selected |
👥 Group Assignments
✅ Included groups:
- All Devices