How to Ensure BitLocker Encryption with Intune During Device Handovers?

Asked By TechieTimberwolf89 On

I'm currently transitioning from using Sophos for BitLocker management to implementing BitLocker policies with Intune. Sophos had been effective in prompting users and tech staff to create a PIN and encrypt their devices. It's crucial for me to ensure that my team encrypts devices before they leave the building. I'm looking for strategies or best practices to make this happen using Intune. Any advice would be greatly appreciated!

4 Answers

Answered By SafeTechGuru72 On

One effective approach is to use Intune's device configuration profile to enforce BitLocker with a startup PIN. Combine this with an Enrollment Status Page policy, which ensures that devices cannot be fully used until the encryption process kicks in during provisioning. You should also check that the recovery key is automatically stored to Entra ID once the policy is applied, so you can confirm everything is secure before handing the device over.

Answered By CloudyCoder77 On

In my experience, once a PC is enrolled in Intune, encryption is done automatically without user intervention. For high-risk devices, I manually assign them to a special group that applies a modified policy with additional scripts to enforce specific methods for generating startup PINs. While I aim to keep the use of startup PINs minimal because they can complicate updates, automating most of the process works well for the general rollout.

Answered By GadgetWhisperer96 On

When handling BitLocker through Intune, make sure you utilize the Endpoint Security > Disk Encryption blade rather than the older Device Configuration path. For the startup PIN requirement, set the 'Configure TPM startup PIN' to Required in the BitLocker settings. To enforce encryption before a device leaves, keep a compliance policy that marks unencrypted devices as non-compliant, which can restrict their access to company resources and prompt techs to complete the process quickly.

Answered By PixelPioneer23 On

If you can limit device access based on compliance, that's key. While you cannot force encryption before a device leaves, compliance policies can be set to classify unencrypted devices as non-compliant, which blocks access to essential company resources. Techs usually want to avoid getting stuck, so this can be an effective motivator.
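The "confirm before handover" step that SafeTechGuru72 and GadgetWhisperer96 describe (TPM+PIN protector present, volume fully encrypted, recovery key escrowed to Entra ID) can be checked locally by the tech before the device leaves. The script below is an added example, not from the original thread or from Microsoft; it assumes an elevated PowerShell session on a Windows 10/11 device with the built-in BitLocker module, and the function name `Test-HandoverReady` is a hypothetical helper.

```powershell
#Requires -RunAsAdministrator
# Added example: verify the OS volume is ready for handover under an Intune
# BitLocker policy that requires a TPM startup PIN (not part of the original thread).
function Test-HandoverReady {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Each check maps to a requirement discussed in the answers above.
    $checks = [ordered]@{
        'Protection is on'            = ($vol.ProtectionStatus -eq 'On')
        'Volume fully encrypted'      = ($vol.VolumeStatus -eq 'FullyEncrypted')
        'TPM + startup PIN protector' = ($types -contains 'TpmPin')
        'Recovery password protector' = ($types -contains 'RecoveryPassword')
    }

    # Escrow the recovery password to Entra ID (formerly Azure AD) so it can be
    # confirmed in the Intune/Entra portal. The cmdlet throws if the device is not
    # joined/registered, so failure here is reported as its own check.
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if ($rp) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $rp[0].KeyProtectorId | Out-Null
            $checks['Recovery key backed up to Entra ID'] = $true
        } catch {
            $checks['Recovery key backed up to Entra ID'] = $false
        }
    } else {
        $checks['Recovery key backed up to Entra ID'] = $false
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $state, $name)
    }

    # Return $true only when every requirement is met; callers can gate the
    # handover checklist on this value.
    return -not ($checks.Values -contains $false)
}

if (-not (Test-HandoverReady)) {
    Write-Warning 'Device is NOT ready to leave the building.'
    exit 1
}
```

A successful Entra ID backup call only confirms the upload was accepted; the tech should still verify the key appears on the device record in the Intune or Entra admin center before releasing the device.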
