Forum Discussion
IntuneBoy8781
Feb 28, 2025 Copper Contributor
License Confusion for Managing BitLocker via Intune
Scenario:
We are managing BitLocker through Intune, with recovery keys backed up to Entra ID for both Hybrid and Entra ID-joined devices. Our devices run Windows 10/11 Professional, and we have EMS E3 licenses.
Confusion:
- Most Microsoft documents state that Windows 10/11 Professional is sufficient to enable and manage BitLocker.
- However, one document mentions that Windows 10/11 Enterprise is required to manage BitLocker using CSP (Configuration Service Provider).
We need clarification on whether Windows 10/11 Professional is fully capable of BitLocker management via Intune or if Enterprise is required for CSP-based management.
I am providing reference Microsoft articles and screenshots to support this.
BitLocker Enablement:
https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/#windows-edition-and-licensing-requirements
BitLocker Management:
https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=common#windows-edition-and-licensing-requirements
Encrypt Devices with Intune:
https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#view-details-for-recovery-keys
"Information for BitLocker is obtained using the BitLocker configuration service provider (CSP). BitLocker CSP is supported on Windows 10 version 1703 and later, Windows 10 Pro version 1809 and later, and Windows 11."
Contradictory Statement Document:
https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp
- intraxAdmin0 Copper Contributor
I am your global administrator and your role can be RBAC; you need an extra role.
- Francisco_M Brass Contributor
Your confusion is understandable, as the documentation can sometimes seem contradictory. Here's a breakdown to clarify:
- Windows 10/11 Professional and BitLocker Management via Intune:
  - Windows 10/11 Professional is sufficient for enabling and managing BitLocker through Intune. This includes deploying BitLocker policies and managing recovery keys.
  - The BitLocker CSP (Configuration Service Provider) is supported on Windows 10 Pro version 1809 and later, as well as Windows 11.
- Windows 10/11 Enterprise and CSP-Based Management:
  - Some advanced BitLocker management features via CSP may require Windows 10/11 Enterprise. For example, certain ADMX-backed policies or advanced configurations might necessitate Enterprise licensing.
In summary, for standard BitLocker management tasks (like enabling encryption and managing recovery keys) through Intune, Windows 10/11 Professional is sufficient. However, if your organization requires advanced CSP-based configurations, you might need Windows 10/11 Enterprise.
Please like if this helped.