Disclaimer: This content is not affiliated with, endorsed by, or produced in collaboration with the National Cyber Security Centre (NCSC).
BitLocker remains one of the most effective security controls for protecting Windows devices against data theft following loss, theft, or unauthorized access. For organisations following guidance aligned with the UK National Cyber Security Centre (NCSC), correctly configuring BitLocker is a critical part of endpoint hardening.
Many organisations deploy BitLocker using Microsoft Intune. However, not every environment uses mobile device management (MDM). Traditional Active Directory environments, air-gapped networks, regulated systems, and hybrid infrastructures often rely on Group Policy instead.
This guide explains how to configure NCSC-aligned BitLocker Group Policies without Intune, using Active Directory Group Policy (GPMC).
The configuration in this guide is based on a BitLocker security policy equivalent to the 2025-NCSC-BitLocker baseline, translated from Microsoft Endpoint Manager settings into standard Windows Group Policy.
What This BitLocker Configuration Achieves
This configuration is designed to:
- Require BitLocker encryption on Windows devices
- Enforce XTS-AES encryption
- Require TPM + PIN startup protection
- Set a minimum PIN length of six digits
- Require recovery information backup before encryption
- Rotate BitLocker recovery passwords where supported
- Encrypt removable and fixed drives
- Reduce recovery information exposure to end users
The configuration prioritises security while remaining manageable for enterprise environments.
Prerequisites Before Configuring BitLocker
Before deploying Group Policies, confirm the following prerequisites are met:
1. TPM Requirements
Devices should have:
- TPM 2.0 (required by Windows 11; TPM 1.2 still works on Windows 10 but is not recommended)
- Secure Boot enabled
- UEFI firmware enabled where possible
To verify TPM status:
- Press Windows + R
- Type tpm.msc and press Enter
- Confirm the TPM is present and the Status panel reports that the TPM is ready for use
2. Active Directory Requirements
If using domain Group Policy:
- Devices should be domain joined
- Recovery key storage in Active Directory should be configured
3. Windows Edition Requirements
BitLocker requires:
- Windows 10/11 Pro
- Windows 10/11 Enterprise
Windows Home editions do not include BitLocker Drive Encryption or the Local Group Policy Editor; they offer only "Device Encryption" on supported hardware, which none of the policies in this guide can configure.
Step-by-Step: Configure NCSC BitLocker Group Policies
Open the Group Policy Management Console (GPMC):
- Open Server Manager
- Select Tools
- Open Group Policy Management
- Right-click the OU (or domain) that contains the target computers and choose Create a GPO in this domain, and Link it here
- Name the new GPO NCSC BitLocker Policy
- Right-click the GPO and choose Edit
Navigate to:
Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption
You will configure the following settings.
1. Require Device Encryption
The Intune setting Require Device Encryption does not have a direct Group Policy equivalent. Group Policy constrains how BitLocker may be enabled (cipher, protectors, escrow) but does not by itself turn encryption on for the operating system drive; the only drive-level enforcement it offers is denying write access to unprotected fixed and removable data drives (steps 8 and 9). Without Intune, OS-drive enrolment is therefore done by an elevated script (manage-bde or the BitLocker PowerShell module) run at provisioning, as a scheduled task, or from an imaging task sequence, with the policy applied first so the script cannot pick weaker settings than the GPO allows.
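The following is an added enrolment script, written for this guide and not taken from the original page, NCSC or Microsoft. It fills the gap left by the missing Group Policy equivalent: run elevated in an interactive session after the GPO has applied and with a domain controller reachable, it checks the prerequisites from the previous section, reads the minimum PIN length the GPO wrote to the FVE policy key, escrows a recovery password to AD DS before enabling BitLocker (so the "do not enable until recovery information is stored" rule is satisfied), and only then adds the TPM + PIN protector. The log path and the decision to abort rather than proceed when escrow fails are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide). Enrols the OS drive with TPM + PIN
# in line with the GPO above. Assumptions: run elevated and interactively, the GPO
# has already applied, and a domain controller is reachable for escrow.

$LogPath = 'C:\ProgramData\BitLocker-Enrol.log'   # arbitrary local path chosen for this example
function Write-Log { param([string]$Message)
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# 1. Hardware prerequisites: TPM present and ready, UEFI boot, Secure Boot on.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { Write-Log 'TPM absent or not ready (check tpm.msc)'; exit 1 }
if ($env:firmware_type -ne 'UEFI')            { Write-Log 'Legacy BIOS boot detected; UEFI is required'; exit 1 }
if (-not (Confirm-SecureBootUEFI))            { Write-Log 'Secure Boot is disabled'; exit 1 }

# 2. Policy prerequisites: the GPO writes these values under the FVE policy key.
#    UseTPMPIN = 1 means "Require startup PIN with TPM"; MinimumPIN is the PIN length policy.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if ($pol.UseTPMPIN -ne 1) { Write-Log 'TPM+PIN policy not applied yet; run gpupdate /force and retry'; exit 1 }
$minPin = if ($pol.MinimumPIN) { [int]$pol.MinimumPIN } else { 6 }

# 3. Nothing to do if the OS drive is already encrypted or encrypting.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.VolumeStatus -ne 'FullyDecrypted') { Write-Log "OS drive is $($os.VolumeStatus); nothing to do"; exit 0 }

# 4. Collect a startup PIN that meets the policy minimum (kept as a SecureString).
do { $pin = Read-Host -Prompt "Startup PIN (at least $minPin digits)" -AsSecureString }
while ($pin.Length -lt $minPin)

# 5. Add a 48-digit recovery password and escrow it to AD DS BEFORE enabling.
#    If escrow fails (no DC reachable) the protector is removed so no unescrowed
#    recovery password ever exists on the device.
$null = Add-BitLockerKeyProtector -MountPoint $os.MountPoint -RecoveryPasswordProtector
$rp = (Get-BitLockerVolume -MountPoint $os.MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
try {
    Backup-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
    Write-Log "Recovery password $($rp.KeyProtectorId) escrowed to AD DS"
} catch {
    Remove-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    Write-Log "Escrow failed ($_); recovery password removed, encryption NOT started"
    exit 1
}

# 6. Enable BitLocker with TPM + PIN, XTS-AES 256, used-space-only. Without
#    -SkipHardwareTest, Windows runs the TPM+PIN hardware test on the next boot
#    and begins encrypting once the PIN has been accepted.
Enable-BitLocker -MountPoint $os.MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmAndPinProtector -Pin $pin -ErrorAction Stop | Out-Null

# 7. Confirm the protector set is exactly what the policy intends.
$types = (Get-BitLockerVolume -MountPoint $os.MountPoint).KeyProtector.KeyProtectorType
if (('TpmPin' -in $types) -and ('RecoveryPassword' -in $types)) {
    Write-Log "Protectors in place ($($types -join ', ')); reboot to run the hardware test and start encryption"
    exit 0
}
Write-Log "Unexpected protector set: $($types -join ', ')"
exit 2
```

The script deliberately refuses to continue when AD DS escrow fails; a device that encrypts without an escrowed recovery password is the failure mode the recovery policy in step 7 is designed to prevent. Users can change the initial PIN later with manage-bde -changepin.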
2. Configure Encryption Method (XTS-AES)
Policy Path
Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption → Choose drive encryption method and cipher strength
Configuration
Set:
Enabled
Configure:
| Drive Type | Recommended Setting |
|---|---|
| Operating System Drives | XTS-AES 256-bit |
| Fixed Data Drives | XTS-AES 256-bit |
| Removable Drives | AES-CBC 128-bit |
Why this matters:
- XTS-AES 256 provides stronger encryption for internal drives and is the setting most baselines (including CIS) recommend for OS and fixed drives.
- Removable media is set to AES-CBC 128 for compatibility: XTS-AES was introduced in Windows 10 version 1511, and older Windows versions cannot unlock an XTS-encrypted BitLocker To Go drive.
- The cipher is chosen when a drive is first encrypted. Changing this policy does not re-encrypt drives that are already protected; those keep their existing method until they are decrypted and encrypted again, which manage-bde -status will show.
Click Apply and OK.
3. Allow Standard Users to Encrypt
The Intune setting Allow Standard User Encryption does not have an equivalent Group Policy setting. In a Group Policy-managed environment, enabling BitLocker on the operating system drive requires local administrator rights, so enrolment is normally performed by an elevated script or by IT at provisioning time rather than by the end user.
4. Configure BitLocker Recovery Password Rotation
There is no direct legacy Group Policy equivalent to modern Intune recovery password rotation.
BitLocker recovery password rotation is primarily available through:
- Microsoft Intune
- Microsoft Entra ID recovery workflows
- Newer Windows management APIs
For on-premises environments using Group Policy, organisations typically rely on:
- Active Directory recovery key escrow
- Recovery password regeneration after incidents, for example whenever a recovery password has been read out to a user by the helpdesk (the password is removed and a new one added and escrowed using manage-bde -protectors or the BitLocker PowerShell module)
- Helpdesk-controlled recovery procedures
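The following is an added example of the manual rotation described above, written for this guide (it is not code from the original page or from Microsoft). It performs the rotation in an order that never leaves the device without an escrowed recovery password: add the new protector, escrow it, and only then retire the old one. The MountPoint parameter default and the roll-back-on-escrow-failure behaviour are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): rotate the BitLocker recovery
# password on an on-premises, AD DS-escrowed device after it has been disclosed.
# Order matters: add -> escrow -> remove old, so an escrowed password always exists.
param([string]$MountPoint = $env:SystemDrive)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ($vol.ProtectionStatus -ne 'On') { throw "$MountPoint is not protected by BitLocker; nothing to rotate" }

# Every current recovery password protector is considered disclosed and will be retired.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

# 1. Add a fresh 48-digit recovery password (BitLocker generates it; it is never shown here).
$null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
       Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                      ($_.KeyProtectorId -notin $old.KeyProtectorId) }
if (-not $new) { throw 'New recovery password protector was not created' }

# 2. Escrow the new password to AD DS. If the DC is unreachable, roll back the
#    new protector and keep the old one rather than leave an unescrowed password.
try {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null
} catch {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
    throw "Escrow to AD DS failed ($_); new protector removed, old protector(s) kept"
}

# 3. Only now retire the disclosed protector(s). They no longer unlock the drive.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

"Rotated recovery password on ${MountPoint}: retired $($old.KeyProtectorId -join ', '); new protector $($new.KeyProtectorId) escrowed"
```

Removing a protector on the device does not delete the corresponding msFVE-RecoveryInformation object in Active Directory, so the helpdesk should always match by Password ID (shown on the recovery screen) rather than assume the newest object is the live one; the retired password simply no longer unlocks the drive.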
5. Require Additional Authentication at Startup (TPM + PIN)
Policy Path
Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → Require additional authentication at startup
Configuration
Set policy to:
Enabled
Configure the following:
| Setting | Value |
|---|---|
| Allow BitLocker without a compatible TPM | Unchecked |
| Configure TPM startup | Do not allow TPM |
| Configure TPM startup PIN | Require startup PIN with TPM |
| Configure TPM startup key | Do not allow startup key with TPM |
| Configure TPM startup key and PIN | Do not allow startup key and PIN with TPM |
This leaves TPM + PIN as the only permitted startup configuration. "Do not allow TPM" is what disables the TPM-only protector; do not combine "Require TPM" with "Require startup PIN with TPM", because only one startup option can be required and BitLocker then refuses to enable with an error that the Group Policy startup settings are in conflict.
Why this matters:
With a TPM-only protector the TPM releases the volume key automatically at boot, so the drive is protected against offline attacks on a removed disk but an attacker with the whole device can boot it and attack the running OS, its logon screen, or a DMA-capable port. With TPM + PIN the key is not released until the PIN is entered before Windows starts, which closes that gap for lost or stolen devices; the TPM's anti-hammering logic also limits PIN guessing.
6. Configure Minimum PIN Length
Policy Path
Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → Configure minimum PIN length for startup
Configuration
Set:
Enabled
Minimum PIN length:
6
A six-digit minimum aligns with stronger authentication practices while remaining usable for end users. If you want to allow longer alphanumeric PINs, the separate policy Allow enhanced PINs for startup must also be enabled; the minimum length policy applies to both numeric and enhanced PINs.
7. Configure Recovery Options
Policy Path
Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → Choose how BitLocker-protected operating system drives can be recovered
Configuration
Set:
Enabled
Configure:
| Option | Recommended Value |
|---|---|
| Save BitLocker recovery information to AD DS for operating system drives | Enabled |
| Configure storage of BitLocker recovery information to AD DS | Store recovery passwords and key packages |
| Do not enable BitLocker until recovery information is stored to AD DS for operating system drives | Enabled |
| Configure user storage of BitLocker recovery password | Allow 48-digit recovery password |
| Configure user storage of BitLocker recovery key | Do not allow 256-bit recovery key |
| Omit recovery options from the BitLocker setup wizard | Enabled |
| Allow data recovery agent | Unchecked |
Why this matters:
This ensures:
- Recovery passwords are centrally escrowed as msFVE-RecoveryInformation objects under each computer account, where the BitLocker Recovery Password Viewer (an RSAT feature) lets authorised staff find them by Password ID
- Encryption cannot start before backup succeeds, so a device that cannot reach a domain controller (off-network, not yet on VPN) will not begin encrypting; plan enrolment for when the device is on the corporate network
- Users cannot bypass recovery safeguards
- USB recovery keys are avoided
Storing key packages alongside passwords needs schema support from Windows Server 2008 or later (present in any current forest) and lets the BitLocker Repair Tool recover data from a damaged volume.
8. Require Encryption for Removable Drives
Policy Path
Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives → Control use of BitLocker on removable drives
Configuration
Set:
Enabled
Configure:
Allow users to apply BitLocker protection on removable data drives (checked)
Allow users to suspend and decrypt BitLocker protection on removable data drives (unchecked)
This policy only permits users to turn BitLocker on for removable drives. To require it, also enable the sibling policy Deny write access to removable drives not protected by BitLocker in the same folder; unencrypted removable drives then mount read-only until the user encrypts them, which is what protects USB drives and removable storage from being used to carry unencrypted data off the device.
9. Require Encryption for Fixed Data Drives
Policy Path
Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption → Fixed Data Drives → Deny write access to fixed drives not protected by BitLocker
Configuration
Set:
Enabled
Unencrypted fixed data drives are then mounted read-only. This does not encrypt them; it removes the incentive to leave a secondary drive unencrypted, and the enrolment process (or the user, via the BitLocker Control Panel) still has to turn BitLocker on for each fixed data drive. Set a data drive to auto-unlock with the OS drive so that users are not prompted for a separate password.
10. Configure Operating System Drive Encryption Type
Policy Path
Computer Configuration → Policies → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → Enforce drive encryption type on operating system drives
Configuration
Set:
Enabled
Select the encryption type:
Used Space Only encryption
This reduces deployment time while still protecting newly written data, because BitLocker encrypts every sector it writes from the moment encryption starts.
For new deployments on freshly imaged drives, used-space-only encryption is generally sufficient and significantly faster than full disk encryption. On a drive that has previously held data, free space may still contain recoverable remnants of deleted files, so choose Full encryption for repurposed or previously unencrypted devices.
Force Group Policy Update
After configuring the GPO:
Run:
gpupdate /force
Then reboot the device.
Verify BitLocker status:
manage-bde -status
You can also check:
Control Panel → BitLocker Drive Encryption
Common Mistakes to Avoid
Using TPM Only
- TPM-only protection is weaker than TPM + PIN.
- If devices are lost or stolen, a startup PIN provides additional protection.
Not Escrowing Recovery Keys
- Never deploy BitLocker without recovery key backup.
- Losing recovery information can permanently lock users out of systems.
Allowing USB Recovery Keys
- USB recovery keys introduce operational risk and physical handling issues.
- Recovery passwords stored centrally are generally easier to manage.
Forgetting Firmware Configuration
BitLocker enablement fails (often with only a generic error, or the PIN prompt never appears) if:
- TPM is disabled or not owned/ready in firmware
- Secure Boot is disabled
- The device boots in legacy BIOS/CSM mode rather than UEFI
Verifying Policy Application
Use, from an elevated prompt (the settings are computer-scoped, so a non-elevated gpresult will not show them):
gpresult /scope computer /h report.html
Open the report and confirm the BitLocker settings are applied. The applied values are also written to the registry under HKLM\SOFTWARE\Policies\Microsoft\FVE, which is a quick way to confirm on a single device that the GPO has taken effect.
You can also verify encryption status:
Get-BitLockerVolume
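As an added example for this guide (not code from the original page), the following read-only check turns the manual manage-bde -status and Get-BitLockerVolume inspection above into a pass/fail audit that the helpdesk can run after gpupdate and reboot. It checks each volume against the settings this GPO enforces and then cross-checks that every local recovery password actually exists under the computer object in AD DS. The AD lookup assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller has been delegated read access to msFVE-RecoveryInformation objects; the exit codes and message wording are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): audit a device against the GPO
# in this guide. Read-only; exits 1 with warnings on any finding.
$findings = New-Object System.Collections.Generic.List[string]

foreach ($v in Get-BitLockerVolume) {
    $types = @($v.KeyProtector.KeyProtectorType)
    $mp = $v.MountPoint
    if ($v.VolumeType -eq 'OperatingSystem') {
        if ($v.EncryptionMethod -ne 'XtsAes256') { $findings.Add("${mp}: method $($v.EncryptionMethod), expected XtsAes256") }
        if ('TpmPin' -notin $types)              { $findings.Add("${mp}: no TPM+PIN protector (have: $($types -join ', '))") }
        if ('Tpm' -in $types)                    { $findings.Add("${mp}: TPM-only protector present; the startup PIN can be bypassed") }
        if ('TpmStartupKey' -in $types -or 'ExternalKey' -in $types) {
            $findings.Add("${mp}: USB startup/recovery key protector present")
        }
    }
    if ($v.ProtectionStatus -ne 'On') { $findings.Add("${mp}: protection $($v.ProtectionStatus), volume $($v.VolumeStatus)") }
    if ('RecoveryPassword' -notin $types) { $findings.Add("${mp}: no recovery password protector") }
}

# Cross-check escrow: each msFVE-RecoveryInformation object is named
# "<timestamp>{<Password ID>}" under the computer account, and the Password ID
# equals the KeyProtectorId reported locally.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    try {
        $computer = Get-ADComputer -Identity $env:COMPUTERNAME -ErrorAction Stop
        $escrowed = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                        -SearchBase $computer.DistinguishedName -ErrorAction Stop |
                    ForEach-Object { if ($_.Name -match '\{[0-9A-Fa-f-]+\}$') { $Matches[0] } }
        foreach ($v in Get-BitLockerVolume) {
            foreach ($p in ($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
                if ($p.KeyProtectorId -notin $escrowed) {
                    $findings.Add("$($v.MountPoint): recovery password $($p.KeyProtectorId) not found in AD DS")
                }
            }
        }
    } catch { $findings.Add("AD DS escrow check failed: $_") }
} else {
    $findings.Add('RSAT ActiveDirectory module not installed; AD DS escrow not verified')
}

if ($findings.Count) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
'Compliant: XTS-AES 256, TPM+PIN only, all volumes protected, recovery passwords escrowed in AD DS'
exit 0
```

The escrow cross-check is the part worth keeping even if the rest is trimmed: a device can report "Protection On" with a recovery password protector and still have no copy of that password in AD DS if enrolment happened off-network before this GPO applied.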
Final Thoughts
Organisations that do not use Intune can still deploy a secure, centrally managed BitLocker configuration using traditional Group Policy.
An NCSC-aligned configuration should focus on:
- TPM + PIN authentication
- Strong XTS-AES encryption
- Recovery password escrow
- Enforced encryption on removable and fixed drives
- Reduced user bypass opportunities
When implemented correctly, BitLocker with TPM + PIN provides strong protection against data exposure from lost or stolen devices and against offline attacks on the disk; it does not protect data once a legitimate user has unlocked the device, so it complements rather than replaces logon and endpoint controls.