This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 49%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
License Confusion for Managing BitLocker via Intune
License Confusion for Managing BitLocker via Intune
Scenario:
We are managing BitLocker through Intune, with recovery keys backed up to Entra ID for both Hybrid and Entra ID-joined devices. Our devices run Windows 10/11 Professional, and we have EMS E3 licenses.
Confusion:
Most Microsoft documents state that Windows 10/11 Professional is sufficient to enable and manage BitLocker.
However, one document mentions that Windows 10/11 Enterprise is required to manage BitLocker using CSP (Configuration Service Provider).
We need clarification on whether Windows 10/11 Professional is fully capable of BitLocker management via Intune or if Enterprise is required for CSP-based management.
I am providing reference Microsoft articles and screenshots to support this.
BitLocker Enablement:
BitLocker Management:
Encrypt Devices with Intune:
Encrypt Windows devices with Intune - Microsoft Intune | Microsoft Learn
"Information for BitLocker is obtained using the BitLocker configuration service provider (CSP). BitLocker CSP is supported on Windows 10 version 1703 and later, Windows 10 Pro version 1809 and later, and Windows 11."
Contradictory Statement Document:
BitLocker CSP | Microsoft Learn
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
@SamarMumbai Hope the following suggestion can help. If the answer is helpful, please click "Accept Answer". Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp clearly states:
To manage BitLocker through CSP except to enable and disable it using the RequireDeviceEncryption policy, one of the following licenses must be assigned to your users regardless of your management platform:
I gather the confusion might result from the distinction between supportability of the Windows OS Editions and the license type assignment.
Btw. you should always verify the licensing requirements directly with your Microsoft account manager or Microsoft sales.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin