Once in a while, I get the question from a community member why their devices are not automatically starting the encryption of the operating system drive. They configure some BitLocker settings in Microsoft Intune and deploy these to their devices. But the encryption isn`t automatically started and different sorts of error messages are seen on the device.
Where it is no problem to respond to each person separate, I thought let`s share the configuration which works for me to auto start BitLocker encryption.
Before we move over to the settings itself, some ‘notes from the field‘, otherwise your below setup might not work and you still see errors like described in this previous post:
- Outdated BIOS and TPM firmware/ drivers might cause issues. So updates these drivers.
- Make sure Secure Boot is turned on!
- And while testing, use real hardware and no virtual machines.
Below settings do work for Azure AD and Hybrid Azure AD joined devices. But there is a big difference. On AAD joined devices encryption starts already during Autopilot enrollment, where encryption on HAADJ devices starts as soon as the first user signs in.
Let`s move over to the configuration part.
Configure Endpoint Protection profile
At the moment of writing, I still use an Endpoint Protection profile in Microsoft Intune to configure encryption settings as I haven`t tested the BitLocker settings yet which are found on the Endpoint Security tab.
- Sign-in to the Endpoint Manager admin center
- Browse to Devices – Windows
- On the Configuration Profiles tab click +Create profile
- Choose Windows 10 and later as Platform
- Choose Endpoint Protection as Profile type
- Click Create
- Give the configuration profile a Name
- Enter a Description (optional)
- Click Next
Under Windows Encryption it is important to at least configure these settings for silent encryption to work for the OS drive. Key in this is to allow standard users to enable encryption and to only allow (require) TPM startup (and block the other options):
BitLocker base settings
- Encrypt Devices – Require
- Warning for other disk encryption – Block
- Allow standard users to enable encryption during Azure AD Join – Allow
- Configure encryption methods – Enable
- Encryption for operating system drives – Choose your preferred algorith
BitLocker OS drive settings
- Additional authentication at startup – Require
- BitLocker with non-compatible TPM chip – Block
- Compatible TPM startup – Require TPM
- Other Compatible TPM options – Do Not allow
Additional settings to configure, related to BitLocker recovery information.
This should do the trick. If needed you can also configure the settings related to fixed drive and removable data-drive, but it`s not needed for the OS drive.
Thank for reading and let me know when you have any questions related to this post.