Silently Encrypt Devices using MEM during Autopilot
If you go to the Microsoft Docs and look over which settings are required to silently encrypt devices, it may seem a bit confusing. The policy must not require the use of a startup PIN or key, but must have Compatible TPM startup set to Allowed or Required. But you can’t even set the Compatible TPM startup setting to Required until you set Startup authentication required to Yes!
And when you do set Startup authentication required to Yes, it has Compatible TPM startup defaulted to Blocked:
Even I’m confused. So I tested the various settings, and here’s exactly what you need to configure to silently encrypt devices. First, create a Disk encryption profile by going to Microsoft Endpoint Manager > Endpoint Security > Disk encryption > + Create policy:
Give the profile a nice name. For the BitLocker – Base Settings, set Hide prompt about third-party encryption to Yes, and Allow standard users to enable encryption during Autopilot to Yes.
For BitLocker – OS Drive Settings, set Startup authentication required to Yes. Set Compatible TPM startup to Required. Then Compatible TPM startup PIN, Compatible TPM startup key, and Compatible TPM startup key and PIN to Blocked.
We also need to change the system drive recovery options under BitLocker OS Drive settings. Change the top level setting to Configure. Set Recovery key file creation to Blocked and Recovery password creation to Required. You could also set Require device to back up recovery information to Azure AD to Yes, but that isn’t required (it will back it up in AAD anyway, but this stops it from moving forward until that’s done).
If you don’t set the System drive recovery settings, you’ll end up with an error that your device can’t set up both a recovery key and password. Notice that the tooltips for both these settings reference they must be configured for silent encryption:
Quick note – by default, devices will attempt to auto-encrypt using AES-128 if they pass the Hardware Security Test Interface (HSTI) check. If you want to use a different encryption algorithm, you can change the setting in the BitLocker OS Drive settings, but make sure you target a device group:
This meets all of the policy settings that the Docs page requires (but don’t forget to look at the prerequisites listed on that page, like TPM and UEFI):
Once you have enabled all of the appropriate settings, target the profile to an appropriate group (in my case, I’m using my Autopilot devices group). If you’re performing the encryption during Autopilot, be sure to enable the Enrollment Status Page:
Once the device completes ESP, you can open the BitLocker control panel pane to see that the device is actively encrypting:
If you’re wondering, ESP only waits for the setting to be ingested, not for the device itself to finish encrypting.
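Since ESP doesn’t wait for encryption to finish, it helps to have a quick way to confirm on the device that the policy above actually landed and that the OS drive is encrypting with only a TPM protector plus a recovery password (no PIN or startup key, which would mean a prompt). The script below is an added example, not code from the original post or from Microsoft. It assumes the Intune BitLocker settings are written to HKLM:\SOFTWARE\Policies\Microsoft\FVE under the same value names and numbers as the BitLocker ADMX policies (the mapping in the comments is that assumption), and that a successful Azure AD recovery key backup is logged as event ID 845 in the BitLocker Management log. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): after ESP, check that the
# effective BitLocker policy matches the silent-encryption settings from the
# post and report the OS volume's encryption state and key protectors.
# ASSUMPTION: Intune's BitLocker policy lands in the ADMX registry location
# below with the ADMX value names/numbers listed in $expectedPolicy.

$fvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Intune setting (from the post)  ->  assumed ADMX registry value
$expectedPolicy = [ordered]@{
    UseAdvancedStartup = 1   # Startup authentication required = Yes
    UseTPM             = 2   # Compatible TPM startup = Required
    UseTPMPIN          = 0   # Compatible TPM startup PIN = Blocked
    UseTPMKey          = 0   # Compatible TPM startup key = Blocked
    UseTPMKeyPIN       = 0   # Compatible TPM startup key and PIN = Blocked
    OSRecovery         = 1   # System drive recovery = Configure
    OSRecoveryKey      = 0   # Recovery key file creation = Blocked
    OSRecoveryPassword = 2   # Recovery password creation = Required
}

function Test-SilentEncryptionPolicy {
    # One row per expected value: what the post requires vs. what applied.
    if (-not (Test-Path $fvePolicyPath)) {
        Write-Warning "No BitLocker policy at $fvePolicyPath - the profile has not applied yet."
        return @()
    }
    $actual = Get-ItemProperty -Path $fvePolicyPath
    foreach ($name in $expectedPolicy.Keys) {
        $value = $actual.$name   # $null if the value is missing
        [pscustomobject]@{
            Setting  = $name
            Expected = $expectedPolicy[$name]
            Actual   = $value
            Pass     = ($value -eq $expectedPolicy[$name])
        }
    }
}

function Get-OsVolumeEncryptionReport {
    # Silent encryption should yield exactly a Tpm protector plus a
    # RecoveryPassword protector. TpmPin / TpmStartupKey / TpmPinStartupKey
    # mean a user prompt was required, i.e. the policy above did not apply.
    $volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # ASSUMPTION: event 845 = recovery info backed up to Azure AD successfully.
    $aadBackup = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $backupTime = $null
    if ($aadBackup) { $backupTime = $aadBackup.TimeCreated }

    $promptProtector = [bool]($protectors -match 'Pin|StartupKey')

    [pscustomobject]@{
        MountPoint           = $volume.MountPoint
        VolumeStatus         = $volume.VolumeStatus       # EncryptionInProgress, then FullyEncrypted
        ProtectionStatus     = $volume.ProtectionStatus   # On once a protector is active
        EncryptionMethod     = $volume.EncryptionMethod   # XtsAes128 unless the algorithm setting was changed
        EncryptionPercentage = $volume.EncryptionPercentage
        KeyProtectors        = ($protectors -join ', ')
        SilentProtectorsOnly = (($protectors -contains 'Tpm') -and
                                ($protectors -contains 'RecoveryPassword') -and
                                -not $promptProtector)
        RecoveryKeyInAzureAD = [bool]$aadBackup
        LastAadBackupTime    = $backupTime
    }
}

# Run both checks
Test-SilentEncryptionPolicy | Format-Table -AutoSize
Get-OsVolumeEncryptionReport | Format-List
```

If the policy table shows every row passing but the volume report lists a TpmPin or TpmStartupKey protector, the device was encrypted by something other than this profile (for example an earlier manual setup), which is worth knowing before you assume the silent path worked.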
But that’s it! Now we have a device silently encrypting – and since I used an Autopilot profile with it set to standard user, they’re not even an admin! And all this without prompting the user.
Happy encrypting! 🕵️‍♂️