Windows 10/11 Home support for MEM Compliance Encryption Requirement
If you’re using Compliance Policies in Microsoft Endpoint Manager for Windows devices, you’ll notice that you can require encryption two different ways. The first is to use the Require BitLocker setting, which evaluates whether BitLocker is enabled via the Windows Health Attestation Service (requiring a reboot). The second is the Require encryption of data storage on device, which checks for the presence of encryption (according to the Docs article). This second option poses an interesting question – can Windows 10/11 Home devices, which don’t have BitLocker, meet this compliance requirement?
The answer is Yes.
Windows 10 Home edition comes with support for “Device Encryption.” Device Encryption is unique in that it isn’t offered on every device, only those that meet HSTI specifications. HSTI spec can be complicated but suffice it to say that the OEM of your device needs to build in support for it, or you won’t meet it.
If your device is compatible, you can open System Information as an admin and you will see Meets requirements under Device Encryption:
An incompatible device, however, will show a list of reasons which may include Hardware Security Test Interface failed:
Presuming you have a compatible device then, when you go through OOBE and sign in with a Microsoft Account, under Settings > Update & Security, you will find a Device Encryption pane that will state Device encryption is on. Device encryption is automatically enabled once you sign in with a Microsoft Account and meet the HSTI requirements, encrypting the device with AES-128 and storing the key in your online account.
And just to provide more validation, here’s a screenshot showing the device is running Windows 10 Home:
If I go to account.microsoft.com, I can pull up the “BitLocker” key for this device.
If you’ve deployed corporate devices with Autopilot before, you may have run into this automated encryption before. That’s because the devices hit the same mechanism – they met HSTI requirements and were using an online (Azure AD) account that could store the key, so they were automatically encrypted. It was possible to change the algorithm by setting an encryption algorithm and targeting a device group, but devices would be encrypted nonetheless.
But the interesting thing is – Windows 10/11 Home don’t support BitLocker, so we can’t deploy those same profiles. We can ONLY use the Device Encryption feature which natively uses AES-128. Notice that Home is not supported for the BitLocker CSP used to configure encryption settings:
So back to the original question – if my device meets the Device Encryption requirements, what happens when I enroll it and have a Compliance Policy with Require encryption of data storage on device set to Require?
The device will report back as Compliant!
Here is the device in MEM and associated compliance policies:
One more check that it is running Windows 10 Home (also meaning it is Azure AD Registered/Workplace Joined, because AADJ doesn’t support Windows 10 Home):
And finally, here is the encryption setting that started it all, reporting as compliant:
So… if a device can meet the Require encryption of data storage on device setting, what about the actual Require BitLocker setting for Windows 10 Home?
Turns out, that will also report compliant!
Depending on the Docs article, it looks like Device Encryption can also be referred to as BitLocker Device Encryption. For example, in this article, under BitLocker Device Encryption it even mentions Windows Home:
“Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11.”
So at the end of the day, the BitLocker support in Windows Pro and Enterprise seems to be the configurability of encryption. Windows Home devices that meet the appropriate spec and automatically encrypt will meet the compliance settings requirements of BitLocker encryption in Microsoft Endpoint Manager.
There we have it! A deep dive into a simple setting, allowing you to use that compliance policy setting for BYOD Windows Home devices. Happy encrypting! ?