
Silent BitLocker in Windows Autopilot

When enrolling devices through Windows Autopilot with Intune, enabling BitLocker without user interaction can be a bit of a hassle, since the default behavior is to prompt the end user to encrypt the device once they reach the desktop.

This pop-up can easily confuse end users, and the device is not really “ready to use” once the Enrollment Status Page (ESP) has closed: the disk stays unencrypted until someone clicks through the prompt.

There are several ways to solve this; the most common is to run a PowerShell script packaged as a Win32 app during enrollment.

But there is a way to skip the script entirely and do it with built-in policy. It does come with some distinct limitations, on top of the normal BitLocker requirements (a TPM and so on):

  • Devices are managed by Intune
  • Devices are Azure AD joined (hybrid Azure AD joined is not supported)
  • Devices run Windows 10 1809 or later
  • No third-party disk encryption product is installed

So how do you configure this?

In Microsoft Intune, go to Endpoint security > Disk encryption and create a new profile.

Select “Windows 10 and later” as the platform, choose the BitLocker profile and click Create. Give the profile a name that follows your naming convention and click Next.

To enforce BitLocker during enrollment, you need to

  • Set “Enable full disk encryption for OS and fixed drives” to Yes (encryption becomes required, not just allowed)
  • Set “Hide prompt about third-party encryption” to Yes (this is the prompt that would otherwise block silent enablement)
  • Set “Allow standard users to enable encryption during Autopilot” to Yes (the enrolling user is normally not a local administrator, and enabling BitLocker otherwise requires one)

A heads-up on these settings: if a device already runs third-party encryption, hiding that prompt and forcing BitLocker on top of it can leave the machine unbootable, and you will have to reinstall it. So be careful when assigning this profile to existing machines rather than only to freshly enrolled ones.

Then set your preferred BitLocker settings for OS and fixed drives; what I run in this lab setup will not necessarily match your organization’s needs and requirements. One setting worth enabling is “Require device to back up recovery information to Azure AD”, so that the recovery password is escrowed to the device object in Azure AD and can be retrieved from the portal when the TPM refuses to unseal the drive (firmware update, motherboard swap, changed boot configuration). Without escrow, a device that enters recovery is effectively lost. Note that with this set to Require, encryption does not start until the backup has succeeded, so the device must be able to reach Azure AD during enrollment.

Click Next until you reach “Assignments” and select a device group containing your Autopilot devices (target devices rather than users, so the policy arrives during the device phase of the ESP before anyone signs in).

Click Next, review your settings, and hit “Create” on the Review + Create page.

And that’s it! Your devices will now silently encrypt with BitLocker during Autopilot enrollment.
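To confirm that it actually happened on a device, and to catch the cases where it silently did not (a missing TPM, a hybrid join, or a recovery key that never reached Azure AD), here is a PowerShell check. It is an added example, not part of the original post or the Intune profile above. It assumes the BitLocker and TrustedPlatformModule modules and dsregcmd.exe that ship with Windows 10/11, takes the OS drive from $env:SystemDrive, and relies on event ID 845 (success) / 846 (failure) in the BitLocker Management log to tell whether the recovery password was escrowed; run it from an elevated PowerShell on the enrolled device.

```powershell
# Added example, not from the original post. Post-enrollment check that silent
# BitLocker actually happened and that the recovery password was escrowed to Azure AD.
# Assumes the built-in BitLocker and TrustedPlatformModule modules and dsregcmd.exe;
# the OS drive is taken from $env:SystemDrive (normally C:).
#Requires -RunAsAdministrator

$osDrive = $env:SystemDrive

# 1. The prerequisites from the list above: TPM, OS build, join type.
$tpm   = Get-Tpm
$build = [Environment]::OSVersion.Version.Build          # 17763 = Windows 10 1809
$dsreg = dsregcmd /status
$aadJoined    = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')

"TPM present/ready : $($tpm.TpmPresent) / $($tpm.TpmReady)"
"OS build          : $build (needs 17763 or later)"
"Azure AD joined   : $aadJoined"
"Hybrid joined     : $($aadJoined -and $domainJoined) (hybrid is not supported for silent enablement)"

# 2. Encryption state of the OS drive. After a successful Autopilot run you should see
#    ProtectionStatus On, VolumeStatus FullyEncrypted (or EncryptionInProgress shortly
#    after enrollment), and both a Tpm and a RecoveryPassword key protector.
$vol = Get-BitLockerVolume -MountPoint $osDrive
"Protection status : $($vol.ProtectionStatus)"
"Volume status     : $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)"
"Encryption method : $($vol.EncryptionMethod)"        # compare with the method set in the profile
"Key protectors    : $(($vol.KeyProtector.KeyProtectorType) -join ', ')"

# 3. Escrow check. A successful backup of the recovery password to Azure AD writes
#    event 845 to the BitLocker Management log (846 on failure).
$escrow = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($escrow) {
    "Recovery key escrowed to Azure AD at $($escrow.TimeCreated)"
}
else {
    # No success event: either the policy was missing or the device could not reach
    # Azure AD during enrollment. Push the recovery password now so the only copy of
    # the key is not on this device.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        "No RecoveryPassword protector present; adding one"
        Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        "Backing up recovery password protector $($p.KeyProtectorId) to Azure AD"
        BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId
    }
}
```

The manual BackupToAAD-BitLockerKeyProtector fallback is the same escrow the profile performs automatically; running it by hand is only needed for the devices where the success event is missing. Once it has run, the recovery key should appear under the device in the Azure AD or Intune portal, which is the place to verify it from the admin side.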