
Commit b477d65

Merge pull request #6583 from Brenduns/silently-enable-bitlocker-update
Revisions to add endpoint security policies settings details
2 parents 7cc754f + 590ba91 commit b477d65

1 file changed

Lines changed: 46 additions & 18 deletions

File tree

memdocs/intune/protect/encrypt-devices.md

@@ -7,7 +7,7 @@ keywords:
77
author: brenduns
88
ms.author: brenduns
99
manager: dougeby
10-
ms.date: 12/06/2021
10+
ms.date: 02/02/2022
1111
ms.topic: how-to
1212
ms.service: microsoft-intune
1313
ms.subservice: protect
@@ -31,7 +31,7 @@ Use Intune to configure BitLocker Drive Encryption on devices that run Windows 1
3131

3232
BitLocker is available on devices that run Windows 10/11. Some settings for BitLocker require the device have a supported TPM.
3333

34-
Use one of the following policy types to configure BitLocker on your managed devices
34+
Use one of the following policy types to configure BitLocker on your managed devices:
3535

3636
- **[Endpoint security disk encryption policy for BitLocker](#create-an-endpoint-security-policy-for-bitlocker)**. The BitLocker profile in *Endpoint security* is a focused group of settings that is dedicated to configuring BitLocker.
3737

@@ -118,34 +118,63 @@ To view information about devices that receive BitLocker policy, see [Monitor di
118118

119119
### Silently enable BitLocker on devices
120120

121-
You can use an *Endpoint protection* template as part of a *device configuration* profile to configure a BitLocker policy that automatically and silently enables BitLocker on a device. That means that BitLocker enables successfully without presenting any UI to the end user, even when that user isn't a local Administrator on the device.
121+
You can configure a BitLocker policy to automatically and silently enable BitLocker on a device. That means that BitLocker enables successfully without presenting any UI to the end user, even when that user isn't a local Administrator on the device. You can use either the BitLocker profile from an endpoint security disk encryption policy, or the endpoint protection template from a device configuration policy.
122122

123-
**Device Prerequisites**:
123+
Devices must meet the following prerequisites, receive applicable settings to silently enable BitLocker, and not have incompatible settings for TPM startup PIN or key.
124+
125+
#### Device Prerequisites
124126

125127
A device must meet the following conditions to be eligible for silently enabling BitLocker:
126128

127-
- If end users log in to the devices as Administrators, the device must run Windows 10 version 1803 or later, or Windows 11.
128-
- If end users log in to the devices as Standard Users, the device must run Windows 10 version 1809 or later, or Windows 11.
129+
- If end users sign in to the devices as Administrators, the device must run Windows 10 version 1803 or later, or Windows 11.
130+
- If end users sign in to the devices as Standard Users, the device must run Windows 10 version 1809 or later, or Windows 11.
129131
- The device must be Azure AD Joined or Hybrid Azure AD Joined.
130132
- Device must contain at least TPM (Trusted Platform Module) 1.2.
131-
- The BIOS mode must be set to Native UEFI only.
133+
- The BIOS mode must be set to Native UEFI only.
134+
135+
#### Required settings to silently enable BitLocker
136+
137+
Depending on the type of policy that you use to silently enable BitLocker, configure the following settings.
138+
139+
**Endpoint security disk encryption policy** - Configure the following settings in the BitLocker profile:
132140

133-
**BitLocker policy configuration**:
141+
- **Hide prompt about third-party encryption** = *Yes*
142+
- **Alow standard users to enable encryption during Autopilot** = *Yes*
134143

135-
The following two settings for *BitLocker base settings* must be configured in the BitLocker policy of a device configuration profile:
144+
**Device configuration policy** - Configure the following settings in the *Endpoint protection* template or a *custom settings* profile:
136145

137146
- **Warning for other disk encryption** = *Block*.
138147
- **Allow standard users to enable encryption during Azure AD Join** = *Allow*
139148

140-
The BitLocker policy **must not require** use of a startup PIN or startup key. When a TPM startup PIN or startup key is *required*, BitLocker can't silently enable and requires interaction from the end user. This requirement is met through the following four *BitLocker OS drive settings* in the same policy:
149+
> [!TIP]
150+
> While the setting labels and options in the following two policy types are different from each other, they both apply the same configuration to Windows encryption CSPs that manage BitLocker on Windows devices.
141151
142-
- **Compatible TPM startup** must be set to *Allowed* or *Required*
143-
- **Compatible TPM startup PIN** must not be set to *Require startup PIN with TPM*
144-
- **Compatible TPM startup key** must not be set to *Require startup key with TPM*
145-
- **Compatible TPM startup key and PIN** must not be set to *Require startup key and PIN with TPM*
152+
#### TPM startup PIN or key
146153

147-
> [!NOTE]
148-
> Silent enablement of BitLocker will encrypt used disk space only.
154+
A device **must not require** use of a startup PIN or startup key.
155+
156+
When a TPM startup PIN or startup key is required on a device, BitLocker can't silently enable on the device and instead requires interaction from the end user. Settings to configure the TPM startup PIN or key are available in both the endpoint protection template and the BitLocker policy. By default, these policies do not configure these settings.
157+
158+
Following are the relevant settings for each profile type:
159+
160+
**Endpoint security disk encryption policy** - In the BitLocker profile you'll find the following settings in the *BitLocker - OS Drive Settings* category when *BitLocker system drive policy* is set to *Configure*, and then *Startup authentication required* is set to *Yes*.
161+
162+
- **Compatible TPM startup** - Configure this as *Allowed* or *Required*
163+
- **Compatible TPM startup PIN** - Configure this as *Blocked*
164+
- **Compatible TPM startup key** - Configure this as *Blocked*
165+
- **Compatible TPM startup key and PIN** - Configure this as *Blocked*
166+
167+
**Device configuration policy** - In the endpoint protection template you'l find the following settings in the *Windows Encryption* category:
168+
169+
- **Compatible TPM startup** - Configure this as *Allow TPM* or *Require TPM*
170+
- **Compatible TPM startup PIN** - Configure this as *Do not allow startup PIN with TPM*
171+
- **Compatible TPM startup key** - Configure this as *Do not allow startup Key with TPM*
172+
- **Compatible TPM startup key and PIN** - Configure this as *Do not allow startup Key and PIN with TPM*
173+
174+
> [!WARNING]
175+
> While neither the endpoint security or device configuration policies configure the TPM settings by default, some versions of the [security baseline for Microsoft Defender for Endpoint](../protect/security-baselines.md#available-security-baselines) will configure both *Compatible TPM startup PIN* and *Compatible TPM startup key* by default. These configurations might block silent enablement of BitLocker.
176+
>
177+
> If you deploy this baseline to devices on which you want to silently enable BitLocker, review your baseline configurations for possible conflicts. To remove conflicts, either reconfigure the settings in the baselines to remove the conflict, or remove applicable devices from receiving the baseline instances that configure TPM settings that block silent enablement of BitLocker.
149178
150179
### View details for recovery keys
151180

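Review bot: the new bullet at line 142 of the rewritten file misspells the setting label ("**Alow standard users to enable encryption during Autopilot**"), and the device configuration paragraph at line 167 has "you'l" where "you'll" is meant; the warning block also reads "neither the endpoint security or device configuration policies", which should be "neither ... nor". Separately, the deleted `[!NOTE]` ("Silent enablement of BitLocker will encrypt used disk space only.") has no replacement anywhere in the rewritten section; if that behaviour is unchanged, it is a caveat administrators rely on when planning encryption of drives that already hold data, so it should be restored, for example under the new "Required settings to silently enable BitLocker" heading.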
@@ -184,11 +213,10 @@ All BitLocker recovery key accesses are audited. For more information on Audit L
184213

185214
When you’ve configured the tenant attach scenario, Microsoft Endpoint Manager can display recovery key data for tenant attached devices.
186215

187-
- To support the display of recovery keys for tenant attached devices, your Configuration Manager sites must run version 2107 or later. For sites that run 2107, you must install an update rollup to support Azure AD joined devices:. See [KB11121541](../../configmgr/hotfix/2107/11121541.md).
216+
- To support the display of recovery keys for tenant attached devices, your Configuration Manager sites must run version 2107 or later. For sites that run 2107, you must install an update rollup to support Azure AD joined devices: See [KB11121541](/mem/configmgr/hotfix/2107/11121541).
188217

189218
- To view the recovery keys, your Intune account must have the Intune RBAC permissions to view BitLocker keys, and must be associated with an on-premises user that has the related permissions for Configuration Manager of Collection Role, with Read Permission > Read BitLocker Recovery Key Permission. For more information, see [Configure role-based administration for Configuration Manager](/configmgr/core/servers/deploy/configure/configure-role-based-administration).
190219

191-
192220
### Rotate BitLocker recovery keys
193221

194222
You can use an Intune device action to remotely rotate the BitLocker recovery key of a device that runs Windows 10 version 1909 or later, and Windows 11.
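Review bot: the reworded bullet still reads "to support Azure AD joined devices: See [KB11121541]", which is awkward punctuation; end the sentence with a period before "See". Also confirm the new link root `/mem/configmgr/hotfix/2107/11121541` is the intended one, since the unchanged bullet directly below links to `/configmgr/core/servers/deploy/configure/configure-role-based-administration` without the `/mem` prefix; the two adjacent links should resolve consistently.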
