memdocs/intune/protect/encrypt-devices.md
Lines changed: 43 additions & 16 deletions
@@ -118,34 +118,62 @@ To view information about devices that receive BitLocker policy, see [Monitor di
118
118
119
119
### Silently enable BitLocker on devices
120
120
121
-
You can use an *Endpoint protection* template as part of a *device configuration* profile to configure a BitLocker policy that automatically and silently enables BitLocker on a device. That means that BitLocker enables successfully without presenting any UI to the end user, even when that user isn't a local Administrator on the device.
121
+
You can configure a BitLocker policy to automatically and silently enable BitLocker on a device. That means that BitLocker enables successfully without presenting any UI to the end user, even when that user isn't a local Administrator on the device. You can use either the BitLocker profile from an endpoint security disk encryption policy, or the endpoint protection template from a device configuration policy.
122
122
123
-
**Device Prerequisites**:
123
+
Devices must meet the following prerequisites, receive applicable settings to silently enable BitLocker, and not have incompatible settings for TPM startup PIN or key.
124
+
125
+
> [!NOTE]
126
+
> Silent enablement of BitLocker will encrypt used disk space only.
127
+
128
+
#### Device Prerequisites
124
129
125
130
A device must meet the following conditions to be eligible for silently enabling BitLocker:
126
131
127
-
- If end users log in to the devices as Administrators, the device must run Windows 10 version 1803 or later, or Windows 11.
128
-
- If end users log in to the devices as Standard Users, the device must run Windows 10 version 1809 or later, or Windows 11.
132
+
- If end users sign in to the devices as Administrators, the device must run Windows 10 version 1803 or later, or Windows 11.
133
+
- If end users sign in to the devices as Standard Users, the device must run Windows 10 version 1809 or later, or Windows 11.
129
134
- The device must be Azure AD Joined or Hybrid Azure AD Joined.
130
135
- Device must contain at least TPM (Trusted Platform Module) 1.2.
131
-
- The BIOS mode must be set to Native UEFI only.
136
+
- The BIOS mode must be set to Native UEFI only.
137
+
138
+
#### Required settings to silently enable BitLocker
132
139
133
-
**BitLocker policy configuration**:
140
+
Depending on the type of policy that you use to silently enable BitLocker, configure the following settings.
134
141
135
-
The following two settings for *BitLocker base settings* must be configured in the BitLocker policy of a device configuration profile:
142
+
**Endpoint security disk encryption policy** - Configure the following settings in the BitLocker profile:
143
+
144
+
-**Hide prompt about third-party encryption** = *Yes*
145
+
-**Alow standard users to enable encryption during Autopilot** = *Yes*
146
+
147
+
**Device configuration policy** - Configure the following settings in the *Endpoint protection* template or a *custom settings* profile:
136
148
137
149
-**Warning for other disk encryption** = *Block*.
138
150
-**Allow standard users to enable encryption during Azure AD Join** = *Allow*
139
151
140
-
The BitLocker policy **must not require** use of a startup PIN or startup key. When a TPM startup PIN or startup key is *required*, BitLocker can't silently enable and requires interaction from the end user. This requirement is met through the following four *BitLocker OS drive settings* in the same policy:
141
152
142
-
-**Compatible TPM startup** must be set to *Allowed* or *Required*
143
-
-**Compatible TPM startup PIN** must not be set to *Require startup PIN with TPM*
144
-
-**Compatible TPM startup key** must not be set to *Require startup key with TPM*
145
-
-**Compatible TPM startup key and PIN** must not be set to *Require startup key and PIN with TPM*
153
+
> [!TIP]
154
+
> While the setting labels and options in the following two policy types are different from each other, they both apply the same configuration to Windows encryption CSPs that manage BitLocker on Windows devices.
146
155
147
-
> [!NOTE]
148
-
> Silent enablement of BitLocker will encrypt used disk space only.
156
+
#### TPM startup PIN or key
157
+
158
+
A device **must not require** use of a startup PIN or startup key.
159
+
160
+
When a TPM startup PIN or startup key is required on a device, BitLocker can't silently enable on the device and instead requires interaction from the end user. Settings to configure the TPM startup PIN or key are available in both the endpoint protection template and the BitLocker policy. By default, these policies do not configure these settings.
161
+
162
+
Following are the relevant settings for each profile type:
163
+
164
+
**Endpoint security disk encryption policy** - In the BitLocker profile you'll find the following settings in the *BitLocker - OS Drive Settings* category when *BitLocker system drive policy* is set to *Configure*, and then *Startup authentication required* is set to *Yes*.
165
+
166
+
-**Compatible TPM startup** - Configure this as *Allowed* or *Required*
167
+
-**Compatible TPM startup PIN** - This setting must not be set to *Required*
168
+
-**Compatible TPM startup key** - This setting must not be set to *Required*
169
+
-**Compatible TPM startup key and PIN** - This setting must not be set to *Required*
170
+
171
+
**Device configuration policy** - In the endpoint protection template you'l find the following settings in the *Windows Encryption* category:
172
+
173
+
-**Compatible TPM startup** - Configure this as *Allowed* or *Required*
174
+
-**Compatible TPM startup PIN** - This setting must not be set to *Require startup PIN with TPM*
175
+
-**Compatible TPM startup key** - This setting must not be set to *Require startup key with TPM*
176
+
-**Compatible TPM startup key and PIN** - This setting must not be set to *Require startup key and PIN with TPM*
149
177
150
178
### View details for recovery keys
151
179
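Review bot: two typos in the added settings text in this hunk: the endpoint security disk encryption bullet "**Alow standard users to enable encryption during Autopilot** = *Yes*" should read "**Allow standard users to enable encryption during Autopilot** = *Yes*", and "In the endpoint protection template you'l find the following settings" should read "you'll find". Beyond those, the restructure is sound: moving the "encrypt used disk space only" note up next to the prerequisites, splitting the required settings per policy type, and stating the TPM startup PIN/key constraints with each profile's own option labels ("*Required*" for the endpoint security profile versus "*Require startup PIN with TPM*" for the endpoint protection template) is clearer than the old single list, and the TIP correctly flags that both policy types write the same Windows encryption CSP settings. One suggestion: the new TPM section says these settings are "not configured" by default; it would help readers to add that leaving them unconfigured is sufficient for silent enablement, so they are not tempted to set "Compatible TPM startup" to anything other than *Allowed* or *Required*.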
@@ -181,11 +209,10 @@ All BitLocker recovery key accesses are audited. For more information on Audit L
181
209
182
210
When you’ve configured the tenant attach scenario, Microsoft Endpoint Manager can display recovery key data for tenant attached devices.
183
211
184
-
- To support the display of recovery keys for tenant attached devices, your Configuration Manager sites must run version 2107 or later. For sites that run 2107, you must install an update rollup to support Azure AD joined devices:. See [KB11121541](/mem/configmgr/hotfix/2107/11121541).
212
+
- To support the display of recovery keys for tenant attached devices, your Configuration Manager sites must run version 2107 or later. For sites that run 2107, you must install an update rollup to support Azure AD joined devices: See [KB11121541](/mem/configmgr/hotfix/2107/11121541).
185
213
186
214
- To view the recovery keys, your Intune account must have the Intune RBAC permissions to view BitLocker keys, and must be associated with an on-premises user that has the related permissions for Configuration Manager of Collection Role, with Read Permission > Read BitLocker Recovery Key Permission. For more information, see [Configure role-based administration for Configuration Manager](/configmgr/core/servers/deploy/configure/configure-role-based-administration).
187
215
188
-
189
216
### Rotate BitLocker recovery keys
190
217
191
218
You can use an Intune device action to remotely rotate the BitLocker recovery key of a device that runs Windows 10 version 1909 or later, and Windows 11.
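Review bot: the punctuation fix in this hunk still leaves an awkward sentence: "you must install an update rollup to support Azure AD joined devices: See [KB11121541](/mem/configmgr/hotfix/2107/11121541)." A colon followed by a capitalized "See" reads as two sentences run together; either end the sentence before the reference ("...to support Azure AD joined devices. See [KB11121541](...).") or lowercase it after a semicolon. The removal of the stray blank line before "### Rotate BitLocker recovery keys" is fine.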