Bitlocker Intune assignment not silent

David Dawson 100 86 Reputation points
2024-11-11T19:46:57.75+00:00

We're in a pilot to set up BitLocker on all of our Entra-joined Windows 10 and 11 clients. We'd like the deployment to occur silently. One of the Windows 11 22H2 devices that is getting the policy shows the end user a toast notification saying "Encryption needed. Your work or school requires this device to be encrypted. Select this notification to encrypt this device."

I've followed the article "Manage Disk Encryption policy for Windows devices with Intune" and see that my device is meeting requirements. The Intune device configuration settings are set for:

Encrypt device: Require
Warning for other disk encryption: Block
Allow standard users to enable encryption during Microsoft Entra join: Allow
User creation of recovery password: Allow 48-digit recovery password
User creation of recovery key: Allow 256-bit recovery key

The device is Entra-joined, has a TPM 2.0, and is booting via UEFI. I see in Settings that it is getting the BitLocker policy. In Intune it says that the policy was successful. Everything looks good, but the device keeps informing the end user that they need to do something to encrypt the disk. I'd like to enforce BitLocker encryption rather than give the end user an option. What do I do next?


2 answers

  1. Xenia-MSFT 2,825 Reputation points Microsoft Vendor
    2024-11-12T02:17:28.29+00:00

    @David Dawson 100 Thanks for posting in our Q&A.

    For this issue, we appreciate your help to collect some information:

    1. Based on my research, I find someone said that configuring any of the other compatible TPM settings as required will cause silent encryption to fail, so make sure you configure those Compatible TPM startup PIN and key settings to Blocked.


    For more details, please refer to the following link:

    https://call4cloud.nl/bitlocker-remediations-recovery-escrow/#part1

    Note: Non-Microsoft link, just for the reference.

    2. Please check: if you configure a TPM startup PIN or startup key on a device, BitLocker can't silently enable on the device, and instead requires interaction from the end user.

    Meanwhile, some versions of the security baseline for Microsoft Defender for Endpoint will configure both Compatible TPM startup PIN and Compatible TPM startup key by default. These configurations might block silent enablement of BitLocker. Please check if you deployed such security baseline policy.

    https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#tpm-startup-pin-or-key

    If there is any update, feel free to let us know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

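As an added example (not part of either post, and not Microsoft's or call4cloud's tooling), the PowerShell script below, run elevated on the affected client, collects in one place the prerequisites both posts talk about: TPM state, UEFI boot, Entra join, the current state of the OS volume, and the effective startup-authentication policy values, so a startup PIN or key left at Required or Allowed by another profile or a security baseline shows up directly instead of only as the toast notification. The registry location and value names are the standard BitLocker policy keys; it is an assumption here that the settings delivered by the Intune BitLocker CSP are reflected in that same key, and the event log query is only a convenience for surfacing recent enablement errors.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread, not code from either poster or from Microsoft.
# Collects the silent-enablement prerequisites discussed above on one client.
# Assumption: the Intune BitLocker CSP's effective settings are reflected in the
# standard policy key HKLM:\SOFTWARE\Policies\Microsoft\FVE.

function Test-SilentBitLockerPrereqs {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $r = [ordered]@{}
    $findings = [System.Collections.Generic.List[string]]::new()

    # TPM: must be present and ready; the question states TPM 2.0.
    $tpm = Get-Tpm
    $r.TpmPresent = $tpm.TpmPresent
    $r.TpmReady   = $tpm.TpmReady
    $r.TpmSpec    = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $findings.Add('TPM not present or not ready') }

    # Firmware: Confirm-SecureBootUEFI throws on a legacy-BIOS boot.
    try   { $r.SecureBoot = Confirm-SecureBootUEFI; $r.UefiBoot = $true }
    catch { $r.SecureBoot = $false; $r.UefiBoot = $false; $findings.Add('Not booted via UEFI') }

    # Entra join state, parsed from dsregcmd output.
    $r.AzureAdJoined = [bool]((dsregcmd /status) -match 'AzureAdJoined\s*:\s*YES')
    if (-not $r.AzureAdJoined) { $findings.Add('Device is not Entra-joined') }

    # Current state of the OS volume and which protectors exist.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $r.VolumeStatus     = $vol.VolumeStatus
    $r.ProtectionStatus = $vol.ProtectionStatus
    $r.KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')

    # Effective startup-authentication policy. For these DWORDs 0 = Blocked,
    # 1 = Required, 2 = Allowed. Any PIN/key value other than 0 means BitLocker
    # prompts the user instead of enabling silently (points 1 and 2 above).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    foreach ($name in 'UseAdvancedStartup', 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        $r[$name] = if ($pol -and $null -ne $pol.$name) { $pol.$name } else { 'not set' }
    }
    foreach ($name in 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        if ($r[$name] -is [int] -and $r[$name] -ne 0) {
            $findings.Add("$name = $($r[$name]) (should be 0/Blocked for silent enablement)")
        }
    }

    # Recent BitLocker management errors and warnings, if the log is available.
    try {
        $r.RecentEvents = Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 50 -ErrorAction Stop |
            Where-Object Level -le 3 |
            Select-Object -First 5 TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    } catch {
        $r.RecentEvents = 'log not available'
    }

    $r.Findings = if ($findings.Count) { $findings -join '; ' } else { 'none: silent-enablement prerequisites look satisfied' }
    [pscustomobject]$r
}

Test-SilentBitLockerPrereqs | Format-List
```

If the script reports a non-zero UseTPMPIN, UseTPMKey or UseTPMKeyPIN on a device that is only supposed to receive the profile in the question, compare the Intune device's policy report for every profile and baseline targeting it; the value that wins on the device is the one to trace back.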

  2. David Dawson 100 86 Reputation points
    2024-11-12T18:50:18.6933333+00:00

    Thanks, Xenia. That's what we already have. We're using device configuration instead of doing it through Endpoint Security but I think that should provide the same outcome. I haven't made any changes and here's a screenshot.

    (screenshot: BitLocker settings)

