@Dilan Nanayakkara Thanks for posting in our Q&A.
I noticed that we are deploying BitLocker silently. A device must meet the following conditions to be eligible for silently enabling BitLocker:
If end users log in to the devices as Administrators, the device must run Windows 10 version 1803 or later.
If end users log in to the devices as Standard Users, the device must run Windows 10 version 1809 or later.
The device must be Azure AD Joined or Hybrid Azure AD Joined.
The device must contain a TPM (Trusted Platform Module) 2.0.
The BIOS mode must be set to Native UEFI only.
For more points to note, please refer to https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#silently-enable-bitlocker-on-devices
Regarding the several options you mentioned: 1 and 2 are built-in functions, 2 (Disk encryption profile) is more recommended for simplicity and efficiency, and 3 and 4 are not recommended.
1. Endpoint protection policy: BitLocker settings are one of the available settings categories for Windows 10 endpoint protection.
2. Disk encryption profile: The BitLocker profile in Endpoint security is a focused group of settings that is dedicated to configuring BitLocker.
3. Security baseline: It can be achieved but not recommended, and Microsoft doesn't recommend using preview versions of security baselines in a production environment.
4. CSPs: BitLocker CSP is supported on Windows 10 version 1703 and later, and for Windows 10 Pro version 1809 and later.
Can I configure BitLocker on either Hybrid or AAD standalone joined devices? Yes, both are OK.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
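The eligibility conditions listed in the answer above (Windows build depending on whether the signed-in user is an administrator or a standard user, Azure AD or Hybrid Azure AD join, TPM 2.0, and UEFI firmware) can be verified on a device before expecting the Intune policy to take effect. The following script is an added example and is not part of the answer or of any Microsoft tooling; it assumes it is run in an elevated PowerShell session on the device, that the build numbers 17134 (Windows 10 1803) and 17763 (Windows 10 1809) are the correct thresholds, and that `dsregcmd /status` prints `AzureAdJoined : YES` and `DomainJoined : YES` lines in its usual format.

```powershell
# Added example (not from the answer above): checks a Windows device against the
# silent-BitLocker prerequisites listed in the answer. Run elevated, because the
# Win32_Tpm class and Get-BitLockerVolume need administrative rights.
# Assumed build thresholds: 1803 = 17134, 1809 = 17763.

function Test-SilentBitLockerPrerequisites {
    [CmdletBinding()]
    param()

    $checks = New-Object System.Collections.Generic.List[object]

    # 1. Windows build: 1803+ when the signed-in user is an admin, 1809+ for standard users.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $isAdmin = ([Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()
    ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $requiredBuild = if ($isAdmin) { 17134 } else { 17763 }
    $userKind = if ($isAdmin) { 'admin' } else { 'standard' }
    $checks.Add([pscustomobject]@{
        Check  = 'WindowsBuild'
        Pass   = ($build -ge $requiredBuild)
        Detail = "Build $build, required >= $requiredBuild for a $userKind user"
    })

    # 2. Azure AD joined or Hybrid Azure AD joined, read from dsregcmd output.
    $dsreg = dsregcmd /status
    $aadJoined    = [bool]($dsreg | Where-Object { $_ -match '^\s*AzureAdJoined\s*:\s*YES' })
    $domainJoined = [bool]($dsreg | Where-Object { $_ -match '^\s*DomainJoined\s*:\s*YES' })
    $joinState = if ($aadJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
                 elseif ($aadJoined)               { 'Azure AD joined' }
                 else                               { 'not Azure AD joined' }
    $checks.Add([pscustomobject]@{
        Check  = 'AzureAdJoin'
        Pass   = $aadJoined
        Detail = $joinState
    })

    # 3. TPM 2.0 present. SpecVersion looks like "2.0, 0, 1.16"; the first field is the spec level.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
        -ErrorAction SilentlyContinue
    $specVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $checks.Add([pscustomobject]@{
        Check  = 'Tpm20'
        Pass   = ([bool]$tpm -and ($specVersion -eq '2.0'))
        Detail = "TPM spec version: $specVersion"
    })

    # 4. Native UEFI boot. $env:firmware_type is "UEFI" or "Legacy".
    $checks.Add([pscustomobject]@{
        Check  = 'Uefi'
        Pass   = ($env:firmware_type -eq 'UEFI')
        Detail = "Firmware type: $env:firmware_type"
    })

    # Informational: current BitLocker state of the OS volume, useful when the policy
    # has already been assigned and you want to confirm whether encryption started.
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $volumeDetail = if ($osVolume) {
        "$($osVolume.VolumeStatus), protection $($osVolume.ProtectionStatus)"
    } else { 'Get-BitLockerVolume unavailable' }
    $checks.Add([pscustomobject]@{
        Check  = 'OsVolumeState'
        Pass   = $null   # not a prerequisite, reported for context only
        Detail = $volumeDetail
    })

    return $checks
}

# Usage: list each check, then summarise whether all prerequisites are met.
$results = Test-SilentBitLockerPrerequisites
$results | Format-Table -AutoSize
$eligible = -not ($results | Where-Object { $_.Pass -eq $false })
Write-Host ("Eligible for silent BitLocker enablement: {0}" -f $eligible)
```

A device that fails any of the four prerequisite rows will not be encrypted silently even if the Endpoint security disk encryption profile is assigned correctly, so this is the first thing to run on a machine that shows as non-compliant for the policy; the last row only reports the current volume state and does not affect the eligibility verdict.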