Hi Emma Brooks,
To achieve silent BitLocker encryption during the Windows Autopilot provisioning phase for remote employees, you must configure a Microsoft Intune Endpoint Security disk encryption policy with three specific settings. First, enable "Allow standard users to enable encryption during Autopilot" to allow the process to run without requiring local administrative rights or triggering User Account Control prompts. Second, set "Warning for other disk encryption" to "Block" to suppress the native Windows dialog box and prevent the system from interrupting the setup wizard. These configurations interact directly with the underlying BitLocker Configuration Service Provider and the local registry to automate the encryption process and escrow recovery keys silently to Microsoft Entra ID.
The critical architectural requirement for this deployment is ensuring that the policy is targeted to a Device group rather than a User group. Assigning the policy to the hardware devices forces Microsoft Intune to process and enforce the encryption settings during the initial Device Setup phase of the Autopilot Enrollment Status Page. This ensures that the system drive is fully encrypted, secure, and compliant before the remote employee ever logs in or accesses the Windows desktop.
Domic
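The reply above describes the intended end state (OS drive encrypted before first sign-in, recovery key escrowed to Entra ID) but not how to confirm it on a device that has completed Autopilot. The following PowerShell script is an added example, not code from the thread or from Microsoft; it is written as an Intune remediation detection script that runs in the SYSTEM context and exits 0 when the device matches that end state and 1 otherwise. It uses the built-in Get-BitLockerVolume and Get-WinEvent cmdlets; the event IDs 845 (escrow succeeded) and 846 (escrow failed) in the BitLocker Management log are an assumption based on the author's experience with that log and should be confirmed against a known-good device before relying on them.

```powershell
# Post-Autopilot BitLocker verification (added example, not from the original thread).
# Run as an Intune remediation detection script in the SYSTEM context.
# Checks: OS drive protection is on and fully encrypted, a TPM protector and a
# recovery-password protector exist, and the most recent escrow event reports success.
# Exit 0 = compliant, exit 1 = non-compliant (Intune treats non-zero as "issue found").

$osDrive = $env:SystemDrive   # normally "C:"

$vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
if (-not $vol) {
    Write-Output "No BitLocker volume object for $osDrive"
    exit 1
}

$issues = @()

# Protection must be on; a drive still encrypting may report On with a partial percentage.
if ($vol.ProtectionStatus -ne 'On') {
    $issues += "ProtectionStatus is $($vol.ProtectionStatus) (expected On)"
}
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $issues += "VolumeStatus is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% done)"
}

# Silent encryption should leave a TPM protector plus a recovery password to escrow.
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ('Tpm' -notin $types)              { $issues += "No TPM key protector" }
if ('RecoveryPassword' -notin $types) { $issues += "No recovery password protector" }

# Escrow check. Assumed event IDs: 845 = recovery information backed up to Entra ID,
# 846 = backup failed. Only the most recent attempt is judged.
$escrow = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845, 846
} -MaxEvents 20 -ErrorAction SilentlyContinue | Sort-Object TimeCreated -Descending

$latest = $escrow | Select-Object -First 1
if (-not $latest) {
    $issues += "No key escrow event found in the BitLocker Management log"
} elseif ($latest.Id -eq 846) {
    $issues += "Latest escrow attempt failed: $($latest.Message)"
}

if ($issues.Count -gt 0) {
    Write-Output ("NonCompliant: " + ($issues -join '; '))
    exit 1
}

Write-Output "Compliant: $osDrive fully encrypted, TPM + recovery password protectors present, key escrowed"
exit 0
```

Deploy the script with the policy's same Device group so the check runs on exactly the hardware the encryption policy targets; a device that reports "No key escrow event found" while otherwise encrypted is the case to investigate first, because an un-escrowed recovery password leaves the drive protected but unrecoverable from Entra ID.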