Autopilot User-driven mode with Hybrid Join and Silently Enabling Bitlocker


I'm building Windows 10 22H2 Enterprise machines using user-driven Autopilot and AzureAD Hybrid join. We require hybrid join for a very specific reason so AzureAD join is not an option. We also wish to enable Bitlocker with the recovery keys stored in AzureAD.

In this scenario is silent enablement of Bitlocker during Autopilot possible/supported? 


@shocko Please take a look at my blog post for more info to enable your wishes. The BitLocker HAADJ Nightmare (

Thanks for the info. I'm not sure I follow the thread though. We don't use GPO for our Intune enrolled machines. Is it possible to enable Bitlocker silently during user-driven autopilot with the recovery key stored in AzureAD?

For HAADJ devices you need to have a GPO with the settings that I mention in the blog post. Otherwise... it will not work. Trust me.

Yes, I understand that we can silently enable Bitlocker for Hybrid join machines using the settings you have indicated (including GPO) but my query is around doing this as part of Autopilot.

@shocko You can enable Bitlocker during Autopilot through an Endpoint Security -> Disk encryption policy.

But I don't know if this works with HAADJ devices.

I think we can have a PowerShell script to encrypt with BitLocker for hybrid Intune-enrolled devices.
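Added example, not code posted in this thread: a script of the kind the reply above suggests, using only the built-in BitLocker cmdlets to silently enable BitLocker with a TPM protector and escrow the recovery password to Azure AD. It assumes Windows 10, a ready TPM, execution as SYSTEM (as an Intune PowerShell script would run), and that the device's Azure AD registration already exists; on a hybrid-joined device that registration only completes after the first sign-in with line of sight to a DC, so the script exits non-zero when escrow is not yet possible rather than leaving a recovery key unescrowed.

```powershell
# Added example (not from this thread). Assumed context: runs as SYSTEM on a
# Windows 10 device after Azure AD / hybrid device registration has completed.
$ErrorActionPreference = 'Stop'
$osDrive = $env:SystemDrive

# Silent enablement needs a ready TPM; anything that would prompt the user
# at boot (TPM+PIN, startup key) is out of scope for an unattended enrollment.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "TPM not present or not ready; silent BitLocker enablement is not possible."
    exit 1
}

$vol = Get-BitLockerVolume -MountPoint $osDrive

# Turn BitLocker on with a TPM protector only if the OS volume is still fully
# decrypted. -SkipHardwareTest avoids the reboot-and-test cycle; -UsedSpaceOnly
# keeps the initial encryption short on freshly imaged disks.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $osDrive
}

# Make sure a recovery password protector exists; this is the key that gets escrowed.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow every recovery password protector to Azure AD. On a hybrid-joined device
# this throws until Azure AD device registration exists; exit non-zero so the
# management agent retries later instead of reporting success with no escrowed key.
foreach ($kp in $recovery) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive `
            -KeyProtectorId $kp.KeyProtectorId | Out-Null
        Write-Output "Escrowed recovery key protector $($kp.KeyProtectorId) to Azure AD."
    } catch {
        Write-Warning "Azure AD escrow failed (device not registered yet?): $_"
        exit 1
    }
}
exit 0
```

Verify the escrow afterwards by checking the device's BitLocker keys in the Azure AD / Intune device blade, and treat a script that only encrypts without a successful escrow as a failed deployment.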

When though? I'm asking about during Autopilot for HAADJ (which requires line of sight to a DC).