diff --git a/changes/issue-10788-dont-allow-fde-disable b/changes/issue-10788-dont-allow-fde-disable
new file mode 100644
index 0000000000..77746c6a36
--- /dev/null
+++ b/changes/issue-10788-dont-allow-fde-disable
@@ -0,0 +1 @@
+- Updated FileVault configuration profile to disallow device user from disabling full-disk encryption. 
\ No newline at end of file
diff --git a/ee/server/service/mdm_profiles.go b/ee/server/service/mdm_profiles.go
index 09d7f4b332..6c7782fe29 100644
--- a/ee/server/service/mdm_profiles.go
+++ b/ee/server/service/mdm_profiles.go
@@ -63,6 +63,18 @@ var fileVaultProfileTemplate = template.Must(template.New("").Option("missingkey
 			<key>PayloadVersion</key>
 			<integer>1</integer>
 		</dict>
+		<dict>
+            <key>dontAllowFDEDisable</key>
+            <true/>
+            <key>PayloadIdentifier</key>
+            <string>com.apple.MCX.62024f29-105E-497A-A724-1D5BA4D9E854</string>
+            <key>PayloadType</key>
+            <string>com.apple.MCX</string>
+            <key>PayloadUUID</key>
+            <string>62024f29-105E-497A-A724-1D5BA4D9E854</string>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+        </dict>
 	</array>
 	<key>PayloadDisplayName</key>
 	<string>Disk encryption</string>