diff --git a/server/fleet/service.go b/server/fleet/service.go
index 765b44ae8484..cb6344b79e62 100644
--- a/server/fleet/service.go
+++ b/server/fleet/service.go
@@ -1063,7 +1063,7 @@ type Service interface {
 	// supported Linux hosts in the specified team (or, if no team is specified, each host that is not assigned to any team).
 
 	// TODO - custom return type, or just use relevant fields?
-	GetLinuxDiskEncryptionSummary(ctx context.Context, teamId *uint) (*MDMLinuxDiskEncryptionSummary, error)
+	GetLinuxDiskEncryptionSummary(ctx context.Context, teamId *uint) (MDMLinuxDiskEncryptionSummary, error)
 
 	///////////////////////////////////////////////////////////////////////////////
 	// Common MDM
diff --git a/server/service/linux_mdm.go b/server/service/linux_mdm.go
index fddf2820fc87..0a439b7856d4 100644
--- a/server/service/linux_mdm.go
+++ b/server/service/linux_mdm.go
@@ -44,19 +44,19 @@ func (svc *Service) LinuxHostDiskEncryptionStatus(ctx context.Context, host flee
 	}, nil
 }
 
-func (svc *Service) GetLinuxDiskEncryptionSummary(ctx context.Context, teamId *uint) (*fleet.MDMLinuxDiskEncryptionSummary, error) {
+func (svc *Service) GetLinuxDiskEncryptionSummary(ctx context.Context, teamId *uint) (fleet.MDMLinuxDiskEncryptionSummary, error) {
 	if err := svc.authz.Authorize(ctx, fleet.MDMConfigProfileAuthz{TeamID: teamId}, fleet.ActionRead); err != nil {
-		return nil, ctxerr.Wrap(ctx, err)
+		return fleet.MDMLinuxDiskEncryptionSummary{}, ctxerr.Wrap(ctx, err)
 	}
 
 	if svc.config.Server.PrivateKey == "" {
-		return nil, ctxerr.New(ctx, "Missing required private key. Learn how to configure the private key here: https://fleetdm.com/learn-more-about/fleet-server-private-key")
+		return fleet.MDMLinuxDiskEncryptionSummary{}, ctxerr.New(ctx, "Missing required private key. Learn how to configure the private key here: https://fleetdm.com/learn-more-about/fleet-server-private-key")
 	}
 
 	ps, err := svc.ds.GetLinuxDiskEncryptionSummary(ctx, teamId)
 	if err != nil {
-		return nil, ctxerr.Wrap(ctx, err)
+		return fleet.MDMLinuxDiskEncryptionSummary{}, ctxerr.Wrap(ctx, err)
 	}
 
-	return &ps, nil
+	return ps, nil
 }
diff --git a/server/service/mdm.go b/server/service/mdm.go
index a2f083b865f6..a23f8cccfa13 100644
--- a/server/service/mdm.go
+++ b/server/service/mdm.go
@@ -936,9 +936,17 @@ func getMDMProfilesSummaryEndpoint(ctx context.Context, request interface{}, svc
 		return &getMDMProfilesSummaryResponse{Err: err}, nil
 	}
 
-	lx, err := svc.GetLinuxDiskEncryptionSummary(ctx, req.TeamID)
-	if err != nil {
-		return &getMDMProfilesSummaryResponse{Err: err}, nil
+	var lx fleet.MDMLinuxDiskEncryptionSummary
+	// since this endpoint is available for Free users as well, check license here to include Linux
+	// disk encryption counts which is a premium feature. Similar to
+	// `ds.GetMDMWindowsProfilesSummary`'s `includeBitLocker` check, except that Linux hosts don't
+	// have any non-premium data to contribute here, so we can check higher up.
+	license, _ := license.FromContext(ctx)
+	if license.IsPremium() {
+		lx, err = svc.GetLinuxDiskEncryptionSummary(ctx, req.TeamID)
+		if err != nil {
+			return &getMDMProfilesSummaryResponse{Err: err}, nil
+		}
 	}
 
 	res.Verified = as.Verified + ws.Verified + lx.Verified