Forum Discussion
oryxway
Mar 17, 2023 | Iron Contributor
Bitlocker configured through Drive Encryption in Intune and Errors out. Not sure where it is going w
We have set up BitLocker through Intune Disk Encryption. I get the following error on the device (Dell Optiplex 7000) under Event Viewer - Microsoft\Windows\Bitlocker-API\Management Error ...
JeroenBurgerhout
Aug 30, 2023 | Iron Contributor
Don't know if you still have the issue, but if they are HAADJ devices, check my blog post https://www.burgerhout.org/the-bitlocker-haadj-nightmare/.
JoonChuan
Oct 11, 2023 | Copper Contributor
Read your blog.
Does this mean that we need to create a local GPO on top of the Intune BitLocker policy that was already successfully pushed to the device?
Facing the issue in a HAADJ environment. The Intune BitLocker policy is on the device, but it is not encrypting.
- Tps1990 | Dec 07, 2023 | Copper Contributor
JoonChuan I have the same issue. Did you find a solution? I would like to only save the keys to AAD and not AD.
- CrazyGonzo | Mar 12, 2024 | Copper Contributor
Did you manage to figure this out? Having exactly the same problem and would like to move all settings from on-prem (GPO) to Intune, saving BitLocker recovery to Entra ID only if possible.
- Tps1990 | Apr 09, 2024 | Copper Contributor
I don't remember exactly all the problems and the troubleshooting I did, but all I wanted was a silent BitLocker with the recovery key only in Entra ID. I normally do Intune rollouts for non-hybrid environments, where I just configure BitLocker from Endpoint Security. For this hybrid rollout I ended up configuring a Device Configuration profile for Endpoint protection with the settings in the attached image.
In a different tenant/environment I used a PowerShell script that I created as a Win32 app and deployed to the device with success. This works silently 100% of the time on Win10/Win11 devices with/without TPM 2.0. Also, because it was deployed as an application, it was possible to make sure the device was encrypted before the user was able to use it by enforcing the app in the ESP profile.
Link to PowerShell script:
https://msendpointmgr.com/2019/10/31/silently-enable-bitlocker-for-hybrid-azure-ad-joined-devices-using-windows-autopilot/
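As an added illustration of the device-side checks behind this approach (this is not the script linked above, nor Microsoft's or Intune's code), the following PowerShell surfaces recent errors from the same BitLocker-API log the original poster quoted, enables BitLocker silently on the OS drive if it is still decrypted, and escrows the recovery password to Entra ID only. It assumes an elevated session on Windows 10/11 with the built-in BitLocker module and a TPM; the event channel name is taken to be the one behind the Event Viewer path Microsoft\Windows\BitLocker-API\Management.

```powershell
# Added example, not the linked script. Run elevated; assumes a TPM and the
# built-in BitLocker PowerShell module. Escrows the key to Entra ID only.
$Mount = $env:SystemDrive

# 1. Silent enablement needs a ready TPM; warn early if it is not.
$tpm = Get-Tpm
if (-not $tpm.TpmReady) {
    Write-Warning "TPM is not ready; silent BitLocker enablement will not proceed."
}

# 2. Recent errors (Level 2) from the BitLocker-API Management log, i.e. the
#    channel behind Event Viewer > Microsoft > Windows > BitLocker-API > Management.
$log = 'Microsoft-Windows-BitLocker/BitLocker Management'
Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 3. Current state of the OS volume before changing anything.
$vol = Get-BitLockerVolume -MountPoint $Mount
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# 4. Enable BitLocker silently with a TPM protector only if the drive is decrypted
#    and carries no TPM protector yet (Enable-BitLocker errors if one exists).
$hasTpmProtector = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
if ($vol.VolumeStatus -eq 'FullyDecrypted' -and -not $hasTpmProtector -and $tpm.TpmReady) {
    Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest
}

# 5. Make sure a recovery password protector exists, then back it up to Entra ID.
#    Nothing here writes to on-prem AD, which is the behaviour asked for in the thread.
$rp = (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($p in $rp) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId
}
```

Check the escrow afterwards in the Entra ID device object (BitLocker keys) rather than trusting the script's exit code, since BackupToAAD-BitLockerKeyProtector only succeeds when the device identity is registered.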
- rahuljindal-MVP | Dec 07, 2023 | Bronze Contributor
I faced similar issues when using the new BitLocker encryption profile in Endpoint security. Luckily I had also created a BitLocker policy using the older template a couple of months back for a different rollout involving Entra ID devices, so without wasting any more time I duplicated the policy and modified the new policy to include Hybrid joined devices. Worked like a charm.
- Tps1990 | Dec 07, 2023 | Copper Contributor
rahuljindal-MVP Ok thanks. I just solved it in two customer environments by creating a Configuration Profile for encryption, instead of a profile in Endpoint security. All test devices are now silently encrypted 🙂