Forum Discussion
AhmedSHMK
May 23, 2024 | Brass Contributor
Bitlocker D drive and Recovery after Restart
Hello, I am starting to create an Intune policy to encrypt devices with full disk encryption using BitLocker. So far, the policy works fine for the C drive but not the D drive.
The second issue is that upon restart of an encrypted device, a recovery screen shows up and the user has to enter the recovery key to use the device.
I need some more understanding of the policy template settings to see what could be causing those behaviors.
Current policy settings for reference:

BitLocker
  Require Device Encryption: Enabled
  Allow Warning For Other Disk Encryption: Disabled
  Allow Standard User Encryption: Enabled
  Configure Recovery Password Rotation: Refresh on for both Azure AD-joined and hybrid-joined devices

Administrative Templates
Windows Components > BitLocker Drive Encryption
  Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled
    Select the encryption method for removable data drives: AES-CBC 128-bit (default)
    Select the encryption method for operating system drives: XTS-AES 128-bit (default)
    Select the encryption method for fixed data drives: XTS-AES 128-bit (default)
  Provide the unique identifiers for your organization: Not configured

Windows Components > BitLocker Drive Encryption > Operating System Drives
  Enforce drive encryption type on operating system drives: Enabled
    Select the encryption type: (Device): Full encryption
  Require additional authentication at startup: Disabled
  Configure minimum PIN length for startup: Not configured
  Allow enhanced PINs for startup: Not configured
  Disallow standard users from changing the PIN or password: Not configured
  Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.: Not configured
  Enable use of BitLocker authentication requiring preboot keyboard input on slates: Not configured
  Choose how BitLocker-protected operating system drives can be recovered: Enabled
    Omit recovery options from the BitLocker setup wizard: False
    Allow data recovery agent: False
    Allow 256-bit recovery key
    Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
    Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: True
    Save BitLocker recovery information to AD DS for operating system drives: True
    Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
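An added diagnostic, not part of AhmedSHMK's post: run it elevated on one affected device to compare the policy above with what BitLocker actually provisioned on each volume and whether the TPM is usable. It assumes the built-in BitLocker and TrustedPlatformModule cmdlets; the event-log channel name is an assumption about the standard BitLocker management log.

```powershell
# Added diagnostic (not from the original post). Run in an elevated PowerShell.
# One row per volume: what is encrypted, how, and which key protectors exist.
$report = foreach ($v in Get-BitLockerVolume) {
    $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        Drive        = $v.MountPoint
        Type         = $v.VolumeType            # OperatingSystem or Data
        Protection   = $v.ProtectionStatus      # On / Off
        Status       = $v.VolumeStatus          # FullyEncrypted, FullyDecrypted, ...
        Method       = $v.EncryptionMethod      # e.g. XtsAes128 per the policy above
        Protectors   = ($types -join ',')
        TpmProtector = (($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0)
        AutoUnlock   = $v.AutoUnlockEnabled     # data drives only
    }
}
$report | Format-Table -AutoSize

# Symptom 1 (D: not encrypted): a fixed data volume with protection Off means
# the policy never reached it. An encrypted data volume without auto-unlock
# would instead prompt the user for that drive separately at sign-in.
$report | Where-Object { $_.Type -eq 'Data' -and $_.Protection -ne 'On' } |
    ForEach-Object { Write-Warning "Data volume $($_.Drive) is not protected ($($_.Status))" }

# Symptom 2 (recovery screen on every restart): an OS volume whose only
# protector is RecoveryPassword, with no Tpm* protector, cannot unlock
# silently, so each boot lands on the recovery screen. Check the TPM too,
# since 'Require additional authentication at startup: Disabled' still
# relies on a ready TPM to seal the OS volume key.
$os = $report | Where-Object Type -eq 'OperatingSystem'
if ($os -and -not $os.TpmProtector) {
    Write-Warning "OS volume $($os.Drive) has protectors [$($os.Protectors)] but no TPM protector"
}
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady); BitLocker cannot bind the OS key to it"
}

# Recent errors/warnings in the BitLocker management log (channel name assumed)
# usually name the policy step that failed, e.g. the recovery-key escrow gate.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

Read the output together with the policy: the setting "Do not enable BitLocker until recovery information is stored to AD DS" blocks protection until escrow succeeds, so an Off data volume alongside an escrow error in the log points at that gate rather than at the cipher settings.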