Forum Discussion

oryxway
Iron Contributor
Mar 20, 2023

BitLocker Encryption - Protection Status Off

I have created the disk encryption policy in BitLocker. Unfortunately it is not encrypting it. The protection status is Off. Conversion Status shows "Used Space Only Encrypted".

Is this something to do with the following? These are the errors I am getting under

 

DeviceManagement-Enterprise Diagnostics-Provider/Admin

 

Event ID:      404
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
 
Description:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (EC122BD9-5FD5-4690-8263-93A7832EFBC8), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption), Result: (The operating system drive is not protected by BitLocker Drive Encryption.).
 
Log Name:      Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source:        Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Event ID:      820
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Description:
MDM PolicyManager: Set policy precheck precheck call. Policy: (Security), Area: (RequireDeviceEncryption), int value: (0x1) Result:(0x80310020) The operating system drive is not protected by BitLocker Drive Encryption..
 
Event ID:      404
Task Category: None
Level:         Error
Description:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (EC122BD9-5FD5-4690-8263-93A7832EFBC8), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).
RequireDeviceEncryption

Scope:          Device: yes; User: no
Editions:       Home: no; Pro: yes; Enterprise: yes; Education: yes; Windows SE: yes
Applicable OS:  Windows 10, version 1703 [10.0.15063] and later

./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption

Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption.

Sample value for this node to enable this policy: 1

Disabling the policy will not turn off the encryption on the system drive, but it will stop prompting the user to turn it on.

Note:

Currently only full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on SystemDrivesEncryptionType and FixedDrivesEncryptionType configured on the device.

The status of OS volumes and encryptable fixed data volumes is checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value EncryptionMethodByDriveType policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives.

Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet other criteria to be considered encryptable:

  • It must not be a dynamic volume.
  • It must not be a recovery partition.
  • It must not be a hidden volume.
  • It must not be a system partition.
  • It must not be backed by virtual storage.
  • It must not have a reference in the BCD store.

Description framework properties:

Property name   Property value
Format          int
Access Type     Add, Delete, Get, Replace
Default Value   0

Allowed values:

Value        Description
0 (Default)  Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes.
1            Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on AllowWarningForOtherDiskEncryption policy).
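A diagnostic script for the symptom described in this thread (OS drive reported as encrypted while Protection Status is Off, and 0x80310020 precheck failures in the MDM diagnostics log). This is an added example, not code from the original post or from Microsoft; it assumes the built-in BitLocker and TrustedPlatformModule cmdlets on an MDM-enrolled Windows 10/11 device, and the function names are my own.

```powershell
# Added diagnostic (not from the original post). Assumes the built-in BitLocker
# and TrustedPlatformModule cmdlets and an MDM-enrolled Windows 10/11 device.
#Requires -RunAsAdministrator

function Get-OsDriveBitLockerState {
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $os) { throw 'Get-BitLockerVolume reported no operating system volume.' }
    [pscustomobject]@{
        MountPoint       = $os.MountPoint
        VolumeStatus     = $os.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
        EncryptionPct    = $os.EncryptionPercentage
        ProtectionStatus = $os.ProtectionStatus   # On or Off; the MDM precheck needs On
        KeyProtectors    = ($os.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

function Test-RequireDeviceEncryptionPrecheck {
    # The 0x80310020 precheck quoted in the post fails when the OS drive is not
    # *protected*, which can happen even when the volume is already encrypted.
    $state  = Get-OsDriveBitLockerState
    $issues = @()
    if ("$($state.ProtectionStatus)" -ne 'On') {
        $issues += "Protection is Off on $($state.MountPoint) while VolumeStatus is $($state.VolumeStatus)."
        if ([string]::IsNullOrEmpty($state.KeyProtectors)) {
            $issues += 'No key protectors attached (clear-key state): the volume is encrypted but unprotected.'
        } else {
            $issues += "Protectors exist ($($state.KeyProtectors)) but are not active; check for suspended protection (Resume-BitLocker)."
        }
    }
    $tpm = Get-Tpm
    if (-not $tpm.TpmReady) { $issues += 'TPM is not ready; silent encryption via this CSP depends on a ready TPM.' }
    [pscustomobject]@{ State = $state; Issues = $issues }
}

function Get-RecentMdmEncryptionFailures([int]$Hours = 24) {
    # Event IDs 404 and 820 are the ones quoted in the post.
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id        = 404, 820
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'RequireDeviceEncryption' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}
$result = Test-RequireDeviceEncryptionPrecheck
$result.State | Format-List
$result.Issues | ForEach-Object { Write-Warning $_ }
Get-RecentMdmEncryptionFailures | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the affected device; the warnings distinguish a clear-key (unprotected) volume from suspended protectors, which the Intune-side status alone does not show.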
