Forum Discussion
BitLocker Encryption - Protection Status Off
I have created the disk encryption policy in BitLocker. Unfortunately, it is not encrypting it. The protection status is off. Conversion Status shows - Used Space Only Encrypted.
Is this something to do with the following below, as that is the error I am getting under DeviceManagement-Enterprise Diagnostics-Provider/Admin?
RequireDeviceEncryption
Scope | Editions | Applicable OS
Device ✅ / User ❌ | Home ❌ / Pro ✅ / Enterprise ✅ / Education ✅ / Windows SE ✅ | Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption.
Sample value for this node to enable this policy: 1
Disabling the policy will not turn off encryption on the system drive, but it will stop prompting the user to turn it on.
Note
Currently only full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on SystemDrivesEncryptionType and FixedDrivesEncryptionType configured on the device.
The status of OS volumes and encryptable fixed data volumes is checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value EncryptionMethodByDriveType policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives.
Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet other criteria to be considered encryptable:
- It must not be a dynamic volume.
- It must not be a recovery partition.
- It must not be a hidden volume.
- It must not be a system partition.
- It must not be backed by virtual storage.
- It must not have a reference in the BCD store.
Description framework properties:
Property | Value
Format | int
Access Type | Add, Delete, Get, Replace
Default Value | 0
Allowed values:
Value | Description
0 (Default) | Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes.
1 | Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on AllowWarningForOtherDiskEncryption policy).
rahuljindal-MVP (Bronze Contributor): This looks like a duplicate post of https://techcommunity.microsoft.com/t5/microsoft-intune/bitlocker-protection-status-off/m-p/3772999/emcs_t/S2h8ZW1haWx8bWVudGlvbl9zdWJzY3JpcHRpb258TEZHWlUyREpRWEFTTkF8Mzc3Mjk5OXxBVF9NRU5USU9OU3xoSw#M14187. Here is what I will do -
1. Ensure there are no BitLocker policies applying from GPO.
2. Check the BitLocker API eventvwr logs for any other errors to see why silent encryption isn't working. Are there any DMA buses that are not whitelisted?
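The checks suggested in the reply (GPO conflicts, BitLocker-API and MDM diagnostics events, DMA) plus the RequireDeviceEncryption CSP state, gathered in one local triage script. This is an added example, not code from the thread or from Microsoft; the PolicyManager and FVE registry paths are assumptions and the script needs an elevated session on the affected device.

```powershell
# Added triage script, not code from the thread or from Microsoft. Run in an
# elevated PowerShell session on the affected Windows 10/11 device.
# Assumed registry paths are marked below.

# 1. OS volume state: an encrypted volume with ProtectionStatus Off has no
#    active key protector (e.g. suspended, or never received a TPM protector).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
[pscustomobject]@{
    MountPoint       = $os.MountPoint
    VolumeStatus     = $os.VolumeStatus
    ProtectionStatus = $os.ProtectionStatus
    EncryptionMethod = $os.EncryptionMethod
    KeyProtectors    = ($os.KeyProtector.KeyProtectorType -join ', ')
} | Format-List
if ($os.ProtectionStatus -eq 'Off' -and -not ($os.KeyProtector.KeyProtectorType -match '^Tpm')) {
    Write-Warning "No TPM-based protector on $($os.MountPoint); silent encryption requires a TPM."
}

# 2. TPM readiness, a prerequisite for silent encryption.
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled

# 3. Did the MDM policy arrive? (assumed PolicyManager path for the BitLocker CSP)
$csp = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
if (Test-Path $csp) {
    Get-ItemProperty $csp | Select-Object RequireDeviceEncryption, AllowWarningForOtherDiskEncryption
} else {
    Write-Warning "No BitLocker CSP values found under $csp"
}

# 4. Conflicting GPO BitLocker settings (assumed FVE policy path).
$gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $gpo) {
    Write-Warning "Group Policy BitLocker settings present under $gpo"
    Get-ItemProperty $gpo
}

# 5. Recent warnings/errors from BitLocker-API and the MDM diagnostics provider;
#    events mentioning DMA point at a DMA-capable bus that is not allowed.
$logs = 'Microsoft-Windows-BitLocker/BitLocker Management',
        'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{
    LogName = $logs; Level = 2, 3; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, LogName, Id, Message | Sort-Object TimeCreated | Format-Table -Wrap
$events | Where-Object Message -match 'DMA' | ForEach-Object {
    Write-Warning "DMA-related event $($_.Id): $(($_.Message -split "`n")[0])"
}
```

A volume that reports FullyEncrypted with ProtectionStatus Off is encrypted but unprotected until a TPM (or other) protector is active, which is what the first section makes visible.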