Forum Discussion
Tomnibus_MedOne
Jan 13, 2021, Brass Contributor
Bitlocker Failing to encrypt Error: -2016346112 (No Error Code)
I'm just learning Intune and I'm setting up everything for the first time. I setup BitLocker I have my settings below. On my Virtual machine that I connected with Autopilot, Bitlocker encrypted the d...
DavidStewart-Palapanou
Jan 16, 2021, Copper Contributor
I had this myself, it's because for some reason the Standard AAD user account doesn't have permissions to perform silent encryption during Autopilot enrolment, despite being specified with the setting. It seemed to be a known issue that Microsoft were or are working on. I did this like 3 days ago so it's very recent, and it worked for me just fine.
In the end I created two separate settings, some in Endpoint security and some in Device configuration profiles.
I created the below settings in Devices > configuration profiles (Endpoint protection).
Encrypt devices
Require
Warning for other disk encryption
Block
Allow standard users to enable encryption during Azure AD Join
Allow
Configure encryption methods
Enable
Encryption for operating system drives
XTS-AES 256-bit
Encryption for fixed data-drives
XTS-AES 256-bit
Encryption for removable data-drives
AES-CBC 256-bit
I also created these settings in Endpoint security > Disk encryption.
Base:
Enable full disk encryption for OS and fixed data drives
- Yes
Require storage cards to be encrypted (mobile only)
- Not configured
Hide prompt about third-party encryption
- Yes
Allow standard users to enable encryption during Autopilot
- Yes
Configure client-driven recovery password rotation
- Not configured
Fixed drive:
BitLocker fixed drive policy
- Configure
Fixed drive recovery
- Configure
Recovery key file creation
- Allowed
Configure BitLocker recovery package
- Password and key
Require device to back up recovery information to Azure AD
- Yes
Recovery password creation
- Required
Hide recovery options during BitLocker setup
- Yes
Enable BitLocker after recovery information to store
- Yes
Block the use of certificate-based data recovery agent (DRA)
- Not configured
Block write access to fixed data-drives not protected by BitLocker
- Yes
Configure encryption method for fixed data-drives
- AES 256bit XTS
OS drive:
BitLocker system drive policy
- Configure
Startup authentication required
- Yes
Compatible TPM startup
- Required
Compatible TPM startup PIN
- Blocked
Compatible TPM startup key
- Blocked
Compatible TPM startup key and PIN
- Blocked
Disable BitLocker on devices where TPM is incompatible
- Yes
Enable preboot recovery message and url
- Not configured
System drive recovery
- Configure
Recovery key file creation
- Allowed
Configure BitLocker recovery package
- Password and key
Require device to back up recovery information to Azure AD
- Yes
Recovery password creation
- Required
Hide recovery options during BitLocker setup
- Yes
Enable BitLocker after recovery information to store
- Yes
Block the use of certificate-based data recovery agent (DRA)
- Not configured
Minimum PIN length
- Empty
Configure encryption method for Operating System drives
- AES 256bit XTS
Removable drive:
BitLocker removable drive policy
- Configure
Configure encryption method for removable data-drives
- AES 256bit CBC
Block write access to removable data-drives not protected by BitLocker
- Yes
Block write access to devices configured in another organization
- Not configured
The encryption will succeed silently and automatically, even for standard users, during the enrolment status page (ESP) and once the user signs into their device for the first time. If you haven't enabled ESP, then it won't work during Autopilot provisioning, so make sure it's been configured. The portal will display an error until it applies and starts to encrypt, which will be during the final phase in ESP. Plus, make sure any existing encryption is disabled before doing this. It can take about 20 minutes after entering the final phase in ESP for the Endpoint Manager admin portal to report the profile succeeded.
Also, even though the Windows event logs don't have anything, this happened to me too. I did notice that there was some information in the Windows System Information app. Scroll down until you see an entry related to encryption; that's where I found an encryption error. Although it can present strange errors, so be cautious before following what it says! Mine told me to sort out the TPM, but it was fine in the end.
Hope it helps.
- shaunyshow, Oct 09, 2021, Copper Contributor
This was the most helpful reply. I was getting an error for "Startup authentication required"; what I'd forgotten to do was set these (I had left them as "Not Configured"):
Compatible TPM startup PIN
- Blocked
Compatible TPM startup key
- Blocked
Compatible TPM startup key and PIN
- Blocked
- Matthew Tandy, Jun 02, 2022, Copper Contributor
This helped me get rid of the error for a device which had been enrolled and built prior to the policy being enabled.
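As an added check, not something anyone in the thread posted: the PowerShell script below runs on the enrolled Windows client and reports whether the policy DavidStewart-Palapanou describes actually landed, including the four TPM startup settings shaunyshow had to set explicitly, and what state the TPM and volumes are in. It assumes that the BitLocker policy engine stores its settings under HKLM:\SOFTWARE\Policies\Microsoft\FVE, that the Intune BitLocker CSP records its nodes under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker, and that the numeric encodings follow the FVE ADMX (TPM protector 0 = blocked, 1 = allowed, 2 = required; encryption method 4 = AES-CBC 256, 7 = XTS-AES 256). The setting-to-registry mapping in the comments is assumed from that ADMX; anything not present on the device is reported as missing rather than guessed.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the client.
# Assumed paths: FVE = where the BitLocker policy engine stores settings,
# PolicyManager = where the Intune BitLocker CSP records its nodes.
$FvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$CspPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy has not arrived (or is Not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Expected values mirroring the posted OS / fixed / removable drive settings.
# Each comment names the Intune setting the value is assumed to map to (ADMX encoding).
$ExpectedFve = [ordered]@{
    UseAdvancedStartup             = 1   # Startup authentication required: Yes
    UseTPM                         = 2   # Compatible TPM startup: Required
    UseTPMPIN                      = 0   # Compatible TPM startup PIN: Blocked
    UseTPMKey                      = 0   # Compatible TPM startup key: Blocked
    UseTPMKeyPIN                   = 0   # Compatible TPM startup key and PIN: Blocked
    EnableBDEWithNoTPM             = 0   # Disable BitLocker where TPM is incompatible: Yes
    EncryptionMethodWithXtsOs      = 7   # OS drives: XTS-AES 256
    EncryptionMethodWithXtsFdv     = 7   # Fixed data drives: XTS-AES 256
    EncryptionMethodWithXtsRdv     = 4   # Removable drives: AES-CBC 256
    OSRecoveryPassword             = 2   # Recovery password creation: Required
    OSRecoveryKey                  = 1   # Recovery key file creation: Allowed
    OSActiveDirectoryInfoToStore   = 1   # Recovery package: Password and key
    OSActiveDirectoryBackup        = 1   # Require backup of recovery info to Azure AD: Yes
    OSRequireActiveDirectoryBackup = 1   # Enable BitLocker only after recovery info is stored: Yes
    OSHideRecoveryPage             = 1   # Hide recovery options during setup: Yes
    FDVDenyWriteAccess             = 1   # Block writes to unprotected fixed drives: Yes
    RDVDenyWriteAccess             = 1   # Block writes to unprotected removable drives: Yes
}
$ExpectedCsp = [ordered]@{
    RequireDeviceEncryption            = 1   # Encrypt devices: Require
    AllowWarningForOtherDiskEncryption = 0   # Hide prompt about third-party encryption: Yes
    AllowStandardUserEncryption        = 1   # Allow standard users to enable encryption: Yes
}

function Test-BitLockerPolicy {
    param([string]$Path, [System.Collections.Specialized.OrderedDictionary]$Expected)
    foreach ($name in $Expected.Keys) {
        $actual = Get-RegValueOrNull -Path $Path -Name $name
        if ($null -eq $actual) { $state = 'MISSING' }                # never applied / Not configured
        elseif ($actual -eq $Expected[$name]) { $state = 'ok' }
        else { $state = 'MISMATCH' }                                  # another profile is winning (the "Conflict" case)
        [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $actual; State = $state }
    }
}

Write-Host '== Policy as applied on the device =='
Test-BitLockerPolicy -Path $FvePath -Expected $ExpectedFve | Format-Table -AutoSize
Test-BitLockerPolicy -Path $CspPath -Expected $ExpectedCsp | Format-Table -AutoSize

# TPM must be present and ready before a TPM-only protector can be created.
Write-Host '== TPM =='
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, ManufacturerVersion | Format-List

# During ESP the OS volume should move from EncryptionInProgress to FullyEncrypted,
# with a Tpm protector plus a RecoveryPassword protector.
Write-Host '== Volumes =='
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } } |
    Format-Table -AutoSize

# Recent warnings/errors from the BitLocker management channel and the MDM diagnostics channel.
Write-Host '== Recent BitLocker / MDM policy events =='
foreach ($log in 'Microsoft-Windows-BitLocker/BitLocker Management',
                 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin') {
    Get-WinEvent -LogName $log -MaxEvents 15 -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -Wrap
}

# Intune shows HRESULTs as signed decimals; the hex form is what documentation and searches use.
function ConvertTo-HResultHex { param([int64]$Code) '0x{0:X8}' -f ($Code -band 0xFFFFFFFF) }
ConvertTo-HResultHex -2016346112   # the code in the thread title, rendered as 0x87D10000
```

Read the first two tables before anything else: a row marked MISSING on UseTPMPIN, UseTPMKey or UseTPMKeyPIN is exactly the situation shaunyshow describes (the startup-authentication setting cannot be evaluated until all four TPM options have a value), and a MISMATCH row points at a second profile setting the same value differently, which is what the portal reports as a conflict.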
- Tomnibus_MedOne, Jan 18, 2021, Brass Contributor
DavidStewart-Palapanou So on this. Do I disable the settings I had set up under Configuration Profiles other than the few you have at the top? Reason I ask is now I get error messages of "Conflict" and it says the encryption, etc. is Not applicable. Presumably because the settings are already set under configuration profiles.
- DavidStewart-Palapanou, Jan 18, 2021, Copper Contributor
Tomnibus_MedOne - Yes, that's right, you should set all settings outside of the ones I've advised to "Not configured". There shouldn't be any conflicts once you're done.
- Tomnibus_MedOne, Jan 19, 2021, Brass Contributor
DavidStewart-Palapanou Well, darn. I went ahead and did that and it doesn't work. It still says there is a conflict.
I am going to double-check all the settings, I guess.