Forum Discussion
BitLocker failing to encrypt, Error: -2016346112 (No Error Code)
In the end I created two separate settings, some in Endpoint security and some in Device configuration profiles.
I created the below settings in Devices > configuration profiles (Endpoint protection).
Encrypt devices
- Require
Warning for other disk encryption
- Block
Allow standard users to enable encryption during Azure AD Join
- Allow
Configure encryption methods
- Enable
Encryption for operating system drives
- XTS-AES 256-bit
Encryption for fixed data-drives
- XTS-AES 256-bit
Encryption for removable data-drives
- AES-CBC 256-bit
I also created these settings in Endpoint security > Disk encryption.
Base:
Enable full disk encryption for OS and fixed data drives
- Yes
Require storage cards to be encrypted (mobile only)
- Not configured
Hide prompt about third-party encryption
- Yes
Allow standard users to enable encryption during Autopilot
- Yes
Configure client-driven recovery password rotation
- Not configured
Fixed drive:
BitLocker fixed drive policy
- Configure
Fixed drive recovery
- Configure
Recovery key file creation
- Allowed
Configure BitLocker recovery package
- Password and key
Require device to back up recovery information to Azure AD
- Yes
Recovery password creation
- Required
Hide recovery options during BitLocker setup
- Yes
Enable BitLocker after recovery information to store
- Yes
Block the use of certificate-based data recovery agent (DRA)
- Not configured
Block write access to fixed data-drives not protected by BitLocker
- Yes
Configure encryption method for fixed data-drives
- AES 256bit XTS
OS drive:
BitLocker system drive policy
- Configure
Startup authentication required
- Yes
Compatible TPM startup
- Required
Compatible TPM startup PIN
- Blocked
Compatible TPM startup key
- Blocked
Compatible TPM startup key and PIN
- Blocked
Disable BitLocker on devices where TPM is incompatible
- Yes
Enable preboot recovery message and url
- Not configured
System drive recovery
- Configure
Recovery key file creation
- Allowed
Configure BitLocker recovery package
- Password and key
Require device to back up recovery information to Azure AD
- Yes
Recovery password creation
- Required
Hide recovery options during BitLocker setup
- Yes
Enable BitLocker after recovery information to store
- Yes
Block the use of certificate-based data recovery agent (DRA)
- Not configured
Minimum PIN length
- Empty
Configure encryption method for Operating System drives
- AES 256bit XTS
Removable drive:
BitLocker removable drive policy
- Configure
Configure encryption method for removable data-drives
- AES 256bit CBC
Block write access to removable data-drives not protected by BitLocker
- Yes
Block write access to devices configured in another organization
- Not configured
The encryption will succeed silently and automatically, even for standard users, during the enrolment status page (ESP) and once the user signs into their device for the first time. If you haven't enabled ESP, then it won't work during Autopilot provisioning, so make sure it's been configured. The portal will display an error until the policy applies and encryption starts, which will be during the final phase of ESP. Plus, make sure any existing encryption is disabled before doing this. It can take about 20 minutes after entering the final phase of ESP for the Endpoint Manager admin portal to report that the profile succeeded.
Also, even though the Windows event logs don't have anything, this happened to me too. I did notice that there was some information in the Windows System Information app. Scroll down until you see an entry related to encryption; that's where I found an encryption error. Although it can present strange errors, so be cautious before following what it says! Mine told me to sort out the TPM, but it was fine in the end.
Hope it helps.
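As an added example (not code from the thread or from Microsoft), the following PowerShell reads a device's BitLocker state and compares it with the policy the post above describes: XTS-AES 256 on OS and fixed drives, AES-CBC 256 on removable drives, a TPM-only startup protector, and a required recovery password. It only reads state; the expected values and the event-log filter for the Azure AD key backup are assumptions taken from the post's settings and from the message text of the BitLocker Management log, not from any documented contract.

```powershell
# Added example (not from the thread): check that a device came out of ESP in the
# state the post above describes. Expected values come from the post's settings;
# the script only reads state, it changes nothing.
#Requires -RunAsAdministrator

# Encryption method the post's policy assigns to each kind of volume.
$ExpectedMethod = @{
    OperatingSystem = 'XtsAes256'   # "Encryption for operating system drives: XTS-AES 256-bit"
    Fixed           = 'XtsAes256'   # "Encryption for fixed data-drives: XTS-AES 256-bit"
    Removable       = 'Aes256'      # "Encryption for removable data-drives: AES-CBC 256-bit"
}

function Get-VolumeKind($Volume) {
    # Get-BitLockerVolume reports both fixed and removable data volumes as 'Data';
    # use the Storage module's DriveType to tell them apart for lettered volumes.
    if ($Volume.VolumeType -eq 'OperatingSystem') { return 'OperatingSystem' }
    if ($Volume.MountPoint -match '^[A-Za-z]:$') {
        $v = Get-Volume -DriveLetter $Volume.MountPoint[0] -ErrorAction SilentlyContinue
        if ($v -and $v.DriveType -eq 'Removable') { return 'Removable' }
    }
    return 'Fixed'
}

function Test-BitLockerPolicyState {
    $findings = @()

    # OS-drive policy: compatible TPM required, PIN and startup key blocked, and
    # "Disable BitLocker on devices where TPM is incompatible" = Yes.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings += 'TPM not present or not ready: the OS-drive policy will not start encryption.'
    }

    foreach ($vol in Get-BitLockerVolume) {
        $kind  = Get-VolumeKind $vol
        $label = "$($vol.MountPoint) ($kind)"
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
            $findings += "$label is still encrypting; the portal can lag behind by about 20 minutes."
            continue
        }
        if ($vol.ProtectionStatus -ne 'On') {
            # Removable media is not required to be encrypted by this policy; writes are blocked instead.
            if ($kind -eq 'Removable') { $findings += "$label is not BitLocker-protected (write access should be blocked)." }
            else { $findings += "$label protection is $($vol.ProtectionStatus), volume status $($vol.VolumeStatus)." }
            continue
        }
        if ($vol.EncryptionMethod -ne $ExpectedMethod[$kind]) {
            $findings += "$label uses $($vol.EncryptionMethod); policy expects $($ExpectedMethod[$kind]). Pre-existing encryption is not re-encrypted."
        }
        if ($kind -eq 'OperatingSystem' -and $types -notcontains 'Tpm') {
            $findings += "$label has no TPM protector (policy: Compatible TPM startup = Required)."
        }
        if ($kind -ne 'Removable' -and $types -notcontains 'RecoveryPassword') {
            $findings += "$label has no recovery password (policy: Recovery password creation = Required)."
        }
    }

    # Escrow to Azure AD is not a volume property; the BitLocker Management log records
    # whether the backup succeeded. Assumption: the event message mentions 'Azure AD'.
    $escrow = Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Azure AD' } | Select-Object -First 1
    if (-not $escrow) {
        $findings += 'No Azure AD recovery-key backup event found in the BitLocker Management log.'
    }

    if ($findings.Count -eq 0) { return @('OK: volumes match the policy described in the post.') }
    return $findings
}

Test-BitLockerPolicyState
```

Run it in an elevated session on the enrolled device once ESP has reached its final phase; an empty finding list means the device matches the post's settings, while an "EncryptionInProgress" line simply means the 20-minute wait the post mentions is not over yet.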
DavidStewart-Palapanou, so on this: do I disable the settings I had set up under Configuration Profiles other than the few you have at the top? The reason I ask is that I now get "Conflict" error messages, and it says the encryption, etc. is Not applicable, presumably because the settings are already set under configuration profiles.
- DavidStewart-Palapanou (Copper Contributor), Jan 18, 2021
Tomnibus_MedOne - Yes, that's right, you should set all settings outside of the ones I've advised to "Not configured". There shouldn't be any conflicts once you're done.
- Tomnibus_MedOne (Brass Contributor), Jan 19, 2021
DavidStewart-Palapanou Well, darn. I went ahead and did that and it doesn't work. It still says there is a conflict.
I am going to double-check all the settings, I guess.
- DavidStewart-Palapanou (Copper Contributor), Jan 19, 2021
Tomnibus_MedOne - You should be able to verify the conflicting setting by going to the device that has the conflict and selecting the setting under configuration profiles; it should list where the setting has come from and the names of the profiles that are causing the conflict. Check the endpoint security section within the device blade as well. If you're using the Microsoft Defender ATP security baseline, I think the built-in template defaults to a different level of encryption for removable media, so you might find there's a conflict in there.
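The portal view described in the reply above has a device-side counterpart. As an added example (not code from the thread or from Microsoft), this PowerShell lists the effective BitLocker CSP values the MDM client is enforcing and the copy each provider (each profile or baseline that targets the device) wrote, then flags any setting that two providers set to different data, which is what surfaces as "Conflict". It assumes the `HKLM:\SOFTWARE\Microsoft\PolicyManager` layout the Windows MDM client uses (`current\device\<Area>` for effective values, `providers\<id>\default\Device\<Area>` per provider); the `_ProviderSet` and `_WinningProvider` bookkeeping names are read if present and never required.

```powershell
# Added example (not from the thread): find which MDM providers set each BitLocker CSP
# value on a device, to locate the profile behind a "Conflict" in the portal.
# Assumption: the PolicyManager registry layout below is the MDM client's; nothing is written.
#Requires -RunAsAdministrator

$CurrentKey  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'

function Get-RegistryValues([string]$Path) {
    # Value name -> data for one key; empty hashtable when the key does not exist.
    $result = @{}
    if (Test-Path $Path) {
        $item = Get-Item $Path
        foreach ($name in $item.GetValueNames()) { $result[$name] = $item.GetValue($name) }
    }
    return $result
}

function Find-BitLockerPolicyConflicts {
    $report = @()

    # 1. Effective values: what the device is actually enforcing right now.
    $effective = Get-RegistryValues $CurrentKey
    foreach ($kv in ($effective.GetEnumerator() | Sort-Object Key)) {
        if ($kv.Key -match '_(ProviderSet|WinningProvider)$') { continue }   # bookkeeping, assumed names
        $winner = $effective["$($kv.Key)_WinningProvider"]
        $report += "{0,-45} = {1}{2}" -f $kv.Key, $kv.Value, $(if ($winner) { "  (winning provider $winner)" })
    }

    # 2. Per-provider values: every enrollment/provider keeps its own copy of the area.
    $byName = @{}
    foreach ($prov in (Get-ChildItem $ProviderKey -ErrorAction SilentlyContinue)) {
        $areaPath = "Registry::$($prov.Name)\default\Device\BitLocker"
        $vals = Get-RegistryValues $areaPath
        foreach ($kv in $vals.GetEnumerator()) {
            if (-not $byName.ContainsKey($kv.Key)) { $byName[$kv.Key] = @{} }
            $byName[$kv.Key][$prov.PSChildName] = [string]$kv.Value
        }
    }

    # 3. A conflict is one setting written by more than one provider with different data.
    foreach ($name in ($byName.Keys | Sort-Object)) {
        $distinct = @($byName[$name].Values | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            $report += "CONFLICT $name is set by $($byName[$name].Count) providers:"
            foreach ($p in $byName[$name].Keys) { $report += "    $p -> $($byName[$name][$p])" }
        }
    }

    # 4. Recent MDM client errors/warnings that mention BitLocker (Level 2 = Error, 3 = Warning).
    $events = Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 300 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 -and $_.Message -match 'BitLocker' }
    foreach ($e in $events) {
        $report += "{0:u} id={1} {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0]
    }

    return $report
}

Find-BitLockerPolicyConflicts
```

Each provider id printed here is the enrollment or profile source the portal names on the device blade; a `CONFLICT` line for a removable-drive method value with two different datas is the Defender security-baseline case the reply mentions, and the fix is still the one given in the thread: set the duplicate to "Not configured" in all but one profile.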