jdseymour1978
Aug 04, 2021, Brass Contributor
BitLocker Silent Encryption not enabling for standard user
Hello Intune Community, I'm looking for some assistance with our Intune/Autopilot configuration please. For the life of me, I can't get BitLocker Silent Encryption to enable for a standard user d...
jdseymour1978
Aug 31, 2021, Brass Contributor
Hello All,
Apologies for disappearing, only to return. I have finally gotten around to doing some more testing. By enabling some additional logging (via the excellent AutopilotOOBE project), I have seen multiple entries similar to the following in the logs:
08/24/2021 15:43:07 ERROR:404 MDM ConfigurationManager: Command failure status. Configuration Source ID: (B4265C48-4F41-414D-AF5F-686CBF866DC0), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (BitLocker), Command Type: (Add: from Replace or Add), CSP URI: (./Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation), Result: (The request is not supported.).
Any ideas?
- Nathan Blasac (Sep 01, 2021, Iron Contributor): This specific error is related to the key rotation setting. I would disable that in your encryption policy and try again.
- jdseymour1978 (Sep 05, 2021, Brass Contributor): Thanks for your reply and suggestion Nathan. I've now tried with:
Configure client-driven recovery password rotation: Not configured
Compatible TPM startup: Allowed
Compatible TPM startup PIN: Allowed
Compatible TPM startup key: Blocked
Compatible TPM startup key and PIN: Blocked
Recovery key file creation: Allowed
Require device to back up recovery information to Azure AD: Yes
Recovery password creation: Allowed
Enable BitLocker after recovery information to store: Yes
Block the use of certificate-based data recovery agent (DRA): Not configured
With still the same symptoms - no automatic BitLocker enablement when using Whiteglove and signing in as a Standard User UNTIL I then switch user to an Admin
- Sep 05, 2021: Hi, did you take a look at the PM I sent some time ago? To try it with a PowerShell script/Win32 app instead of a device configuration policy? I know it's better to use a device configuration profile... but maybe it can help you to rule some stuff out
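For triaging entries like the one quoted in the Aug 31 post, the following added example (not part of any post in this thread, and not Microsoft's tooling) parses "Command failure status" lines and groups one provider's failures by CSP node, so repeated errors point at a single policy setting. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

HEADER = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ERROR:(?P<code>\d+) "
    r"MDM ConfigurationManager: Command failure status\.")
# Fields look like "Name: (value)"; a value may contain colons but no parentheses.
FIELD = re.compile(r"([A-Z][A-Za-z ]*?): \(([^()]*)\)")

def parse_failure(line):
    """Return the fields of one command-failure entry, or None for other lines."""
    head = HEADER.match(line)
    if head is None:
        return None
    entry = dict(FIELD.findall(line[head.end():]))
    entry["Timestamp"] = datetime.strptime(head["ts"], "%m/%d/%Y %H:%M:%S")
    entry["Code"] = int(head["code"])  # the number after "ERROR:" as logged
    return entry

def failures_by_node(lines, provider="BitLocker"):
    """Group one provider's failures by the last segment of the CSP URI."""
    grouped = defaultdict(list)
    for line in lines:
        entry = parse_failure(line.strip())
        if entry and entry.get("Provider Name") == provider and "CSP URI" in entry:
            node = entry["CSP URI"].rsplit("/", 1)[-1]
            grouped[node].append((entry["Timestamp"], entry.get("Result", "")))
    return dict(grouped)

# Sample input: the first entry is the line quoted in the thread; the rest are
# constructed for this example (a repeat, another provider, an unrelated line).
_TEMPLATE = (
    "{ts} ERROR:404 MDM ConfigurationManager: Command failure status. "
    "Configuration Source ID: (B4265C48-4F41-414D-AF5F-686CBF866DC0), "
    "Enrollment Name: (MDMDeviceWithAAD), Provider Name: ({prov}), "
    "Command Type: (Add: from Replace or Add), CSP URI: ({uri}), "
    "Result: (The request is not supported.).")
_ROTATION = "./Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation"
SAMPLE = [
    _TEMPLATE.format(ts="08/24/2021 15:43:07", prov="BitLocker", uri=_ROTATION),
    _TEMPLATE.format(ts="08/24/2021 15:51:12", prov="BitLocker", uri=_ROTATION),
    _TEMPLATE.format(ts="08/24/2021 15:51:13", prov="Example",
                     uri="./Vendor/MSFT/Example/Placeholder"),
    "08/24/2021 15:51:14 INFO: constructed unrelated line",
]

if __name__ == "__main__":
    for node, hits in failures_by_node(SAMPLE).items():
        print(f"{node}: {len(hits)} failure(s), last result: {hits[-1][1]}")
```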