Forum Discussion
BitLocker Silent Encryption not enabling for standard user
- Try to boot the (Autopilot) device from a fresh install (OOBE)
- Hit Shift+F10 during OOBE to start a command prompt
- Type manage-bde -status
Look at the output. The "Conversion status" should be "Fully decrypted" and "Protection status" should be "Protection Off".
If this is the case, I would expect your policy to work (but it seems not to). But if this is not the case (BitLocker default encryption enabled), then I'm starting to think your policy conflicts with the default encryption setting, which is XTS-AES 128-bit. I read that you've set this to 256. Try to use the default value of XTS-AES 128-bit and see if that works.
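As an added illustration of the check above (my own example, not code from the thread): a small parser for the text that manage-bde -status prints, which turns each volume into an object and reports whether it is in the expected untouched state (Fully Decrypted / Protection Off) or already encrypted with a method other than the one the Intune policy asks for. The policy method (XTS-AES 256) and the sample output are assumptions; the field names are the ones manage-bde prints.

```powershell
# Added example: parse "manage-bde -status" into one object per volume and compare it with the
# thread's expectations. Default -ExpectedMethod is the poster's policy value (assumed here).
function ConvertFrom-ManageBdeStatus {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string[]]$Line)
    begin { $volumes = @(); $current = $null }
    process {
        foreach ($l in $Line) {
            if ($l -match '^Volume\s+(?<letter>[A-Z]:)') {            # "Volume C: [Windows]" starts a volume
                if ($current) { $volumes += [pscustomobject]$current }
                $current = [ordered]@{ Volume = $Matches.letter }
            } elseif ($current -and $l -match '^\s+(?<key>[^:]+):\s+(?<value>\S.*?)\s*$') {
                $current[$Matches.key.Trim()] = $Matches.value         # "    Protection Status:    Protection Off"
            }
        }
    }
    end { if ($current) { $volumes += [pscustomobject]$current }; $volumes }
}

function Test-BitLockerExpectation {
    param([Parameter(ValueFromPipeline)]$Volume, [string]$ExpectedMethod = 'XTS-AES 256')
    process {
        $conv = $Volume.'Conversion Status'; $prot = $Volume.'Protection Status'
        $method = $Volume.'Encryption Method'
        $verdict = if ($conv -eq 'Fully Decrypted' -and $prot -eq 'Protection Off') {
            'not encrypted: the policy should be free to apply'
        } elseif ($method -and $method -ne 'None' -and $method -ne $ExpectedMethod) {
            "conflict: already encrypted with $method, policy expects $ExpectedMethod"
        } else {
            "encrypted with the expected method ($method), $prot"
        }
        [pscustomobject]@{ Volume = $Volume.Volume; Conversion = $conv; Protection = $prot; Verdict = $verdict }
    }
}

# Constructed sample of manage-bde output (fields the check does not use are left out).
$sample = @'
BitLocker Drive Encryption: Configuration Tool
Volume C: [Windows]
[OS Volume]
    Conversion Status:    Used Space Only Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
Volume D: [Data]
    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
'@
$sample -split "`r?`n" | ConvertFrom-ManageBdeStatus | Test-BitLockerExpectation | Format-Table -AutoSize
# On the device itself: manage-bde -status | ConvertFrom-ManageBdeStatus | Test-BitLockerExpectation
```

In the sample, C: reports a conflict (XTS-AES 128 from automatic device encryption versus the policy's 256) while D: is clean, which is the distinction the reply above asks the poster to look for.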
Hello, yes, I have had some very helpful replies to assist with my troubleshooting of this issue, but sadly none have provided a solution.
As per one of my previous posts, here is the current situation:
- Sometimes - not consistently - BitLocker will enable during OOBE during the Get-AutoPilotInfo -Assign stage - i.e. before the White Glove profile is assigned to the device. This is in AES-128 Used-Space only mode. Reading some information on the Microsoft site, this can occur during OOBE when a user signs in with a Microsoft or Azure account. The only way to stop this is to add the following lines to the autounattend.xml file on the USB stick:
<settings pass="oobeSystem">
    <component name="Microsoft-Windows-SecureStartup-FilterDriver" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <PreventDeviceEncryption>true</PreventDeviceEncryption>
    </component>
</settings>
This is apparently the 'automatic device encryption' setting (https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker) that occurs when someone signs in with an AAD or Microsoft Account. The problem is, as I describe above, it is doing so too early - before the enrolment part of the Intune Whiteglove procedure has been completed - i.e. before the profile is applied to the device (5x Win key, etc.).
- Consistently the autopilot procedure will complete, signing in as a Standard User without enabling BitLocker. As soon as I Switch User to an account with Admin rights, automatic encryption begins, in the correct AES-XTS 256 Full Disk mode.
- I see multiple entries in logs for the following:
08/24/2021 15:43:07 ERROR:404 MDM ConfigurationManager: Command failure status. Configuration Source ID: (B4265C48-4F41-414D-AF5F-686CBF866DC0), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (BitLocker), Command Type: (Add: from Replace or Add), CSP URI: (./Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation), Result: (The request is not supported.).
I have tried various settings around the Key Rotation Settings as suggested, but this has not changed the situation.