Forum Discussion

Myles Taylor
Copper Contributor
Apr 04, 2019

Co-Management Bitlocker

I've jumped on the hype train and I'm working my way through some of the co-management capabilities. I've encountered an issue specific to BitLocker; is anyone else encountering this issue, or does anyone have any input on it?


- Assigned a BitLocker device configuration policy to my test group.

- Policy is picked up by the device and BitLocker encryption attempts to start but fails.

- Upon looking at the event logs I've noticed the following: "Failed to enable Silent Encryption. Error: Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device. The user may not be able to provide required input to unlock the volume." The device I've assigned the policy to is a Surface Pro 6 which was under the control of MBAM prior to this, so I know BitLocker works; also, the device has an onscreen keyboard which you can access during boot.

- Suggestions were to enable the following group policy: "Enable use of BitLocker authentication requiring preboot keyboard input on slates". I did this on my local Group Policy, which from the start I thought would not work because you would introduce a conflict, and I was right: "Error: The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information."


So my question is, how do I get around this? I see no such equivalent CSP in Intune; can I make it manually? If anyone has any input that would be awesome.


I can't not have the requirement of a PIN, this is in line with company policy so it has to work this way as it currently does with MBAM managed devices.
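An added diagnostic script (not from this thread or from Microsoft) that reads the locally applied BitLocker startup-authentication policy and reports the combination described above: a startup PIN is required, the device reports a slate/tablet chassis, and the "preboot keyboard input on slates" value is not set. It assumes the standard policy registry location HKLM\SOFTWARE\Policies\Microsoft\FVE and the value names UseAdvancedStartup, UseTPMPIN and OSEnablePrebootInputProtectorsOnSlates; the chassis-type check is a heuristic, not the test BitLocker itself performs.

```powershell
# Added example: explain why silent BitLocker encryption with a required startup PIN
# fails on a slate. Assumed registry path/value names (see lead-in); run elevated.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value not delivered by any policy
    return $item.$Name
}

# Policy values: UseAdvancedStartup 1 = "Require additional authentication at startup" enabled;
# UseTPMPIN 0 = disallow PIN, 1 = require PIN, 2 = allow PIN (assumed encodings).
$useAdvancedStartup = Get-FvePolicyValue 'UseAdvancedStartup'
$useTpmPin          = Get-FvePolicyValue 'UseTPMPIN'
$slateInput         = Get-FvePolicyValue 'OSEnablePrebootInputProtectorsOnSlates'

# Heuristic slate detection from SMBIOS chassis type: 30 = Tablet, 31 = Convertible, 32 = Detachable.
$chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
$isSlate = [bool]($chassis | Where-Object { $_ -in 30, 31, 32 })

# Current protectors on the OS volume, so an already-applied TpmPin protector is visible.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$protectors = if ($vol) { ($vol.KeyProtector.KeyProtectorType) -join ', ' } else { 'n/a' }

[pscustomobject]@{
    UseAdvancedStartup      = $useAdvancedStartup
    UseTPMPIN               = $useTpmPin
    PrebootInputOnSlates    = $slateInput
    SlateChassis            = $isSlate
    OsVolumeProtectors      = $protectors
    OsVolumeStatus          = if ($vol) { $vol.VolumeStatus } else { 'n/a' }
} | Format-List

if ($useAdvancedStartup -eq 1 -and $useTpmPin -eq 1 -and $isSlate -and $slateInput -ne 1) {
    Write-Warning ("Startup PIN is required by policy but pre-boot keyboard input on slates " +
                   "is not enabled; expect 'Failed to enable Silent Encryption' on this device.")
}
```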

4 Replies

  • markg2445
    Copper Contributor
    Root cause: The setting in Intune for BitLocker Encryption for the Require additional authentication at startup doesn't work.  This setting needs to be disabled for the solution to work.

    Solution: In a policy for Devices | Configuration, search for and enable Require additional authentication at startup.  As this is a computer-level setting in the policy, the computers need to be added to the security group as well as the users.  Please know that you may need to verify the correct computer name by verifying the Device ID against the corresponding entry in Entra ID to ensure you add the correct system.
  • Mark Lewis
    Copper Contributor

    I am looking to enable this feature as well. I was about to go through the Intune GPO options and see if I could do it that way. I would, however, prefer for this to be a toggle button under the BitLocker settings within Endpoint Protection.

  • Myles Taylor It sounds like there still are Group Policies that conflict with your BitLocker settings. What if you test with a clean machine that never had any Group Policies applied?

    Regards,
    Jörgen

    • Myles Taylor
      Copper Contributor

      SweJorgenMVP I'm 99.9% confident it's not a GP conflict. What is interesting is that I originally assigned the BitLocker policy to a Surface Pro 6 running Windows 10 V1803, and I noticed that one of the limitations of the policy on that version is that a standard user is prompted for admin rights when the BitLocker configuration window starts; as my users do not have these rights (and never should!) I canned the idea. Doing some research, it transpired that Windows 10 V1809 supports encryption for standard users without any UAC prompts (winning!), however I can't get to the previous stage because this new issue has been introduced. Like I said, I don't think it's a policy conflict; I think it's just a lack of support within Intune for BitLocker at this stage, and I hope in the coming future they resolve this. Looking online there are multiple mentions of other users encountering this same behaviour, for example: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/37175833-enable-use-of-bitlocker-authentication-requiring-p
