Forum Discussion

narayana6224
Copper Contributor
May 08, 2022

Intune BitLocker silent encryption not working on Hybrid Azure AD devices.

I have been facing an issue implementing Intune BitLocker silent encryption on Hybrid Azure AD joined devices. When logged into the device after Autopilot is completed (the Account setup phase is skipped), I can see the device is backing up the recovery key only to AD, not to Azure AD, for the OS drive. Even the BitLocker API log is not showing any failure entry such as failing to back up the recovery key to Azure AD. After a day it gives "Failed to enable silent encryption. Error: Access is denied" in the BitLocker API log, even though encryption is completed on the OS drive. I have checked sync as well and the device is syncing perfectly fine.

Only after OS drive encryption is completed does fixed drive encryption start; it started encrypting after a day, backed up the recovery key to Azure AD successfully and didn't give any error.

If I implement Intune BitLocker without Autopilot it works fine, but with Autopilot it gives an issue like this.

Thank you in advance!

  • Hi, as you are mentioning 3 things: HAADJ, BitLocker and Autopilot.

    1. What happens when NOT using HAADJ and Autopilot? Does the BitLocker error still occur? (So we can rule out GPOs from your on-premises domain messing things up... For now I will put my money on this issue :P)

    2. What happens when you just turn off the BitLocker enrollment in Intune? (Also to rule out other BitLocker configurations that could mess things up.)


    3. Could you show us your BitLocker settings? As mentioned here, when you don't configure the compatible TPM, silent encryption could fail:
    https://call4cloud.nl/2021/02/b-for-bitlocker/

    •
      narayana6224
      Copper Contributor

      Hello Rudy_Ooms_MVP

      Thank you for your reply.


      1. I have tried applying BitLocker policies after Autopilot is completed and it worked fine. Recovery keys were backed up to Azure AD as well as AD.

      2. When I turned off the BitLocker policies, encryption was not started on the machine.

      3. I tried decrypting the drives and syncing the policies again, and then it went fine.

      4. Please find the screenshots of the Intune BitLocker settings below.


      •
        Rudy_Ooms_MVP
        MVP

        narayana6224 

        When looking at the screenshots from my iPhone I can't spot any errors... (will take a better look when I am home)

        Just wondering, but what happens when using the PowerShell option to deploy BitLocker, as I also mentioned in that blog?

    •
      narayana6224
      Copper Contributor

      DxR

      Thank you for your response.

      Encryption starts after Autopilot is completed and it gets stuck at some point while backing up the encryption key to AD (which is not needed for us). Sometimes it completes the encryption after a day, or it doesn't complete the encryption at all and stays stuck at some point.

      In your reply you suggested blocking the startup PIN, but we need the TPM + PIN configuration as per our policies. I will check the TPM-only configuration as well to see if it is working with that setting.

      Moe_Kinani 

      Thank you for your suggestion.

      Actually I am using the MDM Wins over GP policy from Intune, so on-premises GPOs shouldn't be a problem. But I will check your suggestion as well to see whether the MDM Wins over GP policy pushed from Intune is working or not.


      Rudy_Ooms_MVP

      Thanks for your suggestion. I will check that PowerShell script as well and let you know the results.


      •
        narayana6224
        Copper Contributor

        DxR Moe_Kinani Rudy_Ooms_MVP

        Just to let you know how we are implementing Autopilot in our organization, please see the points below.

        1. I connect to the VPN at the Windows logon screen manually during Autopilot, and the account setup phase is skipped.

        2. After connecting to the VPN it takes around 1 to 1.5 hours to complete the hybrid join process in the background.

        3. BitLocker policies are applied after Autopilot is completed, while the device is still not connected to my organization's Azure AD (the Hybrid AD join process is still not completed).

        4. Encryption starts and backs up the recovery key to AD only (which is not needed).

        5. Encryption doesn't complete and gets stuck at some point, or sometimes takes a day or so to complete.

        I have done the testing below and found these things.

        1. I tried to back up the recovery key to AAD manually but it didn't work (the Hybrid AD join was not completed by that time).

        2. After the Hybrid join process was completed, I tried to back up the recovery key to AAD and it worked.

        3. After the hybrid AD join process was completed, I decrypted the drives (encryption was stuck, so I decrypted them) and ran the policy sync; this time the recovery key was backed up to Azure AD as well as AD. Encryption also completed in a short period of time.

        4. It seems this issue is due to the Hybrid AD join process not completing by the time the BitLocker policies are applied on the device.

        Could you please provide a suggestion to apply the Intune BitLocker policies only after the Hybrid AD join process is completed on the device?
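One way to implement the gating the post above asks for, as an added PowerShell example that is not code from the thread or from the linked blog: it reads `dsregcmd /status` to confirm the hybrid join has completed before escrowing existing recovery-password protectors with `BackupToAAD-BitLockerKeyProtector`, so the AAD backup is only attempted once it can succeed. The function names are my own; it assumes Windows 10/11 with the BitLocker module present.

```powershell
# Added example, not code from the thread or from the linked blog; function names are mine.
# Gates the Azure AD backup of BitLocker recovery keys on the hybrid join having completed,
# the condition the thread narrows the problem to. Assumes Windows 10/11, BitLocker module, dsregcmd.exe.
function Get-DsregValue {
    param([Parameter(Mandatory)][string]$Name)
    # dsregcmd /status prints lines such as "AzureAdJoined : YES".
    $line = & dsregcmd.exe /status |
        Select-String -Pattern ("^\s*{0}\s*:\s*(\S+)" -f [regex]::Escape($Name)) |
        Select-Object -First 1
    if ($line) { return $line.Matches[0].Groups[1].Value }
    return 'UNKNOWN'
}
function Test-HybridAzureAdJoined {
    # Hybrid Azure AD join is complete only when both flags report YES.
    return ((Get-DsregValue 'AzureAdJoined') -eq 'YES' -and
            (Get-DsregValue 'DomainJoined')  -eq 'YES')
}
function Backup-RecoveryKeysToAzureAd {
    param([string[]]$MountPoints = @('C:'))
    if (-not (Test-HybridAzureAdJoined)) {
        Write-Warning 'Hybrid Azure AD join not completed yet; not attempting the AAD backup.'
        return $false
    }
    $allOk = $true
    foreach ($mp in $MountPoints) {
        $protectors = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $protectors) {
            Write-Warning "$mp has no RecoveryPassword protector to back up."
            $allOk = $false
            continue
        }
        foreach ($p in $protectors) {
            try {
                # Escrows the numeric recovery password to the device's Azure AD object.
                BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
                Write-Output "$mp : protector $($p.KeyProtectorId) backed up to Azure AD."
            } catch {
                Write-Warning "$mp : backup of $($p.KeyProtectorId) failed: $_"
                $allOk = $false
            }
        }
    }
    return $allOk
}
# Example run for the OS drive and a fixed data drive:
Backup-RecoveryKeysToAzureAd -MountPoints @('C:', 'D:')
```

Run it elevated, for instance as a scheduled task that retries until it returns `$true`, so a device that enrolled before its hybrid join finished still ends up with its keys in Azure AD.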
