MEM Intune Endpoint Security Bitlocker troubleshooting
I would check Event Viewer under here for more info:
logs\Microsoft\Windows\BitLocker-API.
I recommend upgrading the BIOS version, enabling Secure Boot and updating to TPM 2.0.
Here is a good guide to enabling silent encryption:
https://www.inthecloud247.com/windows-10-failed-to-enable-silent-encryption/
Hope this helps!
Moe
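The suggestion above is to read the BitLocker-API log. As an added example (not part of the original post), the following PowerShell pulls the recent events from that log and keeps only the ones whose text matches the failure messages quoted later in this thread. The log's internal name, `Microsoft-Windows-BitLocker/BitLocker Management`, is what Event Viewer shows under Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management; the keyword list is constructed from the thread and can be edited.

```powershell
# Added example, not from the thread: list the BitLocker-API events behind a
# failed silent-encryption attempt, newest first, with the first line of
# each message. Run from an elevated PowerShell session on the affected device.

# Internal channel name for Event Viewer's BitLocker-API > Management log.
$LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'

# Constructed keyword list: the messages quoted in this thread.
$Patterns = @(
    'Failed to enable Silent Encryption',
    'cannot use Secure Boot for integrity',
    'required privilege is not held by the client'
)

# Read the most recent 200 records and keep those matching any pattern.
$events = Get-WinEvent -LogName $LogName -MaxEvents 200 -ErrorAction Stop |
    Where-Object {
        $msg = $_.Message
        # Inner Where-Object returns the matching pattern(s); non-empty = keep.
        $Patterns | Where-Object { $msg -match [regex]::Escape($_) }
    }

if (-not $events) {
    Write-Host "No matching BitLocker-API events in the last 200 records."
}

foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Level   = $e.LevelDisplayName
        Message = ($e.Message -split "`r?`n")[0]   # first line only
    }
}
```

Drop `-MaxEvents 200` (or raise it) if the device has been retrying for a while; the same filter also works with `Get-WinEvent -ComputerName` against a remote machine if remote event log management is allowed.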
Yes, that's one of the main places I look for logs.
Here's what we're getting so far:
The error we are getting is:
Failed to enable Silent Encryption
Error: a required privilege is not held by the client
And we also get:
BitLocker cannot use Secure Boot for integrity because the UEFI variable 'secureboot' could not be read
Error: a required privilege is not held by the client
We also, on an HP 840 with TPM 1.2 (not supported to upgrade to 2.0), get the BitLocker 3rd-party drive encryption error, even if the MDM policy is set to block on the device.
Seems like it's not honoring this setting for some reason.
On that device, we get: BitLocker cannot use Secure Boot for integrity because the expected TCG log entry for variable 'secureboot' is missing or invalid
- Stephane Lalancette, Jan 05, 2021: I've requested a newer laptop with TPM 2.0 to see if it'll change anything.
- Moe_Kinani, Jan 05, 2021: Can you make sure "Allow Standard User to enable encryption during Azure AD join" is checked?
- Stephane Lalancette, Jan 06, 2021: Moe_Kinani Yes, it is checked, as I saw it was a pre-req for the block 3rd-party encryption setting. I've also verified that it's really applied on the device itself.
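The thread so far points at three device-side questions: whether Secure Boot state can actually be read, what TPM version the hardware has, and whether the MDM BitLocker settings (including the "allow standard user" one named above) really landed on the device. As an added example that is not code from the original posts, the PowerShell below reports all three from an elevated session. It assumes that MDM-delivered BitLocker CSP settings are mirrored under `HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker` with the BitLocker CSP value names (`AllowStandardUserEncryption`, `AllowWarningForOtherDiskEncryption`, `RequireDeviceEncryption`); if that key is absent on your build, read the values from the Intune device-status report instead.

```powershell
# Added example, not from the thread: check the silent-encryption
# prerequisites discussed above on the local device. Run elevated.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS / when the UEFI variable
    # cannot be read, which matches the "could not be read" event in the thread.
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        "Unavailable: $($_.Exception.Message)"
    }
}

# TPM presence/readiness plus the spec version string (e.g. "2.0, 0, 1.59"
# or "1.2, 2, 3"), which is how a TPM 1.2 device like the HP 840 shows up.
$tpm        = Get-Tpm
$tpmVersion = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                   -ClassName Win32_Tpm).SpecVersion

# Current BitLocker state of the OS volume.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Assumption: MDM BitLocker CSP settings are mirrored here; value names follow
# the BitLocker CSP. Missing values show as blank (policy not applied).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

[pscustomobject]@{
    SecureBoot                         = Get-SecureBootState
    TpmPresent                         = $tpm.TpmPresent
    TpmReady                           = $tpm.TpmReady
    TpmSpecVersion                     = $tpmVersion
    OsVolumeStatus                     = $os.VolumeStatus
    OsProtectionStatus                 = $os.ProtectionStatus
    OsKeyProtectors                    = ($os.KeyProtector.KeyProtectorType -join ', ')
    AllowStandardUserEncryption        = $policy.AllowStandardUserEncryption
    AllowWarningForOtherDiskEncryption = $policy.AllowWarningForOtherDiskEncryption
    RequireDeviceEncryption            = $policy.RequireDeviceEncryption
} | Format-List
```

Read the output against the thread: a `SecureBoot` line starting with `Unavailable` on a machine the BIOS claims is UEFI is the condition behind the "UEFI variable 'secureboot' could not be read" event, a `TpmSpecVersion` beginning with `1.2` is the HP 840 case, and `AllowStandardUserEncryption` should read `1` if the setting Moe_Kinani asked about has actually reached the device.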