Puzzling BitLocker Status
I spent a lot of time looking at logs, especially the Device Management logs in Event Viewer. In those logs I see a series of 3 events happening on the configured devices. I've included those events in the order they happen. I've also attached screenshots of the BitLocker settings.
Event Type: Warning
Event ID: 2900
Source: DeviceManagement-Enterprise-Diagnostics-Provider
Description:
BitLocker CSP: GetDeviceEncryptionComplianceStatus indicates OSV is not compliant with returned status 0x80
Event Type: Error
Event ID: 810
Source: DeviceManagement-Enterprise-Diagnostics-Provider
Description:
MDM PolicyManager: Set policy string, Policy: (SystemDrivesRequireStartupAuthentication), Area: (BitLocker), EnrollmentID requesting set: (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx), Current User: (Device), String: (<enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="false"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="0"/><data id="ConfigurePINUsageDropDown_Name" value="3"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="3"/><data id="ConfigureTPMUsageDropDown_Name" value="1"/>), Enrollment Type: (0x6), Scope: (0x0), Result:(0x8000FFFF) Catastrophic failure.
Event Type: Error
Event ID: 404
Source: DeviceManagement-Enterprise-Diagnostics-Provider
Description:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (BitLocker), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication), Result: (Catastrophic failure).
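The Event ID 810 description above carries the exact policy payload the device rejected. As an added example (not part of the original post), this PowerShell sketch pulls the setting/value pairs out of that text so they can be compared with the profile; the function name `Get-BitLockerPolicyPayload` is hypothetical, and the accepted-value check assumes the ranges given in the BitLocker CSP documentation.

```powershell
# Constructed sample: the Event ID 810 description quoted in the post above.
$sample = @'
MDM PolicyManager: Set policy string, Policy: (SystemDrivesRequireStartupAuthentication), Area: (BitLocker), EnrollmentID requesting set: (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx), Current User: (Device), String: (<enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="false"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="0"/><data id="ConfigurePINUsageDropDown_Name" value="3"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="3"/><data id="ConfigureTPMUsageDropDown_Name" value="1"/>), Enrollment Type: (0x6), Scope: (0x0), Result:(0x8000FFFF) Catastrophic failure.
'@

# Hypothetical helper: split one 810 message into one object per <data> element.
function Get-BitLockerPolicyPayload {
    param([Parameter(Mandatory)][string]$Message)

    # Policy name and result code as logged by MDM PolicyManager.
    $policy = if ($Message -match 'Policy: \((?<p>[^)]+)\)') { $Matches.p }
    $result = if ($Message -match 'Result:\s*\((?<r>0x[0-9A-Fa-f]+)\)') { $Matches.r }

    $pattern = '<data id="(?<id>[^"]+)" value="(?<v>[^"]*)"\s*/>'
    foreach ($m in [regex]::Matches($Message, $pattern)) {
        $id    = $m.Groups['id'].Value
        $value = $m.Groups['v'].Value

        # Assumption (BitLocker CSP documentation): drop-down settings take
        # 0 = disallowed, 1 = required, 2 = optional; the other is true/false.
        $documented = if ($id -like '*DropDown_Name') {
            $value -in '0', '1', '2'
        } else {
            $value -in 'true', 'false'
        }

        [pscustomobject]@{
            Policy     = $policy
            Result     = $result
            Setting    = $id
            Value      = $value
            Documented = $documented
        }
    }
}

# Offline: parse the constructed sample.
Get-BitLockerPolicyPayload -Message $sample | Format-Table -AutoSize

# On a managed device: read the same events from the MDM admin log.
# Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
#     Id      = 810
# } | Where-Object Message -like '*Area: (BitLocker)*' |
#     ForEach-Object { Get-BitLockerPolicyPayload -Message $_.Message }
```

A row with `Documented` set to `False` only means the value falls outside the range assumed in the comments; it does not by itself identify which profile setting produced it.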
- Aug 22, 2022
Mmm, I would start by making sure those other compatible TPM startup settings are blocked, as shown here:
https://call4cloud.nl/2021/02/b-for-bitlocker/
- DGMalcolm, Aug 23, 2022, Iron Contributor
Once again Rudy_Ooms_MVP to the rescue! I changed the 3 settings that you pointed out and the devices all changed to "Succeeded" after a bit. Thank you!!
- Aug 23, 2022
🙂 Nice to hear!! Glad it's working! Those 3 settings are easily forgotten… not configured doesn't mean it's disabled 🙂
I guess I need to add a button to my website: “buy me a beer” 😛
- DGMalcolm, Aug 22, 2022, Iron Contributor
What, if any, impact will there be to the devices that already have the policy if I change it from 'Not Configured' to 'Blocked'?