Forum Discussion

Brass Contributor

Jun 07, 2019

AutoPilot silent encryption Surface Pro 6 failing

Hi, has anyone had any joy enrolling Surface Pros with Autopilot enabling bitlocker silently? I have the enrolment profile as the enrolee as a non-admin and bitlocker encryption allowed by non-admins...

BitLocker

Intune

mobile device management (mdm)

neilcarden

Brass Contributor

Jun 09, 2019

It varies... have tried Pro and Enterprise both 1803 and 1809. Also tried a Surface straight out of the box and OS installed from USB media... and lots of resets!!

dotjesper

MVP

Jun 10, 2019

Hi neilcarden,

Sounds strange - I do not have access to a Surface Pro 6, so I am not able to replicate. However I am aware of an issue with the 1809 RTM media was causing the disk layout to be wrongly configured causing BitLocker to fail encryption as part of the AAD join. The issue is fixed with the most recent Windows 10 1809 ISO (January 2019). Any chance you are reusing the disk layout from a Windows 10 1809 RTM version?

--Jesper

neilcarden
Brass Contributor
Jun 10, 2019
dotjesper
Hi, I will try and find out. I may try it with 1903, then at least that rules out AutoPilot/InTune config if it works...
Thanks for the responses so far.
- neilcarden
  Brass Contributor
  Jun 17, 2019
  So I tried with a fresh 1903 version and getting this issue in event viewer:
  
  "Failed to automatically enable device encryption.
  Error message: Group policy does not permit the use of TPM-only at startup. Please choose a different bitlocker option."
  
  The thing is its not set to TPM-only, its set to Startup PIN with TPM.
  - jarrydanderson
    Copper Contributor
    Jul 22, 2019
    neilcarden
    
    I'm having this exact same error when trying to Autopilot with a standard user using a PIN.
    
    Did you ever come across a resolution?