Hello,
Our organization had been using Autopilot V1 for a few years and switched to Autopilot V2 near the first half of this year. We created separate policies for each profile.
Starting around the beginning of August, our fleet of APV1-joined devices started what I affectionately call "bricklocking", where random devices began to lock themselves via BitLocker after a Windows update (after either a BSOD saying "INVALID_BOOT_DEVICE" or if the user just restarted their device), and there was no way to recover, as all recovery options required a local admin account which did not exist.
This was happening to our Windows 10 Dell devices. We began upgrading them to Windows 11 thinking it would fix it, but it did not. (One support document suggested it was an issue with TXT in the BIOS, but TXT was disabled in all our machines.) It also affected our Hyper-V machines running Windows 10.
I spent countless hours with 365 support, which was largely unhelpful, as they kept asking for information that we could not provide because we had no access to the drives, until I finally got one locally and extracted logs after decrypting the drive. I utilized Copilot to help analyze the logs and the policies we had configured in our tenant.
We noticed that none of our APV2 devices were doing this and realized that their BitLocker + TPM policies were different, in that APV1 did not allow a startup PIN with TPM. Copilot mentioned that this was likely the culprit.
I changed our APV1 policies to match our APV2 policies and it seems the "bricklocking" has ceased, but the nature of this problem was odd, as we were working fine for years before this.
Not only that, but a number of our APV1-joined devices are still randomly having boot problems where they will boot into Automatic Recovery and the only way to correct the issue is to reset Windows.
Any thoughts on why this was happening and why it started happening in August?
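As an added example (not part of the original post or the reply), the PowerShell audit below checks the two conditions the thread turns on: whether a volume is protected by TPM only rather than TPM plus a startup PIN, and whether a recovery password protector exists and is escrowed to Entra ID so a locked device can be recovered without a local admin account. It assumes an Entra-joined Windows 10/11 device with the built-in BitLocker module, an elevated session, and a hypothetical -Remediate switch of my own naming.

```powershell
# Added example, not from the original post. Assumes an Entra-joined Windows 10/11
# device, the built-in BitLocker PowerShell module, and an elevated session.
# Audits each encrypted volume for:
#   1. a TPM-only protector (no TpmPin), to compare against the policy on the
#      devices that were not affected, and
#   2. no recovery password protector, which leaves no recovery path on a
#      device without a local admin account.
# With -Remediate (a switch name assumed here) it adds a recovery password
# protector and backs every recovery password up to Entra ID.
param(
    [switch]$Remediate
)

function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }
        $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            HasTpmPin        = ($types -contains 'TpmPin')
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

$audit = Get-BitLockerAudit
$audit | Format-Table -AutoSize

foreach ($v in $audit) {
    if (-not $v.HasTpmPin) {
        Write-Warning "$($v.MountPoint): TPM-only protector (no startup PIN); compare with the policy applied to unaffected devices."
    }
    if (-not $v.HasRecoveryPwd) {
        Write-Warning "$($v.MountPoint): no recovery password protector; a lockout cannot be recovered without a local admin."
        if ($Remediate) {
            Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector | Out-Null
        }
    }
    if ($Remediate) {
        # Escrow each recovery password to Entra ID so the helpdesk can retrieve
        # it from the device record instead of needing a local admin on the box.
        $rp = (Get-BitLockerVolume -MountPoint $v.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($p in $rp) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $p.KeyProtectorId
        }
    }
}
```

Run it without -Remediate first to see the protector layout across a sample of APV1- and APV2-joined devices before changing anything.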
MathewMax This is not an Autopilot issue, as Autopilot is about procuring the device, and doesn't really touch the device again unless a reset is done. This is more likely due to some devices that went into BitLocker Recovery after applying the August 2025 patches. I believe this was happening on Windows 10 and Windows 11, and should be fixed by now. Reach out to Support if this is still happening.