AutoPilot silent encryption Surface Pro 6 failing

Hi, has anyone had any joy enrolling Surface Pros with Autopilot enabling BitLocker silently?
I have the enrolment profile set with the enrollee as a non-admin and BitLocker encryption allowed by non-admins.
I have ‘allow TPM’ and ‘allow TPM and PIN’ (and have tried various different combinations) configured, as we want to use a PIN on boot.
When it goes through the enrolment it completes and loads Windows, and BitLocker is off. When I try to enable it manually it fails due to a group policy issue. Event Viewer says ‘cannot silently encrypt due to the lack of keyboard’. I have tried with the keyboard disconnected, connected, and an external keyboard via the Surface Dock...
Am I missing something obvious? I can’t find any documentation or articles that offer any solutions...
Thanks in advance.
Neil

Hi @neilcarden,

Which version of Windows 10 are you using, and if installed from media, which media are you using?

It varies... have tried Pro and Enterprise both 1803 and 1809. Also tried a Surface straight out of the box and OS installed from USB media... and lots of resets!!

Hi @neilcarden,

Sounds strange - I do not have access to a Surface Pro 6, so I am not able to replicate. However, I am aware of an issue where the 1809 RTM media was causing the disk layout to be wrongly configured, causing BitLocker to fail encryption as part of the AAD join. The issue is fixed with the most recent Windows 10 1809 ISO (January 2019). Any chance you are reusing the disk layout from a Windows 10 1809 RTM version?

--Jesper

@dotjesper 

Hi, I will try and find out. I may try it with 1903, then at least that rules out AutoPilot/InTune config if it works...

Thanks for the responses so far.

So I tried with a fresh 1903 version and I am getting this issue in Event Viewer:

"Failed to automatically enable device encryption.

Error message: Group policy does not permit the use of TPM-only at startup. Please choose a different bitlocker option."

The thing is, it's not set to TPM-only, it's set to Startup PIN with TPM.

@neilcarden 

I'm having this exact same error when trying to Autopilot with a standard user using a PIN. 

Did you ever come across a resolution?

@jarrydanderson 

No! To be honest I have been busy with other things, but I hope to go back to it... Very frustrating. Do you get an error in the event logs about not finding a keyboard when it tries to encrypt?

@neilcarden 

Honestly, Intune has been an absolute disaster to implement. Something will work one time and then never again even though settings haven't changed. 

I don't get a finding keyboard error probably because I'm not using Surface. I get the following, or combinations of the following:

MDM ConfigurationManager: Command failure status. Configuraton Source ID: (6AAEC661-2BD6-4F50-A880-0A4634592183), Enrollment Type: (MDMDeviceWithAAD), CSP Name: (BitLocker), Command Type: (Clear: first phase of Delete), Result: (./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication).

Group policy does not permit the use of TPM-only at startup. Please choose a different BitLocker startup option..

• Event ID 404:
  MDM ConfigurationManager: Command failure status. Configuration Source ID: (6AAEC661-2BD6-4F50-A880-0A4634592183), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption), Result: (The operating system drive is not protected by BitLocker Drive Encryption.).
• Event ID 809:
  MDM PolicyManager: Set policy int, Policy: (RequireDeviceEncryption), Area: (Security), EnrollmentID requesting set: (6AAEC661-2BD6-4F50-A880-0A4634592183), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0), Result:(0x80310020) The operating system drive is not protected by BitLocker Drive Encryption..
• Event ID 820:
  MDM PolicyManager: Set policy precheck precheck call. Policy: (Security), Area: (RequireDeviceEncryption), int value: (0x1) Result:(0x80310020) The operating system drive is not protected by BitLocker Drive Encryption..

Cannot use secure boot for integrity because the uefi variable pk is not present

@jarrydanderson
I must admit, until I started testing AutoPilot I didn't really have any issues. Very new organisation, no on-prem infrastructure to speak of, pure AAD-joined devices, all of which are Surface Pros.
Last time I tested it I added a PS script that changed some registry entries and then just enabled BitLocker manually once it had enrolled. We set up devices for users, so this wasn't a massive problem (for us), just very annoying, as there's only me in the team and it was taking me away from my other jobs that needed doing. I will revisit though, as I do need to set up a lot of devices.
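As an added diagnostic (my example, not a script from anyone in this thread), the PowerShell below reads the startup-authentication policy that the BitLocker CSP writes to the device and the state of the OS volume, and reports whether a silent (no user at the keyboard) enablement is even possible: silent enablement can only create a TPM-only protector, so a policy that sets TPM-only to "do not allow" or requires a PIN or startup key is the configuration behind the "does not permit the use of TPM-only at startup" and "lack of keyboard" events quoted above. It assumes the standard FVE policy value names under HKLM\SOFTWARE\Policies\Microsoft\FVE, the built-in BitLocker and TrustedPlatformModule cmdlets, and the built-in BitLocker Management event log; run it elevated on the enrolled device.

```powershell
# Added diagnostic, not from this thread. Run elevated on the enrolled device.
# Reads the startup-authentication policy values written under
# HKLM\SOFTWARE\Policies\Microsoft\FVE (0 = do not allow, 1 = require, 2 = allow)
# and reports whether silent (no-user-interaction) enablement is possible.
function Test-SilentBitLockerPrereqs {
    $fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $names = 'UseAdvancedStartup','EnableBDEWithNoTPM','UseTPM','UseTPMPIN','UseTPMKey','UseTPMKeyPIN'
    $policy = @{}
    foreach ($n in $names) {
        # A missing value comes back as $null: that option is simply not configured
        $policy[$n] = (Get-ItemProperty -Path $fve -Name $n -ErrorAction SilentlyContinue).$n
    }
    $label = @{ 0 = 'do not allow'; 1 = 'require'; 2 = 'allow' }

    # Silent enablement needs the TPM-only protector allowed or required, and none of
    # the options that need someone at the keyboard (PIN, startup key, or both) set to "require".
    $tpmOnlyOk   = $policy.UseTPM -in @(1, 2)
    $interactive = @('UseTPMPIN','UseTPMKey','UseTPMKeyPIN' | Where-Object { $policy[$_] -eq 1 })

    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpm = Get-Tpm

    # Most recent BitLocker management events that explain a failed silent attempt
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
                  StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'silently|automatically enable|TPM-only|keyboard' } |
              Select-Object -First 5 TimeCreated, Id, Message

    [pscustomobject]@{
        PolicyKeyPresent     = Test-Path $fve
        TpmOnlyStartup       = if ($null -eq $policy.UseTPM) { 'not set' } else { $label[[int]$policy.UseTPM] }
        RequiredInteractive  = $interactive -join ','      # empty means nothing forces a prompt
        TpmReady             = $tpm.TpmReady
        OsVolumeStatus       = $os.VolumeStatus
        OsProtectionStatus   = $os.ProtectionStatus
        OsKeyProtectors      = ($os.KeyProtector.KeyProtectorType -join ',')
        SilentEnablePossible = $tpmOnlyOk -and ($interactive.Count -eq 0) -and $tpm.TpmReady
        RecentEvents         = $events
    }
}

Test-SilentBitLockerPrereqs | Format-List
```

If SilentEnablePossible is false while RequiredInteractive lists UseTPMPIN, the policy is asking for a PIN that only a user can add after enrolment, which matches the thread's workaround of enabling BitLocker (and the PIN) manually once the device has enrolled.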