AutoPilot silent encryption Surface Pro 6 failing
I'm having this exact same error when trying to Autopilot with a standard user using a PIN.
Did you ever come across a resolution?
No! To be honest I have been busy with other things, but I hope to go back to it... Very frustrating. Do you get an error in the event logs about not finding a keyboard when it tries to encrypt?
- neilcarden, Jul 23, 2019, Brass Contributor
jarrydanderson, I must admit until I started testing AutoPilot I didn't really have any issues. Very new organisation, no on-prem infrastructure so to speak, pure AAD joined devices, all of which are Surface Pros.
Last time I tested it I added a PS script that changed some reg entries and then just enabled BitLocker manually once it had enrolled. We set up devices for users so this wasn't a massive problem (for us), just very annoying as there's only me in the team and it was taking me away from my other jobs that needed doing. I will revisit though as I do need to set up a lot of devices.
- jarrydanderson, Jul 23, 2019, Copper Contributor
Honestly, Intune has been an absolute disaster to implement. Something will work one time and then never again even though settings haven't changed.
I don't get a finding keyboard error probably because I'm not using Surface. I get the following, or combinations of the following:
MDM ConfigurationManager: Command failure status. Configuraton Source ID: (6AAEC661-2BD6-4F50-A880-0A4634592183), Enrollment Type: (MDMDeviceWithAAD), CSP Name: (BitLocker), Command Type: (Clear: first phase of Delete), Result: (./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication).
Group policy does not permit the use of TPM-only at startup. Please choose a different BitLocker startup option..
- Event ID 404:
- MDM ConfigurationManager: Command failure status. Configuration Source ID: (6AAEC661-2BD6-4F50-A880-0A4634592183), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption), Result: (The operating system drive is not protected by BitLocker Drive Encryption.).
- Event ID 809:
- MDM PolicyManager: Set policy int, Policy: (RequireDeviceEncryption), Area: (Security), EnrollmentID requesting set: (6AAEC661-2BD6-4F50-A880-0A4634592183), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0), Result:(0x80310020) The operating system drive is not protected by BitLocker Drive Encryption..
- Event ID 820:
- MDM PolicyManager: Set policy precheck precheck call. Policy: (Security), Area: (RequireDeviceEncryption), int value: (0x1) Result:(0x80310020) The operating system drive is not protected by BitLocker Drive Encryption..
Cannot use secure boot for integrity because the uefi variable pk is not present