Mar 17 2023 05:18 AM
We have set up BitLocker through Intune Disk Encryption. I get the following error on the device (Dell OptiPlex 7000).
Under Event Viewer - Microsoft\Windows\BitLocker-API\Management:
Error
Failed to enable Silent Encryption
Error: Group Policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info, contact your system administrator.
Event ID: 851
I ran a few commands based on the article below and I saw WARNING messages.
PowerShell command I ran:
Confirm-SecureBootUEFI
Returned True
Warning: In Event Viewer Microsoft\Windows\BitLocker-API\Management
BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read.
Error message: A required privilege is not held by the client
When I checked the BIOS settings everything looks good:
BIOS Mode: UEFI
Secure Boot State: On
In the output, locate the Windows Boot Loader section that includes the line identifier={current}. In that section, locate the recoverysequence attribute. The value of this attribute should be a GUID value, not a string of zeros.
Event ID 851: Contact the manufacturer for BIOS upgrade instructions
The event information will be similar to the following error message:
Failed to enable Silent Encryption.
Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.
Cause of Event ID 851: Contact the manufacturer for BIOS upgrade instructions
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption doesn't support legacy BIOS.
Resolution for Event ID 851: Contact the manufacturer for BIOS upgrade instructions
To verify the BIOS mode, use the System Information application by following these steps:
Select Start, and enter msinfo32 in the Search box.
Verify that the BIOS Mode setting is UEFI and not Legacy.
If the BIOS Mode setting is Legacy, the UEFI firmware needs to be switched to UEFI or EFI mode. The steps for switching to UEFI or EFI mode are specific to the device.
Note
If the device supports only Legacy mode, Intune can't be used to manage BitLocker Device Encryption on the device.
Error message: The UEFI variable 'SecureBoot' could not be read
An error message similar to the following error message is displayed:
Error: BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.
Cause of Error message: The UEFI variable 'SecureBoot' could not be read
A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.
Resolution for Error message: The UEFI variable 'SecureBoot' could not be read
This issue can be resolved by verifying the PCR validation profile of the TPM and the secure boot state by following these steps:
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
Windows Command Prompt
Manage-bde.exe -protectors -get %systemdrive%
In the TPM section of the output of this command, verify whether the PCR Validation Profile setting includes 7.
If PCR Validation Profile doesn't include 7 (for example, the values include 0, 2, 4, and 11, but not 7), then secure boot isn't turned on.
To verify the secure boot state, use the System Information application by following these steps:
Select Start, and enter msinfo32 in the Search box.
Verify that the Secure Boot State setting is On.
If the Secure Boot State setting is Unsupported, Silent BitLocker Encryption can't be used on the device.
Note
The Confirm-SecureBootUEFI PowerShell cmdlet can also be used to verify the Secure Boot state by opening an elevated PowerShell window and running the following command:
PowerShell
Confirm-SecureBootUEFI
If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False."
If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
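The article excerpt above has you run each check by hand (msinfo32, Confirm-SecureBootUEFI, manage-bde, Event Viewer). The following script is an added example, not code from the original poster or from the Microsoft article, that runs the same checks in one elevated PowerShell session and also reads the OS-drive recovery values under the BitLocker policy key, which is where the "Group Policy prevents you from backing up your recovery password" conflict from the opening post is configured. Assumptions: the manage-bde.exe output prints the PCR list on the line after "PCR Validation Profile:", the event channel name is "Microsoft-Windows-BitLocker/BitLocker Management", and the function name and result field names are mine.

```powershell
<#
  Added example (not from the original post or the Microsoft article it quotes).
  Assumptions: elevated session on the affected device; manage-bde.exe prints
  "PCR Validation Profile:" followed by the PCR list on the next line; the value
  names under HKLM\SOFTWARE\Policies\Microsoft\FVE are the documented BitLocker
  policy names. Function and field names are mine.
#>
function Test-SilentEncryptionPrereqs {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $result = [ordered]@{}

    # 1. Firmware mode and Secure Boot. Confirm-SecureBootUEFI returns True/False
    #    on UEFI and throws "Cmdlet not supported on this platform" on legacy BIOS,
    #    so the exception itself is the finding.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $result.FirmwareMode      = 'UEFI'
    } catch {
        $result.SecureBootEnabled = $false
        $result.FirmwareMode      = "Legacy or unsupported ($($_.Exception.Message))"
    }

    # 2. TPM present and ready (silent encryption needs a ready TPM).
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # 3. PCR Validation Profile of an existing TPM protector, if any.
    $lines   = & manage-bde.exe -protectors -get $MountPoint 2>&1
    $pcrLine = $null
    for ($i = 0; $i -lt ($lines.Count - 1); $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') { $pcrLine = $lines[$i + 1]; break }
    }
    $pcrs = @()
    if ($pcrLine) {
        $pcrs = @($pcrLine -split '[,\s]+' | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
    }
    $result.PcrValidationProfile = $pcrs -join ','
    $result.UsesPcr7             = ($pcrs -contains 7)   # PCR 7 = Secure Boot based integrity

    # 4. OS-drive recovery policy values. A GPO or a second Intune profile that
    #    sets these is what produces the "Group Policy prevents you from backing
    #    up your recovery password" text in Event ID 851.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $result.OSRecovery                     = $fve.OSRecovery
    $result.OSRecoveryPassword             = $fve.OSRecoveryPassword
    $result.OSActiveDirectoryBackup        = $fve.OSActiveDirectoryBackup
    $result.OSRequireActiveDirectoryBackup = $fve.OSRequireActiveDirectoryBackup

    # 5. Most recent Event ID 851 from the BitLocker Management channel.
    $ev = Get-WinEvent -FilterHashtable @{
              LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 851
          } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.LastEvent851 = if ($ev) { "$($ev.TimeCreated): $($ev.Message)" } else { 'none' }

    # 6. Current state of the volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $result.VolumeStatus     = $vol.VolumeStatus
    $result.ProtectionStatus = $vol.ProtectionStatus
    $result.KeyProtectors    = (@($vol.KeyProtector.KeyProtectorType) -join ',')

    [pscustomobject]$result
}

Test-SilentEncryptionPrereqs | Format-List
```

A device that reports FirmwareMode UEFI, SecureBootEnabled True and TpmReady True but still logs Event ID 851 with the "Group Policy prevents" text is not a firmware problem; look at the FVE values in the output and at which policy source (GPO versus Intune profile) is writing them, which matches the resolution reached later in this thread.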
Aug 30 2023 12:36 AM
Oct 10 2023 09:48 PM
Dec 07 2023 02:25 AM
@JoonChuan I have the same issue. Did you find a solution? I would like to only save the keys to AAD and not AD.
Dec 07 2023 03:23 AM
Dec 07 2023 05:56 AM
@rahuljindal-MVP OK, thanks. I just solved it in two customer environments by creating a Configuration Profile for encryption, instead of a profile in Endpoint security. All test devices are now silently encrypted 🙂
Mar 12 2024 08:03 AM
Did you manage to figure this out? Having exactly same problem and would like to move all settings from on-prem (GPO) to Intune, saving BitLocker recovery to EntraID only if possible.
Apr 09 2024 08:11 AM
I don't remember exactly all the problems and the troubleshooting I did, but all I wanted was silent BitLocker with the recovery key only in Entra ID. I normally do Intune rollouts for non-hybrid environments, and then I just configure BitLocker from Endpoint Security. For this hybrid rollout I ended up configuring a Device Configuration profile for Endpoint protection with the settings in the attached image.
In a different tenant/environment I used a PowerShell script that I created as a Win32 app and deployed it to the device with success. This is working 100% of the time as silent on Win10/Win11 devices with/without TPM 2.0. Also, because it was deployed as an application it was possible to make sure the device was encrypted before the user was able to use the device, by enforcing the app in the ESP profile.
Link to PowerShell script:
https://msendpointmgr.com/2019/10/31/silently-enable-bitlocker-for-hybrid-azure-ad-joined-devices-us...
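The reply above describes the script-as-Win32-app approach without showing it, and the linked article is cut off. The block below is an added example, not the linked script and not code from the poster, showing the sequence such a script has to perform: encrypt the OS drive with a TPM protector, add a recovery password, and escrow that password to Entra ID with BackupToAAD-BitLockerKeyProtector rather than relying on the policy-driven AD DS backup that Event ID 851 complained about. Assumptions: elevated session (SYSTEM when run by the Intune agent), a present and ready TPM, and a device that is Entra ID joined or hybrid joined (the backup cmdlet fails otherwise); the function name and log path are mine.

```powershell
<#
  Added example; not the msendpointmgr script linked above and not the poster's code.
  Assumptions: elevated/SYSTEM context; TPM present and ready; device is Entra ID
  joined or hybrid joined so BackupToAAD-BitLockerKeyProtector can escrow the key.
  Function name and log path are mine.
#>
function Enable-SilentBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [string]$LogPath    = "$env:ProgramData\BitLockerSilentEnable.log"
    )

    function Write-Log([string]$Message) {
        Add-Content -Path $LogPath -Value "$(Get-Date -Format s) $Message"
        Write-Host $Message
    }

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready; refusing to enable BitLocker silently."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Only start encryption on a fully decrypted drive. Begin with the recovery
    # password protector so a recovery key exists before encryption starts;
    # -SkipHardwareTest avoids the reboot-and-test prompt a user would see.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Log "Enabling BitLocker on $MountPoint"
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector | Out-Null
    }

    # Make sure both protector types exist; safe to re-run.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Write-Log "Adding TPM protector"
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Write-Log "Adding recovery password protector"
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # Escrow every recovery password to Entra ID. This is the step that replaces
    # the AD DS backup the Event ID 851 policy conflict was about.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Write-Log "Backing up protector $($kp.KeyProtectorId) to Entra ID"
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    # Final state; a Win32 app detection rule can key off ProtectionStatus.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

Enable-SilentBitLocker
```

If the backup step fails, the recovery password still exists on the device, so the script should be allowed to re-run (for example via the Win32 app's detection rule) until the escrow succeeds; otherwise a drive can end up protected with no key in Entra ID, which is the state the original poster was trying to avoid.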