Bitlocker configured through Drive Encryption in Intune and Errors out. Not sure where it is going w

We have setup Bitlocker through Intune Disk Encryption. I get the following error on the device. Dell Optiplex 7000

 

Under the Event Viewer - Microsoft\Windows\Bitlocker-API\Management

 

Error

Failed to enable Silent Encryption

Error: Group Policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info. contact your system administrator.

Event ID: 851

 

I ran a few commands based on the article below and I saw WARNING messages.

PowerShell command I ran:

Confirm-SecureBootUEFI

Returned True

 

Warning: In Event Viewer Microsoft\Windows\Bitlocker-API\Management

Bitlocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read.

Error Message: A required privilege is not held by the client

When I checked the BIOS settings, everything looked good:

 

BIOS Mode: UEFI

Secure Boot State: On

In the output, locate the Windows Boot Loader section that includes the line identifier={current}. In that section, locate the recoverysequence attribute. The value of this attribute should be a GUID value, not a string of zeros.

Event ID 851: Contact the manufacturer for BIOS upgrade instructions

The event information will be similar to the following error message:

Failed to enable Silent Encryption.

Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.

Cause of Event ID 851: Contact the manufacturer for BIOS upgrade instructions

The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption doesn't support legacy BIOS.

Resolution for Event ID 851: Contact the manufacturer for BIOS upgrade instructions

To verify the BIOS mode, use the System Information application by following these steps:

  1. Select Start, and enter msinfo32 in the Search box.

  2. Verify that the BIOS Mode setting is UEFI and not Legacy.

  3. If the BIOS Mode setting is Legacy, the UEFI firmware needs to be switched to UEFI or EFI mode. The steps for switching to UEFI or EFI mode are specific to the device.

     Note

     If the device supports only Legacy mode, Intune can't be used to manage BitLocker Device Encryption on the device.

Error message: The UEFI variable 'SecureBoot' could not be read

An error message similar to the following error message is displayed:

Error: BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.

Cause of Error message: The UEFI variable 'SecureBoot' could not be read

A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.

Resolution for Error message: The UEFI variable 'SecureBoot' could not be read

This issue can be resolved by verifying the PCR validation profile of the TPM and the secure boot state by following these steps:

Step 1: Verify the PCR validation profile of the TPM

To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:

Windows Command Prompt:

Manage-bde.exe -protectors -get %systemdrive%

In the TPM section of the output of this command, verify whether the PCR Validation Profile setting includes 7, as follows:

If PCR Validation Profile doesn't include 7 (for example, the values include 0, 2, 4, and 11, but not 7), then secure boot isn't turned on.

Step 2: Verify the secure boot state

To verify the secure boot state, use the System Information application by following these steps:

  1. Select Start, and enter msinfo32 in the Search box.

  2. Verify that the Secure Boot State setting is On, as follows:

  3. If the Secure Boot State setting is Unsupported, Silent BitLocker Encryption can't be used on the device.

Note

The Confirm-SecureBootUEFI PowerShell cmdlet can also be used to verify the Secure Boot state by opening an elevated PowerShell window and running the following command:

PowerShell:

Confirm-SecureBootUEFI

If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."

If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False."

If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
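The checks above (Secure Boot state, TPM PCR Validation Profile including 7, and the ID 851 events) can be gathered in one read-only pass. This is an added example, not code from the thread or from Microsoft; it assumes the manage-bde.exe output prints "PCR Validation Profile:" followed by a comma-separated list of PCR numbers, and that the BitLocker-API log is exposed to Get-WinEvent under the name 'Microsoft-Windows-BitLocker/BitLocker Management'. Run it in an elevated PowerShell window on the affected device.

```powershell
# Added example: read-only pre-check of the silent BitLocker prerequisites
# discussed in this post. Nothing here changes device configuration.
$result = [ordered]@{}

# 1. Secure Boot state (same cmdlet as in the post). The cmdlet throws on
#    legacy BIOS or when Secure Boot is not supported, so catch that case.
try {
    $result.SecureBoot = Confirm-SecureBootUEFI
} catch {
    $result.SecureBoot = "Unsupported ($($_.Exception.Message))"
}

# 2. TPM presence and readiness (silent encryption needs a ready TPM).
$tpm = Get-Tpm
$result.TpmPresent = $tpm.TpmPresent
$result.TpmReady   = $tpm.TpmReady

# 3. PCR Validation Profile from manage-bde. Assumption: the profile is
#    printed as "PCR Validation Profile:" followed by e.g. "7, 11".
$mbde = & manage-bde.exe -protectors -get $env:SystemDrive 2>&1 | Out-String
if ($mbde -match 'PCR Validation Profile:\s*([\d,\s]+)') {
    $pcrs = $Matches[1] -split ',' | ForEach-Object { [int]$_.Trim() }
    $result.PcrProfile = $pcrs -join ','
    $result.Pcr7InUse  = $pcrs -contains 7   # False means Secure Boot not used
} else {
    $result.PcrProfile = 'no TPM protector found'
    $result.Pcr7InUse  = $false
}

# 4. Current volume state and which key protectors exist on the OS drive.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$result.ProtectionStatus = $vol.ProtectionStatus
$result.KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ',')

# 5. Most recent ID 851 "Failed to enable Silent Encryption" events.
#    Assumption: log name as used by Get-WinEvent for the BitLocker-API log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 851
} -MaxEvents 5 -ErrorAction SilentlyContinue
$result.Recent851 = ($events | ForEach-Object {
    $_.Message.Split("`n")[0].Trim() }) -join '; '

[pscustomobject]$result | Format-List
```

A device that is ready for silent encryption shows SecureBoot True, TpmReady True and Pcr7InUse True; a Recent851 line mentioning the recovery password backup to Active Directory points at the policy conflict the replies below discuss rather than at firmware.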

7 Replies
Don't know if you still have the issue, but if they are HAADJ devices, check my blog post https://www.burgerhout.org/the-bitlocker-haadj-nightmare/.
Read your blog.

Does this mean that we need to create local GPO on top of the Intune BitLocker policy that was already successfully push to the device?

Facing the issue in HAADJ environment. Intune BitLocker policy is in the device, but it is not encrypting.

@JoonChuan I have the same issue. Did you find a solution? I would like to only save the keys to AAD and not AD

I faced similar issues when using the new BitLocker encryption profile in Endpoint security. Luckily I had also created a BitLocker policy using the older template couple of months back for a different rollout involving Entra ID devices, so without wasting anymore time I duplicated the policy and modified the new policy to include Hybrid joined devices. Worked like a charm.

@rahuljindal-MVP Ok thanks. I just solved it in two customer environments by creating a Configuration Profile for encryption, instead of a profile in Endpoint security. All test devices are now silently encrypted :)

@Tps1990 

Did you manage to figure this out? Having exactly same problem and would like to move all settings from on-prem (GPO) to Intune, saving BitLocker recovery to EntraID only if possible.

@CrazyGonzo 

I don't remember exactly all the problems and the troubleshooting I did, but all I wanted was a silent BitLocker with recovery key only in EntraID. I normally do Intune rollouts for non-hybrid environments, then I just configure Bitlocker from Endpoint Security. For this hybrid rollout I ended up configuring a Device Configuration profile for Endpoint protection with the settings in the attached image.

In a different tenant/environment I used a powershell script that I created as a win32app and deployed it to the device with success. This is working 100% of the times as silent on Win10/Win11 devices with/without TPM 2.0. Also, because it was deployed as an application it was possible to make sure the device was encrypted before the user was able to use the device by enforcing the app in the ESP profile.

Link to PowerShell script:
https://msendpointmgr.com/2019/10/31/silently-enable-bitlocker-for-hybrid-azure-ad-joined-devices-us...