Jan 13 2021 08:30 AM - edited Jan 13 2021 09:15 AM
I'm just learning Intune and I'm setting up everything for the first time. I set up BitLocker; I have my settings below. On my virtual machine that I connected with Autopilot, BitLocker encrypted the drive just fine (even though I get the same error code above). What I mean is, I can look in the virtual machine and it shows the drive is encrypted fine.
For my desktop/physical machine, however, it is not encrypted and I get the same error. If I go into the device information and click on the properties, all the settings are successful except for "Encrypt Devices", and that has a state details of: -2016346112 (No Error Code). If I click on that line the sidebar comes out and it says error code: 0x87d10000
Searching on the Internet reveals ZERO answers. I'm not sure what is going on here. Can anyone shed some light on this?
Edit: I should mention my desktop has two Hard Drives. I don't know if that matters.
Edit 2: I am running TPM 2.0 it is a new dell mfg'd in December.
Jan 15 2021 01:34 AM
Jan 15 2021 05:40 AM
@Thijs Lecomte I did search on the Application and Security logs and found nothing. Under the "Applications and Services Logs" -> Microsoft -> Windows -> BitLocker-API and BitLocker-DrivePreparationTool there is nothing. The latter is completely blank and the former has only informational logs saying this:
The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption:
PCI\VEN_8086&DEV_0697 (Intel(R) LPC Controller (W480) - 0697)
PCI\VEN_8086&DEV_1901 (Intel(R) PCIe Controller (x16) - 1901)
So, did I just find something? Is that my issue?
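The BitLocker-API message quoted above lists PCI hardware IDs that the firmware has not declared as protected from external DMA, and Microsoft documents that automatic device encryption is blocked until those internal devices are allow-listed under the DmaSecurity\AllowedBuses registry key. The following script is an added example, not something posted in this thread: it pulls that message from the BitLocker-API Management log, extracts the hardware IDs, and reports which of them are missing from the allow list. The log name and the key path are the documented locations but are assumptions here in the sense that nothing in the thread shows them; run it as an administrator on the affected device.

```powershell
# Added example (not from the thread). Run elevated on the device that logs the DMA message.
# Assumed locations: the BitLocker-API Management log and the documented AllowedBuses key.
$logName    = 'Microsoft-Windows-BitLocker/BitLocker Management'
$allowedKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'

# Keep only the events that carry the "DMA capable devices are not declared as protected" text
$events = Get-WinEvent -LogName $logName -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*DMA (Direct Memory Access) capable devices*' }

# Pull every hardware ID of the form PCI\VEN_xxxx&DEV_xxxx out of the message bodies
$reported = foreach ($e in $events) {
    [regex]::Matches($e.Message, 'PCI\\VEN_[0-9A-Fa-f]{4}&DEV_[0-9A-Fa-f]{4}') |
        ForEach-Object { $_.Value.ToUpperInvariant() }
}
$reported = @($reported | Sort-Object -Unique)

# Read the current allow list: each value's name is a friendly name, its data is the hardware ID.
# The PS* filter drops the PSPath/PSProvider metadata that Get-ItemProperty adds.
$allowed = @()
if (Test-Path $allowedKey) {
    $allowed = (Get-ItemProperty -Path $allowedKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [string]$_.Value }
}

if ($reported.Count -eq 0) {
    Write-Output 'No unprotected-DMA events found in the BitLocker-API log.'
}
foreach ($id in $reported) {
    $state = if ($allowed -contains $id) { 'allow-listed' } else { 'NOT allow-listed' }
    Write-Output ('{0} : {1}' -f $id, $state)
}
```

A device that shows as NOT allow-listed is what keeps automatic device encryption from engaging; the allow-list entry should only be added once the OEM confirms the device is internal and not externally reachable, and on a managed fleet that entry is normally pushed centrally rather than typed on each machine.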
Jan 15 2021 03:30 PM
I am having the same issue. The "No error code" in Error Details is really helpful.
Did you happen to resolve it?
Jan 15 2021 05:01 PM
Jan 18 2021 06:17 AM
@DavidStewart-Palapanou So on this. Do I disable the settings I had setup under Configuration Profiles other than the few you have at the top? Reason I ask is now I get error messages of "Conflict" and it says the encryption, etc is Not applicable. Presumably because the settings are already set under configuration profiles.
Jan 18 2021 07:54 AM - edited Jan 18 2021 07:55 AM
@Tomnibus_MedOne- Yes that's right, you should set all settings outside of the ones I've advised to "Not configured". There shouldn't be any conflicts once you're done.
Jan 19 2021 08:40 AM
@DavidStewart-Palapanou Well, darn. I went ahead and did that and it doesn't work. It still says there is a conflict.
I am going to double-check all the settings, I guess.
Jan 19 2021 08:51 AM
@Tomnibus_MedOne- You should be able to verify the conflicting setting by going to the device that has the conflict, selecting the setting under configuration profiles, and it should list where the setting has come from and the names of the profiles that are causing the conflict. Check the endpoint security section within the device blade as well. If you're using Microsoft Defender ATP security baseline, I think the built-in template defaults to a different level of encryption for removable media so you might find there's a conflict in there.
Jan 19 2021 09:31 AM - edited Jan 19 2021 09:32 AM
@DavidStewart-Palapanou Okay, I double-checked. I had to re-enable some of the settings under Configuration Profiles and then set the sub-settings to not configured, then set the main settings to not configured.
However, after doing that, I still get the same -2016346112 error with the error code 0x87d10000
Perhaps the above event viewer message about auto encryption is just that, it won't do auto encryption.
Oh, also, I'm a global admin and testing on a machine I am an administrator for. So the standard user thing isn't an issue for me (yet).
Jan 19 2021 09:35 AM - edited Jan 19 2021 09:38 AM
@Tomnibus_MedOne- Did you reset the device so that it goes through OOBE with Autopilot again after making changes? Any changes you apply won't retrospectively apply; you'll need to reset it. When your device goes through OOBE, use manage-bde -status to verify that encryption is in progress once you've logged into the device with the standard user account after setup completes all three stages. The next time the device checks in after signing in, its status should sort itself out. It might still show that error code until OOBE has finished and the device checks in, so give it ~15 minutes or so after signing in before checking.
Also you'll need to ensure that the device has been decrypted first.
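The reply above says to verify with manage-bde -status after OOBE, and the thread also turns on whether the TPM and Secure Boot prerequisites are met and whether the second drive matters. The script below is an added example (not posted in this thread) that gathers those same facts in one report using the BitLocker, TPM and Secure Boot cmdlets that ship with Windows; it reads the same state manage-bde -status prints. It assumes it is run as an administrator on the device under test.

```powershell
# Added example (not from the thread). Run elevated on the device being checked.
$report = [ordered]@{}

# TPM presence/readiness plus the spec version (Intune's device encryption expects TPM 2.0)
try {
    $tpm = Get-Tpm
    $report['TpmPresent'] = $tpm.TpmPresent
    $report['TpmReady']   = $tpm.TpmReady
    $report['TpmSpec']    = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                                -ClassName Win32_Tpm).SpecVersion
} catch {
    $report['Tpm'] = "error: $($_.Exception.Message)"
}

# Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware
try {
    $report['SecureBoot'] = Confirm-SecureBootUEFI
} catch {
    $report['SecureBoot'] = 'not UEFI or unavailable'
}

# OS volume: this is what manage-bde -status reports for the system drive
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['VolumeStatus']     = $os.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
$report['ProtectionStatus'] = $os.ProtectionStatus    # Off until key protectors are enabled
$report['EncryptionPct']    = $os.EncryptionPercentage
$report['Protectors']       = ($os.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

# Any additional fixed drives (the second hard drive mentioned earlier in the thread)
$report['OtherVolumes'] = (Get-BitLockerVolume |
    Where-Object { $_.MountPoint -ne $env:SystemDrive } |
    ForEach-Object { '{0}={1}' -f $_.MountPoint, $_.VolumeStatus }) -join ';'

[pscustomobject]$report | Format-List
```

Right after OOBE the expected picture is VolumeStatus of EncryptionInProgress with a Tpm protector listed; a device that still shows FullyDecrypted with TpmReady false or SecureBoot false has not met the prerequisites, which matches the advice above to check those before expecting the Intune status to change.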
Jan 19 2021 09:37 AM
@DavidStewart-Palapanou I did not because I'm attempting to install it on my Desktop machine that I have customized a lot. :) I'll see what happens with some test machines.
Jan 19 2021 09:48 AM
@Tomnibus_MedOne- That makes sense. In that case, yes, that'll be why there are no changes to the value you're getting in Intune. Try and build a Hyper-V Gen2 VM to test it. You'll need to ensure you have sorted the prerequisites, such as Secure Boot and TPM. Also, make sure there's no ISO mounted as a DVD.
Something like this will help: