@Thijs Lecomte I did search on the Application and Security logs and found nothing.  Under the "Applications and Services Logs" -> Microsoft -> Windows ->Bitlocker-API and Bitlocker-DrivePreperationTool there is nothing. The latter is completely blank and the former has only informational logs saying this:

The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption:

ISA Bridge:
PCI\VEN_8086&DEV_0697 (Intel(R) LPC Controller (W480) - 0697)

PCI-to-PCI Bridge:
PCI\VEN_8086&DEV_1901 (Intel(R) PCIe Controller (x16) - 1901)

So, Did I just find something? Is that my issue?

@DavidStewart-Palapanou So on this. Do I disable the settings I had setup under Configuration Profiles other than the few you have at the top? Reason I ask is now I get error messages of "Conflict" and it says the encryption, etc is Not applicable. Presumably because the settings are already set under configuration profiles.

@Tomnibus_MedOne- Yes that's right, you should set all settings outside of the ones I've advised to "Not configured". There shouldn't be any conflicts once you're done.

@DavidStewart-Palapanou Well, darn. I went ahead and did that and it doesn't work. It still says there is a conflict.

I am going to double-check all the settings, I guess.

@Tomnibus_MedOne- You should be able to verify the conflicting setting by going to the device that has the conflict, selecting the setting under configuration profiles, and it should list where the setting has come from and the names of the profiles that are causing the conflict. Check the endpoint security section within the device blade as well. If you're using Microsoft Defender ATP security baseline, I think the built-in template defaults to a different level of encryption for removable media so you might find there's a conflict in there.

@DavidStewart-Palapanou Okay, I double-checked. I had to re-enable some of the settings under Configuration Profiles and then set the sub-settings to not configured, then set the main settings to not configured.

However, after doing that, I still get the same -2016346112 error with the error code 0x87d10000

Perhaps the above event viewer message about auto encryption is just that, it won't do auto encryption.

Oh, also, I'm a global admin and testing on a machine I am an administrator for. So the standard user thing isn't an issue for me (yet).

@Tomnibus_MedOne- Did you reset the device so that it goes through OOBE with Autopilot again after making changes? Any changes you apply won't retrospectively apply, you'll need to reset it. When your device goes through OOBE, use manage-bde -status to verify that encryption is in progress once you've logged into the device with the standard user account after setup completes all thre stages. The next time the device checks in after signing in, its status should sort itself out. It might still show that error code until OOBE has finished and the device checks in so give it ~15 minutes or so after signing in before checking.

Also you'll need to ensure that the device has been decrypted first.

@DavidStewart-Palapanou I did not because I'm attempting to install it on my Desktop machine that I have customized a lot. :) I'll see what happens with some test machines.

@Tomnibus_MedOne- That makes sense. In that case, yes that'll be why there's no changes to the value you're getting in Intune. Try and build a Hyper-V Gen2 VM to test it. You'll need to ensure you have sorted the prerequisites, such as secure boot and TPM. Also, make sure there's no ISO mounted as a DVD.

Something like this will help:

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm

@DavidStewart-Palapanou  So we have had the same issues as above, bur can i just change/move my settings to endpoint security without direct impact on currently active PCs and users? This changes will hit first after reset and OOB? 

Thanks!

@PerkarlLindb Any changes you want to apply will apply to the assigned users/devices at anytime, even if they have already completed OOBE. I would recommend isolating the changes to a single device/user if you are transitioning from one set of settings to another. If you are like-for-like transitioning, then theoretically, it should just work and it will take effect on existing PCs already enrolled, and new enrolments which undergo OOBE.