Aug 12 2021 01:47 AM
Hi all
i have around 100 new HP Elitebooks which i want to configure with Bitlocker. We would like to accomplish this in the Endpoint security section and created a Device encryption policy according to this article: Best Practices for Deploying BitLocker with Intune | Petri
I have the issue, that in Intune it shows that the policy has an error. When i click on the error, everything shows successful (see printscreen intune1)
When i check the report, i have as far as i can say everything correct there for my Test Device (see printscrren Intune2).
When i check on the device i see the only the used space is encrypted (see printscreen bitlocker).
Does anybody know how i could correct the error as well is that the recommended configuration to have only the used space encrypted?
Many thanks for your feedback
Best regards,
Marc
Aug 12 2021 05:27 AM
Aug 12 2021 05:37 AM
Aug 12 2021 05:48 AM
Aug 12 2021 06:25 AM
Aug 12 2021 06:49 AM
Aug 13 2021 02:23 AM
Hi @BilalelHadd
thanks for your update. I removed all Configuration Profiles and Compliance Profiles, even all Endpoint Security profiles i had in place and did a fresh start with my Test Device.
I recognized, that the error in the device encryption policy is already there even before the device has finished with the encryption of the drive.
You mentioned that you have almost the same settings for your devices. Can you let me know, which settings are different? I read also somewhere that when the setting "Hide prompt about third-party encryption" is set to yes, this means silent config, which uses "Used space only".
Many thanks for your feedback.
Best regards,
Marc
Aug 13 2021 04:18 AM - edited Aug 13 2021 04:18 AM
SolutionHi Marc,
Check if you can re-image the Windows 10 client to be sure.
Below the settings that difference from yours:
- BitLocker - Base Settings
Require storage cards to be encrypted (mobile only): Yes
Configure client-driven recovery password rotation: Azure AD-Joined devices only
BitLocker - Fixed Drive Settings
Enable BitLocker after recovery information to store: Not configured
BitLocker - OS Drive Settings
Compatible TPM startup : Allowed
Compatible TPM startup PIN: Blocked
Compatible TPM startup key: Blocked
Compatible TPM startup key and PIN: Blocked
Enable BitLocker after recovery information to store: Not configured
Block the use of certificate-based data recovery agent (DRA): Yes
BitLocker - Removable Drive Settings
Block write access to removable data-drives not protected by BitLocker: Yes
Hope this helps, and keep me posted.
Regards, Bilal
Aug 13 2021 06:19 AM
Hi Bilal
many thanks for your details, i did a Fresh Start again and see now, that the policy has been successfully applied :-). The status in the cmd is a little slow still showing "Encryption in Progress" but i'm optimistic now, that this is better.
I will play around a little more after i see that everything is okey now to find the setting, which was causing that issue.
Thanks already for your help, much appreciated!
Best regards,
Marc
Aug 13 2021 04:18 AM - edited Aug 13 2021 04:18 AM
SolutionHi Marc,
Check if you can re-image the Windows 10 client to be sure.
Below the settings that difference from yours:
- BitLocker - Base Settings
Require storage cards to be encrypted (mobile only): Yes
Configure client-driven recovery password rotation: Azure AD-Joined devices only
BitLocker - Fixed Drive Settings
Enable BitLocker after recovery information to store: Not configured
BitLocker - OS Drive Settings
Compatible TPM startup : Allowed
Compatible TPM startup PIN: Blocked
Compatible TPM startup key: Blocked
Compatible TPM startup key and PIN: Blocked
Enable BitLocker after recovery information to store: Not configured
Block the use of certificate-based data recovery agent (DRA): Yes
BitLocker - Removable Drive Settings
Block write access to removable data-drives not protected by BitLocker: Yes
Hope this helps, and keep me posted.
Regards, Bilal