Nov 26 2020 11:24 AM
Hi, trying to figure out why I keep seeing the following when trying to encrypt my devices with endpoint security.
What does "not applicable" mean? Are there any logs I can check, Event Viewer entries, or anything else to help get to the bottom of this?
Setting
Enable full disk encryption for OS and fixed data drives
State
Error code
Not applicable
Source profiles
Not available
Thanks in advance, and don't hesitate if you have any questions.
Jan 04 2021 05:57 PM
Did you ever find a solution? @Stephane Lalancette
Jan 05 2021 11:46 AM
@ErinMcD I still haven't found a solution. Still investigating and working with FastTrack; I will probably create a support call soon.
Jan 05 2021 11:47 AM
Yes, that's one of the main places I look for logs.
Here's what we're getting so far:
The error we are getting is:
Failed to enable Silent Encryption
Error: a required privilege is not held by the client
And we also get:
BitLocker cannot use Secure Boot for integrity because the UEFI variable 'secureboot' could not be read
Error: a required privilege is not held by the client
We also get BitLocker 3rd-party drive encryption on an HP 840 with TPM 1.2 (not supported to upgrade to 2.0), even if the MDM policy is set to block it on the device.
It seems like it's not honoring this setting for some reason.
On that device, we get: BitLocker cannot use Secure Boot for integrity because the expected TCG log entry for variable 'secureboot' is missing or invalid
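An added triage script, not part of the thread or any participant's post, that gathers the facts the question above ("are there any logs I can check?") and the errors in this reply are about: the TPM spec version, whether the 'SecureBoot' UEFI variable is readable from the current token, the BitLocker Management and MDM diagnostic event logs, BitLocker volume state, and the MDM BitLocker CSP values. It assumes an elevated PowerShell session on the affected device and the standard Windows log names; the registry path for the BitLocker CSP is the location the MDM client normally writes policy values to and should be confirmed on your build.

```powershell
# Added example, not from the original thread. Run elevated on the affected device.
$ErrorActionPreference = 'Continue'

Write-Host "== Token / privilege =="
# Reading a UEFI variable (GetFirmwareEnvironmentVariable) requires SeSystemEnvironmentPrivilege.
# "A required privilege is not held by the client" is the Win32 text for ERROR_PRIVILEGE_NOT_HELD,
# so first establish what token this is running as and whether it holds that privilege.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
"User: $($identity.Name)"
"Elevated (Administrator role): $($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))"
whoami /priv | Select-String 'SeSystemEnvironmentPrivilege'

Write-Host "`n== TPM =="
# Win32_Tpm.SpecVersion starts with '1.2' or '2.0'; the thread's HP 840 reports 1.2.
Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm |
    Select-Object IsEnabled_InitialValue, IsActivated_InitialValue, IsOwned_InitialValue,
                  SpecVersion, ManufacturerVersion

Write-Host "`n== Secure Boot (reads the same UEFI variable BitLocker complains about) =="
try {
    "SecureBoot enabled: $(Confirm-SecureBootUEFI)"
} catch {
    # PlatformNotSupportedException on legacy BIOS; UnauthorizedAccessException if the token
    # cannot read UEFI variables, which is the same class of failure as the logged error.
    "Confirm-SecureBootUEFI failed: $($_.Exception.GetType().Name): $($_.Exception.Message)"
}

Write-Host "`n== BitLocker Management log (silent encryption / Secure Boot / privilege events) =="
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 300 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Silent Encryption|Secure Boot|privilege|TCG' } |
    Select-Object TimeCreated, Id, LevelDisplayName,
                  @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

Write-Host "`n== MDM client log entries mentioning BitLocker =="
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'BitLocker' } |
    Select-Object TimeCreated, Id, LevelDisplayName,
                  @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

Write-Host "`n== BitLocker volume state =="
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } } |
    Format-Table -AutoSize

Write-Host "`n== BitLocker CSP values delivered by MDM (assumed path; confirm on your build) =="
$cspPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
if (Test-Path $cspPath) {
    Get-ItemProperty -Path $cspPath | Select-Object * -ExcludeProperty PS*
} else {
    "No BitLocker CSP values found under $cspPath (policy may not have applied)."
}
```

Run it once as an elevated admin and once as a standard user via a scheduled task or `runas`; if `Confirm-SecureBootUEFI` succeeds in one context and throws `UnauthorizedAccessException` in the other, the logged "required privilege is not held" message is about the token doing the read, not about the firmware. The event-log filters match on message text rather than event IDs so they work regardless of which IDs a given Windows build uses.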
@Moe_Kinani Yes, it is checked, as I saw it was a pre-req for the block 3rd-party encryption setting.
I've also verified that it's really applied on the device itself.
Jan 07 2021 06:48 AM
And no other backup/imaging tools installed on the device itself, or other weird settings defined in
Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights
Jan 14 2021 11:31 AM
@Stephane Lalancette just found this while searching for ideas:
The silent enable portion is half azz · Issue #255 · MicrosoftDocs/memdocs · GitHub
It seems like it might not be supported to do HAAD silent encryption with MEM.
I have a support call opened to verify this and will post findings here.
@Thijs Lecomte We have been trying to do this for Azure AD joined devices and are not able to make it work reliably.
Currently MS "Premier Support" have had the ticket for over 3 months and they still can't make it work.
Rapidly losing ANY faith in Intune-managed BitLocker. It just seems that it is far too flaky for Enterprise use.
Feb 08 2021 05:14 AM
@Thijs Lecomte while working with MS support they've told us that HAAD silent bitlocker is really supported.
Still working with them to understand how. Currently the only way to make it work is to not set the user as admin.
For unknown reasons, when the user is admin we get a permission issue. MS support is not able to reproduce the issue at the moment, so the investigation is ongoing.