Forum Discussion
MEM Intune Endpoint Security Bitlocker troubleshooting
Yes that's one the main place I look for logs.
Here's what we're getting so far:
The error we are getting is :
Failed to enable Silent Encryption
Error: a required privilege is not held by the client
And we also get:
Bitlocker cannot use Secure Boot for integrity because the UEFI variable 'secureboot' could not be read
Error: a required privilege is not held by the client
We also, on HP 840 with TPM 1.2 (not supported to upgrade to 2.0), get the bitlocker 3rd party drive encryption, even if the MDM policy is set to block on the device.
Seems like it's not honoring this setting for some reason.
On that device, we get Bitlocker cannot use secure boot for integrity because the expected tcg log entry for variable 'secureboot' is missing or invalid
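The two errors quoted above depend on a handful of device facts (whether the caller is elevated, the TPM spec version, whether the firmware exposes a readable Secure Boot variable, the current state of the OS volume, and what BitLocker policy values the MDM client has actually written locally). The script below collects those facts and pulls recent BitLocker and MDM errors from the event logs so they can be compared against the Intune policy. It is an added example, not something posted in this thread; it assumes a Windows 10/11 device with the BitLocker and TrustedPlatformModule cmdlets available, an elevated PowerShell session, and the two event log names shown. The function names are my own.

```powershell
# Added diagnostic script (not from the thread): gathers the prerequisites the
# Intune silent-encryption errors depend on. Assumes Windows 10/11 with the
# BitLocker and TrustedPlatformModule modules, run from an elevated session.

function Get-BitLockerPrereqReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # 1. Who is calling? "A required privilege is not held by the client" is
    #    about the caller's token, so record the identity and elevation state.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $report.User       = $identity.Name
    $report.IsElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. TPM presence and spec version (1.2 vs 2.0). Win32_Tpm.SpecVersion is a
    #    string such as "2.0, 0, 1.38" or "1.2, 2, 3"; keep the first field.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $report.TpmPresent     = $true
        $report.TpmSpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
        $report.TpmEnabled     = $tpm.IsEnabled_InitialValue
        $report.TpmActivated   = $tpm.IsActivated_InitialValue
        $report.TpmOwned       = $tpm.IsOwned_InitialValue
    } else {
        $report.TpmPresent = $false
    }

    # 3. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS boot,
    #    which is one reason the 'secureboot' UEFI variable cannot be read.
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $report.FirmwareIsUefi    = $true
    } catch {
        $report.SecureBootEnabled = $null
        $report.FirmwareIsUefi    = $false
        $report.SecureBootError   = $_.Exception.Message
    }

    # 4. Current state of the OS volume as BitLocker sees it.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($osVol) {
        $report.OsVolumeStatus   = $osVol.VolumeStatus
        $report.OsProtection     = $osVol.ProtectionStatus
        $report.OsEncryptionType = $osVol.EncryptionMethod
        $report.OsKeyProtectors  = ($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }

    # 5. BitLocker policy values the MDM or GPO client has written locally.
    #    Comparing these with the Intune profile shows whether a setting (such
    #    as the third-party encryption block) actually reached the device.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (Test-Path $fve) {
        $props = Get-ItemProperty -Path $fve
        $report.PolicyValues = ($props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    } else {
        $report.PolicyValues = '<none written>'
    }

    [pscustomobject]$report
}

function Get-RecentBitLockerErrors {
    param([int]$Hours = 24)

    $since = (Get-Date).AddHours(-$Hours)
    # The first log carries BitLocker's own warnings/errors; the second carries
    # the MDM (Intune) policy-apply results.
    $logs = @(
        'Microsoft-Windows-BitLocker/BitLocker Management',
        'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    )
    foreach ($log in $logs) {
        # Level 2 = Error, 3 = Warning
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2,3; StartTime = $since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, @{n='Log';e={$log}}, Message
    }
}

Get-BitLockerPrereqReport | Format-List
Get-RecentBitLockerErrors -Hours 48 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```

If `FirmwareIsUefi` comes back false, or `SecureBootEnabled` is false, the Secure Boot integrity message is expected and the TPM validation profile in the policy is the thing to adjust; if `TpmSpecVersion` is 1.2, the silent-encryption prerequisites are not met on that hardware regardless of the policy. Running the report once as the logged-on standard user (without elevation) and once elevated makes the privilege error easy to attribute to the caller's token rather than to the policy.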
- Moe_Kinani, Jan 05, 2021, Bronze Contributor
Can you make sure Allowing Standard User to enable encryption during Azure AD join is checked?
- Stephane Lalancette, Jan 06, 2021, Brass Contributor
Moe_Kinani Yes it is checked as I saw it was a pre-req for the block 3rd party encryption setting.
I've also verified that it's really applied on the device itself.
- lalanc01, Jan 14, 2021, Iron Contributor
Stephane Lalancette just found this while searching for ideas:
The silent enable portion is half azz · Issue #255 · MicrosoftDocs/memdocs · GitHub
It seems like it might not be supported to do HAAD silent encryption with MEM.
I have a support call opened to verify this and will post findings here.