MEM Intune Endpoint Security Bitlocker troubleshooting

Hi, trying to figure out why I keep seeing the following when trying to encrypt my devices with endpoint security.

What does not applicable mean? Are there any logs I can check, or event viewer entries or other things, to help get to the bottom of this?

Setting: Enable full disk encryption for OS and fixed data drives
State / Error code: Not applicable
Source profiles: Not available

Thanks in advance, and don't hesitate if you have any questions.

Did you ever find a solution? @Stephane Lalancette

Hi Stephane,

I would check the event viewer under here for more info:

logs\Microsoft\Windows\BitLocker-API

I recommend upgrading the BIOS version, enabling Secure Boot and updating to TPM 2.0.

Here is a good guide to enabling silent encryption:

https://www.inthecloud247.com/windows-10-failed-to-enable-silent-encryption/

Hope this helps!
Moe
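To collect the evidence Moe's reply points at from a single device in one pass, here is a PowerShell check added as an example (it is not from any reply in this thread). It assumes an elevated session on a Windows 10 device with the BitLocker and TrustedPlatformModule modules present, and that the "BitLocker Management" channel is the log Event Viewer shows under Microsoft\Windows\BitLocker-API.

```powershell
# Added example, not from this thread: gather BitLocker-API events, TPM version,
# Secure Boot state and current volume status on one device. Run elevated.

# 1. BitLocker-API events from the last 7 days, filtered to the messages seen in
#    this thread (silent encryption, privilege, Secure Boot).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -match 'Silent Encryption|required privilege|secureboot|Secure Boot' } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 2. TPM presence and spec version. A "1.2, ..." SpecVersion on a device that
#    cannot be upgraded (the HP 840 case above) is the first thing to rule out.
$tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
'TPM present: {0}; spec version: {1}' -f ($null -ne $tpm), $tpm.SpecVersion
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated

# 3. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS/CSM firmware,
#    which is itself a finding: BitLocker cannot use Secure Boot for integrity there.
try {
    'Secure Boot enabled: {0}' -f (Confirm-SecureBootUEFI)
} catch {
    "Secure Boot not available: $($_.Exception.Message)"
}

# 4. Current state of the OS volume and which key protectors (if any) exist.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

A device that shows TPM 1.2, Secure Boot unavailable, or no protectors alongside a "required privilege is not held" event gives you the hardware or rights pre-requisite to fix before reworking the Intune profile.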

@ErinMcD I still haven't found a solution. Still investigating and working with FastTrack; will probably create a support call soon.

@Moe_Kinani

Yes, that's one of the main places I look for logs.

Here's what we're getting so far:

The error we are getting is:

Failed to enable Silent Encryption

Error: a required privilege is not held by the client

And we also get:

Bitlocker cannot use Secure Boot for integrity because the UEFI variable 'secureboot' could not be read
Error: a required privilege is not held by the client

On an HP 840 with TPM 1.2 (not supported to upgrade to 2.0), we also get the BitLocker 3rd party drive encryption, even if the MDM policy is set to block on the device.

Seems like it's not honoring this setting for some reason.

On that device, we get Bitlocker cannot use secure boot for integrity because the expected tcg log entry for variable 'secureboot' is missing or invalid

I've requested a newer laptop with TPM 2.0 to see if it'll change anything.

Can you make sure Allowing Standard User to enable encryption during Azure AD join is checked?

@Moe_Kinani Yes it is checked, as I saw it was a pre-req for the block 3rd party encryption setting.

I've also verified that it's really applied on the device itself.

@Stephane Lalancette

And no other backup/imaging tools installed on the device itself, or other weird settings defined in
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights?

@Stephane Lalancette just found this while searching for ideas:

The silent enable portion is half azz · Issue #255 · MicrosoftDocs/memdocs · GitHub

It seems like it might not be supported to do HAAD silent encryption with MEM.

I have a support call opened to verify this and will post findings here.

Just confirming that this is indeed not possible on Hybrid devices.
You need to enable it another way (for example SCCM or Powershell)

@Thijs Lecomte We have been trying to do this for Azure AD joined devices and are not able to make it work reliably.
Currently MS "Premier Support" have had the ticket for over 3 months and they still can't make it work.

Rapidly losing ANY faith in Intune managed BitLocker. It just seems that it is far too flaky for Enterprise use.

@Thijs Lecomte while working with MS support they've told us that HAAD silent bitlocker is really supported.

Still working with them to understand how. Currently the only way to make it work is to not set the user as admin.

For unknown reasons, when the user is admin we get a permission issue. MS support is not able to reproduce the issue at the moment, so the investigation is ongoing.