Forum Discussion
Puzzling BitLocker Status
Hey there,
Recently began testing a BitLocker policy. I created the policy using the recommendations from this article: https://petri.com/best-practices-for-deploying-bitlocker-with-intune/
At this point, the policy has been deployed to 8 systems and all of them appear to have been properly configured. In my review of everything:
- The device now shows BitLocker is managed by a system admin.
- Running 'manage-bde -status C:' shows fully encrypted.
- There is now a recovery key listed in Azure AD for all 8 devices.
- The same recovery key is visible under the device entry in the MEM portal, too.
However, when I look at the Device Status under the BitLocker policy in the MEM portal, all 8 of the devices show an Assignment Status of "Error". I've reviewed the logs on a couple of devices and I don't see anything that looks like a deployment failure. Any thoughts?
TIA
~DGM~
- Mmm, I would start by making sure those other compatible TPM startup options are blocked, as shown here:
https://call4cloud.nl/2021/02/b-for-bitlocker/
- Hi... could you first show us your configuration and some screenshots of that error? Did you also look at the modern device management logs etc. to determine why that config could give you errors?
- DGMalcolm, Iron Contributor
I spent a lot of time looking at logs, especially the Device Management logs in Event Viewer. In those logs I see a series of 3 events happening on the configured devices. I've included those events in the order they happen. I've also attached screenshots of the BitLocker settings.
Event Type: Warning
Event ID: 2900
Source: DeviceManagement-Enterprise-Diagnostics-Provider
Description:
BitLocker CSP: GetDeviceEncryptionComplianceStatus indicates OSV is not compliant with returned status 0x80
Event Type: Error
Event ID: 810
Source: DeviceManagement-Enterprise-Diagnostics-Provider
Description:
MDM PolicyManager: Set policy string, Policy: (SystemDrivesRequireStartupAuthentication), Area: (BitLocker), EnrollmentID requesting set: (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx), Current User: (Device), String: (<enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="false"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="0"/><data id="ConfigurePINUsageDropDown_Name" value="3"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="3"/><data id="ConfigureTPMUsageDropDown_Name" value="1"/>), Enrollment Type: (0x6), Scope: (0x0), Result:(0x8000FFFF) Catastrophic failure.
Event Type: Error
Event ID: 404
Source: DeviceManagement-Enterprise-Diagnostics-Provider
Description:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (BitLocker), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication), Result: (Catastrophic failure).
- KurtBMayer, Steel Contributor
These articles suggest the "catastrophic failure" is a result of malformed XML or URLs that are too long within the XML. By any chance did you provide a long Recovery Key URL? It should've generated the XML for you in this case via the portal, but you could possibly delete and recreate the policies to trigger a regeneration of new XML.
Another possibility from your information suggests it was failing to update the CSP setting. Is it possible you have a GPO or something else in place which defines the BitLocker policy which could be causing a conflict?
All that being said, if it is succeeding in getting all the recovery key info stored to Azure AD, you could possibly just ignore the error. I've seen the portal show this "stuck" error state because it couldn't properly apply on the first try, but even though it later succeeds, the state never updates. Possibly this is a portal bug.
Please like or mark this thread as answered if it's helpful, thanks!
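The replies above ask for three things from an affected device: the DeviceManagement events, the local BitLocker/TPM state, and whether a Group Policy is writing the same startup-authentication settings the CSP is trying to set. The script below is an added example, not code from the thread or from Microsoft; it pulls those three things together on one machine. It assumes Windows 10/11 with the BitLocker and TrustedPlatformModule PowerShell modules, an elevated session, and that the event messages have the same shape as the three quoted above (the regexes are written against that quoted text). The FVE value names are the ones the "Require additional authentication at startup" policy writes; the PolicyManager path is where MDM-delivered policy values are recorded.

```powershell
# Added triage script (not from the thread). Run elevated on one of the 8 devices.
# Assumption: event text matches the 2900/810/404 messages quoted in the thread.

$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# 1. The three events quoted in the thread, with policy name and result pulled out.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 2900, 810, 404 } -MaxEvents 30 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        $policy = ''
        if ($m -match 'Policy: \(([^)]+)\)')       { $policy = $Matches[1] }
        elseif ($m -match 'CSP URI: \(([^)]+)\)')  { $policy = $Matches[1] }
        $result = ''
        if ($m -match 'Result:\s*\(([^)]+)\)')     { $result = $Matches[1] }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Level  = $_.LevelDisplayName
            Policy = $policy
            Result = $result
        }
    } | Format-Table -AutoSize

# 2. What the most recent 810 event tried to write: the <data id="..." value="..."/>
#    pairs inside the String: (...) part of the message, one row each.
$set = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 810 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($set -and $set.Message -match 'String:\s*\((.+?)\), Enrollment Type') {
    $policyXml = $Matches[1]
    [regex]::Matches($policyXml, '<data id="([^"]+)" value="([^"]+)"') |
        ForEach-Object { [pscustomobject]@{ DataId = $_.Groups[1].Value; Value = $_.Groups[2].Value } } |
        Format-Table -AutoSize
}

# 3. Local state: the same check as 'manage-bde -status C:', plus which key protectors
#    exist and whether the TPM is present and ready.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$tpm = Get-Tpm
[pscustomobject]@{
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    EncryptionMethod = $vol.EncryptionMethod
    KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
    TpmPresent       = $tpm.TpmPresent
    TpmReady         = $tpm.TpmReady
} | Format-List

# 4. Conflict check. The startup-authentication settings land in the FVE policy key;
#    if a domain GPO also writes them, compare what is there with the values in step 2.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    Get-ItemProperty $fve |
        Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN |
        Format-List
} else {
    'No FVE policy key found under HKLM\SOFTWARE\Policies\Microsoft\FVE.'
}

# MDM-delivered policy values for the BitLocker area, as recorded by PolicyManager.
$mdm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
if (Test-Path $mdm) {
    Get-ItemProperty $mdm | Format-List
} else {
    'No MDM BitLocker policy recorded under PolicyManager\current\device.'
}

# If you have domain GPOs, also list which ones apply, to see whether one carries
# BitLocker settings: gpresult /h gp.html (then search the report for "BitLocker").
```

Read the output top to bottom: step 1 shows whether the 810/404 failures are still recurring on every sync or stopped after the first attempt (which is the "stuck" portal state KurtBMayer describes); step 2 shows the exact values the policy is trying to set; step 3 confirms the volume is actually protected by a TPM protector; step 4 shows whether something other than the CSP has already populated the same FVE values, which is the GPO conflict case.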