BitLocker
Which Windows Licenses are required to manage BitLocker through Intune

License Confusion for Managing BitLocker via Intune

Scenario: We are managing BitLocker through Intune, with recovery keys backed up to Entra ID for both Hybrid and Entra ID-joined devices. Our devices run Windows 10/11 Professional, and we have EMS E3 licenses.

Confusion: Most Microsoft documents state that Windows 10/11 Professional is sufficient to enable and manage BitLocker. However, one document mentions that Windows 10/11 Enterprise is required to manage BitLocker using CSP (Configuration Service Provider). We need clarification on whether Windows 10/11 Professional is fully capable of BitLocker management via Intune or if Enterprise is required for CSP-based management. I am providing reference Microsoft articles and screenshots to support this.

BitLocker Enablement: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/#windows-edition-and-licensing-requirements
BitLocker Management: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=common#windows-edition-and-licensing-requirements
Encrypt Devices with Intune: https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#view-details-for-recovery-keys

You can find this paragraph in the above document: "Information for BitLocker is obtained using the (CSP). BitLocker CSP is supported on Windows 10 version 1703 and later, Windows 10 Pro version 1809 and later, and Windows 11."

Contradictory Statement Document: https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp

Bitlocker Recovery Key Sync Issue in Intune
Hello All,

We've configured Bitlocker settings in Intune using a device configuration profile in a hybrid environment. While it was previously working fine, for the past two weeks devices assigned to the Bitlocker policy are encrypting successfully, but the recovery keys are not syncing to Intune/Entra. Below are the relevant event logs from the affected devices:

- Event ID: 846 - Failed to backup Bitlocker Drive Encryption recovery information for volume C: to your Azure AD.
  - TraceId: (xxxx)
  - Error: JSON value not found.
- Event ID: 875 - Server reported a failure while attempting to retrieve recovery password information from AAD.
  - Error: Unknown HResult Error code: 0x80190000
  - HTTP Status Code: 0
  - RetryRequest: false
  - DidSetRetryHint: false
  - RetryHintSeconds: 0
- Event ID: 868 - Failed while attempting to get Bitlocker Drive Encryption recovery information from Azure AD.
  - Error Code: Unauthorized (401)

If anyone has encountered similar issues, your guidance on troubleshooting would be greatly appreciated.

Thanks,

Bitlocker pushed via Intune does not work
Hello,

I'm trying to set up silent BitLocker deployment via Intune -> Endpoint Security -> Disk Encryption. I have assigned a testing machine to it, but it doesn't seem to enable BitLocker at all on the machine. I am attaching the configuration. We are in a hybrid scenario and the computer is hybrid joined...

Now... I can see the policy SUCCEEDED in Intune... also the "Per setting status" report shows all successful. The laptop has only one drive - the OS drive - and it is not encrypted. In Event Viewer, I see "Bitlocker CSP: OS Drive not protected". Before, I also saw "encryption type not supported" when I had "Full encryption" enabled. After changing it to "Used data only" this warning does not appear anymore. I have forced sync from the laptop... also restarted a few times already... but the drive still does not have BitLocker turned on. Btw, it is a fresh new laptop.

Any advice? Am I missing anything here?

UPDATE: I see one more warning in Event Viewer that is related to BitLocker: "BitLocker CSP: GetDeviceEncryptionComplianceStatus indicates OSV is not compliant with returned status 0x106"

Regards,
Michal

Microsoft Entra ID Bitlocker Key Packages location
Hello,

According to the info provided in Intune, key packages can now be saved in Entra ID (so it means that KPs can be saved in a cloud-only Entra ID environment, right?). I would like to know how to download those key packages, or where I can find them?

Best regards,

BitLocker backup into Entra ID
We are in the process of setting up Hybrid Join. When I try to back up the BitLocker key to Entra ID I get the following error in the event viewer:

Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD. TraceId: ***************************** Error: Unknown HResult Error code: 0x80072efe.

When I run the backup PowerShell script on the computer I get the following error:

I have logged in with my FQDN on the computer. I show the computer is compliant and co-managed. I have also blocked the GPO that was handling BitLocker from being pushed to the computer. I have restarted and run gpupdate /force multiple times. Any assistance would be helpful. I am unable to find anything online to resolve this issue.

HAADJ with Intune Co-Management
Hello,

- I have an HAADJ tenant with Intune Co-Management.
- AD Connect syncs devices only and not users to Entra (as users are third-party provisioned and federated).
- Devices appear in Azure, then are added to a group for Intune policy enrollment. Enrollment is done via GPO.
- They get enrolled in Intune using co-management with SCCM, auto MDM enrollment with device credentials, and appear in Intune as co-managed.
- BitLocker is applied via Intune on the devices to encrypt fixed data drives and operating system drives. A GPO is applied to avoid backing up the recovery key in AD, as explained here: https://www.burgerhout.org/the-bitlocker-haadj-nightmare/

Question(s):

1. For testing, we encrypt and remove Symantec's drive encryption. A restart is done during removal, then the recovery key screen appears and the key is requested to access the device. On the second restart after uninstall, the key is not requested.
2. After testing, the recovery key is stored in Intune but not stored in the below location: https://myaccount.microsoft.com/ -> Devices -> Manage Devices -> Select devices -> View Bitlocker Keys (It appears only in the test environment where enrollment is done via user credentials as opposed to device credentials.)
3. Devices in Azure under the following URL https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId/Devices show an owner when the device is first moved with AD sync; however, later on the owner is removed and the behavior is very random. In Intune, however, devices show a primary user logged in as long as someone is logged in to Office, which is fine and acceptable. So what could be the reason for the issue in Azure/Entra?

Bitlocker D drive and Recovery after Restart
Hello,

I am starting to create an Intune policy to encrypt devices with full disk encryption using BitLocker. So far, the policy works fine for the C drive but not the D drive. The second issue is that upon restart of an encrypted device, a recovery screen shows up and the user has to use the recovery key to use the device. I need some more understanding about the policy template settings to see what could be causing those behaviors.

Current policy settings for reference:

BitLocker
- Require Device Encryption: Enabled
- Allow Warning For Other Disk Encryption: Disabled
- Allow Standard User Encryption: Enabled
- Configure Recovery Password Rotation: Refresh on for both Azure AD-joined and hybrid-joined devices

Administrative Templates

Windows Components > BitLocker Drive Encryption
- Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled
  - Select the encryption method for removable data drives: AES-CBC 128-bit (default)
  - Select the encryption method for operating system drives: XTS-AES 128-bit (default)
  - Select the encryption method for fixed data drives: XTS-AES 128-bit (default)
- Provide the unique identifiers for your organization: Not configured

Windows Components > BitLocker Drive Encryption > Operating System Drives
- Enforce drive encryption type on operating system drives: Enabled
  - Select the encryption type: (Device) Full encryption
- Require additional authentication at startup: Disabled
- Configure minimum PIN length for startup: Not configured
- Allow enhanced PINs for startup: Not configured
- Disallow standard users from changing the PIN or password: Not configured
- Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN: Not configured
- Enable use of BitLocker authentication requiring preboot keyboard input on slates: Not configured
- Choose how BitLocker-protected operating system drives can be recovered: Enabled
  - Omit recovery options from the BitLocker setup wizard: False
  - Allow data recovery agent: False
  - Allow 256-bit recovery key
  - Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
  - Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: True
  - Save BitLocker recovery information to AD DS for operating system drives: True
  - Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
- Configure pre-boot recovery message and URL: Enabled
  - Select an option for the pre-boot recovery message: Use default recovery message and URL
  - Custom recovery URL option:
  - Custom recovery message option:

Windows Components > BitLocker Drive Encryption > Fixed Data Drives
- Enforce drive encryption type on fixed data drives: Enabled
  - Select the encryption type: (Device) Full encryption
- Choose how BitLocker-protected fixed drives can be recovered: Enabled
  - Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: True
  - Allow data recovery agent: True
  - Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
  - Allow 256-bit recovery key
  - Save BitLocker recovery information to AD DS for fixed data drives: True
  - Omit recovery options from the BitLocker setup wizard: True
  - Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
- Deny write access to fixed drives not protected by BitLocker: Not configured

Windows Components > BitLocker Drive Encryption > Removable Data Drives
- Control use of BitLocker on removable drives: Not configured
- Deny write access to removable drives not protected by BitLocker: Not configured

Replacing third party drive encryption with Bitlocker
Hello All,

I wanted to know if it is possible to use double encryption, i.e. deploy BitLocker while having third-party encryption for drives enabled already. The idea is to deploy BitLocker for devices with third-party encryption such as Symantec's drive encryption, then phase out Symantec's encryption later. Is that supported, and if so, how do we go about it?

We have tested already using BitLocker while Symantec's is enabled, and after restarting, as soon as we get past the Symantec's login screen, the BitLocker recovery screen is shown and we have to use the key. Also, the D drive does not seem to get encrypted even though full disk encryption is on in the policy and D is not a system drive. Maybe because Symantec's encryption is still enabled? Or pending decryption? The settings mainly used are for silent enablement (allow third party warning: disabled). I would appreciate it if you have the best practice for similar scenarios.

Configure Bitlocker via Endpoint Security
Dear all,

I have a question about automatically and quietly configuring BitLocker on managed devices via Intune Endpoint Security. In our default configuration, we always configure in Endpoint security policy > Disk encryption:

- Require Device Encryption: Enabled
- Enforce drive encryption type on operating system drives: Enabled (Full encryption)

This has always worked without any problems so far. In an implementation late last year BitLocker was not automatically enabled with this policy, despite the policy being successfully deployed. For this I had filed an incident with Microsoft Support. They indicated that there is currently a problem with the Endpoint Security BitLocker configuration and that for now it should be achieved via a Configuration profile with the Endpoint Protection template. Now I am working on a new implementation and trying again via Endpoint security; however, this still does not work. So I wonder if more people experience problems with this? Or if someone has found a solution?

BitLocker recovery key not being uploaded into Intune when using BackupToAAD-BitLockerKeyProtector
Hello,

We are having an issue with the BackupToAAD-BitLockerKeyProtector PowerShell cmdlet to upload the BitLocker recovery key of our devices into AAD/Intune. We currently use Sophos Device Encryption to encrypt our devices but want to migrate the recovery keys into Intune as we transition to Intune BitLocker policies. We created a script that attempts to upload the BitLocker recovery key into Intune, but it appears the BackupToAAD-BitLockerKeyProtector cmdlet only works on devices where the user logs in with a domain account, and not a local Windows account. Is this standard behaviour? I would have assumed that since the device is enrolled into Intune it would use the Management Extension to communicate with Intune for this task, and have no reliance on the logged-in user.

Looking at the BitLocker PowerShell module itself, a method named "BackupRecoveryInformationToCloudDomain" is called when this cmdlet is executed. I haven't been able to find much online about what happens beyond here. It would be good to know a bit more about this cmdlet as documentation is limited online.

Cheers