Eduards-6654 asked Crystal-MSFT edited

Microsoft Intune - Bitlocker encryption Co-managed devices (fixed data drive)

Hello,

We have enabled Co-management and all devices are hybrid Azure AD joined. I configured Windows 10 Device configuration (Endpoint Protection Profile).

I encrypted the OS drive without any problems. After that I configured the policy to encrypt the fixed data drive, and then I received this error in Event Viewer (BitLocker-API):

851 Silently Encryption failed, Access Denied
[Screenshots: the Event Viewer error and the Intune Endpoint Protection profile configuration]

This is my configuration. What could be the cause? Second partition is formatted and enabled. No additional CD/DVD drive or something like that.


Crystal-MSFT answered Crystal-MSFT edited

@Eduards-6654, From your description, I understand we get a silent encryption failure when configuring BitLocker for the fixed data drive in a Windows 10 device configuration policy. If there's any misunderstanding, feel free to let us know.

I know the devices are all Hybrid Azure AD joined. In fact, silently enabling BitLocker on devices is only supported on Azure AD joined devices. As our devices are all Hybrid Azure AD joined, this may cause our issue.
[Screenshot: documentation excerpt on silent BitLocker enablement]
https://docs.microsoft.com/en-us/mem/intune/protect/encrypt-devices#manage-bitlocker

Turn off BitLocker, change "Allow standard users to enable encryption during Azure AD Join" to Not configured, and then assign the policy again. Then the disks are encrypted correctly.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




image.png (27.0 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
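Before and after applying the fix in this answer (turning BitLocker off, setting the option to Not configured, reassigning the policy), it helps to confirm on the device itself which volumes the policy has actually encrypted and whether the silent-encryption failure from the question (Event ID 851) is still being logged. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the built-in BitLocker module is available (Windows 10 Pro/Enterprise), that it is run from an elevated prompt, and that the "BitLocker-API" events shown in the question are recorded in the 'Microsoft-Windows-BitLocker/BitLocker Management' log.

```powershell
# Added example (not from the thread): report BitLocker state for the OS and data
# volumes and list recent silent-encryption failures (Event ID 851, as in the question).
# Assumptions: BitLocker module present; run elevated; 851 events live in the
# 'Microsoft-Windows-BitLocker/BitLocker Management' log.

function Get-DriveEncryptionReport {
    # VolumeType 'Data' covers fixed and removable data volumes; the thread is about
    # a fixed second partition, so removable drives are excluded via Get-Volume.
    $fixedLetters = (Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }).DriveLetter

    Get-BitLockerVolume |
        Where-Object { $_.MountPoint.TrimEnd(':\') -in $fixedLetters } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint        = $_.MountPoint
                VolumeType        = $_.VolumeType          # OperatingSystem / Data
                VolumeStatus      = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
                ProtectionStatus  = $_.ProtectionStatus    # On / Off (protectors active or not)
                EncryptionPercent = $_.EncryptionPercentage
                KeyProtectors     = ($_.KeyProtector.KeyProtectorType -join ', ')
            }
        }
}

function Get-SilentEncryptionFailures {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 851                       # "Silent encryption failed" event from the question
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no matching events exist.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$report = Get-DriveEncryptionReport
$report | Format-Table -AutoSize

# Any fixed volume not FullyEncrypted means the Intune policy has not taken effect
# on it; in that case show why silent enablement failed.
$pending = $report | Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' }
if ($pending) {
    Write-Warning ("Not fully encrypted: " + ($pending.MountPoint -join ', '))
    Get-SilentEncryptionFailures | Format-List
} else {
    Write-Host "All fixed volumes are fully encrypted."
}
```

Run it once before changing the setting to capture the 851 events, and again after the policy has re-applied: the data volume should move from FullyDecrypted to EncryptionInProgress and then FullyEncrypted, with ProtectionStatus On and no new 851 events.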

Eduards-6654 answered Crystal-MSFT commented

Hello @Crystal-MSFT

Thank you for your answer.

But there should be a way to encrypt fixed data drive using Microsoft Intune on Hybrid Azure AD joined devices?


@Eduards-6654 , Yes, we can change "Allow standard users to enable encryption during Azure AD Join" to not configured to see if the result will be different.


@Eduards-6654 , How's everything going? Did we unset the setting "Allow standard users to enable encryption during Azure AD Join"? Was the encryption for the fixed data drive continued? If there's any update, feel free to let us know.

Thanks and have a nice day!

Eduards-6654 answered Crystal-MSFT commented

Hello @Crystal-MSFT - I turned off BitLocker on a test laptop, then changed the policy settings and deployed again.

And after that both disks were encrypted.


@Eduards-6654 , Thanks for the response. I am glad to hear that the disks are encrypted after we changed the settings. Congratulations! If there's anything else we can help with in the future, feel free to post in our Q&A.

Thanks for your time and have a nice day!
