Andreas-9700 asked Crystal-MSFT answered

Bitlocker hybrid unknown error

Hi,

Trying to apply BitLocker from Intune to our hybrid Azure machines.

Machine info:
Windows 10.0.19042.804
Secure Boot State On
TPM 2.0
OS Name Microsoft Windows 10 Business
BIOS Mode UEFI
PCR7 Configuration Binding Possible

If I go to Monitor > Encryption report, it says that the device's Encryption readiness = Ready.


I checked one of the machines that has been successful and has BitLocker enabled. I can see from the logs that that machine has "PCR7 Configuration: Bound", and as you can see, the machine that has problems has "PCR7 Configuration: Binding Possible". Could that be a reason why BitLocker is not getting enabled?
Update: As you can see from the xls sheet, the green ones are OK. Will the yellow ones become OK if we configure PCR7 to Bound? And I am not sure about the red ones: since they do not support Secure Boot, I guess silent BitLocker is not an option, but BitLocker could be enabled manually?


Any suggestions on where to start from this ?




1 Answer

Crystal-MSFT answered

@Andreas-9700, to silently enable BitLocker on devices, the following settings need to be configured:
--Warning for other disk encryption = Block
--Allow standard users to enable encryption during Azure AD Join = Allow

We can see more details in the following link:
https://docs.microsoft.com/en-us/mem/intune/protect/encrypt-devices#silently-enable-bitlocker-on-devices

For the devices which do not support silent BitLocker, we can change the setting "Allow standard users to enable encryption during Azure AD Join" to Not configured and enable BitLocker manually.

Hope it can help.


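The answer above lists the two Intune settings that silent enablement depends on, and the question lists the hardware prerequisites (UEFI, Secure Boot, TPM 2.0) that separate the green, yellow and red rows. The following script is an added example, not part of the original thread or of Microsoft's documentation: it gathers both sides on the device itself so a "ready" report from Intune can be checked against what actually landed on the machine. It assumes the Intune BitLocker CSP values are written under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker with the value names AllowWarningForOtherDiskEncryption (0 = Block) and AllowStandardUserEncryption (1 = Allow); those names and that registry path are assumptions from the CSP naming, verify them on your own tenant. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original thread): local readiness check for
# Intune silent BitLocker enablement. Run elevated on the target device.
# Assumptions (registry path and value names of the BitLocker CSP) are marked inline.

$report = [ordered]@{}

# 1. Firmware / Secure Boot. Silent enablement needs UEFI with Secure Boot on;
#    Confirm-SecureBootUEFI throws on legacy BIOS, so treat that as "off".
$report.FirmwareType = $env:firmware_type            # "UEFI" or "Legacy"
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = $false }

# 2. TPM: must be present and ready; PCR7 binding additionally needs TPM 2.0.
$tpm = Get-Tpm
$report.TpmPresent = $tpm.TpmPresent
$report.TpmReady   = $tpm.TpmReady
$tpmInfo = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
$report.TpmSpecVersion = $tpmInfo.SpecVersion        # e.g. "2.0, 0, 1.59"

# 3. MDM policy as delivered by Intune.
#    ASSUMPTION: the BitLocker CSP lands under this PolicyManager key with these value names.
$cspKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
$policy = Get-ItemProperty -Path $cspKey -ErrorAction SilentlyContinue
$report.AllowWarningForOtherDiskEncryption = $policy.AllowWarningForOtherDiskEncryption  # 0 = Block
$report.AllowStandardUserEncryption        = $policy.AllowStandardUserEncryption         # 1 = Allow

# 4. Current state of the OS volume and which key protectors exist.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.VolumeStatus     = $vol.VolumeStatus
$report.ProtectionStatus = $vol.ProtectionStatus
$report.KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

# 5. Most recent BitLocker management errors; a failed silent enablement is logged here.
$report.RecentBitLockerErrors = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Level = 2
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.TimeCreated) [$($_.Id)] $($_.Message.Split("`n")[0])" }

[pscustomobject]$report | Format-List

# Verdict: the two Intune settings from the answer plus the hardware prerequisites.
$silentReady = ($report.FirmwareType -eq 'UEFI') -and $report.SecureBoot -and
               $report.TpmPresent -and $report.TpmReady -and
               ($report.TpmSpecVersion -like '2.0*') -and
               ($report.AllowWarningForOtherDiskEncryption -eq 0) -and
               ($report.AllowStandardUserEncryption -eq 1)
"Silent BitLocker prerequisites met on this device: $silentReady"
```

Devices that fail only the Secure Boot check (the red rows in the question) will still show ProtectionStatus = Off after the policy arrives; for those, the manual path from the answer applies. Devices that pass every check but still sit at VolumeStatus = FullyDecrypted are the ones where the BitLocker Management event log entries are worth reading before changing any policy.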


