
1 Vote
Sim1S-3143 asked, Sim1S-3143 edited

BitLocker silent encryption status

Hello everyone,

I've been trying to apply BitLocker to an Azure AD joined device (Intune enrolled) via a custom profile from Endpoint Manager -> Endpoint security -> Disk encryption.
I couldn't understand very clearly what was stated in this article about the startup password and/or PIN requirements, so this is how I set them in the encryption profile:

[image: 122032-image.png]

The documentation states that the startup PIN and password must not be set to "Required", so I enabled them and set them to "Allowed" just in case.
The profile rules get applied smoothly (in fact, you can see that the BitLocker policy is deployed successfully):

[image: 122015-image.png]

However, if I run the command "manage-bde -status" in cmd, it can't find the BitLocker version, the encryption percentage is at 0%, and there is no protection whatsoever.
Basically, it looks like the rules (which seem to be applied correctly from the Endpoint security profile) fail to be applied on the device.
I have tried with another user and the hard drive got encrypted successfully.

My question is: how can I see where the rules get blocked? The encryption report is not helping since it isn't that verbose, and the profile (from the Intune interface) seems to have no problems.

Thank you very much.

Kind regards,
Sim


Tags: mem-intune-general, mem-intune-device-configurations

0 Votes
RahulJindal-2267 answered, Sim1S-3143 commented

See if you can refer to the BitLocker event logs in eventvwr. Most likely there is an issue on the device with either hardware pre-reqs missing or DMA classes not whitelisted.


Hello @RahulJindal-2267,

Thank you very much for your reply.
The logs in Event Viewer didn't help me very much; it was just stated that Intune failed to apply a configuration policy, nothing more. Maybe I checked the wrong ones? Which one am I supposed to check?
I excluded the possibility of a pre-req issue, the device is ready to be encrypted according to the encryption report. (I read in a Microsoft Doc that "Ready" means it passed all the pre-req hardware checks.)
What about the dma classes? What are those and how can I check them?


I blogged in relation to this a while back. Have a look.
intune-bitlocker-silent-and-automatic.html



Thank you very much @RahulJindal-2267, I'm going to check it right away.
Just to be sure, can you confirm that you can't create a Device configuration profile and set "Endpoint protection" -> "Windows Encryption" anymore, but rather have to configure the "Disk encryption" profile under the "Endpoint security" blade in Intune?

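The evidence the answer above points to (BitLocker event log, whether the Intune policy actually landed on the device, and the DMA device allow-list), collected in one script. This is an added example, not code from the thread, from Microsoft or from the linked blog post. It assumes an elevated PowerShell session on the affected device while the primary user is signed in, Windows 10 1809 or later, and a temporary file path under $env:TEMP for the msinfo32 report; the section banners are my own.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the affected
# device while the primary user is signed in; silent encryption does not start without a
# user session, and some of the checks below need admin rights.

# 1. BitLocker-API log: the BitLocker service records here why it did or did not start
#    encrypting (missing TPM, Secure Boot off, unallowed DMA devices, policy conflicts ...).
'--- BitLocker Management log (last 50 events) ---'
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap

# 2. MDM client log: shows whether the BitLocker CSP settings from the Intune profile
#    were delivered to and accepted by the device.
'--- MDM diagnostics log, BitLocker-related events ---'
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'BitLocker' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap

# 3. The BitLocker CSP values as written by the MDM client. If this key is missing or
#    empty, the profile never reached the device, whatever the Intune portal reports.
'--- BitLocker CSP values on the device ---'
$cspKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
if (Test-Path $cspKey) {
    Get-ItemProperty -Path $cspKey | Select-Object * -ExcludeProperty PS* | Format-List
} else {
    "No BitLocker CSP values under $cspKey"
}

# 4. DMA readiness. msinfo32 reports 'Un-allowed DMA capable bus/device(s) detected' on
#    its 'Device Encryption Support' line; write the report to a file and pull out the
#    lines that matter for BitLocker.
'--- msinfo32 readiness lines ---'
$report = Join-Path $env:TEMP 'msinfo32-bitlocker.txt'   # assumed scratch location
Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
Select-String -Path $report -Pattern 'Device Encryption Support|Kernel DMA Protection|Secure Boot State|BIOS Mode' |
    ForEach-Object { $_.Line.Trim() }

# 5. The DMA allow-list the answer refers to: each value maps a device name to its
#    PCI vendor/device ID (PCI\VEN_xxxx&DEV_xxxx) that Windows treats as safe for DMA.
'--- DmaSecurity\AllowedBuses ---'
$allowedKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
if (Test-Path $allowedKey) {
    Get-ItemProperty -Path $allowedKey | Select-Object * -ExcludeProperty PS* | Format-List
} else {
    "No entries under $allowedKey"
}
```

Read the two logs together: an MDM log entry that the BitLocker policy was applied, followed by nothing at all in the BitLocker Management log, means the policy arrived but the BitLocker service never attempted encryption, which is the pattern the question describes; an error in the BitLocker Management log names the prerequisite that failed. Step 4 is where an unallowed DMA device shows up; adding it under AllowedBuses is a change to make only for a device you have confirmed cannot perform DMA before the OS is running.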
0 Votes
yannara answered, Sim1S-3143 commented

I started to have a massive problem, where bitlocker silent encryption does not work anymore. I will post my own thread, but just for your information. Could be a massive thing...


Hello @yannara and thank you very much for your reply.
I'll definitely keep this in mind, since I'm having quite a few problems lately with BitLocker.


@Sim1S-3143 sorry, it seems it has been my own fault. Secure Boot is required for silent automatic encryption, and another change I made, not requiring TPM but allowing it, helped. I also found out that not all Event Viewer BitLocker-API events matter. I have a lot of 812 and 813, but still everything is working normally again. What problems do you still have?


@yannara thank you for your clarification.
I'd like to know the type of error too, because there doesn't seem to be one! Event Viewer is clear, there are no logs since yesterday morning, and under "System Information" the device states to be ready for encryption.

Intune-wise, the profile has no problems when applying to the device, and the Encryption report says the machine is ready to be encrypted.

Everything's ready... but BitLocker is still off on the device.

0 Votes
RahulJindal-2267 answered, Sim1S-3143 edited

The issue could be with how you are configuring the BitLocker policies, or some pre-reqs are still missing. However, can you confirm that there is a user session detected on the device and that you are not checking remotely? Also, which model is this?


The pre-reqs should all be fine, but I'll give it a quick check just in case. The laptop belongs to an actual person who uses it every day. I do use a remote session to check the encryption status, but it always happens when the primary user is connected to the laptop. Model is HP EliteDesk 800 G4 DM 35W.

As for the other prerequisites:

  • The end user is a user, and the OS version is 10.0.1904.* (thus it is later than 1809 as requested here)

  • The device was enrolled via Intune (thus it is Azure AD joined)

  • The device has TPM 2.0

  • BIOS mode is UEFI

I'll check the BIOS mode as soon as I can. But for now, can you confirm that these specs match the pre-reqs? Thank you very much.

EDIT: I checked the BIOS mode and it is, indeed, UEFI. I'll add it to the list.
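The prerequisite list in the comment above, plus the Secure Boot and TPM points yannara raised earlier in the thread, turned into a check script that prints PASS/FAIL per item and then the OS volume state that manage-bde -status reports. This is an added example, not code from the thread or from Microsoft. It assumes an elevated PowerShell session on the device itself, with the BitLocker and TrustedPlatformModule modules available (Windows 10 Pro/Enterprise); the check names are my own. The policy-side change yannara describes (TPM set to "Allowed" rather than "Required") lives in the Intune profile and is not something a device-side script can verify.

```powershell
# Added example (not from the thread). Evaluates the prerequisites listed in the thread
# for silent BitLocker encryption of an Azure AD joined, Intune-enrolled device and
# prints PASS/FAIL per check, then the current state of the OS volume.
# Run in an elevated PowerShell on the device itself.

$checks = [ordered]@{}

# OS build: silent encryption needs Windows 10 1809 (build 17763) or later.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$checks['OS build >= 17763 (1809)'] = ([int]$os.BuildNumber -ge 17763)

# Firmware mode: UEFI, not legacy BIOS.
$checks['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as FAIL.
try   { $checks['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $checks['Secure Boot enabled'] = $false }

# TPM: present, initialised, and spec version 2.0 (SpecVersion reads like '2.0, 0, 1.38').
$tpm = Get-Tpm
$checks['TPM present and ready'] = ($tpm.TpmPresent -and $tpm.TpmReady)
$tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$checks['TPM 2.0'] = ($null -ne $tpmInfo -and $tpmInfo.SpecVersion -like '2.0*')

# Join and enrolment state from dsregcmd (its output is a list of 'Name : Value' lines).
$ds = dsregcmd /status
$checks['Azure AD joined'] = [bool]($ds -match '^\s*AzureAdJoined\s*:\s*YES')
$checks['MDM enrolled']    = [bool]($ds -match '^\s*MdmUrl\s*:\s*https://')

# Current state of the OS volume (the same information manage-bde -status prints).
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$checks['OS volume protected'] = ($vol.ProtectionStatus -eq 'On')

# Report.
foreach ($entry in $checks.GetEnumerator()) {
    '{0,-28} {1}' -f $entry.Key, $(if ($entry.Value) { 'PASS' } else { 'FAIL' })
}
$protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
'{0} {1}, {2}% encrypted, protectors: [{3}]' -f $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage, $protectors
```

A device that passes every check and still shows FullyDecrypted with no protectors is in exactly the state the question describes: the hardware is ready and the policy is on the device, so the next place to look is the BitLocker Management event log for the reason the service declined to start, and whether a user session was actually present when the policy was evaluated.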