Windows 10: Microsoft Intune: How to enable bitlocker silently - Got issue: Device Encryption...

Discuss and support Microsoft Intune: How to enable bitlocker silently - Got issue: Device Encryption... in Windows 10 Customization to solve the problem; Dear all, Previously, I created a policy to enable BitLocker on Windows devices, and it was working smoothly. However, about two weeks ago, when I... Discussion in 'Windows 10 Customization' started by Lộc Nguyễn1, Jun 19, 2023.

  1. Microsoft Intune: How to enable bitlocker silently - Got issue: Device Encryption...


    Dear all, Previously, I created a policy to enable BitLocker on Windows devices, and it was working smoothly. However, about two weeks ago, when I enrolled devices with Company Portal, BitLocker did not encrypt automatically, and a notification always popped up in the bottom-right corner of the desktop with the name "Device Encryption your work or school requires...". This means that my clients had to manually select and take action to encrypt their devices, which is not our requirement. I do not know why this appeared. I have tried to find information on how to enable BitLocker silently an

    :)
     
    Lộc Nguyễn1, Jun 19, 2023
    #1

  2. Need to enable startup PIN along with silent BitLocker disk encryption. Which policy in Microsoft Intune can help to meet this requirement without admin privilege?

    Need to enable startup pin along with silent bitlocker disk encryption:

    Silent drive encryption is working with the device configuration policy but not getting option to set up PIN. Please suggest.
     
    Anekar Neelam, Jun 19, 2023
    #2
  3. Enfield Win User
    Bitlocker configured through Drive Encryption in Intune and Errors out. Not sure where it is going wrong.

    We have setup Bitlocker through Intune Disk Encryption. I get the following error on the device. Dell Optiplex 7000

    Under the Event Viewer - Microsoft\Windows\Bitlocker-API\Management

    Error

    Failed to enable Silent Encryption

    Error: Group Policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info. contact your system administrator.

    Event ID: 851

    I ran a few commands based on the article below and I saw WARNING messages.

    PowerShell command I ran:

    Confirm-SecureBootUEFI

    Returned True

    Warning: In Event Viewer Microsoft\Windows\Bitlocker-API\Management

    Bitlocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not read.

    Error Messages: A required privilege is not held by the client

    When I checked the BIOS settings everything looks good

    BIOS Mode: UEFI

    Secure Boot State: On

    In the output, locate the Windows Boot Loader section that includes the line identifier={current}. In that section, locate the recoverysequence attribute. The value of this attribute should be a GUID value, not a string of zeros.

    Event ID 851: Contact the manufacturer for BIOS upgrade instructions

    The event information will be similar to the following error message:

    Cause of Event ID 851: Contact the manufacturer for BIOS upgrade instructions

    The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption doesn't support legacy BIOS.

    Resolution for Event ID 851: Contact the manufacturer for BIOS upgrade instructions

    To verify the BIOS mode, use the System Information application by following these steps:

    1. Select Start, and enter msinfo32 in the Search box.
    2. Verify that the BIOS Mode setting is UEFI and not Legacy.

      (screenshot: bios-mode-uefi.png)
    3. If the BIOS Mode setting is Legacy, the UEFI firmware needs to be switched to UEFI or EFI mode. The steps for switching to UEFI or EFI mode are specific to the device.

      Note

      If the device supports only Legacy mode, Intune can't be used to manage BitLocker Device Encryption on the device.
    Error message: The UEFI variable 'SecureBoot' could not be read

    An error message similar to the following error message is displayed:

    Cause of Error message: The UEFI variable 'SecureBoot' could not be read

    A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.

    Resolution for Error message: The UEFI variable 'SecureBoot' could not be read

    This issue can be resolved by verifying the PCR validation profile of the TPM and the secure boot state by following these steps:

    Step 1: Verify the PCR validation profile of the TPM

    To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:

    Windows Command Prompt

    In the TPM section of the output of this command, verify whether the PCR Validation Profile setting includes 7, as follows:

    (screenshot: manage-bde-output-include-7.png)

    If PCR Validation Profile doesn't include 7 (for example, the values include 0, 2, 4, and 11, but not 7), then secure boot isn't turned on.

    (screenshot: manage-bde-output-not-include-7.png)

    Step 2: Verify the secure boot state

    To verify the secure boot state, use the System Information application by following these steps:

    1. Select Start, and enter msinfo32 in the Search box.
    2. Verify that the Secure Boot State setting is On, as follows:

      (screenshot: secure-boot-state-on.png)
    3. If the Secure Boot State setting is Unsupported, Silent BitLocker Encryption can't be used on the device.

      (screenshot: secure-boot-state-unsupported.png)
    Note

    The Confirm-SecureBootUEFI PowerShell cmdlet can also be used to verify the Secure Boot state by opening an elevated PowerShell window and running the following command:

    PowerShell

    If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."

    If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False."

    If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
     
    Enfield, Jun 19, 2023
    #3
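    The checks quoted above (UEFI mode, Secure Boot state, PCR 7 in the TPM's PCR Validation Profile, and the Event ID 851 entries in the BitLocker Management log) can be gathered in one place. The following PowerShell function is an added example, not code from this thread or from the Microsoft documentation it quotes; the function name Test-SilentBitLockerReadiness is hypothetical. It assumes an elevated session (the cmdlets and manage-bde -protectors -get need it), that manage-bde prints the PCR list on the line after "PCR Validation Profile:", and that BitLocker policy values land under the standard FVE policy registry key.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or Microsoft docs): collect the signals that the
# troubleshooting steps above inspect, and report them as one object.

function Test-SilentBitLockerReadiness {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # OS drive, e.g. "C:"
    )

    $result = [ordered]@{}

    # 1. Firmware mode: Windows sets $env:firmware_type to "UEFI" or "Legacy".
    $result.FirmwareMode = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    # 2. Secure Boot: returns $true/$false on UEFI systems and throws on legacy BIOS
    #    ("Cmdlet not supported on this platform"), which we report as 'Unsupported'.
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result.SecureBoot = 'Unsupported'
    }

    # 3. TPM presence and readiness.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch {
        $result.TpmPresent = $false
        $result.TpmReady   = $false
    }

    # 4. PCR Validation Profile of the TPM protector, parsed from manage-bde text output.
    #    Assumption: the PCR list (e.g. "7, 11" or "0, 2, 4, 11") is on the line that
    #    follows the "PCR Validation Profile:" label. An unencrypted drive has no
    #    TPM protector yet, so the list stays empty.
    $result.PcrProfile = @()
    $lines = @(& manage-bde.exe -protectors -get $MountPoint 2>$null)
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:') {
            $result.PcrProfile = @($lines[$i + 1] -split '[,\s]+' |
                Where-Object { $_ -match '^\d+$' } |
                ForEach-Object { [int]$_ })
            break
        }
    }
    # PCR 7 in the profile means BitLocker is using Secure Boot for integrity validation.
    $result.Pcr7Bound = $result.PcrProfile -contains 7

    # 5. Recovery-backup policy values (the Event 851 text above refers to this policy).
    #    Assumption: policy is written under the standard FVE policy key.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $result.OSActiveDirectoryBackup        = $fve.OSActiveDirectoryBackup
    $result.OSRequireActiveDirectoryBackup = $fve.OSRequireActiveDirectoryBackup

    # 6. Recent "Failed to enable Silent Encryption" events (Event ID 851) from the log
    #    shown in Event Viewer as Microsoft\Windows\BitLocker-API\Management.
    $result.Recent851 = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 851
        } -MaxEvents 5 -ErrorAction SilentlyContinue | ForEach-Object {
            '{0:u}  {1}' -f $_.TimeCreated, ($_.Message -split "`n")[0]
        })

    # Verdict: the preconditions the quoted steps require for silent encryption.
    $result.Ready = ($result.FirmwareMode -eq 'UEFI') -and
                    ($result.SecureBoot -eq $true) -and
                    $result.TpmPresent -and $result.TpmReady

    [pscustomobject]$result
}

Test-SilentBitLockerReadiness | Format-List
```

Run it from an elevated PowerShell window on the affected device. A device that reports FirmwareMode Legacy or SecureBoot Unsupported fails the requirement stated in the quoted text, a PcrProfile without 7 matches the "not include 7" case, and the Recent851 entries give the exact failure reason to compare against the policy values.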
  4. Microsoft Intune: How to enable bitlocker silently - Got issue: Device Encryption...

    Windows 10 BitLocker Drive Encryption AND Device Encryption enabled?

    Recently I looked into enabling "BitLocker Drive Encryption" on Windows 10 Pro. After enabling it, I discovered that "Device Encryption" under Settings -> Update and Security -> Device Encryption was already enabled. This is a new Lenovo laptop from 12/2020,
    bought from Lenovo with Windows 10 installed. I never enabled Device Encryption, so I'm guessing it was enabled by default. Does it matter if both "Device Encryption" AND "BitLocker Drive Protection" are BOTH enabled? Should I disable one of them?
     
    AndyBusch1, Jun 19, 2023
    #4