This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 38%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGH%3C/text%3E%3C/svg%3E)
Hi All,
Since +/- Friday 07-July-2023 we started noticing (so it might have started earlier) that only our HP ProBook 440 G5 laptops no longer automatically enabled BitLocker after it was installed with a new image (and because of that, they will not get compliant, so are of no use to our end users).
It seems the drive is still automatically encrypted, but the TMP protector has not been created and the recovery key is not uploaded to Azure.
(I'm not sure which one should go first, it could be that the TMP protector is not created because the recovery key has not yet been uploaded to Azure, or that the recovery key has not been uploaded to Azure because the TPM protector has not yet been created)
In event viewer we can see that the encryption has successfully finished, but the following error message shows when trying to upload the recovery key to Azure:
Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
Error: Unknown Hresult Error code: 0x80072efe
Id: 846
(and it keeps trying here and there but keeps failing)
If I create the TPM protector via the following PowerShell command:
Add-BitLockerKeyProtector -MountPoint C: -TpmProtector
It is possible to activate BitLocker via the following PowerShell command:
Resume-BitLocker -MountPoint C:
And the laptop becomes compliant, but the recovery key has still not been uploaded to Azure (so this is still not a laptop which we want to provide to the end user).
If I try to upload the recovery key to Azure via the following PowerShell commands:
$bdeallsettings = Get-BitLockerVolume -MountPoint C: | select *
$bdeselectkey = $bdeallsettings.KeyProtector | where {$_.KeyProtectorType -eq 'RecoveryPassword'}
foreach ($key in $bdeselectkey) {
BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $key.KeyProtectorId
}
I get the following error message:
*BackupToAAD-BitLockerKeyProtector : Uitzondering van HRESULT: 0x80072EFE
+ BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtecto ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,BackupToAAD-BitLockerKeyProtector*
Which is kind of the same as the error in event viewer.
For what I could find, the error message indicates that there would be a connection (and/or DNS) error with Azure (or access issue), but if this would be the case, this would be an issue on all our laptops (and this is not the case, because the issue only occurs with the HP ProBook 440 G5).
When using "dsregcmd.exe /status", I also notice that the laptops with an issue have the following differences with laptops which don't have this issue (but could be a coincidence):
Tenant Details:
Working: JoinSrvVersion : 1.0
Not working: JoinSrvVersion : 2.0
(not sure what this does/means)
Diagnostic Data:
Working: Last HostName Update : SUCCESS
Server Message : The attribute 'hostnames' value(s) were successfully updated
Not Working: Last HostName Update : FAIL
Client ErrorCode : 0x80072ee7
And this error message also indicates connection and/or DNS issues.
Can anyone tell us what has changed and/or what is causing these issues?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 90%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
We have a ticket open for the same exact issue. Sharing this post with our assigned CSM now to hopefully help prioritize the escalation.
I have an update myself. :-)
It looks like it might be an issue with an old TPM firmware (but not confirmed yet, as I did not yet find an TPM firmware update which was new enough).
But there is also a workaround:
This seems to resolve the issue.
But we don't want to roll-out this change yet, as we are not sure yet what implications removing those signature suites from the registry might have on any other part of the laptop and/or communication with our other systems.
So if anyone can help out there, that would be great.
If I know more, I will let you know.
Update from MS:
We have identified this issue where some Windows clients with TPM 2.0 cannot handle some algorithms properly during client TLS when communicating with enterpriseregistration.windows.net.
The Product group is currently investigating and working to resolve this issue.
Unfortunately, no ETA yet.
(but if you can't wait, you can look into the above mentioned workarounds)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 86%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEA%3C/text%3E%3C/svg%3E)
I can confirm that George's workaround works properly.
I'm wondering if I could prevent this issue by not configuring encryption method.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 31%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBJ%3C/text%3E%3C/svg%3E)
Hi George Hollerman, Thanks for your post and workaround provided is working fine.
We have same issue with all HP EliteBook 830 G5 model, Post SCCM TS we can fix this issue by decrypt and enable bitlocker or registry key changes you have provided. We want SCCM task sequence to enable bitlocker protection during image process.
Any update provided by Microsoft?
SMSTS Log says Error: 80072EFE
OSDBitLocker is running on Windows 8 or higher. OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
No reboot count provided. OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Protection is OFF OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Volume is fully encrypted OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Creating key protectors OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm is enabled OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm is activated OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm is owned OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm ownership is allowed OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm has compatible SRK OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Tpm has EK pair OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Initial TPM state: 63 OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
TPM is already owned. OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Creating recovery password and escrowing to Active Directory OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Set FVE group policy registry keys to escrow recovery password OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Set FVE group policy registry key in Windows 7 OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Set FVE OSV group policy registry keys to escrow recovery password OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
Using random recovery password OSDBitLocker 7/27/2023 7:39:19 AM 2636 (0x0A4C)
uStatus == 0, HRESULT=80072efe (X:\bt\1216594\repo\src\Framework\TSCore\encryptablevolume.cpp,1294) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
'ProtectKeyWithNumericalPassword' failed (2147954430) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
m_pEncryptableVolume->ProtectKeyWithNumericalPassword( sRecoveryPwdId ), HRESULT=80072efe (X:\bt\1216594\repo\src\client\OsDeployment\BitLocker\bitlocker.cpp,653) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
Failed to create recovery password. Ensure that Active Directory is properly configured for use with BitLocker
Unknown error (Error: 80072EFE; Source: Unknown) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
CreateRecoveryPassword(), HRESULT=80072efe (X:\bt\1216594\repo\src\client\OsDeployment\BitLocker\bitlocker.cpp,1353) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
Failed to CreateRecoveryPassword (0x80072EFE) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
hr, HRESULT=80072efe (X:\bt\1216594\repo\src\client\OsDeployment\BitLocker\bitlocker.cpp,1657) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
Failed to configure key protection (0x80072EFE) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
Rolling back ... OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait, argInfo.bFull, argInfo.dwEncryptMethod, argInfo.bIgnoreWhenTPMInvalid), HRESULT=80072efe (X:\bt\1216594\repo\src\client\OsDeployment\BitLocker\main.cpp,525) OSDBitLocker 7/27/2023 7:39:28 AM 2636 (0x0A4C)
Process completed with exit code 2147954430 TSManager 7/27/2023 7:39:28 AM 4692 (0x1254)
!--------------------------------------------------------------------------------------------! TSManager 7/27/2023 7:39:28 AM 4692 (0x1254)
Failed to run the action: Enable BitLocker Spec Version. Error -2147012866 TSManager 7/27/2023 7:39:28 AM 4692 (0x1254)
Event ID 846 says Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
TraceId: {3fff26d9-98da-40ab-a1a3-07224fe424be}
Error: Unknown HResult Error code: 0x80072efe
No update from MS yet, but for me it started working normally yesterday at the end of the day (so no more workaround or updated TPM firmware needed anymore).
Will do some more tests/checks today and ask MS what happened.
If that happens with that model only, how about to update the bios first, wipe the device and re-install it? Also as a test, can the bitlocker be enabled manually if you register the computer as home user with live account?
I use Disk Encryption in Intune Endpoint Security options to enable bitlocker and for compatibility issues, I always set every option to Allow instead of Required or Block.
You probably investigated this node already in Event Viewer?
Hi Pavel,
Thanks for your quick answer.
If it would be a BIOS issue, what would have changed then, as we did not change our BitLocker/intune settings and we did not change the BIOS versions.
We already updated 1 laptop to the latest BIOS version, but unfortunately that did not change anything.
We are able to enable Bitlocker Manually if we first create the TPM protector, but then we are still not able to upload the recovery key to Azure (so we don't have a backup of the recovery key and won't give the laptop to an enduser).
We also use intune for BitLocker (and as mentioned, we did not change these setting and it worked well in the past and still for the other laptop types), but because that did no longer work for this laptop type we tried with PowerShell scripts, but ran into kind of the same problem (not being able to upload the recovery key to Azure).
We have "Save BitLocker recovery information to Azure Active Directory" set to Enable.
We have "BitLocker recovery information stored to Azure Active Directory" set to "Backup recovery passwords only"
And we have "Store recovery information in Azure Active Directory before enabling BitLocker" set to Enable.
The first error message posted in my question comes from that specific part of eventviewer you mentioned.
Any other ideas?
If any help, here are my current Bitlocker settings,
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
For some reason this second image was not saved here yesterday so I am pasting it again:
Are you sure that your recovery key (of all freshly installed laptops) is uploaded to Azure?
As I see that you don't restrict that:
We do, and that's the reason why BiLocker isn't activated, as it does not manage to upload the recovery key to Azure.
(and we don't want any laptops which are encrypted without a recovery key available ;-) )
@George Hollerman yes, that option is only for legacy local Active Directory, that's why it is not configured.
Hello.
We're facing the same issue on 2 clients. Different tenants, different configurations, different laptops, but same issue.
We've updated windows & bios, started encryption manually (but still we cannot upload to bitlocker) and tried numerous solutions. nada.
Opened a ticket today and we're waiting.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 57.00000000000001%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E2%3C/text%3E%3C/svg%3E)
Hi, have the same situation in my company with HP PCs. Maybe do you have some update with this issue?
I also created a ticket with MS for this since thursday and provided the requested logs on friday.
They are looking into the logs, so waiting for their answer/reaction.
This is the reacton I got so far:
The error 0x80072EFE means WININET_E_CONNECTION_ABORTED (“The connection with the server was terminated abnormally”), 0x80072EE7 means WININET_E_NAME_NOT_RESOLVED (“The server name or address could not be resolved”), so I’m performing some analysis and engaging our NET Team.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 24%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
And the same problem here, my HP Probook x360 440G1 (latest BIOS) doesn't silently enable bitlocker anymore and thererefore there's no recoverykey uploaded. My Dell Latitude 5420 though are working fine.
Also the problem exists in two tenants and only with this HP Probooks, other HP Elitebooks in the other tenant are working fine.
Bingo, I have now same problem on HP Elitebook. This model worked before but after last Autopilot disk is not encrypted. I will check more for details, is this the same issoe or not.
Yes, I have the same symptomps now with 0x80072efe. I will post this in Twitter and Linkedin. I am sure something is broken globally.
Hi Pavel,
Please read my comment on my own post ;-) :
George Hollerman
Jul 26, 2023, 1:02 PM
Update from MS:
We have identified this issue where some Windows clients with TPM 2.0 cannot handle some algorithms properly during client TLS when communicating with enterpriseregistration.windows.net.
The Product group is currently investigating and working to resolve this issue.
Unfortunately, no ETA yet.
(but if you can't wait, you can look into the above mentioned workarounds)
This behavior seems to be random, few hours later I installed another model with TPM 2.0 as well and it got encrypted fine.
Finally, there must a change made by Microsoft because after almost two weeks of struggling with bitlocker, today it seems that my HP Probooks are encrypted again and the key is uploaded to AAD.
A few more tests are necessary but it seems okay.
Not for me, still failing with same error code. 80072efe
For me it also started working normally yesterday at the end of the day.
Will do some more tests/checks today and ask MS what happened.
same here
For me these are the working settings in Intune > Endpoint Security > (Created) BitlockerPolicy
After a few restarts the device is encrypted and then the key is uploaded to AAD