BitLocker status "Waiting on activation" on HP ProBook 440 G5 laptops.

Anonymous
2023-07-20T15:39:21+00:00

Hi All,

Since +/- Friday 07-July-2023 we started noticing (so it might have started earlier) that only our HP ProBook 440 G5 laptops no longer automatically enabled BitLocker after it was installed with a new image (and because of that, they will not get compliant, so are of no use to our end users).

It seems the drive is still automatically encrypted, but the TPM protector has not been created and the recovery key is not uploaded to Azure.
(I'm not sure which one should go first, it could be that the TPM protector is not created because the recovery key has not yet been uploaded to Azure, or that the recovery key has not been uploaded to Azure because the TPM protector has not yet been created)

In event viewer we can see that the encryption has successfully finished, but the following error message shows when trying to upload the recovery key to Azure:

Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.

Error: Unknown Hresult Error code: 0x80072efe

Id: 846

(and it keeps trying here and there but keeps failing)

If I create the TPM protector via the following PowerShell command:

Add-BitLockerKeyProtector -MountPoint C: -TpmProtector

It is possible to activate BitLocker via the following PowerShell command:

Resume-BitLocker -MountPoint C:

And the laptop becomes compliant, but the recovery key has still not been uploaded to Azure (so this is still not a laptop which we want to provide to the end user).

If I try to upload the recovery key to Azure via the following PowerShell commands:

$bdeallsettings = Get-BitLockerVolume -MountPoint C: | select *
$bdeselectkey = $bdeallsettings.KeyProtector | where {$_.KeyProtectorType -eq 'RecoveryPassword'}
foreach ($key in $bdeselectkey) {
    BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $key.KeyProtectorId
}

I get the following error message:

BackupToAAD-BitLockerKeyProtector : Uitzondering van HRESULT: 0x80072EFE
+         BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtecto ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,BackupToAAD-BitLockerKeyProtector

Which is kind of the same as the error in event viewer.

From what I could find, the error message indicates that there would be a connection (and/or DNS) error with Azure (or access issue), but if this would be the case, this would be an issue on all our laptops (and this is not the case, because the issue only occurs with the HP ProBook 440 G5).

When using "dsregcmd.exe /status", I also notice that the laptops with an issue have the following differences with laptops which don't have this issue (but could be a coincidence):

Tenant Details:

Working:     JoinSrvVersion : 1.0
Not working: JoinSrvVersion : 2.0

(not sure what this does/means)

Diagnostic Data:

Working:     Last HostName Update : SUCCESS
             Server Message : The attribute 'hostnames' value(s) were successfully updated
Not working: Last HostName Update : FAIL
             Client ErrorCode : 0x80072ee7

And this error message also indicates connection and/or DNS issues.

Can anyone tell us what has changed and/or what is causing these issues?

Windows for home | Windows 10 | Security and privacy
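
Added example, not part of the original post: both error codes quoted in the question are Win32-facility HRESULTs that wrap WinHTTP error numbers, and they name different failure classes. The PowerShell below decodes them and reads the matching fields from "dsregcmd.exe /status" output; the function names ConvertFrom-HResult and ConvertFrom-DsregStatus are hypothetical, and the sample status text is constructed from the values quoted in the question.

```powershell
# Added example (not from the original post).
# WinHTTP error numbers (winhttp.h) that a FACILITY_WIN32 HRESULT can wrap.
$WinHttpErrors = @{
    12002 = 'ERROR_WINHTTP_TIMEOUT: request timed out'
    12007 = 'ERROR_WINHTTP_NAME_NOT_RESOLVED: server name could not be resolved'
    12029 = 'ERROR_WINHTTP_CANNOT_CONNECT: connection to the server failed'
    12030 = 'ERROR_WINHTTP_CONNECTION_ERROR: connection reset or terminated, or incompatible SSL protocol'
}

# Hypothetical helper: split an HRESULT string into failure bit, facility and code.
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][string]$Value)
    $n        = [int64][Convert]::ToUInt32($Value, 16)   # "0x" prefix is accepted
    $facility = ($n -shr 16) -band 0x7FF                 # bits 16-26
    $code     = [int]($n -band 0xFFFF)                   # bits 0-15
    $meaning  = if ($facility -eq 7 -and $WinHttpErrors.ContainsKey($code)) {
                    $WinHttpErrors[$code]                # 7 = FACILITY_WIN32
                } else { 'not in this table' }
    [pscustomobject]@{
        HResult  = '0x{0:X8}' -f $n
        Failed   = [bool](($n -shr 31) -band 1)
        Facility = $facility
        Code     = $code
        Meaning  = $meaning
    }
}

# Hypothetical helper: turn "Name : Value" lines of dsregcmd output into a dictionary.
function ConvertFrom-DsregStatus {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin   { $fields = [ordered]@{} }
    process { if ($Line -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] } }
    end     { $fields }
}

# Constructed sample, built from the "not working" values quoted in the question.
$sample = @'
            JoinSrvVersion : 2.0
      Last HostName Update : FAIL
          Client ErrorCode : 0x80072ee7
'@
$status = $sample -split '\r?\n' | ConvertFrom-DsregStatus
# On an affected laptop instead: $status = dsregcmd.exe /status | ConvertFrom-DsregStatus

$codes = @('0x80072efe')     # from event 846 and the BackupToAAD-BitLockerKeyProtector error
if ($status['Last HostName Update'] -ne 'SUCCESS') { $codes += $status['Client ErrorCode'] }
$codes | ForEach-Object { ConvertFrom-HResult $_ } | Format-Table -AutoSize -Wrap
```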

Locked Question. This question was migrated from the Microsoft Support Community.

Answer accepted by question author

DaveM121 878.9K Reputation points Independent Advisor
2023-07-20T16:11:33+00:00

Hi George,

I am Dave, I will help you with this.

I apologize, Community is just a consumer forum, due to the scope of your question can you please post this question to our sister forum on Microsoft Q&A (The System Administrators and IT Pro Forum)

Over there you will have access to a host of System Administrators and IT Pro experts and will get a knowledgeable and quick answer to this question.

https://docs.microsoft.com/en-us/answers/index....
