Intune - Require Device Encryption ERROR TYPE 2 ERROR CODE 65000

Kannan Venkatachalam 5 Reputation points
2023-07-26T13:49:12.7466667+00:00

I'm trying to test/push BitLocker on Autopilot hybrid-join-only devices; somehow I can't overcome this error. Any suggestions?

Error Details on endpoint console:

Setting Details

    Setting: Require Device Encryption
    State: Error
    Error type: 2
    Error code: 65000
    Source profiles: Source Profile

Unluckily there are no errors in the machine event log.


Windows Components > BitLocker Drive Encryption
    Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled
        Select the encryption method for removable data drives: AES-CBC 128-bit (default)
        Select the encryption method for fixed data drives: XTS-AES 128-bit (default)
        Select the encryption method for operating system drives: XTS-AES 128-bit (default)

Windows Components > BitLocker Drive Encryption > Operating System Drives
    Enforce drive encryption type on operating system drives: Enabled
        Select the encryption type (Device): Full encryption
    Require additional authentication at startup: Enabled
        Configure TPM startup key and PIN: Allow startup key and PIN with TPM
        Configure TPM startup: Allow TPM
        Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive): False
        Configure TPM startup PIN: Allow startup PIN with TPM
        Configure TPM startup key: Allow startup key with TPM
    Configure minimum PIN length for startup: Enabled
        Minimum characters: 6

Windows Components > BitLocker Drive Encryption > Fixed Data Drives
    Enforce drive encryption type on fixed data drives: Enabled
        Select the encryption type (Device): Full encryption
    Choose how BitLocker-protected fixed drives can be recovered: Enabled
        Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: True
        Allow data recovery agent: True
        Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
        Allow 256-bit recovery key
        Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
        Save BitLocker recovery information to AD DS for fixed data drives: True
        Omit recovery options from the BitLocker setup wizard

Windows Components > BitLocker Drive Encryption > Removable Data Drives
    Control use of BitLocker on removable drives: Enabled
        Allow users to apply BitLocker protection on removable data drives (Device): True
    Enforce drive encryption type on removable data drives: Enabled
        Select the encryption type (Device): Allow user to choose (default)
    Allow users to suspend and decrypt BitLocker protection on removable data drives (Device): False
    Deny write access to removable drives not protected by BitLocker: Enabled
        Do not allow write access to devices configured in another organization: True


10 answers

  1. Anonymous
    2023-09-22T10:10:17.6566667+00:00

    Hi everyone,
    I tried to change "Full encryption" to "Used space only encryption" and the 65000 error disappeared.

    This doesn't solve the problem, but it is working while waiting for a concrete solution.

    After some research (thanks to @Crystal-MSFT) it seems to come from the Microsoft root TPM Certificate Authority 2014. Follow this link: https://call4cloud.nl/2023/04/are-you-there-intune-its-me-hac/

    2 people found this answer helpful.

  2. Pavel yannara Mirochnitchenko 13,331 Reputation points MVP
    2023-07-26T17:04:24.0666667+00:00

    There might be a known issue going on now, because all of a sudden disk encryption stopped working for a few environments I know. Go to Event Viewer, under Windows and Apps, look for the BitLocker-API node and look for the error code you see there. If it is about not being able to upload keys to Azure AD, it might be it. I'll keep you posted.

    1 person found this answer helpful.

  3. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2023-07-27T01:49:50.2266667+00:00

    @Kannan Venkatachalam, thanks for posting in Q&A. From the information you provided, it seems you configured the BitLocker policy in a Settings Catalog profile and the recovery key is stored in AD, but it failed.

    I notice you have checked the machine event log. Could you confirm if you have checked the following event logs?

    Applications and Service Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin

    Applications and Service Logs > Microsoft > Windows > BitLocker-API

    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-protection/troubleshoot-bitlocker-policies

    If there's any update, feel free to let us know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  4. Anonymous
    2023-09-14T15:21:39.6266667+00:00

    Hi,
    I have the same problem, error 65000 type 2.

    Here are my BitLocker policies through Endpoint security:

    After looking for the error message in the event viewer, I found this:
    CSP BitLocker : GetDeviceEncryptionComplianceStatus indique OSV n’est pas conforme à l’état renvoyé 0x10000 -> (BitLocker CSP: GetDeviceEncryptionComplianceStatus indicates OSV does not conform to the status returned 0x10000)

    The encryption is correctly deployed, as we can see when I check with the manage-bde -status command.

    I'm a newbie with Intune and I'm a little bit lost... If you have an idea, let me know.
    Thanks in advance!

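    A PowerShell triage script, added here as an example and not part of any answer in this thread, that checks the OS volume on the device against the policy posted in the question (XTS-AES 128, full encryption, TPM + PIN at startup, recovery password) and pulls recent errors and warnings from the two event logs the answers above point at. The expected method name and the parse of the English "Conversion Status" line from manage-bde are assumptions; that line will read differently on a localized system.

```powershell
# Added diagnostic example (not from the thread). Run in an elevated PowerShell
# on the affected device. Assumes the policy posted in the question:
# XTS-AES 128 for the OS drive, full encryption, TPM + PIN at startup,
# and a recovery password backed up to AD DS.
$osDrive        = $env:SystemDrive
$expectedMethod = 'XtsAes128'   # assumption: Get-BitLockerVolume's name for XTS-AES 128-bit

# 1. Volume state: encryption method, status and which protectors exist
$vol        = Get-BitLockerVolume -MountPoint $osDrive
$protectors = $vol.KeyProtector.KeyProtectorType
[pscustomobject]@{
    Drive            = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted / EncryptionInProgress / ...
    ProtectionStatus = $vol.ProtectionStatus    # On / Off
    EncryptionMethod = $vol.EncryptionMethod
    MethodMatches    = ($vol.EncryptionMethod -eq $expectedMethod)
    HasTpmPin        = ($protectors -contains 'TpmPin')
    HasRecoveryPwd   = ($protectors -contains 'RecoveryPassword')
} | Format-List

# 2. Encryption type (full vs. used space only) is only visible in manage-bde output.
#    The string match is English-only (assumption); localized builds print other text.
$conversion = (manage-bde -status $osDrive | Select-String 'Conversion Status').Line
Write-Host "manage-bde: $conversion"
if ($conversion -match 'Used Space Only') {
    Write-Warning 'Volume is used-space-only encrypted; the posted policy requires full encryption.'
}

# 3. Errors/warnings from the last 24 hours in the BitLocker-API and
#    DeviceManagement-Enterprise-Diagnostics-Provider logs named in the answers.
$logs = @(
    'Microsoft-Windows-BitLocker/BitLocker Management',
    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
)
foreach ($log in $logs) {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = $log; Level = 2, 3; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue     # no matching events is not an error here
    "`n== $log ($($events.Count) events) =="
    $events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
}
```

    A "Used Space Only" conversion status together with a policy that enforces full encryption is one mismatch that produces the non-compliant status reported in the thread; the event entries show which side (key backup or encryption type) the CSP is complaining about.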

  5. Peter West 0 Reputation points
    2023-09-18T09:31:44.2466667+00:00

    We are having the same issue here. Is there any update from Microsoft?

    We are trialling AutoPilot on Windows 11 devices. The policy seems to work without error when using AutoPilot on Windows 10 devices.

