Intune - Require Device Encryption ERROR TYPE 2 ERROR CODE 65000

Kannan Venkatachalam 5 Reputation points
2023-07-26T13:49:12.7466667+00:00

I'm trying to test/push BitLocker on Autopilot hybrid-joined devices only, and somehow I can't overcome this error. Any suggestions?

Error Details on endpoint console:

Setting Details

SETTING: Require Device Encryption
STATE: Error
ERROR TYPE: 2
ERROR CODE: 65000
SOURCE PROFILES: Source Profile

Unfortunately, there are no errors in the machine event log.

Policy settings applied:

Windows Components > BitLocker Drive Encryption

  Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled
    Select the encryption method for removable data drives: AES-CBC 128-bit (default)
    Select the encryption method for fixed data drives: XTS-AES 128-bit (default)
    Select the encryption method for operating system drives: XTS-AES 128-bit (default)

Windows Components > BitLocker Drive Encryption > Operating System Drives

  Enforce drive encryption type on operating system drives: Enabled
    Select the encryption type (Device): Full encryption
  Require additional authentication at startup: Enabled
    Configure TPM startup key and PIN: Allow startup key and PIN with TPM
    Configure TPM startup: Allow TPM
    Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive): False
    Configure TPM startup PIN: Allow startup PIN with TPM
    Configure TPM startup key: Allow startup key with TPM
  Configure minimum PIN length for startup: Enabled
    Minimum characters: 6

Windows Components > BitLocker Drive Encryption > Fixed Data Drives

  Enforce drive encryption type on fixed data drives: Enabled
    Select the encryption type (Device): Full encryption
  Choose how BitLocker-protected fixed drives can be recovered: Enabled
    Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: True
    Allow data recovery agent: True
    Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
    Allow 256-bit recovery key
    Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
    Save BitLocker recovery information to AD DS for fixed data drives: True
    Omit recovery options from the BitLocker setup wizard

Windows Components > BitLocker Drive Encryption > Removable Data Drives

  Control use of BitLocker on removable drives: Enabled
    Allow users to apply BitLocker protection on removable data drives (Device): True
  Enforce drive encryption type on removable data drives: Enabled
    Select the encryption type (Device): Allow user to choose (default)
  Allow users to suspend and decrypt BitLocker protection on removable data drives (Device): False
  Deny write access to removable drives not protected by BitLocker: Enabled
    Do not allow write access to devices configured in another organization: True


10 answers

  1. Brian Knackstedt 0 Reputation points
    2023-09-20T03:09:10.9033333+00:00

    We are having the same issue here as well with a newly configured Intune tenant: Windows 10 and 11, hybrid Azure join, Endpoint Security > Disk encryption policy. Other Intune tenants with the same policy seem fine. Another thing I noticed is that the BitLocker settings in the policy are sorted differently. Screenshot of a working tenant; in a tenant with the 65000 error, Administrative Templates is above BitLocker and the settings below are sorted oddly.

    User's image

    Screen shot of the issue.

    User's image

    OS drive does get encrypted, compliance policy shows require BitLocker as compliant, device is using TPM 2.0, latest Windows 22H2 Updates are installed, device has been restarted multiple times.


  2. Dennis 11 Reputation points
    2023-09-20T10:43:10.9166667+00:00

    Same problem here...


  3. Jonathan @ ANDRIA IT 30 Reputation points
    2023-09-20T14:05:28.8333333+00:00

  4. Clinson Valley 0 Reputation points
    2023-09-22T05:29:59.93+00:00

    I had the same problem. Turns out I had applied the compliance policy first which actually encrypted everyone's drives. It did it with used space encryption. I added the configuration policy not realizing the compliance policy had already done the encryption and I configured it for Full Encryption. I changed the configuration policy to used space encryption and the error went away.


  5. Dennis 11 Reputation points
    2023-09-25T08:11:09.07+00:00

    Same issue and workaround here (change "Full encryption" to "Used space only encryption").
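A device-side check for the mismatch the two answers above describe (drives already encrypted as used-space-only by the compliance policy, while the configuration policy demands full encryption), added here as an example and not code from the thread or from Microsoft. It assumes the enforced type is visible as OSEncryptionType / FDVEncryptionType under HKLM:\SOFTWARE\Policies\Microsoft\FVE (0 = user choice, 1 = Full, 2 = Used Space Only) and that manage-bde's "Conversion Status" line distinguishes the two; run it from an elevated prompt.

```powershell
# Added example: compare the encryption type the applied policy requires with the
# type each BitLocker volume actually has, and flag the mismatch.
# Assumption: "Enforce drive encryption type" lands in the FVE policy key as
# OSEncryptionType (OS drives) / FDVEncryptionType (fixed data drives), where
# 0 = Allow user to choose, 1 = Full encryption, 2 = Used space only.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$typeNames = @{ 0 = 'Allow user to choose'; 1 = 'Full encryption'; 2 = 'Used space only' }

function Get-RequiredEncryptionType {
    param([string]$VolumeType)   # 'OperatingSystem' or 'Data' from Get-BitLockerVolume
    $name = if ($VolumeType -eq 'OperatingSystem') { 'OSEncryptionType' } else { 'FDVEncryptionType' }
    $item = Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # policy does not enforce a type
    return [int]$item.$name
}

# Get-BitLockerVolume does not expose full vs. used-space-only, so read the
# "Conversion Status" line that manage-bde prints for the volume.
function Get-ActualEncryptionType {
    param([string]$MountPoint)
    $line = manage-bde -status $MountPoint 2>$null | Where-Object { $_ -match 'Conversion Status:' }
    if ($line -match 'Used Space Only') { return 2 }
    if ($line -match 'Fully Encrypted') { return 1 }
    return $null   # decrypted or still converting
}

foreach ($vol in Get-BitLockerVolume) {
    $required = Get-RequiredEncryptionType -VolumeType $vol.VolumeType
    $actual   = Get-ActualEncryptionType -MountPoint $vol.MountPoint
    # A mismatch only exists when the policy enforces a specific type and the
    # volume is already encrypted with the other one.
    $mismatch = ($required -in 1, 2) -and ($null -ne $actual) -and ($required -ne $actual)
    [pscustomobject]@{
        Drive      = $vol.MountPoint
        VolumeType = $vol.VolumeType
        Protection = $vol.ProtectionStatus
        Required   = if ($null -ne $required) { $typeNames[$required] } else { 'not enforced' }
        Actual     = if ($null -ne $actual)   { $typeNames[$actual] }   else { 'n/a' }
        Mismatch   = $mismatch
    }
}
```

A row with Mismatch = True on a drive that is already protected is the condition the workaround addresses; aligning the configuration policy with the type already on the drive (or decrypting and re-encrypting to the required type) clears it.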

