This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I have been using the same silent BitLocker encryption settings on most tenants I set up with no issues. I have a Entra Hybrid Joined tenant that was using AirWatch as thier MDM which controlled BitLocker. Once the device was removed from BitLocker, the device was able to properly run the GPO to enroll in Intune. After a bit of waiting, we noticed that the BitLocker encryption reported successful, but the device was not encrypted. Event Viewer, etc is not proving to be very useful at diagnosing the error. We manually kicked off BitLocker encryption and it wanted a reboot and when he logged back in, the encryption was running. We removed BitLocker encryption and rebooted and getting the same errors in Event Viewer that don't really point to anything. I Entra joined two separate devices and both got BitLocker within minutes. I even removed BitLocker and rebooted twice and both times my device encrypted automatically. So I know BitLocker policy is working on new devices, BitLocker manual works on the test device, but automated BitLocker will not run. I tried adding the preventdeviceencryption reg key to my entra joined device, but it encrypted with BitLocker regardless. Not sure where else to look.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
@Matt Dillon, Thanks for posting in Q&A.
To narrow down this issue, please check the following.
1.Device Prerequisites. A device must meet the following conditions to be eligible for silently enabling BitLocker:
2.Review the logs and check BitLocker prerequisites.
3.Try to delete the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE key and then sync your device to see if it starts to encrypt.
4.Check the BitLocker policy status in Intune portal and encryption report.
If there is any unclear, feel free to let me know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for the reply.
What is interesting is the one device that is Windows 11 did not have Secure Boot enabled, but the Windows 10 did. When we reset the Windows 11 device and Entra joined it, BitLocker encryption worked perfectly. The Windows 10 device was able to manually encrypt when BitLocker was selected, but required a reboot. Never seen that before. When the Windows 11 device was reset yesterday, we domain joined and then it was hybrid joined and enrolled in Intune. Everything worked except BitLocker.
At this point, I need a hybrid device in my hands to get a closer look at. I saw no GPO's related to BitLocker, which I why I reached out here.
Another piece of the puzzle is a script I normally push out in Hybrid Intune environments to capture the BitLocker recovery key and upload to Entra is failing. The existing devices are set to use PINS. (I have not enabled that in Intune yet. I just want regular silent encryption applied and then after that happens, I have a whole other method of using the PIN thanks to this guy - Oliver Kieselbach. )
Not even sure what other GPO could be preventing the silent encryption on hybrid devices only at this point. Hoping to get a VPN account and hybrid autopilot a device to have on my own to test with.
@Matt Dillon, Thanks for your update.
We can check if there exist some settings in GPO that may refuse Silently BitLocker encryption. Location: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives and Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
Here is a link about how to troubleshoot BitLocker on client side.
Hope above information can help you.
As previously mentioned, there are no obvious GPO's getting applied.
@Matt Dillon, Thanks for your sharing.
We can try to create a new non-silently BitLocker policy and assign it to check whether it can work properly.
@Matt Dillon, Hope you have a nice day.
May I know the status from your side? If there is any update, feel free to contact me.
Client is on break this week so minimally looking at the issue to see if I cannot find the missing link. I am leaning on something (not sure what) is blocking the key upload from Intune-based scripts BitLocker policy on the Hybrid Joined devices. Cannot seem to find anyone else having the same issue as I am.
@Matt Dillon, Thanks for your sharing.
If you want to upload recovery key into Intune, here is a link about how to configure BitLocker recovery key in Intune.
Moreover, you can use the script to upload the recovery key into Intune.
#Get the BitLocker volume
$BitLockerVolume = Get-BitLockerVolume -MountPoint "C:"
#Backup the recovery information to Azure AD
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BitLockerVolume.KeyProtector[1].KeyProtectorId
Not sure is this the same thing, but I have seen, that after Microsoft changed the Bitlocker template structure in Endpoint Security \ Disk encryption, the automation stopped working. I've seen this in my lab but also first customer reported this problem as well now. I am still investigating. In Bitlocker-API event viewer, I see some error about automation not kicking on. I don't have this right now, but I will keep testing.
Intriguing. I saw the format of the policy changed last year. My policy works perfectly on Entra devices using the new format. Hybrid Joined devices won't silently encrypt. The other thing I noticed was that the script I use to upload BitLocker Recovery Keys for existing devices that were enrolled in Intune after they had BitLocker already present is failing on the hybrid devices as well. This is the code I use:
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId ((Get-BitLockerVolume -MountPoint $env:SystemDrive ).KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId
If it acts like a duck, its most likely a duck which tells me the Hybrid Joined devices have some sort of block on encryption or key upload somewhere. Until I am able to get my hands on a hybrid device myself to deep dive, I am going by what I can gather from a Teams meeting.
As a new test, I have created a policy in the Configuration profiles - templates to see if that helps. I will report back if this works on my Entra Joined device and see if anything changes on the Hybrids.