BitLocker not working automatically

Matt Dillon 1,211 Reputation points
2024-03-19T13:12:23.5766667+00:00

I have been using the same silent BitLocker encryption settings on most tenants I set up with no issues. I have a Entra Hybrid Joined tenant that was using AirWatch as thier MDM which controlled BitLocker. Once the device was removed from BitLocker, the device was able to properly run the GPO to enroll in Intune. After a bit of waiting, we noticed that the BitLocker encryption reported successful, but the device was not encrypted. Event Viewer, etc is not proving to be very useful at diagnosing the error. We manually kicked off BitLocker encryption and it wanted a reboot and when he logged back in, the encryption was running. We removed BitLocker encryption and rebooted and getting the same errors in Event Viewer that don't really point to anything. I Entra joined two separate devices and both got BitLocker within minutes. I even removed BitLocker and rebooted twice and both times my device encrypted automatically. So I know BitLocker policy is working on new devices, BitLocker manual works on the test device, but automated BitLocker will not run. I tried adding the preventdeviceencryption reg key to my entra joined device, but it encrypted with BitLocker regardless. Not sure where else to look.

Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
327 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,289 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. ZhoumingDuan-MSFT 7,270 Reputation points Microsoft Vendor
    2024-03-20T06:02:55.17+00:00

    @Matt Dillon, Thanks for posting in Q&A.

    To narrow down this issue, please check the following.

    1.Device Prerequisites. A device must meet the following conditions to be eligible for silently enabling BitLocker:

    • If end users sign in to the devices as Administrators, the device must run Windows 10 version 1803 or later, or Windows 11.
    • If end users sign in to the devices as Standard Users, the device must run Windows 10 version 1809 or later, or Windows 11.
    • The device must be Microsoft Entra joined or Microsoft Entra hybrid joined.
    • Device must contain at least TPM (Trusted Platform Module) 1.2.
    • The BIOS mode must be set to Native UEFI only.

    2.Review the logs and check BitLocker prerequisites.

    https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting

    3.Try to delete the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE key and then sync your device to see if it starts to encrypt.

    4.Check the BitLocker policy status in Intune portal and encryption report.

    https://endpoint.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMonitorMenu/~/encryptionReport

    If there is any unclear, feel free to let me know.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Pavel yannara Mirochnitchenko 11,596 Reputation points
    2024-03-27T06:41:36.2233333+00:00

    Not sure is this the same thing, but I have seen, that after Microsoft changed the Bitlocker template structure in Endpoint Security \ Disk encryption, the automation stopped working. I've seen this in my lab but also first customer reported this problem as well now. I am still investigating. In Bitlocker-API event viewer, I see some error about automation not kicking on. I don't have this right now, but I will keep testing.