Bitlocker D drive and Recovery after Restart

Ahmed Sh 100 Reputation points
2024-05-23T15:38:08.47+00:00

Hello, I am starting to create an Intune policy to encrypt devices with full disk encryption using BitLocker. So far, The policy works fine for the C drive but not the D drive. 

Second issue is that upon restart for an encrypted device, A recovery screen shows up and user should use the recovery key to use the device.

I need some more understanding about the policy template settings to see what could be causing those behaviors.

Current policy settings for reference:

BitLocker

Require Device Encryption

Enabled

Allow Warning For Other Disk Encryption

Disabled

Allow Standard User Encryption

Enabled

Configure Recovery Password Rotation

Refresh on for both Azure AD-joined and hybrid-joined devices

Administrative Templates

Windows Components > BitLocker Drive Encryption

Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)

Enabled

Select the encryption method for removable data drives:

AES-CBC 128-bit (default)

Select the encryption method for operating system drives:

XTS-AES 128-bit (default)

Select the encryption method for fixed data drives:

XTS-AES 128-bit (default)

Provide the unique identifiers for your organization

Not configured

Windows Components > BitLocker Drive Encryption > Operating System Drives

Enforce drive encryption type on operating system drives

Enabled

Select the encryption type: (Device)

Full encryption

Require additional authentication at startup

Disabled

Configure minimum PIN length for startup

Not configured

Allow enhanced PINs for startup

Not configured

Disallow standard users from changing the PIN or password

Not configured

Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.

Not configured

Enable use of BitLocker authentication requiring preboot keyboard input on slates

Not configured

Choose how BitLocker-protected operating system drives can be recovered

Enabled

Omit recovery options from the BitLocker setup wizard

False

Allow data recovery agent

False

Allow 256-bit recovery key

Configure storage of BitLocker recovery information to AD DS:

Store recovery passwords and key packages

Do not enable BitLocker until recovery information is stored to AD DS for operating system drives

True

Save BitLocker recovery information to AD DS for operating system drives

True

Configure user storage of BitLocker recovery information: 

Allow 48-digit recovery password

Configure pre-boot recovery message and URL

Enabled

Select an option for the pre-boot recovery message:

Use default recovery message and URL

Custom recovery URL option:

Custom recovery message option:

Windows Components > BitLocker Drive Encryption > Fixed Data Drives

Enforce drive encryption type on fixed data drives

Enabled

Select the encryption type: (Device)

Full encryption

Choose how BitLocker-protected fixed drives can be recovered

Enabled

Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives

True

Allow data recovery agent

True

Configure storage of BitLocker recovery information to AD DS:

Backup recovery passwords and key packages

Allow 256-bit recovery key

Save BitLocker recovery information to AD DS for fixed data drives

True

Omit recovery options from the BitLocker setup wizard

True

Configure user storage of BitLocker recovery information: 

Allow 48-digit recovery password

Deny write access to fixed drives not protected by BitLocker

Not configured

Windows Components > BitLocker Drive Encryption > Removable Data Drives

Control use of BitLocker on removable drives

Not configured

Deny write access to removable drives not protected by BitLocker

Not configured

Review + save

Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,612 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Pavel yannara Mirochnitchenko 12,381 Reputation points MVP
    2024-05-23T16:10:08.5766667+00:00

    In Event Viewer you have Bitlocker-API node(folder) where to look first. It is located under Applications and Services\Microsoft\Windows.

    See what errors you get there.

    :)


  2. Pavel yannara Mirochnitchenko 12,381 Reputation points MVP
    2024-05-27T12:10:23.1266667+00:00

    Sence there was no other replies on this thread, let me try to point few aspects...

    1. If you have co-management, and devices are also in Intune, consider that you would have only one control mechanizmin use. And sence you are saving recovery keys to on-prem Active Directory, I would ensure that your Intune has nothing to do with Bitlocker, so check that all currenct settings you have in Intune, do not configure anything regarding Disk encryption. Also make sure Windows Security Baseline and Defender Baseline have no bitlocker settings.
    2. Computer being in AD as a member and GPOs placed, are you able to encrypt data drive manually, and also that it would save the key into AD. See first that you can do this manually.
    0 comments No comments