This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 55.00000000000001%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Hello, I am starting to create an Intune policy to encrypt devices with full disk encryption using BitLocker. So far, The policy works fine for the C drive but not the D drive.
Second issue is that upon restart for an encrypted device, A recovery screen shows up and user should use the recovery key to use the device.
I need some more understanding about the policy template settings to see what could be causing those behaviors.
Current policy settings for reference:
BitLocker
Require Device Encryption
Enabled
Allow Warning For Other Disk Encryption
Disabled
Allow Standard User Encryption
Enabled
Configure Recovery Password Rotation
Refresh on for both Azure AD-joined and hybrid-joined devices
Administrative Templates
Windows Components > BitLocker Drive Encryption
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
Enabled
Select the encryption method for removable data drives:
AES-CBC 128-bit (default)
Select the encryption method for operating system drives:
XTS-AES 128-bit (default)
Select the encryption method for fixed data drives:
XTS-AES 128-bit (default)
Provide the unique identifiers for your organization
Not configured
Windows Components > BitLocker Drive Encryption > Operating System Drives
Enforce drive encryption type on operating system drives
Enabled
Select the encryption type: (Device)
Full encryption
Require additional authentication at startup
Disabled
Configure minimum PIN length for startup
Not configured
Allow enhanced PINs for startup
Not configured
Disallow standard users from changing the PIN or password
Not configured
Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
Not configured
Enable use of BitLocker authentication requiring preboot keyboard input on slates
Not configured
Choose how BitLocker-protected operating system drives can be recovered
Enabled
Omit recovery options from the BitLocker setup wizard
False
Allow data recovery agent
False
Allow 256-bit recovery key
Configure storage of BitLocker recovery information to AD DS:
Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
True
Save BitLocker recovery information to AD DS for operating system drives
True
Configure user storage of BitLocker recovery information:
Allow 48-digit recovery password
Configure pre-boot recovery message and URL
Enabled
Select an option for the pre-boot recovery message:
Use default recovery message and URL
Custom recovery URL option:
Custom recovery message option:
Windows Components > BitLocker Drive Encryption > Fixed Data Drives
Enforce drive encryption type on fixed data drives
Enabled
Select the encryption type: (Device)
Full encryption
Choose how BitLocker-protected fixed drives can be recovered
Enabled
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives
True
Allow data recovery agent
True
Configure storage of BitLocker recovery information to AD DS:
Backup recovery passwords and key packages
Allow 256-bit recovery key
Save BitLocker recovery information to AD DS for fixed data drives
True
Omit recovery options from the BitLocker setup wizard
True
Configure user storage of BitLocker recovery information:
Allow 48-digit recovery password
Deny write access to fixed drives not protected by BitLocker
Not configured
Windows Components > BitLocker Drive Encryption > Removable Data Drives
Control use of BitLocker on removable drives
Not configured
Deny write access to removable drives not protected by BitLocker
Not configured
Review + save
In Event Viewer you have Bitlocker-API node(folder) where to look first. It is located under Applications and Services\Microsoft\Windows.
See what errors you get there.
:)
Hello @Pavel yannara Mirochnitchenko I can mainly see the below error:
Error: Group Policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info. contact your system administrator.
Hello @Pavel yannara Mirochnitchenko , Sure.
Failed to enable Silent Encryption.
Error: Group policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info, contact your system administrator..
However we can't really locate a GPO creating this conflict/error
Later on after using GPO as a workaround, got this error:
failed to enable silent encryption illegal operation attempted on a registry key that has been marked for deletion
@Pavel yannara Mirochnitchenko
Regarding D drive encryption, Was getting the error below:
Error: Group Policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info. contact your system administrator.
It did not work until I created a GPO for Fixed Data drives as mentioned in the below article.
https://www.burgerhout.org/the-bitlocker-haadj-nightmare/
-Had to later on add another to avoid the error above
Do not forcefully unload the user registry at user logoff
I'm sorry, but do you work with Active Directory + Group Policy or Intune? You added only Intune as a tag in the thread so I was expecting you have Intune enviroment.
You should consider to open new thread with correct tags like Group Policy, Windows Security :)
Hello @Pavel yannara Mirochnitchenko ,
This is mainly a co-management scenario, Sorry about the confusion and thanks for your help thus far.
Yep my idea was just provide a hint about the log location, because usually that Bitlocker-API node reveals what you need to know and can start to work on troubleshoting 😊
Sence there was no other replies on this thread, let me try to point few aspects...