Hello, I am starting to create an Intune policy to encrypt devices with full disk encryption using BitLocker. So far, the policy works fine for the C drive but not the D drive.
The second issue is that upon restart of an encrypted device, a recovery screen shows up and the user should use the recovery key to use the device.
I need some more understanding about the policy template settings to see what could be causing those behaviors.
Current policy settings for reference:
BitLocker
  Require Device Encryption: Enabled
  Allow Warning For Other Disk Encryption: Disabled
  Allow Standard User Encryption: Enabled
  Configure Recovery Password Rotation: Refresh on for both Azure AD-joined and hybrid-joined devices

Administrative Templates

Windows Components > BitLocker Drive Encryption
  Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled
  Select the encryption method for removable data drives: AES-CBC 128-bit (default)
  Select the encryption method for operating system drives: XTS-AES 128-bit (default)
  Select the encryption method for fixed data drives: XTS-AES 128-bit (default)
  Provide the unique identifiers for your organization: Not configured

Windows Components > BitLocker Drive Encryption > Operating System Drives
  Enforce drive encryption type on operating system drives: Enabled
  Select the encryption type (Device): Full encryption
  Require additional authentication at startup: Disabled
  Configure minimum PIN length for startup: Not configured
  Allow enhanced PINs for startup: Not configured
  Disallow standard users from changing the PIN or password: Not configured
  Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN: Not configured
  Enable use of BitLocker authentication requiring preboot keyboard input on slates: Not configured
  Choose how BitLocker-protected operating system drives can be recovered: Enabled
  Omit recovery options from the BitLocker setup wizard: False
  Allow data recovery agent: False
  Allow 256-bit recovery key
  Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
  Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: True
  Save BitLocker recovery information to AD DS for operating system drives: True
  Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
  Configure pre-boot recovery message and URL: Enabled
  Select an option for the pre-boot recovery message: Use default recovery message and URL
  Custom recovery URL option:
  Custom recovery message option:

Windows Components > BitLocker Drive Encryption > Fixed Data Drives
  Enforce drive encryption type on fixed data drives: Enabled
  Select the encryption type (Device): Full encryption
  Choose how BitLocker-protected fixed drives can be recovered: Enabled
  Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: True
  Allow data recovery agent: True
  Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
  Allow 256-bit recovery key
  Save BitLocker recovery information to AD DS for fixed data drives: True
  Omit recovery options from the BitLocker setup wizard: True
  Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
  Deny write access to fixed drives not protected by BitLocker: Not configured

Windows Components > BitLocker Drive Encryption > Removable Data Drives
  Control use of BitLocker on removable drives: Not configured
  Deny write access to removable drives not protected by BitLocker: Not configured
In Event Viewer you have the BitLocker-API node (folder), where to look first. It is located under Applications and Services\Microsoft\Windows.
See what errors you get there.
:)
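The check suggested in the answer above, as an added PowerShell example that is not part of the original thread: it summarizes recent errors and warnings from the BitLocker-API log and lists the encryption state and key protectors of every volume, so C: and D: can be compared side by side. The seven-day window is an assumption; run it from an elevated session on the affected device.

```powershell
# Added example, not from the thread. Requires an elevated PowerShell session.
# Channel that Event Viewer shows under the BitLocker-API node.
$logName = 'Microsoft-Windows-BitLocker/BitLocker Management'
$since   = (Get-Date).AddDays(-7)   # assumption: one week of history is enough

# Level 2 = Error, Level 3 = Warning.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Level     = 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No BitLocker errors or warnings logged since $since."
} else {
    # One row per event ID: how often it occurred and the first line of the
    # most recent message, which normally names the failing volume or policy.
    $events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending |
                  Select-Object -First 1
        [pscustomobject]@{
            EventId  = $_.Name
            Count    = $_.Count
            LastSeen = $latest.TimeCreated
            Message  = ($latest.Message -split "`r?`n")[0]
        }
    } | Format-Table -AutoSize -Wrap
}

# Per-volume view: a data drive the policy skipped shows FullyDecrypted with
# no key protectors; an OS drive lists the protectors it is unlocked with.
Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType
        VolumeStatus     = $_.VolumeStatus
        ProtectionStatus = $_.ProtectionStatus
        EncryptionMethod = $_.EncryptionMethod
        KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ', ')
    }
} | Format-Table -AutoSize
```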
Since there were no other replies on this thread, let me try to point out a few aspects...