Intune Bitlocker remediation failed

Halogeen 236 Reputation points
2021-01-05T14:19:39.4+00:00

Hey guys,

as you all helped me so much with my previously asked questions, here's another one: my device has a problem with its assigned BitLocker policy, reporting "-2016281112 (Remediation failed)":
[screenshot: 53651-bitlocker1.jpg]

So first of all, here is my Endpoint Protection policy:
[screenshot: 53575-bitlocker2.jpg]
[screenshot: 53468-bitlocker3.jpg]

I think the most important point regarding that problem is to "Allow standard users to enable encryption during Azure AD Join".

The TPM status is as follows:
[screenshot: 53643-tpm.jpg]

The next thing I checked is "manage-bde -status", which returns the following:
  BitLocker Version: None
  Conversion Status: Fully Decrypted
  Percentage Encrypted: 0.0%
  Protection Status: Protection Off
  Lock Status: Unlocked
  Identification Field: None
  Key Protectors: None Found
(Translated into English; the original output was in my native language.)

OK, Secure Boot was not active. So I activated it in the BIOS and added a key protector with:
"manage-bde -protectors -add C: -rp"

But now I'm waiting and waiting; BitLocker isn't starting encryption on its own as I thought it would. Am I doing anything wrong here? BitLocker is still deactivated.

Update:
After restarting my PC I got the following message:
[screenshot: 53577-bitlockercouldnotbeenabled.png]


3 answers

  1. AliceYang-MSFT 2,106 Reputation points
    2021-01-07T08:01:20.983+00:00

    Hi,

    Perhaps you need to check BitLocker policy configuration

    The BitLocker policy must not require use of a startup PIN or startup key. When a TPM startup PIN or startup key is required, BitLocker can't silently enable and requires interaction from the end user. This requirement is met through the following three BitLocker OS drive settings in the same policy:
    Compatible TPM startup PIN must not be set to Require startup PIN with TPM
    Compatible TPM startup key must not be set to Require startup key with TPM
    Compatible TPM startup key and PIN must not be set to Require startup key and PIN with TPM

    And I'm not sure about the TPM status now, because the PC client spec version is 1.01. If that means the TPM version of the client is 1.01, it needs to be 2.0. Please make sure that both the host and the clients have UEFI, Secure Boot enabled and TPM 2.0.


    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    3 people found this answer helpful.

  2. AliceYang-MSFT 2,106 Reputation points
    2021-01-06T07:18:29.87+00:00

    Hi,

    Thank you for the screenshots you provided.

    -2016281112 (Remediation failed) is a known issue. Please refer to "Enforcing BitLocker policies by using Intune: known issues" to narrow down the cause.

    TPM status seems to be OK, but BitLocker couldn’t be enabled. Perhaps we need to check which TPM driver is installed on the computer.

    We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM.



  3. Halogeen 236 Reputation points
    2021-01-06T12:42:53.753+00:00

    Hey @AliceYang-MSFT ,

    as far as I can tell, the TPM device in Device Manager has a Microsoft driver installed. I have read the first link and worked through it.

    • The event log has "only" two different kinds of events in the group "BitLocker-API":
      x ID 851: Failed to enable silent encryption. Error: The Group Policy blocks saving of the recovery key to Active Directory for this drive.
      x ID 778: The BitLocker volume C: was reverted to an unprotected state.

    For ID 851 I have checked whether there are any group policies. So I executed gpresult and searched the report for BitLocker, but I couldn't find any entries. Are there any other things I should check or search for in the report?

    • Even though I had no other event IDs mentioned in that guide, I checked everything:
      x WinRE seems to be enabled, BIOS mode is UEFI, and Secure Boot is enabled as well.
      x What again does not look good are the key protectors. When typing in manage-bde -protectors -get %systemdrive% there are no key protectors available.
    • The Windows version is up to date, so it can't be a missing patch (version 2004, build 19041.264).
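
The thread above checks the same things by hand in several places: answer 1 names the three startup PIN/key policy settings that prevent silent enablement and the UEFI/Secure Boot/TPM 2.0 prerequisites, and answer 3 walks through event IDs 851 and 778 in the BitLocker-API log and the missing key protectors. The script below is an added example written for this page, not code from the thread or from Microsoft; it gathers all of those checks from one elevated PowerShell prompt on the affected device. It assumes the BitLocker policy lands under HKLM\SOFTWARE\Policies\Microsoft\FVE with the value names the BitLocker ADMX/CSP uses (UseTPMPIN, UseTPMKey, UseTPMKeyPIN, OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup, where 1 means "Require"), and that the BitLocker-API events are in the "Microsoft-Windows-BitLocker/BitLocker Management" log; both are assumptions to confirm on your own build.

```powershell
# Added diagnostic script (not from the thread). Run from an elevated PowerShell
# on the affected device. It checks the three things the answers point at:
#  1. firmware/TPM prerequisites (UEFI, Secure Boot, TPM 2.0),
#  2. the local BitLocker policy values that block silent enablement
#     (startup PIN/key required, recovery key backup to AD required),
#  3. the current state of the OS volume and the BitLocker-API events 851/778.
# Assumption: registry value names and the log name are those used by the
# BitLocker ADMX/CSP on Windows 10 2004; verify them on other builds.

$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. Firmware and TPM prerequisites -------------------------------------
try {
    if (Confirm-SecureBootUEFI) { "Secure Boot: enabled" }
    else { $findings.Add("Secure Boot is disabled") }
} catch {
    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware
    $findings.Add("Firmware is not UEFI or Secure Boot state could not be read: $($_.Exception.Message)")
}

$tpm = Get-Tpm
if (-not $tpm.TpmPresent)   { $findings.Add("No TPM present") }
elseif (-not $tpm.TpmReady) { $findings.Add("TPM present but not ready (TpmReady = False)") }

# Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38" or "1.2, 2, 3"; the first field is the TPM spec.
$tpmWmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($tpmWmi) {
    $specMajor = ($tpmWmi.SpecVersion -split ',')[0].Trim()
    "TPM spec version: $specMajor"
    if ($specMajor -ne '2.0') { $findings.Add("TPM spec version is $specMajor; silent encryption needs TPM 2.0") }
}

# --- 2. Local BitLocker policy (what the Intune policy lands as) -----------
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

# Assumed encoding: 0 = Do not allow, 1 = Require, 2 = Allow. Any "Require" makes
# BitLocker prompt the user at setup, so silent enablement fails (answer 1).
foreach ($name in 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    $v = $pol.$name
    if ($v -eq 1) { $findings.Add("$name = 1 (Require) blocks silent encryption") }
    else { "${name}: $(if ($null -eq $v) { 'not set' } else { $v })" }
}

# Event 851 in the thread says policy blocks saving the recovery key to AD.
# OSRequireActiveDirectoryBackup = 1 means BitLocker must not enable until the
# backup succeeds, which is what that message is about.
if ($pol.OSRequireActiveDirectoryBackup -eq 1) {
    $findings.Add("OSRequireActiveDirectoryBackup = 1: BitLocker will not enable until the recovery key is backed up")
}
"OSActiveDirectoryBackup: $($pol.OSActiveDirectoryBackup)  OSRequireActiveDirectoryBackup: $($pol.OSRequireActiveDirectoryBackup)"

# --- 3. Volume state and BitLocker-API events -----------------------------
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
"$($vol.MountPoint) VolumeStatus=$($vol.VolumeStatus) ProtectionStatus=$($vol.ProtectionStatus) Encrypted=$($vol.EncryptionPercentage)%"
if ($vol.KeyProtector.Count -eq 0) {
    $findings.Add("No key protectors on $($vol.MountPoint) (expected at least Tpm and RecoveryPassword)")
} else {
    "Key protectors: " + (($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', ')
}

# The BitLocker-API provider writes to this log; show the last few 851/778 events.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 851, 778 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    ForEach-Object { "{0:u}  ID {1}: {2}" -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0] }

# --- Summary ---------------------------------------------------------------
if ($findings.Count -eq 0) { "No blocking condition found by these checks" }
else { "Blocking conditions:"; $findings | ForEach-Object { " - $_" } }
```

Run it once before and once after a policy change has synced; the "Blocking conditions" list is what to compare against the Intune remediation error, and an empty key-protector list together with a recent event 778 matches the state described in the question.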
