This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 15%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKP%3C/text%3E%3C/svg%3E)
Hi All,
I have created a device configuration policy for Bitlocker and deployed to 20 users. I can see some status are weird and unable to understand the same. Please advice
So i assume if the machine has Secure boot enabled - Silent bitlocker encryption is happening
If not secure boot - Those machines are getting error and pop up. Any logs please
Not applicable - Not sure what is the cause? Any logs
Errors from Bitlocker event:
Error machines - "BitLocker cannot use Secure Boot for integrity because it is disabled."
Succeeded machines - "Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
TraceId: {0f93d1b9-073c-4e45-a980-92fedb4dd627}
Error: Access is denied."
Please suggest your view
I am having a very similar issue and wanted to know if they should both be handled in the same manner. My error is as follows...
Succeeded machines - "Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
TraceId: {6eaxxxxx-xxxx-xxxx-xxxx-1188892fxxxx}
Error: The parameter is incorrect.
Please advise!
Thanks for any and all guidance you can provide in this matter.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@karthik palani , From your description, I know we configure silently Bitlocker via Intune policy. Firstly, please ensure "Device Prerequisites" are met on these devices:. Secondly, please check the startup PIN or start key configuration to see if it is also met.
https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#silently-enable-bitlocker-on-devices
For the error "BitLocker cannot use Secure Boot for integrity because it is disabled", it seems the secure boot is not enabled, please check on the device to ensure it is enabled.
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues
For the error "Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.Error: Access is denied.", this shows the backup Recovery information to AAD is failed. Silent Encryption does not supports enforcing startup authentication other than the default TPM. If your profile has authentication method set to Require for TPM+PIN or TPM+StartupKey, causes this failure. If recovery method is not set and is not configured to backup to AAD before enabling encryption, the profile fails with the same error event. Please ensure BitLocker recovery information to Azure Active Directory is set to Enabled and the startup authentication is configured correctly.
Research and find a link about troubleshooting Bitlocker Silent Encryption for the reference:
https://www.anoopcnair.com/intune-bitlocker-drive-encryption-part4/
Note: non-Microsoft link, just for the reference.
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@karthik palani , How's everything going? I am writing to see if our issue is resolved. if there's any update, feel free to let us know.
Thanks and have a nice day!
Sorry for the late reply
Your info is so helpful. I found most of the machines are below 1809v in which error status appear
Is there any alternate solution i can try to encrypt these machines. Like is it ok i can create CSP policy from Intune and deploy only to those machines below 1809. Please advice
@karthik palani , Thanks for the reply.
From your description, I know the devices are below windows 10 1809. So silently Bitlocker is unable to enable.
As I know, deploy via CSP or device configuration is similar. That is is to say, if the silently Bitlockeris failed when we deploy via endpoint security policy. It will also fail when we deploy it via OMA URI. There's no much different. For Bitlocker CSP, here is a link for the reference.
https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp
For these affected devices, we can disable the setting "Allow standard users to enable encryption during Azure AD join" to manage Bitlocker:. Hope it can help.
There are known Bitlocker issues related to versions older than 1909. You should upgrade to 1909 or above and then check if silent encryption is going through or not.