Microsoft Security | Intune | Configuration
Setting up and managing device configurations using Intune
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 99%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYV%3C/text%3E%3C/svg%3E)
Same issue here. The device does encrypt but the password rotation is not supported. Same as in the screenshot made by the OP.
Microsoft Intune - BitLocker: Client-driven recovery password rotation error 0x87d1fde8 Remediation failed
Yevhenii Bozhenko
11
Reputation points
Hello!
I'm trying to silently encrypt devices via Intune Device Configuration profile.
The endpoints are on-prem domain-joined + azureAD-registered Windows 10 machines (10.0.19042)
The error I'm getting is Client-driven recovery password rotation Fails with -2016281112 (Remediation failed) error code 0x87d1fde8
Event log on the endpoint shows that configure recovery password rotation URI request is not supported:
The Device configuration profile settings are:
Could you please help figure out how this can be fixed?
Microsoft Security | Intune | Configuration
Microsoft Security | Intune | Enrollment
Microsoft Security | Intune | Enrollment
Registering devices with Intune for management and policy enforcement
12 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 69%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
tlbern 6 Reputation points2021-09-23T13:31:11.207+00:00 @Jarvis Sun-MSFT I am having the same issue as @Yevhenii Bozhenko . How would I check a OMA-URI value for a setting pushed via a Endpoint Protection template?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 13%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Jarvis Sun-MSFT 10,286 Reputation points Microsoft External Staff2021-06-24T08:32:30+00:00 @Yevhenii Bozhenko Thanks for posting in our Q&A.
Based on my experience, it could be caused by CSP URI. Could you please confirm the URI settings as below and try again to see if it is working?
OMA-URI:
./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotationIf it doesn't work, we need to do further log analysis. With the limitation of Q&A, it is better to create an online support ticket to handle this issue. It is free. Here is the online support link and hope it will be resolved as soon as possible.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/get-support
Thanks for your understanding.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 34%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Carlos Martinez 1 Reputation point2022-09-14T13:41:47.783+00:00 adding my name to the "same issue here" pile
-
TG 1 Reputation point2021-10-05T23:12:52.42+00:00 Also running into this issue now using the same configuration template. The device is not automatically encrypting and is prompting for encryption. Upon clicking the promt, getting the "Warning for other disk encryption" popup, which it shouldn't be because that is Blocked in the configuration profile template.