Microsoft Intune - BitLocker: Client-driven recovery password rotation error 0x87d1fde8 Remediation failed

Yevhenii Bozhenko 11 Reputation points
2021-06-23T10:04:25.487+00:00

Hello!

I'm trying to silently encrypt devices via an Intune Device Configuration profile.
The endpoints are on-prem domain-joined + Azure AD-registered Windows 10 machines (10.0.19042).
The error I'm getting is: Client-driven recovery password rotation fails with -2016281112 (Remediation failed), error code 0x87d1fde8.
[Screenshot: 108602-image.png]

Event log on the endpoint shows that configure recovery password rotation URI request is not supported:
[Screenshot: 108533-image.png]

The Device configuration profile settings are:
[Screenshot: 108530-image.png]

Could you please help figure out how this can be fixed?


12 answers

  1. Jarvis Sun-MSFT 10,176 Reputation points Microsoft Vendor
    2021-06-24T08:32:30+00:00

    @Yevhenii Bozhenko Thanks for posting in our Q&A.
    Based on my experience, it could be caused by the CSP URI. Could you please confirm the URI setting as below and try again to see if it works?
    OMA-URI:
    ./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation

    If it doesn't work, we need to do further log analysis. Given the limitations of Q&A, it is better to create an online support ticket to handle this issue. It is free. Here is the online support link; I hope it will be resolved as soon as possible.
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/get-support
    Thanks for your understanding.


    1 person found this answer helpful.

  2. tlbern 6 Reputation points
    2021-09-23T13:31:11.207+00:00

    @Jarvis Sun-MSFT I am having the same issue as @Yevhenii Bozhenko. How would I check an OMA-URI value for a setting pushed via an Endpoint Protection template?

    1 person found this answer helpful.

  3. Youri - Voiped Wholesale 26 Reputation points
    2022-05-20T08:30:43.877+00:00

    Same issue here. The device does encrypt but the password rotation is not supported. Same as in the screenshot made by the OP.

    1 person found this answer helpful.

  4. TG 1 Reputation point
    2021-10-05T23:12:52.42+00:00

    Also running into this issue now using the same configuration template. The device is not automatically encrypting and is prompting for encryption. Upon clicking the prompt, I get the "Warning for other disk encryption" popup, which it shouldn't show because that is Blocked in the configuration profile template.


  5. Carlos Martinez 1 Reputation point
    2022-09-14T13:41:47.783+00:00

    Adding my name to the "same issue here" pile.
