This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello!
I'm trying to silently encrypt devices via Intune Device Configuration profile.
The endpoints are on-prem domain-joined + azureAD-registered Windows 10 machines (10.0.19042)
The error I'm getting is Client-driven recovery password rotation Fails with -2016281112 (Remediation failed) error code 0x87d1fde8
Event log on the endpoint shows that configure recovery password rotation URI request is not supported:
The Device configuration profile settings are:
Could you please help figure out how this can be fixed?
Setting up and managing device configurations using Intune
Registering devices with Intune for management and policy enforcement
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 76%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVG%3C/text%3E%3C/svg%3E)
I have noticed that this error is appearing when you haven't configured your TPM in the BIOS first.
Most of the laptops by default are with disabled TPM.
You should enable TPM and all storage keys there first and then roll your policy or Bitlocker rule again.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 92%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Was anyone else able to resolve this issue?
@TG - Would you be able to share your PS scripts please? This is causing a huge issue in our tenant and I would be eternally grateful! Thank you for your help.
It looks like Intune policy doesn't automatically turn on BitLocker for Azure AD Registered devices, because they are technically joined then as personal devices.
For automatic BitLocker encryption via built-in Intune policy, the device should be Azure AD Joined and logged in to Windows with a Work or school account.
I created PowerShell scripts that can take care of automated BitLocker encryption and escrow in the case of AAD Registered devices.
@TG - Do you mind sharing your PS scripts so we can fix this issue? Thank you for your help!
Was anyone else able to resolve this issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 63%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
I am also experiencing this same issue and Bitlocker key is not getting escrowed to AAD. Note: I am using MS Endpoint Manger (Intune)- Endpoint Security -Disk Encryption Policy Template and targeting Autopilot HAADJ Windows 10 laptops.