Bitlocker silent enabler not working anymore

Pavel yannara Mirochnitchenko 11,986 Reputation points MVP
2021-08-12T05:06:13.977+00:00

Everything was fine for quite some time, but now all machines which rolled Autopilot recently are without encryption. I will paste my configuration and then the Bitlocker-API events happening on those machines. As a side comment, Intune has 4-5 different methods to configure BitLocker, so which one should we use today?

122576-image.png

122566-image.png

122535-image.png


Accepted answer
  1. Pavel yannara Mirochnitchenko 11,986 Reputation points MVP
    2021-08-18T09:28:12.36+00:00

    Not sure what happened, but I have probably messed up the config profiles for BitLocker config. I managed to get the automation back to work. Let me summarize what I've learned:

    • Event IDs 810, 812, 813 in Bitlocker-API do not matter.
    • Secure boot is not mandatory
    • New Bitlocker encryption in Endpoint Protection should be in use
    • Some "required" rules in configuration around TPM and PIN are too heavy; consider changing them to Allowed, that might solve some incompatibility issues.
    • TPM 1.2 is enough

7 additional answers
  1. Rahul Jindal [MVP] 9,271 Reputation points MVP
    2021-08-12T06:27:16.913+00:00

    You should ideally be using the Endpoint Protection BitLocker profile. Device configuration has additional settings that can cause confusion. As for the issue, are there any more events logged in eventvwr? Also, what does it say in System Information? You can refer to the links below for some guidance.

    intune-bitlocker-silent-and-automatic.html

    how-to-force-escrowing-of-bitlocker.html

    1 person found this answer helpful.

  2. Lu Dai-MSFT 28,356 Reputation points
    2021-08-12T08:48:27.423+00:00

    @Pavel yannara Mirochnitchenko In fact, I think any method of configuring BitLocker is OK. It is based on what settings you want. And there is no article showing which method is the best one.

    If the policy is deployed via Intune successfully but it doesn't work, it is more related to Windows. In fact, the information that I have is limited. For the error message, I have done a lot of research. I find that this error occurs when Secure Boot is not enabled. We can read the following article as a reference.
    https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/954cf796-a640-4134-b742-eaf0ed2663ff#troubleshooting

    The following article shows how to enable Secure Boot:
    https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/disabling-secure-boot#re-enable-secure-boot

    Hope the above information will help.



  3. Pavel yannara Mirochnitchenko 11,986 Reputation points MVP
    2021-08-12T09:10:43.697+00:00

    Found something new from msinfo32:

    Device Encryption Support: Reasons for failed automatic device encryption: PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected

  4. Pavel yannara Mirochnitchenko 11,986 Reputation points MVP
    2021-08-12T14:01:25.4+00:00

    I see that msinfo32 does not matter; what I did was take the problematic machine, reset Secure Boot, reset BIOS factory defaults, reset TPM and start Autopilot again. After that, it is encrypted, with the same error messages in Event Viewer:

    122756-image.png
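
An added example, not part of any post in this thread: a PowerShell snapshot, run elevated on the affected device, of the facts the answers above discuss, namely TPM state and spec version, Secure Boot, the OS volume's actual encryption state and key protectors, and recent Bitlocker-API events 810, 812 and 813. The 7-day event window and the report layout are assumptions of this example; it lets you compare the logged events against whether the volume really is encrypted.

```powershell
#Requires -RunAsAdministrator
# Added example: collect the device facts discussed in this thread in one report.
$report = [ordered]@{}

# TPM state (Get-Tpm ships in the TrustedPlatformModule module).
$tpm = Get-Tpm
$report.TpmPresent = $tpm.TpmPresent
$report.TpmReady   = $tpm.TpmReady

# TPM spec version from the Win32_Tpm CIM class; empty when no TPM is exposed.
$tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                          -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$report.TpmSpecVersion = $tpmCim.SpecVersion

# Secure Boot: returns $true/$false on UEFI and throws on legacy BIOS firmware.
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = 'Not supported on this firmware' }

# Actual state of the OS volume, independent of what the event log says.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.VolumeStatus     = $vol.VolumeStatus
$report.ProtectionStatus = $vol.ProtectionStatus
$report.EncryptionMethod = $vol.EncryptionMethod
$report.KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')

[pscustomobject]$report | Format-List

# Bitlocker-API events named in the thread, last 7 days (assumed window).
$filter = @{
    LogName   = 'Microsoft-Windows-BitLocker-API/Management'
    Id        = 810, 812, 813
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message |
    Format-List
```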