Setting up and managing device configurations using Intune
The error 0x8007000D – The data is invalid when BitLocker is enabled via Intune almost always indicates an underlying TPM or BitLocker policy/configuration problem on the client. Based on the steps already taken, further troubleshooting should focus on verifying TPM health, BitLocker policy coming from Intune, and WinRE/BitLocker prerequisites on that specific device.
Use the following checks on the affected device:
- Verify TPM health and readiness
  - Run `tpm.msc` and confirm that the TPM is present, enabled, and not in an unhealthy state.
  - Open an elevated PowerShell window and run `get-tpm`. All key properties (such as `TpmPresent`, `TpmReady`, `ManagedAuthLevel`) must be `True` for BitLocker to use the TPM. If any are `False`, BitLocker will fail until the TPM is present, ready, enabled, activated, and owned.
- Check for TPM-related errors in Event Viewer
  Hardware or firmware issues with the TPM can surface as generic BitLocker failures:
  - Open Event Viewer → Windows Logs → System.
  - Filter on event sources TPMProvisioningService and TPM-WMI.
  - Any repeated errors here indicate a TPM provisioning or firmware problem that must be resolved (often with OEM firmware/BIOS updates) before BitLocker will succeed.
- Confirm WinRE (Windows Recovery Environment) is enabled
  WinRE is a prerequisite for certain BitLocker scenarios (especially silent/automatic encryption via Intune):
  - Run an elevated Command Prompt and execute `reagentc /info`.
  - If the WinRE status is Disabled, enable it with `reagentc /enable`.
  - After enabling, retry BitLocker encryption.
- Check BitLocker status directly on the device
  Use `manage-bde` to confirm the current encryption state and whether BitLocker is partially configured:
  - Run an elevated Command Prompt and execute `manage-bde -status`.
  - Verify that the OS volume is not in a partially encrypted or error state. If it is, clear any existing protectors and attempt a fresh configuration after TPM/WinRE issues are resolved.
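The three prerequisite checks above (TPM flags and TPM error events, WinRE state, OS volume encryption state) can be gathered in one pass. The script below is an added example, not code from the original answer or from Microsoft; it assumes an elevated PowerShell session on a Windows 10 1703-or-later device with the BitLocker module and reagentc.exe available, and the seven-day event window and the "Windows RE status" text match are assumptions.

```powershell
# Added example (not from the original answer): one readiness report covering the
# TPM, WinRE and BitLocker-status checks described above. Run from an elevated
# PowerShell session on the affected device.
function Get-BitLockerPrereqReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}
    $problems = [System.Collections.Generic.List[string]]::new()

    # --- TPM: every boolean readiness flag must be True for BitLocker to use it ---
    $tpm = Get-Tpm
    foreach ($flag in 'TpmPresent', 'TpmReady', 'TpmEnabled', 'TpmActivated', 'TpmOwned') {
        $value = [bool]$tpm.$flag
        $report["Tpm.$flag"] = $value
        if (-not $value) { $problems.Add("TPM flag $flag is False") }
    }
    $report['Tpm.ManagedAuthLevel'] = $tpm.ManagedAuthLevel
    $report['Tpm.LockedOut'] = [bool]$tpm.LockedOut
    if ($tpm.LockedOut) {
        $problems.Add("TPM is in dictionary-attack lockout (heal time: $($tpm.LockoutHealTime))")
    }

    # --- Recent TPM provisioning / firmware errors in the System log (7-day window assumed) ---
    $tpmEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'TPM-WMI', 'TPMProvisioningService'
        Level        = 1, 2          # Critical, Error
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
    $report['Tpm.RecentErrorEvents'] = @($tpmEvents).Count
    if (@($tpmEvents).Count -gt 0) {
        $problems.Add("$(@($tpmEvents).Count) TPM error events in the last 7 days (System log)")
    }

    # --- WinRE must be Enabled for silent encryption via Intune ---
    $reagent = & reagentc.exe /info 2>&1 | Out-String
    $winreEnabled = $reagent -match 'Windows RE status:\s+Enabled'
    $report['WinRE.Enabled'] = $winreEnabled
    if (-not $winreEnabled) { $problems.Add('WinRE is disabled; run "reagentc /enable" and retry') }

    # --- OS volume must not be partially encrypted or in an error state ---
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $report['OS.VolumeStatus'] = "$($os.VolumeStatus)"
    $report['OS.ProtectionStatus'] = "$($os.ProtectionStatus)"
    $report['OS.EncryptionPercentage'] = $os.EncryptionPercentage
    $report['OS.KeyProtectors'] = ($os.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) -join ','
    if ($os.VolumeStatus -notin 'FullyDecrypted', 'FullyEncrypted') {
        $problems.Add("OS volume is in state '$($os.VolumeStatus)' ($($os.EncryptionPercentage)% encrypted)")
    }

    $report['Problems'] = $problems
    [pscustomobject]$report
}

# Usage: run the report and print the findings that need action
$r = Get-BitLockerPrereqReport
$r | Format-List
if ($r.Problems.Count -eq 0) { 'All BitLocker prerequisites look healthy on this device.' }
```

The `Problems` list is the part worth keeping: an empty list means the TPM, WinRE and volume-state prerequisites are satisfied and the cause of 0x8007000D is more likely on the policy side, which the later registry and BitLocker-API checks cover.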
- Inspect BitLocker policy as received from Intune
  Because this device is managed by Intune, confirm that the BitLocker CSP settings applied to it are valid for its OS build and edition:
  - Generate an MDM Diagnostics Report (stored under `C:\Users\Public\Documents\MDMDiagnostics`) and review the BitLocker CSP section to see which settings are actually applied.
  - Pay particular attention to:
    - OS build and edition support for the configured CSP settings (for example, many BitLocker CSP settings were introduced in Windows 10, version 1703 and later, and some only work on specific editions).
    - Whether the policy requires a healthy TPM (for example, `UseTPM`, `UseTPMKey`, `UseTPMKeyPIN`) on a device where the TPM is missing or unhealthy. Configuring a policy that requires TPM when the TPM is not healthy is a common cause of BitLocker failures.
- Validate BitLocker policy in the registry
  Confirm that the BitLocker policy settings picked up by the MDM agent match what is expected:
  - Open regedit and navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker`.
  - Identify the GUID under `PolicyManager\Providers\<GUID>\default\Device\BitLocker` and review the effective BitLocker policy values (for example, `EncryptionMethodWithXtsOs`, `UseTPM`, `OSActiveDirectoryBackup`, etc.).
  - Compare these with the main BitLocker policy key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`.
  - Ensure the settings are consistent and supported by the OS version.
- Review BitLocker-API logs for more specific error context
  On Intune-managed devices, BitLocker failures are logged in BitLocker-API:
  - Open Event Viewer → Applications and Services Logs → Microsoft → Windows → BitLocker-API → Management and Operations.
  - Look for events around the time BitLocker was attempted (for example, Event IDs 851, 853, 854, 846, 778). These may indicate a missing TPM, WinRE not configured, BIOS/firmware issues, or conflicting recovery policies.
  - Use those specific event messages to guide remediation (for example, enabling WinRE, updating BIOS, or adjusting recovery options policies).
- Check Task Scheduler for BitLocker MDM policy refresh
  If Intune policy is present but encryption never properly starts, verify the scheduled task:
  - In Event Viewer → Applications and Services Logs → Microsoft → Windows → TaskScheduler → Operational (enable this log if it is disabled).
  - Confirm that the BitLocker MDM policy refresh task runs successfully when the device syncs with Intune. Failures here can prevent BitLocker from starting even if policy appears correct.
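The policy and log checks in the last four sections (CSP policy as delivered, the FVE registry view, BitLocker-API events, and the MDM policy refresh task) can be collected together so the TPM-required-but-not-ready conflict described above is flagged explicitly. This is an added example, not code from the original answer or from Microsoft; it assumes an elevated session, and the decodings of `UseTPM` (0/1/2) and `EncryptionMethodWithXtsOs` (3/4/6/7), the event log name `Microsoft-Windows-BitLocker/BitLocker Management` behind the BitLocker-API → Management node, and the task path `\Microsoft\Windows\BitLocker\BitLocker MDM policy Refresh` are assumptions drawn from general Windows knowledge rather than from this page.

```powershell
# Added example (not from the original answer): dump the effective BitLocker
# policy from the MDM (PolicyManager) and FVE registry keys, decode the values the
# answer singles out, flag "TPM required but not ready", and pull recent
# BitLocker-API events plus the last result of the MDM policy refresh task.
# Value decodings, the log name and the task path are assumptions, not from this page.
function Get-BitLockerPolicyReport {
    [CmdletBinding()]
    param([int]$Days = 7)

    $report = [ordered]@{}

    # 1. Policy as delivered by Intune (CSP view)
    $mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    $mdm = if (Test-Path $mdmKey) { Get-ItemProperty -Path $mdmKey } else { $null }
    $report['Mdm.KeyPresent'] = [bool]$mdm
    $report['Mdm.Values'] = if ($mdm) {
        ($mdm.PSObject.Properties | Where-Object Name -notmatch '^PS' |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    } else { '(none: Intune BitLocker policy not received)' }

    # 2. Policy as applied to the BitLocker engine (FVE view)
    $fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $fve = if (Test-Path $fveKey) { Get-ItemProperty -Path $fveKey } else { $null }
    $report['Fve.KeyPresent'] = [bool]$fve

    $useTpmMap = @{ 0 = 'Do not allow TPM'; 1 = 'Require TPM'; 2 = 'Allow TPM' }   # assumed decoding
    $methodMap = @{ 3 = 'AES-CBC 128'; 4 = 'AES-CBC 256'; 6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }  # assumed decoding
    $useTpm = if ($fve) { $fve.UseTPM } else { $null }
    $method = if ($fve) { $fve.EncryptionMethodWithXtsOs } else { $null }
    $report['Fve.UseTPM'] = if ($null -ne $useTpm) { "$useTpm ($($useTpmMap[[int]$useTpm]))" } else { '(not set)' }
    $report['Fve.EncryptionMethodWithXtsOs'] = if ($null -ne $method) { "$method ($($methodMap[[int]$method]))" } else { '(not set)' }
    $report['Fve.OSActiveDirectoryBackup'] = if ($fve) { $fve.OSActiveDirectoryBackup } else { '(not set)' }

    # 3. The conflict the answer calls out: policy requires the TPM but the TPM is not ready
    $tpm = Get-Tpm
    $report['Tpm.Ready'] = [bool]$tpm.TpmReady
    $report['Conflict.TpmRequiredButNotReady'] = ($useTpm -eq 1 -and -not $tpm.TpmReady)

    # 4. BitLocker-API management events that usually carry the real reason
    $apiEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'   # assumed log name
        Id        = 778, 846, 851, 853, 854
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    $report['BitLockerApi.Events'] = @($apiEvents | ForEach-Object {
        "{0:u} Id={1} {2}" -f $_.TimeCreated, $_.Id, ($_.Message -split "`r?`n")[0]
    })

    # 5. Last result of the MDM policy refresh task (0x00000000 = success); task path assumed
    $taskInfo = Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\BitLocker\' `
        -TaskName 'BitLocker MDM policy Refresh' -ErrorAction SilentlyContinue
    $report['RefreshTask.LastRunTime'] = $taskInfo.LastRunTime
    $report['RefreshTask.LastResultHex'] = if ($taskInfo) { '0x{0:X8}' -f $taskInfo.LastTaskResult } else { '(task not found)' }

    [pscustomobject]$report
}

# Usage: print the full report; a True in Conflict.TpmRequiredButNotReady points at the TPM, not the policy
Get-BitLockerPolicyReport | Format-List
```

Read `Mdm.Values` and the `Fve.*` entries side by side: if the CSP key is missing the device never received the policy (check the MDM Diagnostics Report and the refresh task result), while a populated CSP key with an empty or inconsistent FVE key points at the CSP-to-FVE translation on that OS build or edition.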
- If TPM is locked (dictionary attack protection)
  If BitLocker-API or TPM logs show messages like “The TPM is defending against dictionary attacks and is in a time-out period”, reset and clear the TPM using the documented script rather than repeated manual clears:
  - Run elevated PowerShell:

        $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
        $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
        if ($ConfirmationStatus -ne 4) { $Tpm.SetPhysicalPresenceRequest(22) }

  - Restart, confirm the TPM clear when prompted, then sign in and retry BitLocker.
  - Be aware that resetting and clearing the TPM can cause data loss if existing keys depend on it.
- Escalate with device-specific details if logs show no clear cause
  If, after these checks, BitLocker still fails with `0x8007000D` and BitLocker-API/TPM logs do not provide a clear error, collect:
  - MDM Diagnostics Report (including the BitLocker CSP section).
  - System and BitLocker-API event logs around the failure.
  - TPM status (`get-tpm` output and TPM event logs).
  These artifacts can then be used with Microsoft support to investigate any underlying OS or Intune service-side issues for that specific device.