This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I have very random experience with the Autopilot Reset process via Intune console, where in 50% of cases, computer is stuck with asking Bitlocker recovery key in a middle of the reset process. The fun thing is, that this happends randomly and I see this behavior in different Intune cloud-only enviroments. Any explanations or tricks for this. I want to avoid recovery key pop-up if possible.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Pavel yannara Mirochnitchenko , Based on my research, some specific events will cause BitLocker to enter recovery mode when attempting to start the operating system drive: Here is the link for the reference:
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan#what-causes-bitlocker-recovery
Also, I find it seems tracking changes in the PCRs can pin point which change is causing recovery action, Maybe we can try to see if we can find it.
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs#:~:text=By%20tracking%20changes%20in%20the,%5CLogs%5CMeasuredBoot%5C%20folder
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Decoding too diffucult and time consuming, not doing that :D
Yea, I understand, that clearly Windows Reset manipulates the OS and stuff, but it still works in some cases for me. If Bitlocker would be not supported during Windows Reset, the entire Autpilot Reset is quite useless. In Intune configuration, there is no PCR level like in GPO there was.
@Pavel yannara Mirochnitchenko , After doing more research, I didn't find any article mentioned that BitLocker not support during Windows Reset. But I found some PCs like Dell, Hp, Lenovo, Samsung, ASUS laptops, etc mention the issue.
https://www.m3datarecovery.com/bitlocker-drive-data-recovery/bitlocker-asking-for-recovery-key-instead-of-password.html
Note: Non-Microsoft link just for the reference.
To know our issue, I think the deep log analysis is necessary. We suggest to open case to see if we can get more help.
For the PCR configuration, I find the policy seems to be "Configure TPM platform validation profile for BIOS-based firmware configurations" and your understanding is correct. the setting is not under Intune device configuration profile.
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations
But I find it can also be done with registry key. Maybe we can deploy the registry key to the devices via script in Intune.
https://admx.help/?Category=MDOP&Policy=Microsoft.Policies.BitLockerManagement::PlatformValidation_BIOS_Name
Note: Non-Microsoft link, just for the reference.
Thanks for the understanding and hope the above information can help.
That last link is helpfull, I should consider that, thanks.
I guess there is no easy way to track down the recovery root cause from Event Viewer? Bitlocker API log does not reveal it, right?
@Pavel yannara Mirochnitchenko , From the following link, it mentioned Event log can also help to indicate why recovery was initiated. You can check it to see if more findings.
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan#determine-the-root-cause-of-the-recovery
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 54%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
@Pavel yannara Mirochnitchenko I had this issue just recently, which mine was due to secure boot not being enabled. It threw me a curveball but the BitLocker-API mentioned secure boot integrity could not be use and I checked and it was disabled! re-enabled and Autopilot reset without the bitlocker prompt.