unable to enable bitlocker on new Intune enrolled device RRS feed

  • Question

  • We are deploying win10 images via winPE but am unable to run he 'c:\windows\system32\reagentc.exe /enable' (from the SetupComplete.cmd) which appears to be a prerequisite for enabling BitLocker via InTunne MDM. We had it configured prior to win10 1903 and seemed to all work before.

    Bitlocker seems to fail and I find that it may be most likely due to the fact the WinRE doesn’t seem to be ebaled…the errors tahtappear inevent viewer are ID 851. I have tested this and as soon as I enable it manually Bitlokcer enables fine (silently in the backgroud) without any issue.

    Any known issues since win 10 1903 or logs I should be aware of when trying to enable bit Locker for new devices?

    thedevice is a surface pro - not joined to the domain bu enrolled via azure ad

    Friday, November 8, 2019 5:25 PM


All replies

  • In the BitLocker report, does it show in the status "Windows Recovery Environment (WinRE) isn't configured"? BitLocker report is here

    Also check the last post here regarding Windows Recovery Environment
    Saturday, November 9, 2019 2:20 AM
  • Hi,

    The encryption status shows as 'Not Encrypted'. I have seen the post and understand that WinRE is a perquisite for configuring bitlocker via Intune. Once I enable WinRE (reagentc /enable) the config profile applies successfully after a few mins and then shows as 'encrypted' (after a few hours)

    Perhaps my question should be, during the initial OS install via WinPE, how can you enable this (either before or after enrolment), as the comand doesn't seem to work in the setupcomplete.cmd. However, it did used to work seemlessly prior to Windows 10 1903 (ie. Worked fine with 1809,etc)

    Monday, November 11, 2019 8:33 AM
  • > "during the initial OS install via WinPE"

    Can you please define exactly what this means? Are you using MDT, ConfigMgr, or something else?

    Jason | | @jasonsandys

    Wednesday, November 13, 2019 3:11 AM
  • not using MDT for this.

    This is a WoW build on a 32GB USB drive. (WinPE FAT32 partitioned, and WIM on NTFS partition) also using the customized scripts (setupComplete.cmd)...

    Monday, November 25, 2019 3:22 PM
  • So you're WIM booting these systems? If so, BitLocker is not supported and won't work for this.

    Jason | | @jasonsandys

    Monday, November 25, 2019 3:55 PM
  • You're right, I've also experienced the same thing multiple times.  
    Monday, November 25, 2019 4:15 PM
  • ..any suggestions for enabling BitLocker for newly enrolled devices?

    I have configured a Profile in intune already (but only seems to apply to Users once the reagent.exe /enable has run on the device - as mentioned before).

    i did find the below article explaining some settings via CSP. would this be necessary in addition.

    alternatively i was looking to deploy the profile to AAD devices, rather than users from a AD synced group.

    hope that makes sense

    Wednesday, November 27, 2019 12:41 PM
  • No, still not following the scenario here and you didn't answer my previous question here.

    Jason | | @jasonsandys

    Wednesday, November 27, 2019 10:02 PM
  • The build compromises a formatted USB driver 1st partition (FAT32) containing WinPE and 2nd partition (NTFS) containing the wim images (install.wim and winre.wim) and the packages (.xml files).

    The install.wim has been preconfigured with the OS & applications, which has been sysprepped.

    The USB is used to boot new devices, which goes through WinPE formatting the target disk (diskpart) and installing the wim files from the NFTS partition.

    Within the install.wim there are 2 files that have been configured - StartNet.cmd (which configures DISKPART, DISM to mount the install.wim and configure winRE settings) and SetupComplete.cmd (which is set to run 'c:\windows\system32\reagentc.exe /enable') .


    During the new user process (after sysprep), the user is then prompted for credentials to enroll the device to Intune (AAD Join).


    That sums up the process. This used to work seamlessly prior to Win10 1903. Up until then, new devices were encrypted with BitLocker turned ON.

    Since the issue, I have setup an endpoint encryption profile to configure BitLocker settings. However, we found that these settings do not apply UNTIL the device has WinRe enabled (c:\windows\system32\reagentc.exe /enable).


    In the Even Viewer (Microsoft-Windows-BitLocker-API/Management), the error showed consistently:

    Failed to enable Silent Encryption.

    Error: This PC does not meet the hardware requirements to support device encryption..


    Once 'reagentc.exe /enable' has been run on the device, BitLocker is then able to encrypt the drive.


    Hope that clears things up. I did find a post somewhere on here that mentioned you cannot push an Intune Profile to device that had previously be setup with BitLocker…(don’t have a link)

    Prior to running sysprep, if BitLocker is enabled, we disable it before the deployment.


    Thursday, November 28, 2019 1:45 PM
  • What happens if you try to manually enable BitLocker on the system after it is provisioned? Same issue?

    Jason | | @jasonsandys

    Thursday, November 28, 2019 11:35 PM
  • when you try to enable bitlocker (from the BitLocker Drive Encryption) option the error comes up:

    "This PC doesn't support entering a BitLocker recovery password during start-up. Ask your administrator to configure Windows Recovery Environment so that you can use BitLocker"

    so either way I need to run Reagentc.exe /enable

    can't work out why this is not running in the script during initial setup

    is it possible (or best practice) to push this command via PowerShell (Device Configuration) in Intune?

    Wednesday, December 4, 2019 11:43 PM
  • ok. so the issue seemed to be with the install itself (unsure exactly, creating again from scratch seemed to enable WinRE and Bitlocker now)

    problem now is we have a around 110 surface devices that had this setup where it did not enable WinRE.

    Is there a way to enable WinRE to all these AAD joined devices? I've tried to setup a PS script (Intun > Device Configuration > Scripts) and running the following for a small group of test devices:

    $fileExe = "c:\windows\system32\reagentc.exe"
    & $fileExe "/enable"

    however, when checking the overview of this, it shows status as failed. any suggestions on how to enable WinRE on these? the devices are not on the domain but enrolled in Intune

    Monday, February 3, 2020 9:36 AM
  • ok. found a workaround. managed to update the script to run cmd.exe (as administrator) and running the code at logon (via scheduled task). seems to work now!


    Monday, February 3, 2020 3:57 PM