Intune BitLocker on Windows 10 Pro ver 1903

  • Question

  • Hi all,

    Can the BitLocker compliance policy and BitLocker configuration work on Windows 10 Pro? My current Win10 version is 1903.
    So far I have applied the BitLocker configuration and I got an error. I am wondering whether the endpoint protection configuration can work on Windows 10 Pro.

    Thanks a lot
    Wednesday, July 24, 2019 9:30 AM

All replies

  • Hi,

    The underlying BitLocker CSP does the configuration, and the official documentation tells us that it is supported on the Pro edition since 1809:

    "The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro."

    If you have a look at the compatibility tables below the settings, you get detailed information regarding a specific setting.

    Wednesday, July 24, 2019 11:54 AM
  • Hi Oliver, thanks for your help.

    At the moment I am looking at the "Configuration" setting in Intune. I wonder whether it will work on Windows 10 Pro. If the Intune "Configuration" setting can't be applied, then I will use the CSP next.

    Thursday, July 25, 2019 2:41 AM
  • These are the few errors on Windows 10 Pro 1903. I wonder whether anyone has had this problem trying to deploy it.

    Monday, July 29, 2019 5:02 AM
  • The configuration profile sets the CSP. You don't need a separate CSP.

    Have you reviewed the event logs on the device? See if there are any errors in Application and Services Logs > Microsoft > Windows > BitLocker-API > Management.

    Can you test changing the compatible TPM startup PIN options to something like in this guide?

    Monday, July 29, 2019 6:41 AM
  • Hi Nick Hogarth, thanks for the useful information. I have followed the configuration above and I am obtaining the same result. I have checked that my TPM has manufacturer version 5.662.3126.2. I suspect that my hardware is not supported for automatic device encryption.
    Tuesday, July 30, 2019 7:53 AM
  • Try testing it with 1809. We had similar problems when testing 1903. On 1809 everything worked.
    Tuesday, July 30, 2019 1:32 PM
  • Hi

    A few things to check. First, can you enable BitLocker manually on the Windows 10 device? Has it picked up the settings you pushed out when enabling manually, just not started the encryption?

    On the Windows 10 device, on the start menu, search for tpm.msc and then open the TPM console. Check that the device has a TPM and its status is set to ready as shown below, and what version it is. If the TPM status is not set to ready, you can clear the TPM, which will require a restart.

    Also, are you storing the recovery key in Active Directory?

    Is there a reason you are enabling a PIN at startup? Try setting this to do not allow PIN at startup.

    • Edited by Shane W Wednesday, July 31, 2019 9:31 AM
    Wednesday, July 31, 2019 9:29 AM
  • Hi Shane W, thanks for your help.

    I have reset the TPM and I have also changed the whole setting according to what Oliver Kieselbach suggested.

    I plan to store the recovery key in Azure Active Directory.

    But I am getting the same result. My Specification Version is 2.0 and manufacturer version is 5.662.3126.2.

    I have manually tried to turn on BitLocker and it has no issue. The problem comes when I try to use Intune to deploy it.
    Currently I am only doing deployment for BitLocker via Intune on ver. 1903 and have not tried ver. 1809. The reason is that there is a problem with 1809 in the software update ring; it will always give me an error.

    • Edited by Chang Hian Friday, August 2, 2019 3:59 AM
    Wednesday, July 31, 2019 11:19 AM
  • I came across this link; I wonder if it is my TPM version.
    Friday, August 2, 2019 4:51 AM
  • I'm actually getting this exact same issue. Intune is so passive, it's so hard to determine why some things work flawlessly and others just don't work at all.
    Thursday, September 5, 2019 8:00 PM
  • This is the setting I set, and it is able to encrypt the hard disk when I join the device. I called Microsoft and they told me the device needs to be a new device and cannot be a device that has done encryption before. This doesn't really make sense to me and I find it ridiculous. So in order to allow the machine to get encrypted, I need to decrypt my hard disk, clear the TPM and format my machine to allow the auto encryption to be successful. Once the format is successful I run the command to check whether it is encrypted: "manage-bde -status". And enable "Allow standard users to enable encryption during Azure AD join"; when my device is joined to Azure AD and I sign in with the Azure AD account, it will start to encrypt and store the recovery key back to my portal. (FYI, I have tried to decrypt the hard disk and clear the TPM without formatting; it will not work.) No additional CSP configuration or GPO setting is required for it to work. But this setting does not allow the user to enable a PIN during sign-in. I am looking at how to make that happen.

    "Allow standard users to enable encryption during Azure AD join" is only for users without admin rights to silently encrypt. Setting it to Not configured will only allow users with local administrator rights to get encrypted.

    • Edited by Chang Hian Tuesday, September 24, 2019 6:52 AM
    Tuesday, September 17, 2019 5:46 AM
  • After a few weeks of testing, I have encountered so many problems and I find it is so unstable.
    After checking with Microsoft, they mentioned there are many ways to get it encrypted and gave me some advice, which I am still testing.

    1. The Intune policy is only able to encrypt the hard disk if the user has local admin rights on the Azure AD account. We will get the BitLocker notification (in the notification area on the machine, after creating the Intune policy) only when the computer is logged in with the local admin account. We need to set "Allow standard users to enable encryption during Azure AD join" to Not configured in the Windows Encryption policy for administrator accounts; this setting basically silently encrypts the hard disk for standard users.
    Some of my machines will not prompt the notification and will still encrypt the hard disk silently.
    For a machine to be encrypted, we might need to enable Windows Recovery Environment (WinRE) first,
    because I have checked that System Information --> System Summary --> Device Encryption Support --> Reason for failed automatic device encryption says: WinRE is not configured.
    Checking and enabling the Windows recovery option:
    reagentc /info
    reagentc /enable

    2. When the user is logged in on the machine without local admin rights, then we need to enable silent encryption; however, for silent encryption the machine must meet the prerequisites.
    Run msinfo32 (System Information) as administrator from cmd and ensure the machine meets the prerequisites:
    BIOS Mode - UEFI
    PCR7 Configuration - Binding Possible (will change to Bound once it is encrypted)
    Secure Boot State - On

    Silent encryption for users without local admin rights is set by CSP using Custom OMA-URI settings and not in the Intune BitLocker policy. This will silently encrypt the hard disk. Once it is encrypted, we need to manually set the BitLocker PIN if there is such a requirement for the environment, simply by right-clicking on the C drive and selecting Manage BitLocker. Beforehand, to allow the Surface Pro to key in a BitLocker PIN, open GPO and "Enable use of BitLocker authentication requiring preboot key." Make sure the Azure user login does not have local administrator rights, else you will get an error.

    OMA-URI -
    Data type - Integer
    Value - 1

    Once it is successfully applied, restart the machine and go to
    Ensure AllowStandUserEncryption is changed to 0x00000000 (0)

    If in any case the Intune policies are working fine and even changing the registry as well, but the Windows CSP is not enabling BitLocker (e.g. AllowStandUserEncryption is at 0x00000001 (0)), then the Windows team has to look into that matter.

    3. Using a PowerShell script, which I have not tested.

    4. Troubleshooting BitLocker.

    Check the BitLocker encryption status:
    manage-bde -status

    Check if PCR 7 is supported for silent encryption:
    manage-bde -protectors -get %systemdrive%
    manage-bde -protectors -add c: -tpm

    To check why Device Encryption Support failed:
    System Information --> System Summary --> Device Encryption Support --> Check the Reason

    Check that the BitLocker value has been applied in regedit.

    Open Event Viewer to check for errors.
    Expand Applications and Services Logs --> Microsoft --> Windows --> BitLocker-API --> Management

    The final step, if nothing seems to be working, is to decrypt the hard disk if encrypted,
    open the BitLocker TPM console as admin to reset if necessary
    (tpm.msc), then format the machine. When the machine boots up, check that the machine is not encrypted by running manage-bde -status, then push the policy to the machine to check again.

    This is one of the links that I found; he updated all his BIOS to get it to work, but mine is at the latest.

    • Edited by Chang Hian Tuesday, September 24, 2019 8:22 AM
    Tuesday, September 24, 2019 8:15 AM
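    As an added example (not posted by anyone in this thread), the PowerShell below gathers the checks the troubleshooting post above walks through one by one (msinfo32 prerequisites, tpm.msc state, reagentc /info, manage-bde status and protectors, the registry value, and the BitLocker-API > Management event log) into a single report object. The PolicyManager registry key is my assumption, since the post names only the value and not its key.

    ```powershell
    #Requires -RunAsAdministrator
    # Collects the checks from the troubleshooting post above into one report.
    # Assumption: the MDM value the post calls AllowStandUserEncryption lives under
    # HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker as
    # AllowStandardUserEncryption; the post does not name the key, so adjust if yours differs.
    function Get-BitLockerReadiness {
        [CmdletBinding()]
        param(
            [string]$MountPoint = $env:SystemDrive,
            [string]$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
        )

        # msinfo32 prerequisites: BIOS Mode = UEFI, Secure Boot State = On
        # (Confirm-SecureBootUEFI throws on legacy BIOS, which we report as "off")
        $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

        # tpm.msc equivalent: presence, ready state, spec and manufacturer version
        $tpm    = Get-Tpm
        $tpmWmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm

        # WinRE must be enabled or Device Encryption Support reports "WinRE is not configured"
        $winRE = (reagentc /info 2>&1 | Out-String) -match 'Windows RE status:\s+Enabled'

        # manage-bde -status / -protectors -get: volume state and whether a TPM protector exists
        $vol    = Get-BitLockerVolume -MountPoint $MountPoint
        $hasTpm = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -match 'Tpm' })

        # Registry value the CSP should have written (assumed key, see above)
        $allowStd = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).AllowStandardUserEncryption

        # Latest errors from Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management
        $errs = Get-WinEvent -FilterHashtable @{
                    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Level = 2
                } -MaxEvents 5 -ErrorAction SilentlyContinue

        [pscustomobject]@{
            FirmwareType                = $env:firmware_type          # expect UEFI
            SecureBootOn                = $secureBoot                 # expect True
            TpmPresentAndReady          = ($tpm.TpmPresent -and $tpm.TpmReady)
            TpmSpecVersion              = $tpmWmi.SpecVersion         # expect a 2.0 TPM
            TpmManufacturerVersion      = $tpmWmi.ManufacturerVersion
            WinREEnabled                = $winRE                      # expect True
            VolumeStatus                = $vol.VolumeStatus
            ProtectionStatus            = $vol.ProtectionStatus
            HasTpmProtector             = $hasTpm
            AllowStandardUserEncryption = $allowStd                   # post: reads 0 once silent encryption ran
            RecentBitLockerErrors       = @($errs | ForEach-Object { "$($_.Id): $(($_.Message -split "`n")[0])" })
        }
    }
    Get-BitLockerReadiness | Format-List
    ```

    Any field that does not match the expected value in its comment points at the same failure cause the post found by hand (for example, WinREEnabled = False corresponds to "WinRE is not configured").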
  • An old post, but I had the same issue for 1903. Although the device config profile is correct, you still need to enable WinRE on the client.

    As soon as WinRE is enabled the policies should apply.

    Saturday, January 11, 2020 10:29 AM