BitLocker API: Failed to enable Silent Encryption

  • Question

  • The new silent encryption seems to not work in every single situation.

    Has anyone else experienced problems with it?

    Similar issue was blogged by Peter Klapwijk here https://www.inthecloud247.com/windows-10-failed-to-enable-silent-encryption/

Tried for days to find a reason, even discussed it with him, but couldn't find the reason.

    I had the problem occurring on 2 devices, a Hyper-V VM and a Lenovo Yoga X1, both running Windows 10 1809 Pro with Secure Boot, TPM 2.0, etc.

    Come the April updates, as soon as both devices installed the patch (KB4493509) and rebooted, both started the encryption. I thought that was the fix. I even tried to revert the VM to a previous state snapshot and tried to encrypt again, with no luck; updated to the April CU and it worked again.

    Another simple test tells me it is something else. I just manually disabled BitLocker and boom, same behavior again.

    What I noticed in the logs is that a key is generated and saved to Azure AD, but it then tries to generate another before actually starting the encryption??

    (events in reverse order)

1. BitLocker Drive Encryption is using software-based encryption to protect volume C:.

    2. A BitLocker key protector was created.
       Protector GUID: {51c12168-6205-4671-ae15-9b612d469e1f}
       Identification GUID: {2e5bed95-eef5-465b-a240-c7c8693942cb}

    3. BitLocker Drive Encryption recovery information for volume C: was backed up successfully to your Azure AD.
       Protector GUID: {51c12168-6205-4671-ae15-9b612d469e1f}.
       TraceId: {e588226f-54ba-42ca-9905-f3ca49928bbb}

    4. BitLocker successfully sealed a key to the TPM.
       PCRs measured include [7,11].

    5. A trusted WIM file has been added for volume C:.
       The SHA-256 hash of the WIM file is: 0xBFE5F878896AF624FAAD9BCD5BEA88988ACC9C8FF03B0CAF0DD49C42765F1853

    6. A BitLocker key protector was created.
       Protector GUID: {77a80019-d468-42a9-b873-3afb6946e666}
       Identification GUID: {2e5bed95-eef5-465b-a240-c7c8693942cb}

    7. The identification field was changed.
       Identification GUID: {2e5bed95-eef5-465b-a240-c7c8693942cb}

    8. Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
       TraceId: {5ebe8939-cbb6-49dd-af79-edb746f43c8f}
       Error: Unknown HResult Error code: 0x80072f9a

    9. The BitLocker volume C: was reverted to an unprotected state.

    10. Failed to enable Silent Encryption.
        Error: Unknown HResult Error code: 0x80072f9a.

The only other thing I can think of is that the update changed the Azure AD computer object in a way that allowed the encryption to happen (maybe because of the build change??).

    If anyone has any information to share, please do.


    MCSE Messaging, Productivity & Mobile MCSA Windows 8, 10, 2012 & Office 365 MCTS SCCM 2007 & 2012

    Wednesday, April 17, 2019 11:42 PM
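As an added example (not the poster's or Microsoft's code), a small Python script that walks the BitLocker-API event messages quoted above in the order listed, tracks each Protector GUID from creation to Azure AD backup, and reports protectors that were never escrowed along with the HRESULTs on the failure events. The sample event list is constructed from the post, and attributing the backup failure to the most recently created protector is an assumption of this script, not a documented behaviour of the event log.

```python
import re

# Constructed sample (not a real export): the ten BitLocker-API messages quoted
# in the post, one per line, in the order the post lists them.
SAMPLE_EVENTS = [
    "BitLocker Drive Encryption is using software-based encryption to protect volume C:.",
    "A BitLocker key protector was created. Protector GUID: {51c12168-6205-4671-ae15-9b612d469e1f}",
    "BitLocker Drive Encryption recovery information for volume C: was backed up successfully "
    "to your Azure AD. Protector GUID: {51c12168-6205-4671-ae15-9b612d469e1f}.",
    "BitLocker successfully sealed a key to the TPM. PCRs measured include [7,11].",
    "A trusted WIM file has been added for volume C:.",
    "A BitLocker key protector was created. Protector GUID: {77a80019-d468-42a9-b873-3afb6946e666}",
    "The identification field was changed.",
    "Failed to backup BitLocker Drive Encryption recovery information for volume C: to your "
    "Azure AD. Error: Unknown HResult Error code: 0x80072f9a",
    "The BitLocker volume C: was reverted to an unprotected state.",
    "Failed to enable Silent Encryption. Error: Unknown HResult Error code: 0x80072f9a.",
]

PROTECTOR_RE = re.compile(r"Protector GUID: (\{[0-9a-f-]+\})", re.I)
HRESULT_RE = re.compile(r"HResult Error code: (0x[0-9a-f]+)", re.I)

def analyse_bitlocker_events(messages):
    """Follow each key protector from creation to Azure AD escrow and collect failures.
    Returns {"protectors": {guid: {"created", "backed_up"}}, "reverted": bool,
             "failures": [(kind, protector_guid_or_None, hresult)]}."""
    protectors, failures, reverted, last_created = {}, [], False, None
    for msg in messages:
        m = PROTECTOR_RE.search(msg)
        guid = m.group(1).lower() if m else None
        hr = HRESULT_RE.search(msg)
        hresult = hr.group(1).lower() if hr else None
        if msg.startswith("A BitLocker key protector was created") and guid:
            protectors[guid] = {"created": True, "backed_up": False}
            last_created = guid
        elif "was backed up successfully" in msg and guid:
            protectors.setdefault(guid, {"created": False, "backed_up": False})["backed_up"] = True
        elif msg.startswith("Failed to backup"):
            # The backup-failure event names no protector; this example attributes it
            # to the most recently created one (an assumption, not an API guarantee).
            failures.append(("backup", last_created, hresult))
        elif msg.startswith("Failed to enable Silent Encryption"):
            failures.append(("silent_encryption", None, hresult))
        elif "reverted to an unprotected state" in msg:
            reverted = True
    return {"protectors": protectors, "failures": failures, "reverted": reverted}

def orphaned_protectors(report):
    """GUIDs of protectors created in this attempt whose recovery info never reached Azure AD."""
    return sorted(g for g, s in report["protectors"].items() if s["created"] and not s["backed_up"])
```

Run against the sample, the script flags the second protector as created but never backed up, which is the pattern the poster describes (a new key per attempt, then the backup failure and revert).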

All replies

  • Hello,

Before you revert the VM to a previous state, could you please delete the device from both the Intune and Azure AD devices, then revert it, and re-enroll the device.

    Just in case, you can just enable the silent encryption from the Endpoint Protection directly, and you don't need to deploy the BitLocker CSP policy.

    Best regards,

    Andy Liu


    Thursday, April 18, 2019 6:53 AM
  • On a VM as test you might also hit a problem I described in my blog here:

    Enabling BitLocker on non-HSTI devices with Intune
    https://oliverkieselbach.com/2018/10/23/enabling-bitlocker-on-non-hsti-devices-with-intune/

    If the VM does have the ISO still mounted when enabling BitLocker it goes wrong also.

    best,
    Oliver

    Thursday, April 18, 2019 7:44 PM
Hi Andy, thanks for the reply. I know I can use the endpoint protection; when I got the errors that was the first thing I tested, though the same happens. I can't delete the objects; if I do it will probably solve it, but that is unacceptable as a solution because if I need to do it on 50 devices at a client that will cause too much downtime. Oliver, as discussed before, an ISO is not the problem for this specific error. Thanks

    Thursday, April 18, 2019 10:56 PM
  • I have exactly the same problem! Have tried everything I can think of.

    Did you ever find what the cause was or at least a solution/workaround?

In the meantime, I have reverted to using a PowerShell script to get the job done.

    Thanks!

    /N

    Friday, April 26, 2019 9:28 AM
Have a ticket open with MS. Will update once I know more.

    Friday, April 26, 2019 10:41 AM
  • Hey any update from MS? I'm having the same issue trying to enable Silent Encryption on Surface devices
    Thursday, May 9, 2019 5:00 PM
Hey, not from my ticket, but someone else commented on a post in another thread that the next cumulative update should fix it. Once I hear back I will update.

    Thursday, May 9, 2019 9:24 PM
  • Update:

The cumulative update didn't fix it.

    Microsoft Support advised me to use this solution.

    https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2017/06/07/hardware-independent-automatic-bitlocker-encryption-using-aadmdm/

Will be testing the MSI soon, even though I don't like this solution.

    More to come...

    Thursday, May 16, 2019 1:59 AM
  • Microsoft have posted this:

    BitLocker Drive Encryption cannot silently encrypt drives on Windows 10, version 1809-based devices that join Azure AD domains https://support.microsoft.com/en-us/help/4501517/bitlocker-cannot-silently-encrypt-drives-on-azure-ad-joined-devices
    Thursday, May 16, 2019 11:59 PM
  • Hi Nick,

Thanks for that, but that is not the problem:

    "If other encryption methods are not disabled, the encryption process cannot back up the BitLocker recovery key to Azure AD. This failure, in turn, causes the encryption process to stop without encrypting any fixed drives. This issue occurs regardless of the user's permission level on the computer."

There are no other encryptions in place, and the key is being backed up to Azure AD. What happens is that every time it tries to encrypt it generates a new key, and after that it fails, saying it was able to generate the key (which is generated, because I can see a bunch in there and a new one every time the encryption kicks in).

    But thanks for the post anyway, it might help someone with that problem.

    Friday, May 17, 2019 12:45 AM
  • Are you sure you don't have other encryption in place, such as the Security Baselines in preview in Intune? They contain BitLocker settings as well.
    Friday, May 17, 2019 1:20 AM
  • Hey Nick.

Positive,

    I only use custom CSPs and I have only one policy to deploy all my settings.

    There are other discussions happening on Twitter and in the comment sections of other blogs; it seems that it occurs with the latest Win 10 1809 media available from the MS website. I haven't tested it, but someone said that if you use the Win 10 1809 from September 2018 (the one without any cumulatives installed) it always works.

    I did some other testing with a brand new deployment which was able to enable BitLocker (hence my settings should be OK), then I disabled it manually. The same error happens when it tries to re-encrypt.

    So something is definitely not as it should be.

    Let's wait for the fix from MS (just hope it comes soon).

    Friday, May 17, 2019 1:32 AM