In one of my latest blog posts I wrote about modern desktop deployment. One of the paragraphs was about security and the ability to fully automate disk encryption on Azure AD joined, Intune managed devices.
At one of our customers we are implementing Intune to manage the laptops and ran into a problem with this silent encryption process. I'd like to share my findings in this blog post and what setting resolved our issue.
Failed to enable silent encryption
In this environment we are testing modern desktop deployment using Windows AutoPilot. So the user authenticates to Azure AD, the device is joined to Azure AD and automatically enrolled in Intune.
We created an Endpoint Protection policy with some Windows encryption settings. One of the encryption settings we set is Encrypt devices (to Require), which corresponds to the BitLocker CSP setting RequireDeviceEncryption set to value 1.
We also set Warning for other disk encryption to Block, which corresponds to the BitLocker CSP setting AllowWarningForOtherDiskEncryption set to 0.
As stated on Microsoft docs here, on Windows 10 1803 and newer devices Windows will attempt to silently enable BitLocker with those settings.
Because we don't have devices with InstantGo or HSTI hardware, but we are piloting Windows 10 1809 devices, we also set AllowStandardUserEncryption with a value of 1.
The Intune policies were successfully applied and the first pilot devices were indeed successfully encrypted without any user action. But when we tested some more devices with the same settings (and the same hardware), BitLocker wasn't enabled by default.
In the BitLocker-API event log on these devices, we saw several errors and warnings.
One of the errors we saw repeatedly was event 846:
Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
The error was followed by a warning, event 778:
The BitLocker volume C: was reverted to an unprotected state.
Strangely enough, when we looked up the device under the user's account in Azure AD, it showed us the BitLocker recovery key. And a recovery key wasn't available just once, but several times!
Event 845 confirmed the recovery information was indeed uploaded to Azure AD, contrary to what event 846 told us:
BitLocker Drive Encryption recovery information for volume C: was backed up successfully to your Azure AD.
Because these events completely contradict each other and the recovery information was written to Azure AD, we didn't immediately have an idea where to begin our troubleshooting. We searched the internet for those events. We also checked the online documentation in case we had missed a requirement for silently enabling encryption. It couldn't be a hardware requirement: the hardware is all equal, and still on some devices it worked as expected and on some it did not. We compared the TPM versions on several devices and noticed we had both TPM 1.2 and 2.0. So we ran a TPM update on some of our test devices, without luck. We went through the BIOS (which is UEFI) searching for differences. After a while we noticed Secure Boot was disabled on some devices. With that in mind I took one of the machines and opened the BitLocker-API log again. I remembered I had seen an Information event saying that BitLocker wasn't able to use Secure Boot.
BitLocker cannot use Secure Boot for integrity because the required UEFI variable 'PK' is not present.
Because it was an Information event and not an error or warning, we hadn't paid much attention to it, but we decided to turn on Secure Boot on a few devices. And yes, now the machines were able to silently start encryption without any user interaction!
On a few devices which still didn't work as expected, we noticed an older BIOS version. After upgrading the BIOS of those devices to the latest version, all our devices started silent encryption.
Conclusion for us:
Turn on Secure Boot and update your BIOS!
And if you are upgrading your BIOS, update your TPM to 2.0 😉
NB: I recommend testing silent encryption on physical hardware and NOT on a virtual machine. I have tested silent encryption on several VMs and it was very unstable!
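To check the prerequisites from this post on a single device before digging through the event viewer, here is an added diagnostic script (not part of the original post, and not an Intune or Microsoft tool). It assumes the MDM-applied BitLocker CSP values are visible under the PolicyManager registry key and that the BitLocker-API log's full name is 'Microsoft-Windows-BitLocker/BitLocker Management'; the event IDs 845, 846 and 778 are the ones quoted above.

```powershell
# Added diagnostic script (not from the original post): reports Secure Boot, TPM,
# applied BitLocker CSP values, OS volume state and the BitLocker-API events the post
# discusses. Run in an elevated PowerShell on a Windows 10 1803+ device.
$report = [ordered]@{}

# 1. Secure Boot: the post found silent encryption only started once this was on.
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = "not available ($($_.Exception.Message))" }

# 2. TPM presence and spec version (post recommends 2.0). Win32_Tpm.SpecVersion
#    reads like "2.0, 0, 1.38"; the first field is the spec version.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$report.TpmPresent     = [bool]$tpm
$report.TpmSpecVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'n/a' }

# 3. BitLocker CSP values as applied by Intune. Assumption: MDM policy lands under
#    this PolicyManager key; values are empty if the policy never arrived.
$csp = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
foreach ($name in 'RequireDeviceEncryption', 'AllowWarningForOtherDiskEncryption', 'AllowStandardUserEncryption') {
    $report[$name] = (Get-ItemProperty -Path $csp -Name $name -ErrorAction SilentlyContinue).$name
}

# 4. Current state of the OS volume (was it encrypted, then reverted?).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.VolumeStatus     = $os.VolumeStatus
$report.ProtectionStatus = $os.ProtectionStatus
$report.KeyProtectors    = ($os.KeyProtector.KeyProtectorType -join ', ')

# 5. The BitLocker-API events discussed in the post (newest first).
#    Assumption: the log's full name as given below.
$log    = 'Microsoft-Windows-BitLocker/BitLocker Management'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 778, 845, 846 } -MaxEvents 20 -ErrorAction SilentlyContinue

# The Secure Boot / 'PK' message is only an Information event, so search it by text.
$pk = Get-WinEvent -LogName $log -MaxEvents 500 -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match 'Secure Boot' } | Select-Object -First 1

[pscustomobject]$report | Format-List
$events | Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } | Format-Table -AutoSize
if ($pk) { Write-Warning "Secure Boot not usable for integrity: $($pk.Message.Split("`n")[0])" }
```

A device that shows SecureBoot False together with a recent 846 followed by 778 matches the failure pattern described in this post.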
Thanks for sharing; this is indeed great information.
I too am running a pilot on Windows 1803 but am facing a lot of issues because of admin rights, and I want silent encryption for all my devices.
Can you please tell me how you enrolled your devices in Intune without giving users admin rights? In my case we have hybrid Azure AD joined devices and I am trying enrolment through GPO, which is not working with standard user rights.
We are now running on Windows 10 1809, Azure AD joined, Intune cloud only. At this customer the users are admin on the laptop, but everything is fully automated, no user action taken to start BitLocker. But I have already implemented this in another environment with standard users.
Thank you for replying, I am currently stuck at Win10 1803 enrollment to Intune due to hybrid AD join as it does not show up device owner in Azure AD.
I have been researching this for quite a long time but have had no luck with automatic device enrolment to Intune. Below are the issues I am facing.
I will have this checked with standard users, as we cannot give our users admin rights due to our security policies.
Like in the article you mentioned your devices are hybrid Azure AD joined, but not enrolled in Intune?
As far as I know, hybrid Azure AD joined devices don't show a (device) owner.
Hope you are well.
An MS support engineer informed me that hybrid does not support silent encryption, but the engineer was not very confident in what he was saying…
I have a quick question for you: have you done silent encryption on hybrid Azure AD joined Windows 10 devices?
Yes, months ago I did silent encryption in a hybrid AAD environment. First in a lab and, after that worked fine, I implemented it at the customer. I must say at first it didn't work either, but after working with an MS engineer we were both able to configure silent encryption. The encryption settings used in Intune are exactly the same as when I do silent encryption on an AAD joined device. That MS engineer never mentioned it is not supported in a hybrid AAD environment. The only thing we noticed: the user is unable to read the recovery key from his AAD account. When the recovery key is needed, the user needs to contact an admin.
We are now running on Windows 10 1809, Azure AD joined, Intune cloud only. At this customer the users are admin on the laptop, but everything is fully automated, no user action taken to start BitLocker.
However, we faced an issue where BitLocker wouldn't silently install. It happens on the Lenovo X280. Could you share some experiences related to the problem? What would be the root cause?
But on the same model X280, if we install Windows 10 1803, the silent BitLocker encryption is working fine.
Yes, there was a known issue with 1809 not encrypting. Maybe that will fix your problem.
Have a look at this KB: https://support.microsoft.com/en-us/help/4497934/windows-10-update-kb4497934
I have browsed some KB articles, especially for the version that I am currently running, yet I didn't find what they say about the issue I had. Version 1809 (OS Build 17763.437).
Any solutions to resolve it?
You're not running the latest build, give installing KB4497934 a try. That article mentions fixing a BitLocker issue.
I’ve been running into this issue quite a bit at my work place.
Secure boot is annoying. If someone leaves a USB plugged in, they will be presented with Bitlocker recovery. What should be done is setting which protectors are used for Bitlocker via group policy. I stumbled on this page when I was looking for which they were.
There’s a requirement for Secure-boot with TPM 2.0 I think.
There’s also an issue with some Lenovo machines that require a TPM chip firmware update to work correctly.
Oh, and another thing: major Windows updates, unabashed, disable BitLocker.
Worse, the updates fail, and in some cases leave the computer with BitLocker suspended.
I first saw this notice in the BitLocker logs while trying to figure out why this was happening.