Enforcing BitLocker policies by using Intune: known issues

This article helps you troubleshoot issues that may occur when you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.

Screenshot showing the BitLocker status indicators on the Intune portal.

To start narrowing down the cause of the problem, review the event logs as described in Troubleshoot BitLocker. Concentrate on the Management and Operations logs in the Applications and Services logs > Microsoft > Windows > BitLocker-API folder. The following sections provide more information about how to resolve the indicated events and error messages:

If there's no clear trail of events or error messages to follow, other areas to investigate include the following:

For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see Verifying that BitLocker is operating correctly.

Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer

Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device doesn't appear to have a TPM. The event information will be similar to the following event:

Screenshot of details of event ID 853 (TPM is not available, cannot find TPM).

Cause of Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer

The device that is being secured may not have a TPM chip, or the device BIOS might have been configured to disable the TPM.

Resolution for Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer

To resolve this issue, verify the following configurations:

  • The TPM is enabled in the device BIOS.
  • The TPM status in the TPM management console is one of the following:
    • Ready (TPM 2.0)
    • Initialized (TPM 1.2)

For more information, see Troubleshoot the TPM.

Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer

In this case, event ID 853 is displayed, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.

Screenshot of details of event ID 853 (TPM is not available, bootable media found).

Cause of Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer

During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if the media is removed), BitLocker recovery mode automatically starts.

To avoid this situation, the provisioning process stops if it detects removable bootable media.

Resolution for Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer

Remove the bootable media, and restart the device. After the device restarts, verify the encryption status.

Event ID 854: WinRE is not configured

The event information resembles the following error message:

Failed to enable Silent Encryption. WinRe is not configured.

Error: This PC cannot support device encryption because WinRE is not properly configured.

Cause of Event ID 854: WinRE is not configured

Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device can't start the regular Windows operating system, the device tries to start WinRE.

The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.

If WinRE isn't available on the device, provisioning stops.

Resolution for Event ID 854: WinRE is not configured

This issue can be resolved by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration by following these steps:

Step 1: Verify the configuration of the disk partitions

The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.

Screenshot of the default disk partitions, including the recovery partition.

To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands:

diskpart.exe
list volume

Screenshot of the output of the list volume command from Diskpart.

If the status of any of the volumes isn't healthy or if the recovery partition is missing, Windows may need to be reinstalled. Before reinstalling Windows, check the configuration of the Windows image that is being provisioned. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Configuration Manager):

Screenshot of Windows image configuration in Microsoft Configuration Manager.

Step 2: Verify the status of WinRE

To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:

reagentc.exe /info

The output of this command resembles the following.

Screenshot of the output of the reagentc.exe /info command.

If the Windows RE status isn't Enabled, run the following command to enable it:

reagentc.exe /enable

Step 3: Verify the Windows Boot Loader configuration

If the partition status is healthy, but the reagentc.exe /enable command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID by running the following command in an elevated Command Prompt window:

bcdedit.exe /enum all

The output of this command will be similar to the following output:

Screenshot of the output of the bcdedit /enum all command.

In the output, locate the Windows Boot Loader section that includes the line identifier={current}. In that section, locate the recoverysequence attribute. The value of this attribute should be a GUID value, not a string of zeros.
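The three steps above can be run together from an elevated PowerShell window. The following script is an added example, not code from this article or from Microsoft; it assumes PowerShell 5.1 or later with the built-in Storage module, English-language output from reagentc.exe (its status text is localized), and a GPT system disk on which the Storage module reports the recovery partition with the type Recovery.

```powershell
# Added example (not from the article): automate the Event ID 854 checks
# (recovery partition health, Windows RE status, recoverysequence GUID).
# Assumes: elevated PowerShell 5.1+, Storage module, English reagentc output.

function Test-WinReReadiness {
    [CmdletBinding()]
    param()

    # Step 1: a recovery partition exists and its volume is healthy.
    # On GPT disks the Storage module reports the partition Type as 'Recovery'.
    $recoveryPartitions = Get-Partition | Where-Object { $_.Type -eq 'Recovery' }
    $recoveryHealthy = $false
    foreach ($part in $recoveryPartitions) {
        $vol = $part | Get-Volume -ErrorAction SilentlyContinue
        if ($vol -and $vol.HealthStatus -eq 'Healthy') { $recoveryHealthy = $true }
    }

    # Step 2: reagentc /info prints a line such as "Windows RE status: Enabled".
    $reStatus = 'Unknown'
    foreach ($line in (& reagentc.exe /info)) {
        if ($line -match 'Windows RE status:\s*(\S+)') { $reStatus = $Matches[1] }
    }

    # Step 3: in the bcdedit /enum all output, find the entry whose identifier
    # is {current} and read its recoverysequence element. Each entry starts
    # with an "identifier" line, so that line decides which entry we are in.
    $inCurrent = $false
    $recoverySequence = $null
    foreach ($line in (& bcdedit.exe /enum all)) {
        if ($line -match '^identifier\s+(\S+)') {
            $inCurrent = ($Matches[1] -eq '{current}')
        }
        elseif ($inCurrent -and $line -match '^recoverysequence\s+(\S+)') {
            $recoverySequence = $Matches[1]
        }
    }
    # A valid value is a GUID in braces that is not all zeros.
    $zeroGuid = '{00000000-0000-0000-0000-000000000000}'
    $recoverySequenceValid = ($recoverySequence -match '^\{[0-9a-f-]{36}\}$') -and
                             ($recoverySequence -ne $zeroGuid)

    [pscustomobject]@{
        RecoveryPartitionFound   = [bool]$recoveryPartitions
        RecoveryPartitionHealthy = $recoveryHealthy
        WindowsReStatus          = $reStatus
        RecoverySequence         = $recoverySequence
        RecoverySequenceValid    = $recoverySequenceValid
        ReadyForSilentEncryption = $recoveryHealthy -and
                                   ($reStatus -eq 'Enabled') -and
                                   $recoverySequenceValid
    }
}

# Usage: run the check and act on the result as the three steps describe.
$check = Test-WinReReadiness
$check | Format-List
if ($check.RecoveryPartitionHealthy -and $check.WindowsReStatus -ne 'Enabled') {
    Write-Host 'Windows RE is not enabled; run "reagentc.exe /enable" from an elevated prompt.'
}
```

If RecoveryPartitionFound is false or the partition is not healthy, the script reports it but does not try to repair anything; as the article says, that case usually means the image's disk configuration has to be corrected and Windows reinstalled.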

Event ID 851: Contact the manufacturer for BIOS upgrade instructions

The event information will be similar to the following error message:

Failed to enable Silent Encryption.

Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.

Cause of Event ID 851: Contact the manufacturer for BIOS upgrade instructions

The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption doesn't support legacy BIOS.

Resolution for Event ID 851: Contact the manufacturer for BIOS upgrade instructions

To verify the BIOS mode, use the System Information application by following these steps:

  1. Select Start, and enter msinfo32 in the Search box.

  2. Verify that the BIOS Mode setting is UEFI and not Legacy.

    Screenshot of the System Information app, showing the BIOS Mode setting.

  3. If the BIOS Mode setting is Legacy, the firmware needs to be switched to UEFI (EFI) mode. The steps for switching to UEFI mode are specific to the device.

    Note

    If the device supports only Legacy mode, Intune can't be used to manage BitLocker Device Encryption on the device.

Error message: The UEFI variable 'SecureBoot' could not be read

An error message similar to the following error message is displayed:

Error: BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.

Cause of Error message: The UEFI variable 'SecureBoot' could not be read

A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.

Resolution for Error message: The UEFI variable 'SecureBoot' could not be read

This issue can be resolved by verifying the PCR validation profile of the TPM and the secure boot state by following these steps:

Step 1: Verify the PCR validation profile of the TPM

To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:

Manage-bde.exe -protectors -get %systemdrive%

In the TPM section of the output of this command, verify whether the PCR Validation Profile setting includes 7, as follows:

Screenshot of the output of the manage-bde.exe command.

If PCR Validation Profile doesn't include 7 (for example, the values include 0, 2, 4, and 11, but not 7), then secure boot isn't turned on.

Screenshot of the output of the manage-bde command when PCR 7 is not present.

Step 2: Verify the secure boot state

To verify the secure boot state, use the System Information application by following these steps:

  1. Select Start, and enter msinfo32 in the Search box.

  2. Verify that the Secure Boot State setting is On, as follows:

    Screenshot of the System Information app, showing an unsupported Secure Boot State.

  3. If the Secure Boot State setting is Unsupported, Silent BitLocker Encryption can't be used on the device.

    Screenshot of the System Information app, showing an unsupported Secure Boot State.

Note

The Confirm-SecureBootUEFI PowerShell cmdlet can also be used to verify the Secure Boot state by opening an elevated PowerShell window and running the following command:

Confirm-SecureBootUEFI

If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."

If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."

If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
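The hardware prerequisites covered by Event ID 853 (a usable TPM), Event ID 851 (UEFI firmware) and the 'SecureBoot' variable error (Secure Boot on, PCR 7 in the validation profile) can be checked in one pass. The following script is an added example, not code from this article or from Microsoft. It assumes an elevated PowerShell 5.1 or later session on Windows 10 or 11, the TrustedPlatformModule and SecureBoot modules that ship with Windows, and English-language output from manage-bde.exe (which is localized); the PCR profile can only be read once the OS drive already has a TPM protector.

```powershell
# Added example (not from the article): check the TPM, firmware mode,
# Secure Boot state and PCR validation profile prerequisites for silent
# BitLocker encryption. Assumes elevated PowerShell 5.1+ on Windows 10/11.

function Test-SilentEncryptionPrerequisites {
    [CmdletBinding()]
    param()
    $r = [ordered]@{}

    # Event ID 853: TPM presence and readiness. TpmReady corresponds to the
    # "Ready" state shown in the TPM management console.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r.TpmPresent = $tpm.TpmPresent
        $r.TpmReady   = $tpm.TpmReady
    }
    catch {
        $r.TpmPresent = $false
        $r.TpmReady   = $false
    }
    # TPM specification version ("2.0" or "1.2") from the Win32_Tpm WMI class.
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmSpecVersion = if ($tpmWmi) { $tpmWmi.SpecVersion } else { $null }

    # Event ID 851: Windows sets $env:firmware_type to 'UEFI' or 'Legacy'.
    $r.FirmwareType = $env:firmware_type

    # Secure Boot state. Confirm-SecureBootUEFI returns $true/$false on UEFI
    # systems and throws on legacy BIOS ("Cmdlet not supported on this platform").
    try {
        $r.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    }
    catch {
        $r.SecureBoot = 'Unsupported'
    }

    # PCR validation profile of the existing TPM protector. manage-bde prints
    # the PCR list on the line that follows "PCR Validation Profile:".
    $pcrs = @()
    $nextIsPcrList = $false
    $mbde = & manage-bde.exe -protectors -get $env:SystemDrive 2>&1
    foreach ($line in $mbde) {
        if ($nextIsPcrList) {
            if ($line -match '^\s*(\d+(\s*,\s*\d+)*)\s*$') {
                $pcrs = @($Matches[1] -split '\s*,\s*' | ForEach-Object { [int]$_ })
            }
            $nextIsPcrList = $false
        }
        elseif ($line -match 'PCR Validation Profile:') {
            $nextIsPcrList = $true
        }
    }
    $r.PcrValidationProfile = $pcrs
    # $false also when no TPM protector exists yet (nothing to read).
    $r.Pcr7InUse = $pcrs -contains 7

    $r.MeetsPrerequisites = $r.TpmPresent -and $r.TpmReady -and
                            ($r.FirmwareType -eq 'UEFI') -and
                            ($r.SecureBoot -eq $true)
    [pscustomobject]$r
}

Test-SilentEncryptionPrerequisites | Format-List
```

MeetsPrerequisites deliberately does not include Pcr7InUse: on a drive that has not been encrypted yet there is no protector to inspect, so an empty profile is expected rather than a fault. A profile such as 0, 2, 4, 11 on an already protected drive is the case the article describes, where Secure Boot was off when the protector was created.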

Event ID 846, 778, and 851: Error 0x80072f9a

Consider the following scenario:

Intune policy is being deployed to encrypt a Windows 10, version 1809 device, and the recovery password is being stored in Microsoft Entra ID. As part of the policy configuration, the Allow standard users to enable encryption during Microsoft Entra join option has been selected.

The policy deployment fails and the failure generates the following events in Event Viewer in the Applications and Services Logs > Microsoft > Windows > BitLocker API folder:

Event ID: 846

Event: Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Microsoft Entra ID.

TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3} Error: Unknown HResult Error code: 0x80072f9a

Event ID: 778

Event: The BitLocker volume C: was reverted to an unprotected state.

Event ID: 851

Event: Failed to enable Silent Encryption.

Error: Unknown HResult Error code: 0x80072f9a.

These events refer to Error code 0x80072f9a.

Cause of Event ID 846, 778, and 851: Error 0x80072f9a

These events indicate that the signed-in user doesn't have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.

The issue affects Windows 10 version 1809.

Resolution for Event ID 846, 778, and 851: Error 0x80072f9a

To resolve this issue, install the May 21, 2019 update.

Error message: There are conflicting group policy settings for recovery options on operating system drives

An error message similar to the following error message is displayed:

Error: BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker…

Resolution for Error message: There are conflicting group policy settings for recovery options on operating system drives

To resolve this issue, review the group policy object (GPO) settings for conflicts. For more information, see the next section, Review BitLocker policy configuration.

For more information about GPOs and BitLocker, see BitLocker Group Policy Reference.

Review BitLocker policy configuration

For information about the procedure to use policy together with BitLocker and Intune, see the following resources:

Intune offers the following enforcement types for BitLocker:

  • Automatic (Enforced when the device joins Microsoft Entra ID during the provisioning process. This option is available in Windows 10 version 1703 and later.)
  • Silent (Endpoint protection policy. This option is available in Windows 10 version 1803 and later.)
  • Interactive (Endpoint policy for Windows versions that are older than Windows 10 version 1803.)

If the device runs Windows 10 version 1703 or later, supports Modern Standby (also known as Instant Go), and is HSTI-compliant, joining the device to Microsoft Entra ID triggers automatic device encryption. A separate endpoint protection policy isn't required to enforce device encryption.

If the device is HSTI-compliant but doesn't support Modern Standby, an endpoint protection policy has to be configured to enforce silent BitLocker drive encryption. The settings for this policy should be similar to the following settings:

Screenshot of the Intune policy settings showing Encrypt devices required.

The OMA-URI references for these settings are as follows:

  • OMA-URI: ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
    Value Type: Integer
    Value: 1 (1 = Require, 0 = Not Configured)

  • OMA-URI: ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption
    Value Type: Integer
    Value: 0 (0 = Blocked, 1 = Allowed)

Note

Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, an endpoint protection policy can be used to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.

Note

If the Warning for other disk encryption setting is set to Not configured, the BitLocker drive encryption wizard has to be manually started.

If the device doesn't support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. When the user selects the notification, it will start the BitLocker Drive Encryption wizard.

Intune provides settings that can be used to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements:

  • Be HSTI-compliant
  • Support Modern Standby
  • Use Windows 10 version 1803 or later

Screenshot of the Intune policy setting showing Allow standard users to enable encryption during Microsoft Entra join.

The OMA-URI references for these settings are as follows:

  • OMA-URI: ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption
    Value Type: Integer
    Value: 1

Note

This node works together with the RequireDeviceEncryption and AllowWarningForOtherDiskEncryption nodes. For this reason, when the following settings are set:

  • RequireDeviceEncryption to 1
  • AllowStandardUserEncryption to 1
  • AllowWarningForOtherDiskEncryption to 0

Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles.

Verifying that BitLocker is operating correctly

During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845.

Screenshot of the Event ID 796 with detailed information.

Screenshot of the Event ID 845 with detailed information.

To determine whether the BitLocker recovery password has been uploaded to Microsoft Entra ID, check the device details in the Microsoft Entra Devices section.

Screenshot of the BitLocker recovery information as viewed in Microsoft Entra ID.

On the device, use Registry Editor to verify the policy settings that were delivered. Check the entries under the following subkeys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device

Screenshot of the Registry subkeys that relate to Intune policy.
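The policy values listed under Review BitLocker policy configuration and the verification steps in this section can be combined into one script that reads the PolicyManager subkey, maps the value combination to the behaviour the article describes, and collects the BitLocker-API events named above. This is an added example, not code from this article or from Microsoft; it assumes an elevated PowerShell 5.1 or later session on an Intune-enrolled Windows 10 or 11 device with the BitLocker module available, and that the event log name Microsoft-Windows-BitLocker/BitLocker Management corresponds to the Management log shown in Event Viewer under BitLocker-API.

```powershell
# Added example (not from the article): read the Intune BitLocker CSP values
# from the registry, derive the expected enforcement behaviour, and list the
# BitLocker-API Management events the article refers to.
# Assumes elevated PowerShell 5.1+ on an Intune-enrolled Windows 10/11 device.

function Get-BitLockerPolicyStatus {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 20
    )

    # Intune writes CSP values under this subkey; a missing value reads as $null.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    $names = 'RequireDeviceEncryption', 'AllowWarningForOtherDiskEncryption',
             'AllowStandardUserEncryption'
    $policy = [ordered]@{}
    foreach ($name in $names) {
        $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
        $policy[$name] = if ($item) { $item.$name } else { $null }
    }

    # Map the value combinations the article describes to the expected behaviour:
    # RequireDeviceEncryption=1 and AllowWarningForOtherDiskEncryption=0 give
    # silent encryption; adding AllowStandardUserEncryption=1 extends it to
    # Autopilot devices with standard users; a warning setting that is allowed
    # or not configured leaves the user to start the BitLocker wizard.
    $mode = if ($policy.RequireDeviceEncryption -ne 1) {
        'Encryption not required by policy'
    }
    elseif ($policy.AllowWarningForOtherDiskEncryption -eq 0) {
        if ($policy.AllowStandardUserEncryption -eq 1) {
            'Silent encryption, including Autopilot devices with standard users'
        }
        else {
            'Silent encryption'
        }
    }
    else {
        'Encryption required, but the user has to start the BitLocker wizard'
    }

    # 796 and 845 appear in normal operation; 846, 778, 851, 853 and 854 are the
    # failure events discussed in the article. Only the first message line is kept.
    $eventIds = 796, 845, 846, 778, 851, 853, 854
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
                  Id      = $eventIds
              } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id,
                  @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }

    # Actual protection state of the OS drive, to compare with what policy expects.
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Policy                = [pscustomobject]$policy
        ExpectedBehaviour     = $mode
        OsDriveProtection     = if ($osVolume) { $osVolume.ProtectionStatus } else { 'Unknown' }
        OsDriveEncryptedPct   = if ($osVolume) { $osVolume.EncryptionPercentage } else { $null }
        RecentBitLockerEvents = $events
    }
}

# Usage: a device whose ExpectedBehaviour is silent encryption but whose
# OsDriveProtection is Off, with 846/778/851 events present, is the scenario
# the article's troubleshooting sections cover.
$status = Get-BitLockerPolicyStatus
$status | Select-Object ExpectedBehaviour, OsDriveProtection, OsDriveEncryptedPct | Format-List
$status.Policy | Format-List
$status.RecentBitLockerEvents | Format-Table -AutoSize
```

Whether the recovery password actually reached Microsoft Entra ID cannot be confirmed from the device alone; the script surfaces the backup-related events, but the Microsoft Entra Devices view described above remains the place to confirm the upload.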