Enable BitLocker Silently using Intune ( MEM )

Anonymous
2020-12-01T13:49:41.84+00:00

Hi, I would like to activate BitLocker in "silent" mode for all devices in Intune. Previously on some devices this functionality was implemented through SCCM. I then created a "Device collection" with pilot clients, and in cloud management I moved the workloads to Pilot Intune and then selected that collection.

![44133-sccm-bitl.jpg][1]

Currently in the pilot group I have inserted 4 different types of PCs, all with "Encryption readiness" as "Ready", extracting them from the report obtained from Monitor | Encryption report. The 4 pilot groups are as follows:

- devices with Encryption status = not encrypted
- devices with Encryption status = Encrypted
- TPM version = 1.2
- TPM version = 2

Following the documentation I then created the "BitLocker" configuration profile with the following settings:

![44062-image.png][2]

What I expected is that it would fail on devices with TPM 1.2 (both encrypted and not encrypted), that it would update the BitLocker key in Azure for devices already encrypted and with TPM 2.0, and that encryption would take place on TPM 2.0 devices that are not yet encrypted. The result was that it didn't work on any devices. For some the message is "Not applicable", for others "error". The most common error is the following: -2016281112 (Remediation failed). I don't understand if I got something wrong with the Intune configuration, or if it was down to SCCM.

Thank you,
Alfio Santoro

[1]: /api/attachments/44133-sccm-bitl.jpg?platform=QnA
[2]: /api/attachments/44062-image.png?platform=QnA


11 answers

  1. Stéphane Lalancette 191 Reputation points
    2020-12-08T20:28:33.323+00:00

    We also have the same exact issue for the same exact configuration.

    We've also tried with an Azure AD only device so that there's no conflicting policies and the results are the same..

    We're currently working with a Fast Track engineer to see what could cause that.

    1 person found this answer helpful.

  2. Crystal-MSFT 48,006 Reputation points Microsoft Vendor
    2020-12-02T02:23:04.56+00:00

    @Alfio Santoro, From your description, I know we get both "Not applicable" and "-2016281112 (Remediation failed)" errors.

    For "Not applicable", it means the prerequisites or requirements are not met, so it shows not applicable.

    For the "-2016281112 (Remediation failed)" error, it can be caused by many reasons. To narrow down the issue, we can check the Management and Operations logs in the Applications and Services Logs\Microsoft\Windows\BitLocker-API folder. Here is the link for reference: https://video2.skills-academy.com/en-us/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it. Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Anonymous
    2020-12-04T11:05:37.997+00:00

    Hi,

    In fact the most common error encountered, analyzing the Management and Operations logs of the clients in "error", is:

    "Failed to enable Silent Encryption. TPM is not available"

    Although the devices are on OS version 10.0.19042, with TPM 1.2 and Encryption readiness "Ready".
    If I were to ask for advice on how to encrypt these types of devices in silent mode, is there a solution?

    Another error encountered, again on devices with TPM 1.2 but with encryption already performed, is the following:

    Intune Group Policy prevents you from backing up the recovery password to Active Directory for this type of drive.

    So I was wondering if it was not necessary to also configure a policy in Endpoint security -> Disk encryption.

    Thank you for your support.

  4. Crystal-MSFT 48,006 Reputation points Microsoft Vendor
    2020-12-07T06:10:45.52+00:00

    @Alfio Santoro, For the TPM not available error, we can check if the TPM is turned on. To see more details, we can refer to the following link: https://video2.skills-academy.com/en-us/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm

    However, if the issue still persists, we suggest contacting the Windows support team to help on such an issue: https://video2.skills-academy.com/en-us/answers/topics/windows-10-security.html

    For the error "Intune Group Policy prevents you from backing up the recovery password to Active Directory for this type of drive.", I know there's a BitLocker policy configured under "Endpoint security -> Disk encryption". This will cause a conflict. We suggest keeping only one policy for this and removing the other one. Here is a link for reference: https://video2.skills-academy.com/en-us/mem/intune/protect/endpoint-security-policy#manage-conflicts

    Hope it can help.


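The two Microsoft answers above point at the same diagnostic data: TPM state (answer 4) and the BitLocker-API Management and Operational event logs (answer 2). The script below is an added example, not code from the thread or from Microsoft; it gathers those signals plus the OS drive's current BitLocker state on one device so a "Not applicable" or remediation failure can be triaged before any Intune policy is changed. It assumes an elevated PowerShell session on Windows 10 with the built-in TrustedPlatformModule and BitLocker modules; the function name is the author's own.

```powershell
# Added diagnostic example (not from the thread): collect TPM state, OS-drive BitLocker
# state and recent BitLocker-API warnings/errors in one object. Run elevated.
function Get-SilentEncryptionReadiness {
    param([int]$LookbackHours = 24)

    # TPM presence / enabled / ready (answer 4: "check if the TPM is turned on")
    $tpm  = Get-Tpm
    # SpecVersion reports the TPM family, e.g. "2.0, 0, 1.16" or "1.2, 2, 3"
    $spec = (Get-CimInstance -Namespace root/cimv2/security/microsofttpm `
                             -ClassName Win32_Tpm).SpecVersion

    # Current state of the OS drive: FullyDecrypted / FullyEncrypted, protection On / Off
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Warnings (3) and errors (2) from the two BitLocker-API logs the answers refer to.
    # The "Failed to enable Silent Encryption. TPM is not available" message from the
    # thread is logged here.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = foreach ($log in 'Microsoft-Windows-BitLocker/BitLocker Management',
                               'Microsoft-Windows-BitLocker/BitLocker Operational') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3; StartTime = $since } `
                     -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmEnabled        = $tpm.TpmEnabled
        TpmReady          = $tpm.TpmReady
        TpmSpecVersion    = $spec
        OsVolumeStatus    = $os.VolumeStatus
        OsProtection      = $os.ProtectionStatus
        # A recovery-password protector must exist before a key can be escrowed to Azure AD
        RecoveryProtector = [bool]($os.KeyProtector |
                                   Where-Object KeyProtectorType -eq 'RecoveryPassword')
        RecentErrors      = $events | Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
}

$r = Get-SilentEncryptionReadiness
$r | Select-Object -ExcludeProperty RecentErrors | Format-List
$r.RecentErrors | Format-Table -AutoSize -Wrap
```

A device that reports TpmPresent or TpmEnabled as False, or a BitLocker-API error naming the TPM, explains the "TPM is not available" failure without looking further at the Intune profile.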

  5. Stéphane Lalancette 191 Reputation points
    2020-12-21T18:36:17.333+00:00

    Hi, troubleshooting is not over yet, but it seems that the issue is with the following setting:

    50043-image.png

    Whenever this setting is set to Block, I get the error in this post, and if I set it to 'Not configured' the user gets a prompt to confirm there's no 3rd-party drive encryption and BitLocker starts encrypting (without having changed any other settings). (I know that it's no longer a silent encryption.)

    It's the same behavior as mentioned here:
    https://timmyit.com/2019/08/13/intune-issue-allow-standard-users-to-enable-encryption-during-azure-ad-join/

    But the workaround and/or the fix on the Intune side doesn't seem to work.

    I'll check back with Fast track to see if they have more information about this behavior.

