Intune Policy for Bitlocker Encryption.

Antony Maxwin 20 Reputation points
2026-04-01T14:30:34.0433333+00:00

Hi

We are trying to push an Intune policy to enable BitLocker encryption on all the user machines.

Initially it shows as success, but later the encryption fails.

Is there any way that we can get it done with an Intune policy?

Microsoft Security | Intune | Compliance

2 answers

  2. Q&A Assist
    2026-04-01T14:31:06.2866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Use of Intune to enable BitLocker on all user machines is supported, but the failures must be diagnosed and the policy/hardware prerequisites corrected. Use the following approach.

    1. Use the Intune Encryption report to identify failure type
    • In the Microsoft Intune admin center, go to Devices > Monitor > Encryption report.
    • Check each device’s status:
      • Encrypted / Ready: Meets prerequisites and is encrypted or can be encrypted.
      • Not ready: Does not meet prerequisites for silent encryption (for example, TPM not present/active).
    • This helps distinguish between:
      1. Hardware/software not meeting BitLocker prerequisites.
      2. Intune BitLocker policy misconfiguration or GPO conflicts.
      3. Device already encrypted with a method that doesn’t match the policy.
    2. Verify BitLocker policy configuration for silent encryption
    For silent BitLocker encryption via Intune, verify the key BitLocker CSP settings:
    • ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption = 1 (Require)
    • ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption = 0 (Blocked)
    • For Autopilot/standard users, also:
      • ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption = 1

    When these are set as described and hardware supports it, Intune can enforce silent BitLocker encryption. If AllowWarningForOtherDiskEncryption is Not configured, the BitLocker wizard must be started manually and silent encryption will not occur.

    3. Confirm device prerequisites
    From the client-side troubleshooting guidance, most failures are due to missing prerequisites:
    • TPM not present or not enabled/activated in firmware.
    • Windows Recovery Environment (WinRE) not enabled.
    • UEFI BIOS not enabled (for TPM 2.0 devices).
    • Device not HSTI-compliant or not supporting Modern Standby when those are required for the chosen silent-encryption method.

    Use the BitLocker-API event log to confirm which prerequisite is missing:

    • On the device, open Event Viewer > Applications and Services Logs > Microsoft > Windows > BitLocker-API.
    • Look for errors such as:
      • Event ID 853 (no compatible TPM).
      • Event ID 854 (WinRE not configured).
      • Errors about Secure Boot/UEFI.
    4. Verify that Intune policy is applied correctly
    If the encryption report shows “Success” initially and then failure, confirm that the policy is actually being processed and that no CSP errors occur:

    a. Force a sync

    • On the device: Settings > Accounts > Access work or school > [work/school account] > Info > Sync.

    b. Check MDM agent log

    • Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
    • Filter by Critical/Error/Warning and search for BitLocker or CSP paths like:
      • ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
    • Fix any CSP processing errors (for example, invalid combinations of settings, conflicting policies).

    c. Check BitLocker-API log

    • If MDM policy is processed successfully but encryption fails, the BitLocker-API log will show why (TPM, WinRE, BIOS, Secure Boot, etc.). Correct the underlying hardware/OS configuration and re-sync.
    5. Handle devices already encrypted or with mismatched settings
    If a device is already encrypted manually or with different settings, Intune may show an error state even though the drive is encrypted:
    • In such cases, decrypt the device manually or via PowerShell.
    • After decryption, let the Intune BitLocker policy re-encrypt the device so that the encryption method and settings match the policy.
    6. Use the Task Scheduler log if encryption never starts
    If:
    • The policy appears in the DeviceManagement-Enterprise-Diagnostics-Provider log and registry, and
    • There are no errors there, but
    • Nothing appears in BitLocker-API (encryption never starts),

    then enable the Task Scheduler operational log:

    • Event Viewer > Applications and Services Logs > Microsoft > Windows > TaskScheduler > Operational (right-click > Enable Log).
    • Look for issues with the BitLocker MDM policy Refresh scheduled task and correct them.
    7. General guidance
    • Avoid configuring startup PINs/keys in policies intended for silent encryption, because they require user interaction and will block silent enablement.
    • Ensure there are no conflicting on-premises Group Policies for BitLocker if devices are hybrid-joined.
    • After fixing prerequisites and policy configuration, re-sync devices and monitor the Intune encryption report until they show as encrypted.

    Following these steps allows BitLocker to be reliably enabled and managed via Intune policy, provided that each device meets the hardware/software requirements and the BitLocker CSP settings are configured correctly.

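The device-side checks in steps 3 to 6 above, collected into one script. This is an added example, not code from the answer or from Microsoft; it assumes an elevated PowerShell on an English-language Windows 10/11 device, and the PolicyManager registry path and the task path '\Microsoft\Windows\BitLocker\' are assumptions rather than values taken from the answer.

```powershell
# Added example, not from the original answer: runs the device-side checks the answer
# lists (TPM, UEFI/Secure Boot, WinRE, delivered CSP value, volume state, BitLocker-API
# and MDM diagnostic events, refresh task) and returns them as a list of findings.
# Assumed: elevated PowerShell on English Windows 10/11; the PolicyManager registry path
# and the task path '\Microsoft\Windows\BitLocker\' are assumptions, not from the answer.
function Test-BitLockerIntunePrereqs {
    $f = [System.Collections.Generic.List[string]]::new()
    $since = (Get-Date).AddDays(-7)
    # TPM present and ready (a missing TPM surfaces as BitLocker-API Event ID 853)
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $f.Add("TPM not usable: present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)")
    }
    # UEFI firmware and Secure Boot (required for TPM 2.0 silent encryption)
    if ($env:firmware_type -ne 'UEFI') { $f.Add("Firmware mode is $env:firmware_type, not UEFI") }
    try { if (-not (Confirm-SecureBootUEFI)) { $f.Add('Secure Boot is disabled') } }
    catch { $f.Add("Secure Boot state unavailable: $($_.Exception.Message)") }
    # WinRE enabled (missing WinRE surfaces as Event ID 854); reagentc output is localized
    if (((reagentc /info) -join "`n") -notmatch 'Windows RE status:\s+Enabled') {
        $f.Add('WinRE is not enabled; run "reagentc /enable" and re-sync')
    }
    # Was the CSP value actually written by the MDM client? (registry path is an assumption)
    $csp = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    $req = (Get-ItemProperty -Path $csp -ErrorAction SilentlyContinue).RequireDeviceEncryption
    if ($req -ne 1) { $f.Add("RequireDeviceEncryption=$req under $csp (expected 1); check MDM sync") }
    # Current OS volume state, to spot pre-existing encryption with mismatched settings
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $f.Add("OS volume: $($os.VolumeStatus) $($os.EncryptionPercentage)% method=$($os.EncryptionMethod) " +
           "protectors=$(($os.KeyProtector.KeyProtectorType) -join ',')")
    # Recent errors from the two event channels the answer points at
    $logs = @{ 'BitLocker-API' = 'Microsoft-Windows-BitLocker/BitLocker Management'
               'MDM'           = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' }
    foreach ($name in $logs.Keys) {
        Get-WinEvent -FilterHashtable @{ LogName = $logs[$name]; Level = 2; StartTime = $since } `
            -ErrorAction SilentlyContinue |
          Where-Object { $name -eq 'BitLocker-API' -or $_.Message -match 'BitLocker' } |
          Select-Object -First 5 |
          ForEach-Object { $f.Add("[$name] $($_.TimeCreated) id=$($_.Id): $(($_.Message -split "`n")[0])") }
    }
    # Does the refresh task exist, and what did its last run return?
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\BitLocker\' -TaskName 'BitLocker MDM policy Refresh' -ErrorAction SilentlyContinue
    if ($task) {
        $info = $task | Get-ScheduledTaskInfo
        $f.Add("Refresh task: state=$($task.State) lastRun=$($info.LastRunTime) result=0x$('{0:X}' -f $info.LastTaskResult)")
    } else { $f.Add('BitLocker MDM policy Refresh task not found') }
    return $f
}
Test-BitLockerIntunePrereqs
```

An empty findings list apart from the "OS volume" line means the device meets the listed prerequisites and the policy value has arrived, so the remaining suspects are the conflicts described in step 7.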