BitLocker
63 Topics

Which Windows Licenses are required to manage BitLocker through Intune
License Confusion for Managing BitLocker via Intune

Scenario: We are managing BitLocker through Intune, with recovery keys backed up to Entra ID for both Hybrid and Entra ID-joined devices. Our devices run Windows 10/11 Professional, and we have EMS E3 licenses.

Confusion: Most Microsoft documents state that Windows 10/11 Professional is sufficient to enable and manage BitLocker. However, one document mentions that Windows 10/11 Enterprise is required to manage BitLocker using CSP (Configuration Service Provider). We need clarification on whether Windows 10/11 Professional is fully capable of BitLocker management via Intune or if Enterprise is required for CSP-based management. I am providing reference Microsoft articles and screenshots to support this.

BitLocker Enablement: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/#windows-edition-and-licensing-requirements
BitLocker Management: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=common#windows-edition-and-licensing-requirements
Encrypt Devices with Intune: https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#view-details-for-recovery-keys

You can find this paragraph in the above document: "Information for BitLocker is obtained using the (CSP). BitLocker CSP is supported on Windows 10 version 1703 and later, Windows 10 Pro version 1809 and later, and Windows 11."

Contradictory Statement Document: https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp

55 Views, 1 like, 1 Comment

Bitlocker Recovery Key Sync Issue in Intune
Hello All,

We've configured BitLocker settings in Intune using a device configuration profile in a hybrid environment. While it was previously working fine, for the past two weeks devices assigned to the BitLocker policy are encrypting successfully, but the recovery keys are not syncing to Intune/Entra. Below are the relevant event logs from the affected devices:

- Event ID: 846 - Failed to backup Bitlocker Drive Encryption recovery information for volume C: to your Azure AD.
  - TraceId: (xxxx)
  - Error: JSON value not found.
- Event ID: 875 - Server reported a failure while attempting to retrieve recovery password information from AAD.
  - Error: Unknown HResult Error code: 0x80190000
  - HTTP Status Code: 0
  - RetryRequest: false
  - DidSetRetryHint: false
  - RetryHintSeconds: 0
- Event ID: 868 - Failed while attempting to get Bitlocker Drive Encryption recovery information from Azure AD.
  - Error Code: Unauthorized (401)

If anyone has encountered similar issues, your guidance on troubleshooting would be greatly appreciated.

Thanks,

500 Views, 0 likes, 5 Comments

Bitlocker pushed via Intune does not work
Hello,

I'm trying to set up silent BitLocker deployment via Intune -> Endpoint Security -> Disk Encryption. I have assigned a testing machine to it, but it doesn't seem to enable BitLocker at all on the machine. I am attaching the configuration.

We are in a hybrid scenario and the computer is hybrid joined...

Now... I can see the policy SUCCEEDED in Intune... also the "Per setting status" report shows all successful. The laptop has only one drive - OS drive - and it is not encrypted. In Event Viewer, I see "Bitlocker CSP: OS Drive not protected". Before, I also saw "encryption type not supported" when I had "Full encryption" enabled. After changing it to "Used data only" this warning does not appear anymore.

I have forced sync from the laptop.. also restarted a few times already... but the drive still does not have BitLocker turned on.

Btw, it is a fresh new laptop.

Any advice? Am I missing anything here?

UPDATE: I see one more warning in Event Viewer that is related to BitLocker: "BitLocker CSP: GetDeviceEncryptionComplianceStatus indicates OSV is not compliant with returned status 0x106"

Regards,
Michal

2.6K Views, 0 likes, 12 Comments

Microsoft Entra ID Bitlocker Key Packages location
Hello,

According to info provided in Intune, key packages can now be saved in Entra ID (so that means KPs can be saved in a cloud-only Entra ID environment, right?). I would like to know how to download those key packages, or where I can find them.

Best regards,

205 Views, 1 like, 0 Comments

External SSD Locked by BitLocker After Restart
Hello,

I am experiencing an issue with my external SSD, which has been locked by BitLocker. I had to restart my work computer, and after the restart, the drive was automatically locked. I did not make any changes; I simply restarted the computer. Now the drive is locked, and I am being prompted to enter a 48-digit recovery key, which I do not have.

Could you please advise me on what to do in this situation? Is there a location on my computer where I might be able to find the recovery key?

Thank you for your assistance.

177 Views, 0 likes, 0 Comments

BitLocker backup into Entra ID
We are in the process of setting up Hybrid Join. When I try to back up the BitLocker key to Entra ID I get the following error in the event viewer:

Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD. TraceId: ***************************** Error: Unknown HResult Error code: 0x80072efe.

When I run the backup PowerShell script on the computer I get the following error:

I have logged in with my FQDN on the computer. I show the computer is compliant and co-managed. I have also blocked the GPO that was handling BitLocker from being pushed to the computer. I have restarted and run gpupdate /force multiple times. Any assistance would be helpful. I am unable to find anything online to resolve this issue.

2.5K Views, 1 like, 11 Comments
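For the "Bitlocker pushed via Intune does not work" thread above: when the Intune policy reports success but the OS volume stays unencrypted, the useful next step is a read-only pre-flight check on the device itself, since silent enablement depends on device state (UEFI, Secure Boot, a ready TPM, WinRE enabled, no conflicting protector) rather than on the policy alone. The script below is an added example written for this page; it is not code from any of the posts or from Microsoft. It assumes Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules and an elevated prompt, and it reads the BitLocker-API Management log as one place to look for the "BitLocker CSP" warnings the poster quotes; it does not interpret status 0x106, which the posts do not explain.

```powershell
# Added example (not from any post above): read-only pre-flight check for silent BitLocker
# enablement via Intune. Run elevated on the affected device. Nothing here changes the device.
# Assumption: Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules.

$ErrorActionPreference = 'Continue'
$results = [ordered]@{}

# 1. Firmware and Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS, which itself
#    tells you the device cannot meet the silent-enablement requirements.
$results['FirmwareType'] = $env:firmware_type
try   { $results['SecureBoot'] = Confirm-SecureBootUEFI }
catch { $results['SecureBoot'] = "Unavailable ($($_.Exception.Message))" }

# 2. TPM must be present and ready; silent enablement cannot prompt for a PIN or startup key.
$tpm = Get-Tpm
$results['TpmPresent'] = $tpm.TpmPresent
$results['TpmReady']   = $tpm.TpmReady

# 3. WinRE must be enabled for OS-volume encryption to be allowed.
$winreLine = (reagentc /info) | Where-Object { $_ -match 'Windows RE status' } | Select-Object -First 1
$results['WinRE'] = if ($winreLine) { ($winreLine -split ':', 2)[1].Trim() } else { 'Unknown' }

# 4. Current state of the OS volume and whatever protectors already exist on it.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['VolumeStatus']     = $os.VolumeStatus
$results['ProtectionStatus'] = $os.ProtectionStatus
$results['EncryptionMethod'] = $os.EncryptionMethod
$results['KeyProtectors']    = ($os.KeyProtector.KeyProtectorType -join ', ')

# 5. Join and MDM enrollment state as dsregcmd reports it (hybrid join must be complete).
$dsreg = dsregcmd /status
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'MdmUrl') {
    $line = $dsreg | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1
    $results[$key] = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'Not reported' }
}

# 6. Recent warnings/errors from the BitLocker-API Management log, one place the
#    "BitLocker CSP: ..." messages quoted in the post can be found.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

[PSCustomObject]$results | Format-List
$events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Read the output top to bottom: a Legacy firmware type, SecureBoot False, TpmReady False, or WinRE Disabled each explains a "not compliant" result on its own, and an existing non-TPM protector (for example a RecoveryPassword left behind by an earlier GPO) can also block silent enablement. Fix whatever the check flags, then force an Intune sync and re-run it.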
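For the two recovery-key backup threads above ("Bitlocker Recovery Key Sync Issue in Intune", with events 846/875/868, and "BitLocker backup into Entra ID", with 0x80072efe), the same manual check applies: confirm the device actually has an Entra identity, make sure a numerical recovery password protector exists, push it with BackupToAAD-BitLockerKeyProtector, and then read the BitLocker-API event that records the result. The script below is an added example written for this page, not code from either poster or from Microsoft. It assumes an elevated prompt on a Windows 10/11 device with the built-in BitLocker module, and that the device is Entra-joined or hybrid-joined; the mount point defaults to the system drive.

```powershell
# Added example (not from any post above): force a recovery-key backup to Entra ID for one
# volume and read back the BitLocker-API event that records the outcome. Run elevated.
# Assumption: Entra-joined or hybrid-joined Windows 10/11 with the built-in BitLocker module.

param([string]$MountPoint = $env:SystemDrive)

$ErrorActionPreference = 'Stop'

# 1. Backup to Entra ID needs a completed Entra device registration. On hybrid join this can
#    lag behind domain join, so verify it before blaming the Intune policy.
$joinLine = dsregcmd /status | Where-Object { $_ -match '^\s*AzureAdJoined\s*:' } | Select-Object -First 1
if (-not $joinLine -or $joinLine -notmatch 'YES') {
    throw "Device is not Entra-joined yet (dsregcmd: '$joinLine'); backup to Entra ID cannot succeed."
}

# 2. Only RecoveryPassword protectors are escrowed. Add one if the volume has none.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Write-Host "No RecoveryPassword protector on $MountPoint; adding one."
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 3. Push each recovery password protector and remember the start time so the matching
#    event can be picked out afterwards.
$start = Get-Date
foreach ($p in $rp) {
    Write-Host "Backing up protector $($p.KeyProtectorId) to Entra ID..."
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host '  cmdlet returned without error'
    } catch {
        Write-Warning "  cmdlet failed: $($_.Exception.Message)"
    }
}

# 4. Event 845 = backup succeeded, 846 = backup failed (the ID both posts quote). The event
#    message carries the HRESULT, which is more specific than the cmdlet's own error text.
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = $start
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

On the error codes the posts quote: 0x80072efe is the WinINet error ERROR_INTERNET_CONNECTION_ABORTED (12030), which points at the network path between the device and the Entra endpoint (proxy, TLS inspection, firewall) rather than at BitLocker itself. 0x80190000 is the HTTP error facility with a status of 0, matching the "HTTP Status Code: 0" in the same event, so no HTTP response was received at all. A 401 in event 868 means the request reached the service but the device's token was rejected, which is where the dsregcmd check at the top of the script earns its place.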