diff --git a/windows/security/information-protection/bitlocker/images/4509186_en_1.png b/windows/security/information-protection/bitlocker/images/4509186_en_1.png index 56b1ce4b56..01944d04ea 100644 Binary files a/windows/security/information-protection/bitlocker/images/4509186_en_1.png and b/windows/security/information-protection/bitlocker/images/4509186_en_1.png differ diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md index f5f6a7d835..9e54e42395 100644 --- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md +++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md @@ -20,7 +20,7 @@ This section addresses common issues and provides troubleshooting guidelines for ## Review the event logs -Open Event Viewer and review the following logs under applications and services logs\\Microsoft\\Windows: +Open Event Viewer and review the following logs under **Applications and Services logs\\Microsoft\\Windows**: - **BitLocker-API**. Review the Management log and the Operational log, and any other logs that are generated in this folder. - **BitLocker-DrivePreparationTool**. Review the Admin log and the Operational log, and any other logs that are generated in this folder. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 7ffbc224ce..7745d07a60 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md 
@@ -14,15 +14,17 @@ ms.topic: troubleshooting ms.date: 9/19/2019 --- -# Enforcing BitLocker policies by using Intune--known issues +# Enforcing BitLocker policies by using Intune—known issues Reference: -On the portal, you should see the BitLocker encryption failing as shown here: +This article provides assistance for issues you may see if you use Microsoft Intune policy to manage BitLocker encryption on devices. The Intune portal indicates if BitLocker has failed to encrypt on or more managed devices. -![](./images/4509189_en_1.png) +![The BitLocker status indictors on the Intune portal](./images/4509189_en_1.png) -Reasons for failure can be many. The best place to start looking for error reason is the event viewer **Applications and Services log** > **Windows** > **BitLocker API**. In addition, check your BitLocker policy settings as described in [Reviewing BitLocker policy](#prelim). +To start narrowing down the cause of the problem, review the event logs (as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. + +In addition, check your BitLocker policy settings as described in [Reviewing BitLocker policy](#prelim). The following sections provide more information about resolving the following events and error messages: 
@@ -40,9 +42,7 @@ For information about how to verify that Intune policies are enforcing BitLocker ## Reviewing BitLocker policy -When troubleshooting BitLocker policy enforcement issues, start by reading the following KB: [4502023](https://internal.support.services.microsoft.com/en-us/help/4502023) - Intune: Requirements for automatic Bitlocker encryption during AAD join () - -Continue below for additional information and troubleshooting tips. +When troubleshooting BitLocker policy enforcement issues, start by reading the following KB: [Intune: Requirements for automatic BitLocker encryption during AAD join](https://internal.support.services.microsoft.com/en-us/help/4502023) BitLocker enforcement on the end device can be of three types: @@ -51,7 +51,7 @@ BitLocker enforcement on the end device can be of three types: - Interactive (Endpoint policy for pre Windows v 1803) If your device supports modern Standby (Instant Go) and is HSTI compliant, AADJ will trigger automatic device encryption for Windows version 1703 and above. This does not requires the admin to enforce/deploy an endpoint protection policy. -If your device is HSTI compliant but does not supports modern Standby (Instant Go), you would require an endpoint protection policy to enforce silent Bitlocker encryption. Below settings allow for the same. +If your device is HSTI compliant but does not supports modern Standby (Instant Go), you would require an endpoint protection policy to enforce silent BitLocker encryption. Below settings allow for the same. ![](./images/4509186_en_1.png) 
@@ -70,7 +70,7 @@ The OMA-URI reference for the above settings: ![](./images/4509187_en_1.png) -If your device does not supports modern Standby but is HSTI compliant, for pre Windows v 1803, an endpoint protection policy with the above settings will deliver the policy to the device but user will need to manually enable Bitlocker encryption by clicking on the toast notification as received and going through the Bitlocker activation guide. +If your device does not supports modern Standby but is HSTI compliant, for pre Windows v 1803, an endpoint protection policy with the above settings will deliver the policy to the device but user will need to manually enable BitLocker encryption by clicking on the toast notification as received and going through the BitLocker activation guide. For Autopilot devices, from 1803 and above, automatic device encryption is supported for standard users vide the settings made available in UI with 1901 Intune release as below. System requirement still remains same as above (HSTI compliant and support for modern Standby) 
@@ -83,9 +83,9 @@ The OMA-URI reference for the above settings: Value: 1 > [!NOTE] -> This node works in tandem with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** node. As such when you have **RequireDeviceEncryption** set to **1**, **AllowStandardUserEncryption** set to **1** and **AllowWarningForOtherDiskEncryption** set to **0**, this allows silent Bitlocker encryption for Autopilot devices with standard user profiles. +> This node works in tandem with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** node. As such when you have **RequireDeviceEncryption** set to **1**, **AllowStandardUserEncryption** set to **1** and **AllowWarningForOtherDiskEncryption** set to **0**, this allows silent BitLocker encryption for Autopilot devices with standard user profiles. -With update to the Bitlocker Policy CSP, starting with Windows version 1809 and above, the endpoint protection policy can enable silent Bitlocker encryption on the end device even if the device is non-HSTI compliant. +With update to the BitLocker Policy CSP, starting with Windows version 1809 and above, the endpoint protection policy can enable silent BitLocker encryption on the end device even if the device is non-HSTI compliant. [Back to list](#list)
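Review bot: Two typos remain in the rewritten intro of ts-bitlocker-intune-issues.md (hunk `@@ -14,15 +14,17 @@`): "on or more managed devices" should read "one or more managed devices", and the new alt text "The BitLocker status indictors on the Intune portal" should read "indicators". The added sentence "review the event logs (as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md)." also opens a parenthesis that is never closed; suggest "(as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md))." Finally, the log names should match the other file in this same patch, which calls them "the Management log and the Operational log", whereas this hunk says "Management and Operations logs"; and the unchanged "Reference:" line above the new paragraph now introduces nothing and should be removed or given a target.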
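Review bot: The KB link kept in hunk `@@ -40,9 +42,7 @@` points at `https://internal.support.services.microsoft.com/en-us/help/4502023`, an internal host that readers of the public docs cannot reach; replace it with the public support URL for that KB or drop the link. The same hunk corrects "Bitlocker" to "BitLocker" on the changed line but leaves "does not supports modern Standby" and, in the unchanged context, "This does not requires the admin", both of which should be "does not support" / "does not require"; since the line is being touched anyway, fix the grammar in the same edit.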
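Review bot: Hunk `@@ -70,7 +70,7 @@` only changes capitalization on a line that still reads "If your device does not supports modern Standby ... but user will need to manually enable BitLocker encryption by clicking on the toast notification as received"; suggest "does not support", "but the user will need", and "by clicking the toast notification when it is received". The unchanged context line "automatic device encryption is supported for standard users vide the settings made available in UI" should read "via the settings" and would benefit from a closing period after "(HSTI compliant and support for modern Standby)".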
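Review bot: In hunk `@@ -83,9 +83,9 @@` the rewritten sentence "With update to the BitLocker Policy CSP, starting with Windows version 1809 and above" needs an article ("With the update to") and "starting with ... and above" is redundant; "starting with Windows version 1809" is enough. The note text above it also says "the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** node" for two nodes; "nodes" would be correct.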