0x87d1fde8 remediation failed intune bitlocker

Update: This issue has been solved by Microsoft. A fix was rolled out and implemented on the 26th of August. Huge thanks to ConfigMgrDogs over on Twitter for the follow-up on this. Should have full-scale unit coverage by the weekend. Thanks Timmy for the clear repro! Exactly when this started to happen is not clear at this point. The Allow standard users to enable encryption during Azure AD Join policy was added in Intune to solve the situation where BitLocker needs administrator rights to encrypt the drive.

And to my knowledge it has been working just fine until recently. If you run the MDM diagnostic when the policy is activated, it never shows up, as seen here, where only 2 out of 3 BitLocker policies appear.

Thanks mate for the tips and tricks. You are not alone, count me in; I had the same settings applied using the screen menu options under BitLocker Base Settings. Did you change your Allow standard users to enable encryption during Azure AD Join to Not Configured, or did you keep it on top of creating a custom policy? I can see that the settings are applied as per your screenshots, so it seems everything is in place. My scenario is a manual Intune enrollment via OOBE. So that means I AM an admin in this case.

But the policy should work anyway right?

One got fixed by enabling Device Guard in the BIOS, one got auto encryption started by running the Device Guard readiness tool. A fix for this issue started to roll out to all Intune tenants on the 22nd of August. Might be a different issue for you. What does the client report back to Intune when you look at the policy? Gets the generic message remediation failed 0x87d1fde8. Microsoft engineer said he tried this on both, and also got the same error with standard user accounts.

Microsoft engineer said he put in a work order to get this fixed but this is the workaround for now. One little increment from ver. Solved it… The CU for August did the trick. Everything works as intended.

It will also show the end user experience, prompting the user to configure BitLocker and set a PIN.

Select Windows 10 and later as the platform, select Endpoint protection as the profile type, then click Configure. Select Enable next to Configure encryption methods if you want to configure the encryption methods. Select Enable next to Additional authentication at startup.

Back in Intune, configure the Assignments and select a group that will receive the BitLocker policy.

The Windows 10 machine will get a notification saying that the machine needs BitLocker configured. After BitLocker has finished encrypting the drive and the machine is restarted, the user will be prompted to enter a PIN to unlock the drive at startup. Is there a log to view errors related to Intune policies being applied?

I have tried this and my test machine is not getting the prompt.

What version of Windows 10 is it? Is it Pro or Enterprise? Thanks for the reply. That gives me something to go on.

Does it work on Surface devices? Hi Daniel. Also, Intune recently released support for some BitLocker settings on Windows 10 Pro. That could be your issue. Has the workflow for this changed?

Is there a way to diagnose a problem more deeply, or what else should I be looking at? So I think I figured out what was the cause of the problem. And just yesterday I got a confirmation from Microsoft about my guess.

The version I was trying to enable BitLocker on is It's a 7th generation i5 laptop released in or end of I tried two laptops from this model line and both failed.

Now, I have another Lenovo laptop L with 8th generation i5. Older platforms support BitLocker, which means users are allowed to manually turn on BitLocker Drive Encryption but are not able to do so automatically.

So, if you are going to use cutting-edge Microsoft services, be sure you have literally the latest devices on board. I solved my issue by creating a PowerShell script. It's extremely simple, but I tested it out on a few machines and it seems to be working properly. It checks the current status of BitLocker and, based on the result, enables or resumes it, and then backs up the generated KeyProtectorId to Azure.
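The commenter's script is not reproduced on the page. The block below is an added example of the same approach, written for this page and not the commenter's code: it reads the OS volume state, starts or resumes encryption as needed, and escrows every recovery-password protector to Azure AD with the BitLocker module's own cmdlets. It assumes an Azure AD joined (or hybrid joined) device with a ready TPM and that it runs elevated or as SYSTEM (the context Intune management scripts use).

```powershell
# Added example (not the commenter's script). Assumes: elevated/SYSTEM context,
# TPM present and ready, device Azure AD joined or hybrid joined.
#Requires -RunAsAdministrator

function Enable-OsDriveBitLocker {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready; a TPM protector cannot be added."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Verbose ("{0}: status={1} protection={2} method={3}" -f $vol.MountPoint,
        $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod)

    switch ($vol.VolumeStatus.ToString()) {
        'FullyDecrypted' {
            # Start encryption with a TPM protector. -SkipHardwareTest avoids the
            # extra reboot that manage-bde -on otherwise asks for; -UsedSpaceOnly
            # is the fast path for a fresh install. Then add the recovery password.
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        }
        'EncryptionSuspended' {
            Resume-BitLocker -MountPoint $MountPoint | Out-Null
        }
        'FullyEncrypted' {
            # Encrypted but protectors suspended (ProtectionStatus Off): re-arm it.
            if ($vol.ProtectionStatus.ToString() -eq 'Off') {
                Resume-BitLocker -MountPoint $MountPoint | Out-Null
            }
        }
        default {
            # EncryptionInProgress / DecryptionInProgress: nothing to start here.
        }
    }

    # Escrow each recovery password to Azure AD. Failures are thrown, not hidden,
    # so an Intune script run reports them instead of silently "succeeding".
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) { throw "No RecoveryPassword protector on $MountPoint; nothing to escrow." }
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    return $rp.KeyProtectorId
}

Enable-OsDriveBitLocker -Verbose
```

On a hybrid joined device with the GPO "Store BitLocker recovery information in AD DS" in force, the recovery password also lands in on-premises AD when the protector is created, which is the behaviour one of the later comments describes; BackupToAAD-BitLockerKeyProtector is what puts it in Azure AD so the Intune device page can show it.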

Starting in Windows 10, version , the value 0 can only be set for Azure Active Directory joined devices. Device is Azure AD Joined. Apologies for a typo. All other device configuration profiles are applied without missing a beat. When I logged in under the administrator account I could see the actual error in the Event Viewer:

Failed to enable Silent Encryption. Error: BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives.

Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted.

Encrypt devices reporting -2016281112 (Remediation failed)

Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker. Unfortunately, after I amended the policy accordingly, I'm getting the same error under an ordinary user account; however, it started working under the administrator account, but that doesn't solve the problem. The Intune enforcement may or may not need all these requirements. Sadly I can't remember that. Can you validate whether your hardware supports all these features? Did you try different hardware and is it failing there also?
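The event text quoted above is the useful signal; the Intune console only shows 0x87D1FDE8. As an added example, not code from any of the commenters, the function below pulls the most recent errors from the BitLocker Management event log on the device and inspects the Group Policy recovery-option values the message refers to. The registry value names are the ones the "Choose how BitLocker-protected operating system drives can be recovered" policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE; the MDM-delivered equivalent under PolicyManager is read as well, for comparison.

```powershell
# Added example: find the real reason silent encryption failed. Run elevated.
function Get-BitLockerSilentEncryptionFailure {
    [CmdletBinding()]
    param([int]$MaxEvents = 5)

    # Level 2 = Error. "Failed to enable Silent Encryption" is logged here by BitLocker-API.
    $log = 'Microsoft-Windows-BitLocker/BitLocker Management'
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $findings = foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Message = ($e.Message -replace '\s+', ' ')
        }
    }

    # GPO side: "conflicting Group Policy settings for recovery options".
    #   OSRecoveryPassword            0 = not allowed, 1 = required, 2 = allowed
    #   OSRequireActiveDirectoryBackup 1 = do not enable BitLocker until info is stored in AD DS
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $gpo = if (Test-Path $fve) { Get-ItemProperty -Path $fve } else { $null }
    $conflict = $null
    if ($gpo -and $gpo.OSRequireActiveDirectoryBackup -eq 1 -and $gpo.OSRecoveryPassword -eq 0) {
        $conflict = 'OSRequireActiveDirectoryBackup=1 while OSRecoveryPassword=0: AD DS backup is ' +
                    'required but 48-digit recovery passwords are not permitted. Allow or require ' +
                    'the recovery password, or drop the AD DS backup requirement.'
    }

    # MDM side: the same policy area as delivered by the BitLocker CSP (XML string).
    $mdm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    $mdmRecovery = if (Test-Path $mdm) { (Get-ItemProperty -Path $mdm).SystemDrivesRecoveryOptions } else { $null }

    [pscustomobject]@{
        Events                   = $findings
        GpoRecoveryPassword      = $gpo.OSRecoveryPassword
        GpoRequireAdDsBackup     = $gpo.OSRequireActiveDirectoryBackup
        MdmSystemDrivesRecovery  = $mdmRecovery
        Conflict                 = $conflict
    }
}

Get-BitLockerSilentEncryptionFailure | Format-List
```

When both a domain GPO and an Intune profile configure the OS-drive recovery options, the two sources are checked together at encryption time, so the conflict can come from a GPO the Intune admin never sees; reading both locations side by side is the quickest way to spot that on a hybrid joined device.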

Thanks for the link. Intune BitLocker works if enabled not silently; it asks for admin credentials then, and if those are provided, it encrypts the device without any problems. Literally spent a week troubleshooting just to find the keys in local AD.

But when the policy actually seems to work ish by enabling BitLocker on the target system, and storing the key in AD, I still get "Remediation failed" errors on the device in Intune. On all test devices this happens.

That's obviously not all though. The process to activate BitLocker on different computers and different users differs as well. And on one test system the user was asked to choose recovery options even though the policy should block this from the user. Anyways, do any of you have experience with BitLocker through Intune on Hybrid joined devices?

If all the stars in the universe align and option 1 happens, the following error is present on the device page in Intune even though encryption went fine and the recovery key is working:.

In my opinion this should have been fairly simple to deploy. Hi, so where do I begin to express my frustration with Intune and BitLocker policy. A popup appears in Action Center, you click it and are presented with a window that asks you to confirm that you don't have pre-existing drive encryption.

You confirm and then a Windows Settings window opens stating that BitLocker is suspended and will reactivate at reboot.

Enabling BitLocker on non-HSTI devices with Intune

If you reboot, nothing happens. Here you have the option to "Turn on" BitLocker. Click that and you are asked to create a PIN, the key is stored and encryption begins. You confirm and then the BitLocker activation window pops up, asking how you want to store the key.

No difference resetting the TPM. Still open to ideas though. Run the following under an elevated command prompt: manage-bde -on c: -rp. The message will then display that a hardware test is required in order to kick-start BitLocker.

Restart the PC; BitLocker will then start deploying after the reboot.

By anyweb, July 1, in Microsoft Intune. Security is a big focus for many companies, especially when it comes to leakage of company data. Encrypting data on Windows 10 devices using BitLocker means that data is protected "at rest".

Microsoft Intune got yet more updates on June 30th, one of which was the ability to configure BitLocker settings, detailed here. This ability was initially raised as a UserVoice item.

You can now configure BitLocker settings for Windows 10 devices using a new Intune device profile. For example, you can require that devices are encrypted, and also configure further settings that are applied when BitLocker is turned on.

For more information, see Endpoint protection settings for Windows 10 and later. In the Azure Portal, navigate to Intune, select Device Configuration, click on Profiles, then click on Create Profile and fill in the following details. Next, in the Windows Encryption pane that appears, make your choices for Windows Settings. Set the Require devices to be encrypted (Desktop only) option to Enable.

Make note of the 'i' (you can hover over it to see the info it contains); I've bolded part of that statement below: Selecting "Yes" will prompt end users to enable device encryption. End users will be asked to confirm there is no third-party device encryption in use on their device. Turning on Windows encryption while third-party encryption is in use will render the device unstable.

So by requiring BitLocker encryption, your users will need to confirm the above prior to encryption taking place. For BitLocker base settings, set Configure encryption methods to Enable and then set the desired encryption level via the drop-down menus for each drive type. For BitLocker fixed data-drive settings, you can deny write access to drives not protected by BitLocker by enabling that option.

Once you've finished configuring the settings, click on OK and then click on Create to create the device configuration profile. Now that you've created the profile, you need to deploy it: assign it to a group containing Windows 10 devices.

Select the profile created above, click on Assignments, then click on Select groups to include. Select a previously created group (or groups if you wish; I selected one I had previously created called BitLocker Configuration, but you can select whichever group you want), and then click on the Select button at the bottom of that pane; if it's not visible, zoom out (browser zoom).

Step 4. Monitor the device configuration on a Windows 10 device. Once the sync is done you should see an Encryption Needed notification in the systray. Select I don't have any other disk encryption before clicking on Yes. And you can open an administrative command prompt to verify the encryption algorithm using the following.

As you can see from the above, encryption is in progress and the Encryption method matches the XTS-AES setting selected in the device configuration.
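The verification command is not reproduced on the page. As an added example that is not the author's own code, the function below does that check from PowerShell and extends it: it compares the volume's encryption method against the one selected in the profile, confirms the protectors that should exist (a TPM protector, or TPM+PIN when the earlier walkthrough's "Additional authentication at startup" setting is used, plus a recovery password to escrow), and reports encryption progress. Run it elevated on the enrolled device; the expected method and the PIN requirement are parameters, not read from Intune.

```powershell
# Added example (not from the article): verify what Intune's BitLocker profile
# actually produced on the device. Run elevated.
function Test-BitLockerDeployment {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [string]$ExpectedMethod = 'XtsAes256',   # value chosen in the profile's drop-down
        [switch]$RequirePin                      # profile enforces TPM + startup PIN
    )

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $problems.Add('TPM not present or not ready') }
    if ($vol.VolumeStatus.ToString() -eq 'FullyDecrypted') { $problems.Add('volume is not encrypted') }
    if ($vol.EncryptionMethod.ToString() -ne $ExpectedMethod) {
        $problems.Add("encryption method is $($vol.EncryptionMethod), profile asked for $ExpectedMethod")
    }
    # Without a recovery password there is nothing to escrow to Azure AD / AD DS.
    if ('RecoveryPassword' -notin $types) { $problems.Add('no RecoveryPassword protector') }
    $startup = if ($RequirePin) { 'TpmPin' } else { 'Tpm' }
    if ($startup -notin $types) { $problems.Add("missing $startup protector (found: $($types -join ','))") }

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus.ToString()
        EncryptionPercent = $vol.EncryptionPercentage
        ProtectionStatus  = $vol.ProtectionStatus.ToString()
        EncryptionMethod  = $vol.EncryptionMethod.ToString()
        Protectors        = ($types -join ',')
        Compliant         = ($problems.Count -eq 0)
        Problems          = ($problems -join '; ')
    }
}

# Article scenario: XTS-AES selected, TPM only.
Test-BitLockerDeployment -ExpectedMethod XtsAes256
# Earlier walkthrough scenario: additional authentication at startup with a PIN.
Test-BitLockerDeployment -ExpectedMethod XtsAes256 -RequirePin
```

A device can show "Remediation failed" in Intune while this check passes (the Spiceworks post above describes exactly that), so treat the Intune column as the reporting path and this as the ground truth on the endpoint.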

Step 5. Verify the device is configured with BitLocker in Azure.

In this scenario, devices that receive the policy display the following status in the Microsoft Intune admin console: An error occurred: 0x87D1FDE8. This is a known issue in Microsoft Intune. The error in the admin console goes away after the device checks in again.

This error does not affect the performance or behavior of Intune Managed Browser, and it can be safely ignored. Last Updated: Mar 11.

Oliver Kieselbach, October 23. HSTI is an interface to report the results of security-related self-tests. Its purpose is to provide high-assurance validation of proper security configuration. To successfully start the encryption as a standard user, a Windows 10 version was the minimum, as the feature was introduced with this version.

Yes, as long as they are running that Windows 10 version. The most common problem is that we do not replace all devices in every Windows 10 project so as to have only the latest HSTI-compliant devices in the environment. We have to support older devices, purchased maybe not long ago but not HSTI compliant.

These devices can now be managed by an Intune device configuration policy to turn on BitLocker silently without administrative permissions, as long as the device is on that Windows 10 version. Currently, at the time of writing, we need two configuration policies: one endpoint protection profile and a custom profile.

The endpoint protection profile configures the silent BitLocker enforcement and other parameters like encryption strength. Sure you can set other parameters like encryption methods as well, but for a functional test this is enough. These two settings make sure the encryption starts and it starts silently as we block the warning dialog for other disk encryption software.

The second profile is a custom profile (at the time of writing this setting was not available in the UI), and it configures the ability to enforce BitLocker encryption even when standard users are logging in.

For example, when the Windows 10 device is enrolled with an Autopilot profile where the user account type is set to standard user. The two policies must be assigned to a user group or device group to test the new policies. To force the user type to standard user after enrollment we need an Autopilot profile and assign it to our device.
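The two profiles above can also be created without the portal. The block below is an added example written for this page, not the post author's code: it creates the endpoint protection profile (require encryption, suppress the other-disk-encryption warning) and the custom profile carrying the BitLocker CSP node ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption through the Microsoft Graph beta endpoint, then, on a device, reads back the values PolicyManager materialises when the CSP nodes arrive. $AccessToken is assumed to be a bearer token with DeviceManagementConfiguration.ReadWrite.All; the display names are arbitrary; group assignment is a separate call and is left out.

```powershell
# Added example (not the post's code). Assumes $AccessToken is a valid Graph bearer
# token for the tenant; display names below are arbitrary.
$GraphDeviceConfigs = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'

function New-IntuneBitLockerProfiles {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$AccessToken)
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

    # Profile 1: endpoint protection. Require encryption and block the warning
    # dialog about other disk encryption, so encryption starts silently.
    $endpointProtection = @{
        '@odata.type' = '#microsoft.graph.windows10EndpointProtectionConfiguration'
        displayName   = 'BitLocker - silent encryption'
        bitLockerEncryptDevice                        = $true
        bitLockerDisableWarningForOtherDiskEncryption = $true
    }

    # Profile 2: custom OMA-URI for the node that was not in the UI at the time.
    $custom = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = 'BitLocker - allow standard user encryption'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'AllowStandardUserEncryption'
                omaUri        = './Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption'
                value         = 1
            }
        )
    }

    foreach ($body in @($endpointProtection, $custom)) {
        $json = $body | ConvertTo-Json -Depth 6
        $created = Invoke-RestMethod -Method Post -Uri $GraphDeviceConfigs -Headers $headers -Body $json
        [pscustomobject]@{ Id = $created.id; DisplayName = $created.displayName }
    }
}

# Device side: PolicyManager writes delivered BitLocker CSP nodes as values under
# this key. If the key or a value is missing after a sync, the policy never arrived,
# which matches the MDM diagnostic symptom described earlier on this page.
function Test-BitLockerCspDelivered {
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Delivered = $false; Reason = 'no BitLocker CSP values on device' }
    }
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Delivered                          = $true
        RequireDeviceEncryption            = $v.RequireDeviceEncryption
        AllowWarningForOtherDiskEncryption = $v.AllowWarningForOtherDiskEncryption
        AllowStandardUserEncryption        = $v.AllowStandardUserEncryption
    }
}

# New-IntuneBitLockerProfiles -AccessToken $AccessToken   # admin workstation
# Test-BitLockerCspDelivered                                # on the enrolled device
```

For silent encryption the expected device-side values are RequireDeviceEncryption = 1, AllowWarningForOtherDiskEncryption = 0 and AllowStandardUserEncryption = 1. If the CSP values are present but encryption still does not start for a standard user, the problem is on the platform side (HSTI, TPM readiness, or the event-log error discussed earlier), not in policy delivery; MdmDiagnosticsTool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -cab <path> collects the policy and enrollment logs for that comparison.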

During my test I had to make sure that after the first restart the Windows 10 ISO is ejected, otherwise silent BitLocker encryption will fail. This is because the system does not have the normal start parameters during the BitLocker and TPM provisioning: the platform would treat the additional media as part of the normal platform validation measurements.

Which means after ejecting the ISO it would have prompted us for the recovery key.