Intune Issue – Allow standard users to enable encryption during Azure AD Join

I’ve had several customers reaching out to me recently and wondering why their newly provisioned Autopilot devices won’t seem to encrypt the hard drive when using bitlocker. Exactly when this started to happen is not clear at this point.

Encrypt devices Error -201628112 (remediation failed)

After some troubleshooting I’ve found out that it came down to a policy that never gets pushed to the client when the setting is turned on if you are using Autopilot and the user who enrolls the device is a Standard User and not an Administrator on the machine.

If you have your Autopilot profile configured with “User account type” set to “Standard” and in your Endpoint protection profile you have enabled “Allow standard users to enable encryption during Azure AD Join” you now get this issue where Bitlocker won’t encrypt.

The Allow standard users to enable encryption during Azure AD Join policy was added in Intune 1901 to solve the situation where Bitlocker needs administrator rights to encrypt the drive. And to my knowledge it has been working just fine until recently.

https://docs.microsoft.com/en-us/intune/whats-new#week-of-january-21-2019

Why doesn’t it work?

I don’t have the root cause but what I know is that when you turn on the policy it never gets applied to any device.

If you run the MDM diagnostic when the policy is activated, it never shows up, as seen here: we only get 2 out of 3 BitLocker policies.

It should look like this if the policy got applied:

Also in registry we can see that we have 3 values

Should look like this

Workaround

However there’s a workaround and that is to set the CSP policy manually with a custom OMA-URI and assign that to your users or devices. This is the “old” way of doing it before we had the policy option in Intune with 1901.

Here’s how you do it

In Intune navigate to Device Configuration -> Profiles -> Create Profile and create a Custom profile

Choose “Add” and use the following

Name: AllowStandardUserEncryption
OMA-URI: ./Vendor/MSFT/BitLocker/AllowStandardUserEncryption
Data type: Integer
Value: 1

Then assign the policy to your users or devices and Bitlocker will start encrypting your devices and once that’s done Intune will happily report that your device is encrypted.
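To check from the device side whether the custom OMA-URI actually landed (and whether the OS drive is encrypting), here is an added PowerShell script that is not part of the original post. It assumes the BitLocker CSP value is mirrored under the PolicyManager hive at the registry path shown, which is the usual location for MDM-delivered policy values.

```powershell
# Added example (not from the original post): verify on an enrolled device that the
# AllowStandardUserEncryption policy reached the client and report the OS drive state.
# Assumption: BitLocker CSP settings are mirrored under this PolicyManager registry key.
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
$policyName = 'AllowStandardUserEncryption'

function Test-AllowStandardUserEncryption {
    # Returns $true only when the value exists and is set to 1 (the value the custom profile pushes).
    $value = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName
    if ($null -eq $value) {
        Write-Warning "$policyName is not present under $policyKey - the policy never reached this device."
        return $false
    }
    Write-Host "$policyName = $value"
    return ($value -eq 1)
}

function Get-OsDriveEncryptionState {
    # Requires the BitLocker PowerShell module (present on Windows 10 Pro/Enterprise).
    $osDrive = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    [PSCustomObject]@{
        MountPoint       = $osDrive.MountPoint
        ProtectionStatus = $osDrive.ProtectionStatus
        VolumeStatus     = $osDrive.VolumeStatus
        Percent          = $osDrive.EncryptionPercentage
    }
}

# Whether the current session is a local administrator (standard users are the case this post is about).
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as local administrator: $isAdmin"

if (Test-AllowStandardUserEncryption) {
    Get-OsDriveEncryptionState | Format-List
} else {
    # Collect the MDM diagnostic report to confirm which policies were delivered.
    Write-Host 'Assign the custom OMA-URI profile, sync, then run: MdmDiagnosticsTool.exe -out C:\Temp\MdmDiag'
}
```

If the value is present but the drive still shows VolumeStatus FullyDecrypted, the policy was delivered and the problem lies elsewhere (for example in the encryption settings themselves).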

Why “Allow standard users to enable encryption during Azure AD Join” reports as “Not Applicable” I don’t know, but it might be one of the reasons why it’s not working in the first place; that’s all on the back end from Microsoft.



Leave a comment or question in the comment section below.

That’s all for now and until next time, cheers !

Don’t forget to follow me on twitter and you can also find me blogging over at http://blog.ctglobalservices.com/



4 comments

  1. Thanks mate for the tips and tricks. You are not alone count me in, I had the same settings applied using the screen menu options. I used the OMA-URI settings from your blog everything works!!!

    1. Forgot to add My OS Windows 10 Pro Version 1903.
      Many times I am stuck with MS adding templates which are easy to use but don’t work. When I started playing with applying template-based settings, one issue I had was that some of the settings have a value of “Not Configured” and “Blocked”. If you set the option initially to “Block” and then change it to “Not Configured”, the “Not Configured” value will not be applied.

      Example: Try this
      Device Restriction – Properties>Device restrictions>Cellular and connectivity>Wi-fi
      once you have blocked this there is no way to enable Wi-fi back again !!!!
      I had to use the OMA-URI to enable Wi-fi.

  2. Under Bitlocker Base Settings. Did you change your Allow standard users to enable encryption during Azure AD Join to Not Configured or did you keep it on top of creating a custom policy?

  3. Still getting the “Failed to enable Silent Encryption – Error: Access is denied”.
    I can see that the settings are applied as per your screenshots though, so it seems everything is in place.
    My scenario is a manual intune enrollment via OOBE. So that means I AM an admin in this case. But the policy should work anyway right?

Leave a Reply