Intune Issue – Allow standard users to enable encryption during Azure AD Join


This issue has been solved by Microsoft. A fix was rolled out and implemented on the 26th of August 2019

Huge thanks to @ConfigMgrDogs over on Twitter for the follow up on this.

I’ve had several customers reaching out to me recently and wondering why their newly provisioned Autopilot devices won’t seem to encrypt the hard drive when using bitlocker. Exactly when this started to happen is not clear at this point.

Encrypt devices Error -201628112 (remediation failed)

After some troubleshooting I’ve found out that it came down to a policy that never gets pushed to the client when the setting is turned on if you are using Autopilot and the user who enrolls the device is a Standard User and not an Administrator on the machine.

If you have your Autopilot profile configured with “User account type” set to “Standard” and in your Endpoint protection profile you have enabled “Allow standard users to enable encryption during Azure AD Join” you now get this issue where Bitlocker won’t encrypt.

The Allow standard users to enable encryption during Azure AD Join policy was added in Intune 1901 to solve the situation where Bitlocker needs administrator rights to encrypt the drive. And to my knowledge it has been working just fine until recently.

Why doesn’t work ?

I don’t have the root cause but what I know is that when you turn on the policy it never gets applied to any device.

If you run the MDM diagnostic when the policy is activated it never shows up, as seen here: We 2 out of 3 Bitlocker policies.

It should look like this if the policy got applied:

Also in registry we can see that we have 3 values

Should look like this


However there’s a workaround and that is to set the CSP policy manually with a custom OMA-URI and assign that to your users or devices. This is the “old” way of doing it before we had the policy option in Intune with 1901.

Here’s how you do it

In Intune navigate to Device Configuraiton -> Profiles -> Create Profile and create a Custom profile

Choose “Add” and use the following

Name: AllowStandardUserEncryption
OMA-URI: ./Vendor/MSFT/BitLocker/AllowStandardUserEncryption
Data type: Interger
Value: 1

Then assign the policy to your users or devices and Bitlocker will start encrypting your devices and once that’s done Intune will happily report that your device is encrypted.

Why “Allow standard users to enable encryption during Azure AD Join” reports as “Not Applicable” I dont know but might be one of the reason why its not working in first place but that’s all on the back end from Microsoft.

Leave a comment or question in the comment section below.

That’s all for now and until next time, cheers !

Don’t forget to follow me on twitter and you can also find me blogging over at


  1. Thanks mate for the tips and tricks. You are not alone count me in, I had the same settings applied using the screen menu options. I used the OMA-URI settings from your blog everything works!!!

    1. Forgot to add My OS Windows 10 Pro Version 1903.
      Many times I am stuck with MS adding templates which is easy to use but doesn’t work. When I started playing with applying template based setting one issue I had was some of the setting has a value of “Not Configured” and “Blocked”. If you set the option Initially to “Block” and then change it to “Not Configured” the “Not Configured” value will not be applied.

      Example: Try this
      Device Restriction – Properties>Device restrictions>Cellular and connectivity>Wi-fi
      once you have blocked this there is no way to enable Wi-fi back again !!!!
      I had to use the OMA-URI to enable Wi-fi.

  2. Under Bitlocker Base Settings. Did you change your Allow standard users to enable encryption during Azure AD Join to Not Configured or did you keep it on top of creating a custom policy?

  3. Still getting the “Failed to enable Silent Encryption – Error: Access is denied”.
    I can see that the settings are applies as per your screenshots though, so it seems everything is in place.
    My scenario is a manual intune enrollment via OOBE. So that means I AM an admin in this case. But the policy should work anyway right?

    1. I’ve had devices getting all settings but not initiating automatic encryption. One got fixed by enabling Device guard in BIOS, one got auto encryption started by running the device guard readiness tool.

      1. Solved it… The CU for August (for 1809) did the trick. Everything works as intended.

  4. I installed the CU for August 1809 and still not working, I have a ticket open with Microsoft at the moment… they’re still scratching their heads

      1. Gets generic msg remediation failed 0x87d1fde8. Microsoft engineer said he tried this on both 1809 and 1903 and also got the same error with standard user accounts. in the event viewer the Bitlocker logs are blank.

      2. got it working now, the custom OMA-URI actually had to be “./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption” and it started encrypting right away as soon as I synced. Microsoft engineer said he put in a work order to get this fixed but this is the workaround for now

  5. as Timmy says, that rollout did get stable autoencryption again in one of my customers tenant.

    That said, also verify the client pc’s has the Newest TPM update. One little incremet from ver. 1.70 to 1.71 on a Lenovo laptop did fix it for that particular device

    1. Thanks Kim, I tried on several Lenovo laptops, also verified all TPM are updated to latest version, updated BIOS already as well

Leave a Reply