Update
This issue has been solved by Microsoft. A fix was rolled out and implemented on the 26th of August 2019.
Huge thanks to @ConfigMgrDogs over on Twitter for the follow up on this.
I’ve had several customers reaching out to me recently and wondering why their newly provisioned Autopilot devices won’t seem to encrypt the hard drive when using BitLocker. Exactly when this started to happen is not clear at this point.
Encrypt devices Error -201628112 (remediation failed)
After some troubleshooting I’ve found that it comes down to a policy that never gets pushed to the client when the setting is turned on, if you are using Autopilot and the user who enrolls the device is a Standard User rather than an Administrator on the machine.
If you have your Autopilot profile configured with “User account type” set to “Standard” and in your Endpoint protection profile you have enabled “Allow standard users to enable encryption during Azure AD Join” you now get this issue where Bitlocker won’t encrypt.
The Allow standard users to enable encryption during Azure AD Join policy was added in Intune 1901 to solve the situation where Bitlocker needs administrator rights to encrypt the drive. And to my knowledge it has been working just fine until recently.
https://docs.microsoft.com/en-us/intune/whats-new#week-of-january-21-2019
Why doesn’t it work?
I don’t have the root cause but what I know is that when you turn on the policy it never gets applied to any device.
If you run the MDM diagnostic when the policy is activated it never shows up, as seen here: we only see 2 out of 3 BitLocker policies.
It should look like this if the policy got applied:
Also in the registry we can see that we have 3 values.
Should look like this
Workaround
However there’s a workaround and that is to set the CSP policy manually with a custom OMA-URI and assign that to your users or devices. This is the “old” way of doing it before we had the policy option in Intune with 1901.
Here’s how you do it
In Intune navigate to Device Configuration -> Profiles -> Create Profile and create a Custom profile
Choose “Add” and use the following
Name: AllowStandardUserEncryption
OMA-URI: ./Vendor/MSFT/BitLocker/AllowStandardUserEncryption
Data type: Integer
Value: 1
Then assign the policy to your users or devices and Bitlocker will start encrypting your devices and once that’s done Intune will happily report that your device is encrypted.
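To verify on the device whether the policy actually arrived and whether encryption has started, here is a small check script added for this post (not part of the original article). It assumes the Intune BitLocker settings are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker, which the post's registry screenshot shows but does not name.

```powershell
# Added verification script, not from the original post.
# Assumption: MDM BitLocker policy values are written to the PolicyManager key below.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'

function Test-StandardUserEncryptionPolicy {
    if (-not (Test-Path $policyKey)) {
        Write-Warning "No BitLocker MDM policy key at $policyKey - nothing was pushed yet."
        return $false
    }
    $props = Get-ItemProperty -Path $policyKey
    # List every policy value that actually reached the device (the post expects 3)
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ("{0} = {1}" -f $_.Name, $_.Value) }
    $value = $props.PSObject.Properties['AllowStandardUserEncryption']
    if ($null -eq $value) {
        Write-Warning 'AllowStandardUserEncryption is missing: the Intune toggle did not apply; use the custom OMA-URI workaround.'
        return $false
    }
    return ($value.Value -eq 1)
}

function Get-OsDriveProtection {
    # Uses the built-in BitLocker module; ProtectionStatus Off means nothing is encrypting
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $os.MountPoint
        ProtectionStatus = $os.ProtectionStatus
        VolumeStatus     = $os.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        EncryptionPct    = $os.EncryptionPercentage
    }
}

# Standard users are exactly the case the post describes, so record who is running the check
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user is local admin: $isAdmin"
"AllowStandardUserEncryption applied: $(Test-StandardUserEncryptionPolicy)"
Get-OsDriveProtection | Format-List
```

Run it in an elevated or standard PowerShell session on the enrolled device; if AllowStandardUserEncryption is absent from the key while the Intune toggle is on, you are hitting the issue this post describes.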
Why “Allow standard users to enable encryption during Azure AD Join” reports as “Not Applicable” I don’t know, but it might be one of the reasons why it’s not working in the first place; that’s all on the back end from Microsoft.
Leave a comment or question in the comment section below.
That’s all for now and until next time, cheers !
Don’t forget to follow me on Twitter, and you can also find me blogging over at http://blog.ctglobalservices.com/
