This is a quick blog post describing an annoying issue I encountered while developing a Windows 10 Autopilot process for a customer. My BitLocker policy (MEM > Endpoint Security > Disk encryption) reported as Succeeded and the recovery key was escrowed to Azure Active Directory.
The event log gave me an idea where to look. "Failed to enable Silent Encryption. Group Policy settings require the creation of a recovery key". This was Azure AD only so the Group Policy reference didn't make much sense. However it made me look for anything related to creating a recovery key in my BitLocker policy.
I found it here. I had set Recovery key file creation to Required.
What does this do? According to the tooltip "Setting this to Allow will allow an admin user to create a 256-bit recovery key file manually. Setting this to Require will require an admin user to create a 256-bit recovery key file manually. Setting this to Deny will disallow any admin user from creating a 256-bit recovery key file manually. BitLocker silent enablement requires this setting configured as Deny or Allow". I didn't want this to be required.
Changing this setting to Allowed did the trick and the device was encrypted successfully.
I hope this helps.
Until next time.......
Just want to say thanks for this. I've been troubleshooting this for a while.
ReplyDeleteThis one saved the remaining hair I have left. Thanks.
ReplyDelete