Troubleshooting
This section highlights some issues you may encounter and how to resolve them
Group Policy
If you have your policies misconfigured you can see event logs that highlight conflicts and the result will be that Silent BitLocker fails to encrypt the drive
- Open the Event Log and check the following
Microsoft-Windows-BitLocker-API/Management
Event: 851
2. Open Task Scheduler and go to Microsoft>Windows>Bitlocker
BitLocker Encrypt All Drives
BitLocker MDM policy Refresh: 0x8031005B
The stop code, 0x8031005B, on BitLocker MDM policy Refresh validates the error shown in the Event Log above.
What is the cause?
This will be a misconfiguration with the Intune policy for Bitlocker, specifically with the start up authentication methods
Silent Bitlocker as it’s name suggests is supposed to be silent and therefore should not have any options set to require a PIN or Start up key, this would require user interaction to set this and therefore is out of scope.
The configuration below is wrong
Change the configuration to the below
3. Now re-run the MDM tasks
BitLocker Encrypt All Drives
BitLocker MDM policy Refresh: 0x41301
4. Now check the Event log
Removable Drives
Make sure you remove the ISO installation media from the virtual DVD drives on your computer. This will halt BitLocker from silently encrypting the drive
Additional Troubleshooting
Troubleshoot BitLocker policies in Microsoft Intune
Enforcing BitLocker policies by using Intune: known issues
Encrypt Windows 10 devices with BitLocker in Intune – Microsoft Intune | Microsoft Docs
Points
Although the above options mention that you can allow a TPM and PIN option, Silent BitLocker only currently supports using a TPM protector when deployed through Intune. This is seen when running the manage-bde -status command
