Configure Microsoft Defender Antivirus with Intune
by Janusz · September 28, 2020
Microsoft Defender Antivirus is a component of Microsoft Defender for Endpoint, previously Microsoft Defender Advanced Threat Protection. But Microsoft Defender Antivirus does not require Microsoft Defender for Endpoint.
I personally think those sentences are incredibly confusing, which is part of the reason I’m writing this blog post now. As you may know, Microsoft Defender is built into Windows 10 and provides native antivirus functionality. It doesn’t require a client to be installed or deployed; Defender is entirely built in. But since it is a component of Microsoft Defender for Endpoint (MDfE), if you’re using MDfE you get additional functionality.
Microsoft Defender for Endpoint is Microsoft’s Threat Protection solution that centers around 6 pillars – Threat & Vulnerability Management, Attack Surface Reduction, Next-generation protection, Endpoint detection and response, Automated investigation and remediation, and Microsoft Threat Experts. There’s a lot to unpack here, and it is certainly worth its own blog post. Start on this docs article if you have a few hours. For our purposes here is all you need to know – Microsoft Defender Antivirus is the Next-generation protection pillar. It sends data to Microsoft Defender for Endpoint for antivirus signals, threat analytics, gathering details about blocked malware, and more (which you can read about here). But Microsoft Defender Antivirus can also be used independent of MDfE.
So if you’re looking to use Intune to configure Microsoft Defender Antivirus and you don’t have a license for MDfE, you can absolutely do that. And if you don’t configure Microsoft Defender Antivirus, it is still native to the system and will still be enabled by default. It’s just that if you want advanced analytics and all of the goodies that MDfE has, you need MDfE.
Let’s jump to configuring Microsoft Defender Antivirus. First, open the MEM portal and select Endpoint security > Antivirus > + Create Policy:
Then, select Windows 10 and later and Microsoft Defender Antivirus from the dropdowns.
Notice how it mentions Microsoft Defender ATP in the description. Just to show you that ATP/MDfE really is not required, here’s a screenshot of how I don’t have licenses for it.
Once you click Create and provide a name for your policy, you’ll see a list of options for configuring Microsoft Defender:
The usual guidance is to configure these settings as dictated by your organization/security team. If you’d like to use my personal configuration as a starting point, the next few screenshots provide each setting grouped by category.
Starting with Cloud protection, I turn this on with the High protection level and an extended timeout of 50 seconds. This provides real-time scanning without impacting client performance (the feature was previously called “Microsoft Active Protection Service”).
For Exclusions , here you would enter files to exclude from scanning and real-time protection. Generally this would be for other security software or management agents. No need to include any by default.
For Real Time Protection, I basically enable every setting. I don’t enable scan network files because Microsoft Defender Antivirus running on fileservers provides the same benefit.
For Remediation, I use the following:
For Scan, we’ll actually be affecting the user experience a lot. Beyond what I’ve selected, I would also consider setting your daily and scheduled scans to after work hours for desktops (the settings below are better for laptops, which may be off at night), as well as increasing your CPU usage limit up to 50% if you don’t see any impact.
For Updates , the default 8 hrs or 12 hrs is often enough. The other settings can be configured as required, like the exclusion settings.
And then the final settings page, User Experience . So I will go ahead and say I leave this as not configured, but you may want to block users from the Microsoft Defender app if you don’t want them to add their own Exclusions. I have heard of this happening before, so it may be useful to block.
And that’s it! Once you have the policy assigned to your users, they will notice that some settings are managed by your administrator in the Windows Security app.
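The post does all of the configuration through the MEM portal. As an added example (my own PowerShell, not code from the post, from Intune or from Microsoft), the script below reads the effective Defender settings on a managed Windows 10 client with Get-MpPreference and Get-MpComputerStatus and compares them with the values chosen in the post. The expected values in the hashtable are assumptions that mirror the post’s choices, and the numeric mappings for CloudBlockLevel (2 = High) and MAPSReporting (2 = Advanced) are the cmdlet’s documented enum values; adjust the hashtable to your own policy. Run it in an elevated PowerShell session after the device has synced.

```powershell
# Added example, not from the original post: report drift between the Intune
# Antivirus policy you intended and what Defender on the client actually reports.

function Test-DefenderPolicyDrift {
    param(
        # Expected values are assumptions that mirror the post's settings; edit to taste.
        [hashtable]$Expected = @{
            CloudBlockLevel             = 2       # 0 Default, 1 Moderate, 2 High, 4 HighPlus, 6 ZeroTolerance
            CloudExtendedTimeout        = 50      # extra seconds allowed for a cloud verdict
            MAPSReporting               = 2       # 2 = Advanced (cloud protection on)
            DisableRealtimeMonitoring   = $false  # real-time protection stays enabled
            DisableScanningNetworkFiles = $true   # the post leaves network file scanning off
            ScanAvgCPULoadFactor        = 50      # CPU ceiling during scans, percent
            SignatureUpdateInterval     = 8       # hours between definition checks
        }
    )
    $pref = Get-MpPreference
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $pref.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $Expected[$name])
        }
    }
}

function Get-DefenderHealthSummary {
    # Operational state: running mode, signature freshness and last scan times.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RunningMode           = $s.AMRunningMode            # 'Normal' = Defender is the primary AV
        RealTimeProtection    = $s.RealTimeProtectionEnabled
        SignatureVersion      = $s.AntivirusSignatureVersion
        SignatureAgeDays      = (New-TimeSpan -Start $s.AntivirusSignatureLastUpdated).Days
        LastQuickScanFinished = $s.QuickScanEndTime
        LastFullScanFinished  = $s.FullScanEndTime
    }
}

Test-DefenderPolicyDrift | Format-Table -AutoSize
Get-DefenderHealthSummary | Format-List
```

Any row with Match = False is either a policy that has not synced yet or a setting the tenant configured differently from what you expected; a RunningMode other than Normal (for example Passive Mode) tells you a third-party antivirus is registered as primary, which is the situation one of the comments below asks about.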
And hey, even though we don’t have Windows Defender ATP, we still see the Windows Defender AV policy as successfully deployed:
Now you’ve deployed Defender Antivirus in your environment. Happy securing!
Hi, great write-up, as I have not seen any detail like yours. I would like to ask about the assignment. Do you assign to users or devices?
Your last comment: “Once you have the policy assigned to your users…”. So that’s my question, if I create a group and throw machines in there or users. Also, I noticed there is an option for “Add all devices” as well. Just wondering what is the best practice or method.
I generally target user groups but it’s mostly a matter of preference. My rationale for user groups is that if I target a user with a policy and they get a new device (can enroll personal/BYOD, for example) I don’t need to worry about adding that new device to a group or policy. I could be using dynamic device groups to get around that, but the evaluation for those groups isn’t instant.
Gotcha, Thanks for the explanation. I think I might try out the “Add all devices” for the assignments. Hope that would work the same and I wouldn’t have to worry about missing any machines.
Great guide! I have a question. I followed the guide, and if I go to the overview of the Defender policy it gives me no information. And if I go to “Device Status” it shows my test machines, but under “Assignment Status” it shows the status as “Pending.” I left it like this overnight but it still shows as pending. I’d appreciate any help. Thanks!
It should be fairly instant as long as the device has an active network connection. If it’s pending for too long, it’s likely worth opening a support ticket with Microsoft.
Can we use a third-party antivirus like Trend Micro Apex One with Microsoft Endpoint Manager (Intune device)? Is there a special setting or exclusions required, because we are facing performance issues. It started after implementing MEM devices; before that, everything was working fine. Please reply to my mail id, if possible – [email protected]. Anyone please help, thanks in advance.
Yeah, you can absolutely use a third-party antivirus with a MEM managed device. It might be worth contacting Trend Micro to troubleshoot performance. Or alternatively take a fresh device and enroll it into Intune before installing Trend Micro Apex One and see what is causing the slowdown.
Thank you for such a detailed post! Would love to see something like this to configure MS Defender for Endpoint! I know it’s a huge monster of policies but MS does not provide structured guidance on this. I had to fish for info all over the place and I’m still having a hard time understanding what policies fall under what… Can you recommend any resources? Thx!!
Thanks for the feedback! I’ll put that on the to-do list, I think it would make a great post. If you’re still looking for MDfE setup articles I would start with the Tech Community post: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-endpoint-manager-enable-endpoint-protection/ba-p/1801197
Thank you for this great, clear and thorough post. I had been struggling with this topic and all the different terms, but if I’m not mistaken we can put it this way:
MDFE / MDATP = the whole threat protection solution
MD = the antivirus solution; it is included in the MDFE solution but also works standalone if we don’t own an MDFE subscription
Yes, that’s right! But just to be picky, I would specify that MDfE isn’t a WHOLE threat protection solution, it’s an endpoint solution. Microsoft’s 365 E5 license that includes the whole suite of security products (MDfE, Sentinel, Azure Defender, Cloud App Security, Defender for Identity, etc.) is the all up solution. If you want to know how all those pieces fit together then take a look at the Microsoft Cybersecurity Reference Architecture
Hi Janusz, fantastic write-up. I too was unclear on Windows Defender and Microsoft Defender for Endpoint. Just a quick question: is there any way to put our business support contact details somewhere in the Security area?
There is not, as far as I know. Closest I can think of is adding your support contact info in the Intune Company Portal app.
Hi, great sharing! I have a question: after configuring Microsoft Defender Antivirus with Intune, can we see the virus alerts and AV definition version in Intune or somewhere?
Yup, you’ll see it in the MEM console under Reports > Microsoft Defender Antivirus. You can generate a detailed report that has the definition versions and more.
I want to configure a daily quick scan at 11:00 AM every day and a weekly full scan at 12:00 PM every Thursday. But these settings don’t seem to be working as you explained in the scan section of this article.
- Run daily quick scan at: 11:00 AM
- Scan type: Full Scan
- Day of week to run a scheduled scan: Thursday
- Time of day to run a scheduled scan: 12:00 PM
Might be worth opening a case with Microsoft to investigate what’s going on. It should be possible to configure those scans as per the settings you have.
Have you ever figured out how to do this?
Have you ever had to disable the Defender temporarily to test if it blocks something? If so, do you have an easy way to do so (ex. PS or cmd)?
Great summary. We have the issue that the setting “Check for signature updates before running scan” has the status ERROR on a lot of devices – Error Code -2016281112. Any ideas what could cause this? I was not able to find information on the error code. Thanks
Please Add RSS feeds to this. That will help us to get the latest posts updated. Thanks
Sure – I’ve added the link to our RSS feed in the social media icons area. You can access the feed here: https://deviceadvice.io/feed/
Troubleshooting BitLocker policies from the client side
This article provides guidance on how to troubleshoot BitLocker encryption on the client side. While the Microsoft Intune encryption report can help you identify and troubleshoot common encryption issues, some status data from the BitLocker configuration service provider (CSP) might not be reported. In these scenarios, you will need to access the device to investigate further.
BitLocker encryption process
The following steps describe the flow of events that should result in a successful encryption of a Windows 10 device that has not been previously encrypted with BitLocker.
- An administrator configures a BitLocker policy in Intune with the desired settings, and targets a user group or device group.
- The policy is saved to a tenant in the Intune service.
- A Windows 10 Mobile Device Management (MDM) client syncs with the Intune service and processes the BitLocker policy settings.
- The BitLocker MDM policy Refresh scheduled task runs on the device and replicates the BitLocker policy settings to the full volume encryption (FVE) registry key.
- BitLocker encryption is initiated on the drives.
The encryption report will show encryption status details for each targeted device in Intune. For detailed guidance on how to use this information for troubleshooting, see Troubleshooting BitLocker with the Intune encryption report .
Initiate a manual sync
If you've determined that there is no actionable information in the encryption report, you'll need to gather data from the affected device to complete the investigation.
Once you have access to the device, the first step is to initiate a sync with the Intune service manually before collecting the data. On your Windows device, select Settings > Accounts > Access work or school > <Select your work or school account> > Info . Then under Device sync status , select Sync .
After the sync is complete, continue to the following sections.
Collecting event log data
The following sections explain how to collect data from different logs to help troubleshoot encryption status and policies. Make sure you complete a manual sync before you collect log data.
Mobile device management (MDM) agent event log
The MDM event log is useful to determine if there was an issue processing the Intune policy or applying CSP settings. The OMA DM agent will connect to the Intune service and attempt to process the policies targeted at the user or device. This log will show success and failures processing Intune policies.
Collect or review the following information:
LOG > DeviceManagement-Enterprise-Diagnostics-Provider admin
- Location: Right-click on Start Menu > Event Viewer > Applications and Service Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
- File system location: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx
To filter this log, right-click the event log and select Filter Current Log > Critical/Error/Warning . Then search through the filtered logs for BitLocker (press F3 and enter the text).
Errors in BitLocker settings follow the naming of the BitLocker CSP, so the entries you see will reference the CSP setting names.
You can also enable debug logging for this event log using the Event Viewer for troubleshooting.
BitLocker-API management event log
This is the main event log for BitLocker. If the MDM agent processed the policy successfully and there are no errors in the DeviceManagement-Enterprise-Diagnostics-Provider admin event log, this is the next log to investigate.
LOG > BitLocker-API management
- Location: Right-click on Start Menu > Event Viewer > Applications and Service Logs > Microsoft > Windows > BitLocker-API
- File system location: C:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx
Usually, errors are logged here if there are hardware or software prerequisites missing that the policy requires such as Trusted Platform Module (TPM) or Windows Recovery Environment (WinRE).
Error: Failed to enable Silent Encryption
As shown in the following example, conflicting policy settings that cannot be implemented during silent encryption and manifest as group policy conflicts are also logged:
Failed to enable Silent Encryption.
Error: BitLocker Encryption cannot be applied to this drive because of conflicting Group Policy settings. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker.
Solution: Configure the compatible TPM startup PIN to Blocked . This will resolve conflicting Group Policy settings when using silent encryption.
You must set the PIN and TPM startup key to Blocked if silent encryption is required. Configuring the TPM startup PIN and startup key to Allowed, with the other startup key and PIN settings set to Blocked to avoid user interaction, will result in a conflicting Group Policy error in the BitLocker-API event log. Also, if you configure the TPM startup PIN or startup key to require user interaction, silent encryption will fail.
Configuring any of the compatible TPM settings to Required will cause silent encryption to fail.
Error: TPM not available
Another common error in the BitLocker-API log is that the TPM is not available. The following example shows that TPM is a requirement for silent encryption:
Failed to enable Silent Encryption. TPM is not available.
Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer.
Solution: Ensure there is a TPM available on the device and, if it is present, check its status via TPM.msc or the PowerShell cmdlet Get-Tpm.
Error: Un-Allowed DMA capable bus
If the BitLocker-API log displays the following status, it means that Windows has detected an attached Direct memory access (DMA)-capable device that might expose a DMA threat.
Un-Allowed DMA capable bus/device(s) detected
Solution: To remediate this issue, first verify that the device has no external DMA ports with the original equipment manufacturer (OEM). Then follow these steps to add the device to the allowed list. Note: Only add a DMA device to the allowed list if it is an internal DMA interface/bus.
System event log
If you're having hardware-related issues—such as problems with the TPM—errors will appear in the system event log for TPM from the TPMProvisioningService or TPM-WMI source.
LOG > System event
- Location: Right-click on Start Menu > Event Viewer > Windows Logs > System
- File system location: C:\Windows\System32\winevt\Logs\System.evtx
Filter on these event sources to help identify any hardware-related issues that the device may be experiencing with the TPM, and check with the OEM whether there are any firmware updates available.
Task scheduler operational event log
The task scheduler operational event log is useful for troubleshooting scenarios where the policy has been received from Intune (has been processed in DeviceManagement-Enterprise), but BitLocker encryption has not successfully initiated. BitLocker MDM policy refresh is a scheduled task that should run successfully when the MDM agent syncs with the Intune service.
Enable and run the operational log in the following scenarios:
- The BitLocker policy appears in the DeviceManagement-Enterprise-Diagnostics-Provider admin event log, in MDM diagnostics, and the registry.
- There are no errors (the policy has been picked up successfully from Intune).
- Nothing is logged in the BitLocker-API event log to show that encryption was even attempted.
LOG > Task scheduler operational event
- Location: Event Viewer > Applications and Service Logs > Microsoft > Windows > TaskScheduler
- File system location: C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
Enable and run the operational event log
You must manually enable this event log before logging any data because the log will identify any problems running the BitLocker MDM policy Refresh scheduled task.
To enable this log, right-click on Start Menu > Event Viewer > Applications and Services > Microsoft > Windows > TaskScheduler > Operational .
Then enter task scheduler in the Windows search box, and select Task Scheduler > Microsoft > Windows > BitLocker . Right-click on BitLocker MDM policy Refresh and choose Run .
When the run is complete, inspect the Last Run Result column for any error codes and examine the task schedule event log for errors.
In the example above, a Last Run Result of 0x0 means the task ran successfully. The result 0x41303 means the task has never previously run.
For more information about Task Scheduler error messages, see Task Scheduler Error and Success Constants .
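The three log sections above (MDM agent, BitLocker-API, System) and the Task Scheduler section all describe steps you would otherwise click through in Event Viewer. As an added example that is not part of the Microsoft article, the PowerShell below pulls the same entries with Get-WinEvent, enables the Task Scheduler operational log, runs the BitLocker MDM policy Refresh task and reports its Last Run Result. The log and task names are the ones given on this page; the 24-hour window, the `*TPM*` provider wildcard and the 10-second wait for the task are my assumptions. Run in an elevated session after a manual sync.

```powershell
# Added example, not from the Microsoft article: gather the BitLocker-related
# events the article tells you to look for, then exercise the MDM refresh task.

function Get-BitLockerTriageEvents {
    param([int]$Hours = 24)   # assumption: look back one day
    $since = (Get-Date).AddHours(-$Hours)

    # 1. MDM agent log, Critical/Error/Warning only, filtered for "BitLocker"
    #    (the same filter the article applies in Event Viewer).
    $mdm = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 1, 2, 3
        StartTime = $since
    } | Where-Object { $_.Message -match 'BitLocker' }

    # 2. BitLocker-API management log: "Failed to enable Silent Encryption",
    #    "TPM is not available", DMA bus warnings and the like land here.
    $api = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = $since
    }

    # 3. System log entries from the TPM providers (TPM-WMI, TPMProvisioningService).
    $sys = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = '*TPM*'
        StartTime    = $since
    }

    foreach ($e in (@($mdm) + @($api) + @($sys) | Where-Object { $_ })) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Log     = $e.LogName
            Level   = $e.LevelDisplayName
            Id      = $e.Id
            Message = ($e.Message -split "`r?`n")[0]   # first line keeps the table readable
        }
    }
}

function Invoke-BitLockerPolicyRefresh {
    # The operational log is off by default; enable it so the task leaves a trace.
    wevtutil sl 'Microsoft-Windows-TaskScheduler/Operational' /e:true

    $path = '\Microsoft\Windows\BitLocker\'
    $name = 'BitLocker MDM policy Refresh'
    Start-ScheduledTask -TaskPath $path -TaskName $name
    Start-Sleep -Seconds 10                          # assumption: enough for a short task
    $info = Get-ScheduledTaskInfo -TaskPath $path -TaskName $name

    [pscustomobject]@{
        LastRunTime   = $info.LastRunTime
        LastRunResult = ('0x{0:X}' -f $info.LastTaskResult)   # 0x0 = success, 0x41303 = never ran
        TaskEvents    = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
                            LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
                            StartTime = (Get-Date).AddMinutes(-5)
                        } | Where-Object { $_.Message -match $name } |
                            Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

Get-BitLockerTriageEvents | Sort-Object Time | Format-Table -AutoSize
Invoke-BitLockerPolicyRefresh | Format-List
```

If the MDM log shows the policy arriving without errors and the BitLocker-API log is empty, the refresh task result is the next thing to look at, which is exactly the scenario the Task Scheduler section describes.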
Checking BitLocker settings
The following sections explain the different tools you can use to check your encryption settings and status.
MDM Diagnostics Report
You can create a report of MDM logs to diagnose enrollment or device management issues in Windows 10 devices managed by Intune. The MDM Diagnostic Report contains useful information about an Intune enrolled device and the policies deployed to it.
For a tutorial of this process, see the YouTube video How to create an Intune MDM diagnostic report on Windows devices.
- File system location: C:\Users\Public\Documents\MDMDiagnostics
OS build and edition
The first step in understanding why your encryption policy is not applying correctly is to check whether the Windows OS version and edition supports the settings you configured. Some CSPs were introduced on specific versions of Windows and will only work on a certain edition. For example, the bulk of BitLocker CSP settings were introduced in Windows 10, version 1703 but these settings weren't supported on Windows 10 Pro until Windows 10, version 1809.
Additionally, there are settings such as AllowStandardUserEncryption (added in version 1809), ConfigureRecoveryPasswordRotation (added in version 1909), RotateRecoveryPasswords (added in version 1909), and Status (added in version 1903).
Investigating with the EntDMID
The EntDMID is a unique device ID for Intune enrollment. In the Microsoft Intune admin center , you can use the EntDMID to search through the All Devices view and identify a specific device. It is also a crucial piece of information for Microsoft support to enable further troubleshooting on the service side if a support case is required.
You can also use the MDM Diagnostic Report to identify whether a policy has been successfully sent to the device with the settings the administrator configured. By using the BitLocker CSP as a reference, you can decipher which settings have been picked up when syncing with the Intune service. You can use the report to determine if the policy is targeting the device and use the BitLocker CSP documentation to identify what settings have been configured.
MSINFO32
MSINFO32 is an information tool that contains device data you can use to determine if a device satisfies BitLocker prerequisites. The required prerequisites will depend on BitLocker policy settings and the required outcome. For example, silent encryption for TPM 2.0 requires a TPM and Unified Extensible Firmware Interface (UEFI).
- Location: In the Search box, enter msinfo32 , right-click System Information in the search results, and select Run as administrator .
- File system location: C:\Windows\System32\Msinfo32.exe.
However, if the device doesn't meet every item listed there, it doesn't necessarily mean that you can't encrypt the device using an Intune policy.
- If you have configured the BitLocker policy to encrypt silently and the device is using TPM 2.0, it is important to verify that BIOS mode is UEFI. If the TPM is 1.2, then having the BIOS mode in UEFI is not a requirement.
- Secure boot, DMA protection, and PCR7 configuration are not required for silent encryption but might be highlighted in Device Encryption Support . This is to ensure support for automatic encryption.
- BitLocker policies that are configured to not require a TPM and have user interaction rather than encrypt silently will also not have prerequisites to check in MSINFO32.
TPM.msc
TPM.msc is a Microsoft Management Console (MMC) snap-in file. You can use TPM.msc to determine whether your device has a TPM, to identify the version, and whether it is ready for use.
- Location: In the Search box, enter tpm.msc , and then right-click and select Run as administrator .
- File system location: MMC Snap-in C:\Windows\System32\mmc.exe.
TPM is not a prerequisite for BitLocker but is highly recommended due to the increased security it provides. However, TPM is required for silent and automatic encryption. If you're trying to encrypt silently with Intune and there are TPM errors in the BitLocker-API and system event logs, TPM.msc will help you understand the problem.
The following example shows a healthy TPM 2.0 status. Note the specification version 2.0 in the bottom right and that the status is ready for use.
This example shows an unhealthy status when the TPM is disabled in the BIOS:
Configuring a policy to require a TPM and expecting BitLocker to encrypt when the TPM is missing or unhealthy is one of the most common issues.
Get-Tpm cmdlet
A cmdlet is a lightweight command in the Windows PowerShell environment. In addition to running TPM.msc, you can verify the TPM using the Get-Tpm cmdlet. You will need to run this cmdlet with administrator rights.
- Location: In the Search box enter cmd, and then right-click and select Run as administrator > PowerShell > Get-Tpm.
In the example above, you can see that the TPM is present and active in the PowerShell window. The values equal True. If the values were set to False, it would indicate a problem with the TPM. BitLocker will not be able to use the TPM until it is present, ready, enabled, activated, and owned.
Manage-bde command-line tool
Manage-bde is a BitLocker encryption command-line tool included in Windows. It's designed to help with administration after BitLocker is enabled.
- Location: In the Search box, enter cmd , right-click and select Run as administrator , and then enter manage-bde -status .
- File system location: C:\Windows\System32\manage-bde.exe.
You can use manage-bde to discover the following information about a device:
- Is it encrypted? If reporting in the Microsoft Intune admin center indicates a device is not encrypted, this command-line tool can identify the encryption status.
- Which encryption method has been used? You can compare information from the tool to the encryption method in the policy to make sure they match. For example, if the Intune policy is configured to XTS-AES 256-bit and the device is encrypted using XTS-AES 128-bit, this will result in errors in Microsoft Intune admin center policy reporting.
- What specific protectors are being used? There are several combinations of protectors . Knowing which protector is used on a device will help you understand if the policy has been applied correctly.
In the following example, the device is not encrypted:
BitLocker registry locations
This is the first place in the registry to look when you want to decipher the policy settings the device picked up from Intune:
- Location: Right-click on Start > Run and then enter regedit to open the Registry Editor.
- Registry location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker
The MDM agent registry key will help you identify the Globally Unique Identifier (GUID) in the PolicyManager that contains the actual BitLocker policy settings.
The GUID is highlighted in the above example. You can include the GUID (it will be different for each tenant) in the following registry subkey to troubleshoot BitLocker policy settings:
This report shows the BitLocker policy settings that have been picked up by the MDM agent (OMADM client). These are the same settings that you will see in the MDM Diagnostic report, so this is an alternative way of identifying settings that the client has picked up.
Example of EncryptionMethodByDriveType registry key:
Example of SystemDrivesRecoveryOptions :
BitLocker registry key
The settings in the policy provider registry key will be duplicated into the main BitLocker registry key. You can compare the settings to ensure they match what appears in the policy settings in the user interface (UI), MDM log, MDM diagnostics and the policy registry key.
- Registry key location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
This is an example of the FVE registry key:
- A: The encryption method values decode as follows:
  - 3 = AES-CBC 128
  - 4 = AES-CBC 256
  - 6 = XTS-AES 128
  - 7 = XTS-AES 256
- B: UseTPM, UseTPMKey, UseTPMKeyPIN and UseTPMPIN are all set to 2, which means they are all set to Allowed.
- C: Notice that most of the keys are divided into groups of settings for the operating system drive (OS), fixed drive (FDV) and removable drive (FDVR).
- D: OSActiveDirectoryBackup has a value of 1 and is enabled.
- E: OSHideRecoveryPage is equal to 0 and not enabled.
Use the BitLocker CSP documentation to decode all of the setting names in the registry.
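The two registry sections above ask you to read the PolicyManager key and the FVE key by hand and decode the numeric values. As an added example that is not part of the Microsoft article, the PowerShell below reads both keys and applies the decodings listed on this page (3/4/6/7 for encryption methods; 0/1/2 = Blocked/Required/Allowed for the UseTPM* values). The PolicyManager values are ADMX-style XML strings, so the script extracts each data id/value pair with a regular expression. The FVE value names EncryptionMethodWithXtsOs, EncryptionMethodWithXtsFdv and EncryptionMethodWithXtsRdv come from the BitLocker CSP documentation rather than from this page; everything else uses names the page gives. Run elevated.

```powershell
# Added example, not from the Microsoft article: decode the BitLocker policy as
# stored by the MDM agent (PolicyManager) and as applied to BitLocker (FVE).

$EncryptionMethodNames = @{ 3 = 'AES-CBC 128'; 4 = 'AES-CBC 256'; 6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }
$TpmOptionNames        = @{ 0 = 'Blocked'; 1 = 'Required'; 2 = 'Allowed' }

function Get-BitLockerPolicyRegistry {
    # A) Settings received from Intune, stored as XML fragments such as
    #    <enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="7"/>
    $pm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker' -ErrorAction SilentlyContinue
    if ($pm) {
        foreach ($name in 'EncryptionMethodByDriveType', 'SystemDrivesRecoveryOptions') {
            $raw = $pm.$name
            if (-not $raw) { continue }
            foreach ($m in [regex]::Matches($raw, 'data id="([^"]+)"\s+value="([^"]*)"')) {
                [pscustomobject]@{
                    Source  = 'PolicyManager'
                    Setting = "$name/$($m.Groups[1].Value)"
                    Value   = $m.Groups[2].Value
                    Decoded = $EncryptionMethodNames[[int]$m.Groups[2].Value]   # only meaningful for method values
                }
            }
        }
    }

    # B) The effective FVE policy key BitLocker reads (mirrors the table above).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if (-not $fve) { return }

    foreach ($drive in 'Os', 'Fdv', 'Rdv') {              # OS, fixed and removable drives
        $name = "EncryptionMethodWithXts$drive"          # value names per the BitLocker CSP docs
        $v = $fve.$name
        if ($null -ne $v) {
            [pscustomobject]@{ Source = 'FVE'; Setting = $name; Value = $v; Decoded = $EncryptionMethodNames[[int]$v] }
        }
    }
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        $v = $fve.$name
        if ($null -ne $v) {
            [pscustomobject]@{ Source = 'FVE'; Setting = $name; Value = $v; Decoded = $TpmOptionNames[[int]$v] }
        }
    }
    foreach ($name in 'OSActiveDirectoryBackup', 'OSHideRecoveryPage') {
        $v = $fve.$name
        if ($null -ne $v) {
            $state = if ($v -eq 1) { 'Enabled' } else { 'Disabled' }
            [pscustomobject]@{ Source = 'FVE'; Setting = $name; Value = $v; Decoded = $state }
        }
    }
}

function Test-SilentEncryptionPinKeySettings {
    # Per the article, a startup PIN or key set to Required (1) needs user
    # interaction and therefore prevents silent encryption.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $required = @('UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN' | Where-Object { $fve.$_ -eq 1 })
    [pscustomobject]@{
        RequiredPinOrKeySettings = ($required -join ', ')
        SilentEncryptionPossible = ($required.Count -eq 0)
    }
}

Get-BitLockerPolicyRegistry | Format-Table -AutoSize
Test-SilentEncryptionPinKeySettings | Format-List
```

Comparing the Decoded column from the two sources side by side is the quickest way to see whether the refresh task has actually copied the PolicyManager settings into the FVE key, which is the step the encryption process section says happens last before encryption starts.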
REAgentC.exe command-line tool
REAgentC.exe is a command-line executable tool that you can use to configure the Windows Recovery Environment (Windows RE). WinRE is a prerequisite for enabling BitLocker in certain scenarios such as silent or automatic encryption.
- Location: Right-click on Start > Run , enter cmd . Then right-click cmd and select Run as administrator > reagentc /info .
- File system location: C:\Windows\System32\ReAgentC.exe.
If you see error messages in the BitLocker-API log about WinRE not being enabled, run the reagentc /info command on the device to determine the WinRE status.
If the WinRE status is disabled, run the reagentc /enable command as an administrator to enable it manually.
When BitLocker fails to enable on a Windows 10 device using an Intune policy, in most cases, the hardware or software prerequisites are not in place. Examining the BitLocker-API log will help you identify which prerequisite is not satisfied. The most common issues are:
- TPM is not present
- WinRE is not enabled
- UEFI BIOS is not enabled for TPM 2.0 devices
Policy misconfiguration can also cause encryption failures. Not all Windows devices can encrypt silently so think about the users and devices that you're targeting.
Configuring a startup key or PIN for a policy intended for silent encryption will not work because of the user interaction required when enabling BitLocker. Keep this in mind when configuring the BitLocker policy in Intune.
Verify whether the policy settings have been picked up by the device to determine whether the targeting has been successful.
It is possible to identify the policy settings using MDM diagnostics, registry keys, and the device management enterprise event log to verify if settings were successfully applied. The BitLocker CSP documentation can help you decipher these settings to understand whether they match what has been configured in the policy.
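The summary lists the three prerequisites that most often block encryption (TPM, WinRE, UEFI for TPM 2.0), and the MSINFO32, TPM.msc, Get-Tpm, manage-bde and REAgentC sections each check one of them by hand. As an added example that is not part of the Microsoft article, the PowerShell below runs those checks together in one elevated session and reports whether the device meets the article's conditions for silent encryption. It assumes the firmware mode is available as $env:firmware_type, that the TPM specification version can be read from the Win32_Tpm WMI class, that the WinRE state is parsed from the text output of reagentc /info, and that Get-BitLockerVolume stands in for manage-bde -status.

```powershell
# Added example, not from the Microsoft article: one-shot prerequisite and
# status check for Intune-driven silent BitLocker encryption.

function Test-BitLockerSilentEncryptionReadiness {
    # TPM state from Get-Tpm; the article says all of these must be True before
    # BitLocker can use the TPM.
    $tpm   = Get-Tpm
    $tpmOk = $tpm.TpmPresent -and $tpm.TpmReady -and $tpm.TpmEnabled -and $tpm.TpmActivated -and $tpm.TpmOwned

    # TPM specification version from WMI (SpecVersion looks like "2.0, 0, 1.38").
    $tpmWmi  = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Firmware mode ("UEFI" or "Legacy"); the article only requires UEFI for TPM 2.0.
    $firmware = $env:firmware_type
    $uefiOk   = ($tpmSpec -ne '2.0') -or ($firmware -eq 'UEFI')
    $uefiText = if ($uefiOk) { 'Met' } else { 'Not met (TPM 2.0 requires UEFI)' }

    # WinRE status parsed from reagentc /info (assumption: "Windows RE status: Enabled" line).
    $reText = (reagentc /info 2>&1) -join "`n"
    $winRe  = if ($reText -match 'Windows RE status:\s*(\w+)') { $Matches[1] } else { 'Unknown' }

    # Current OS volume state, the same facts manage-bde -status reports.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [pscustomobject]@{
        TpmPresent               = $tpm.TpmPresent
        TpmReady                 = $tpm.TpmReady
        TpmUsableByBitLocker     = $tpmOk
        TpmSpecVersion           = $tpmSpec
        FirmwareType             = $firmware
        UefiRequirement          = $uefiText
        WinReStatus              = $winRe
        VolumeStatus             = $os.VolumeStatus        # e.g. FullyDecrypted, EncryptionInProgress
        EncryptionMethod         = $os.EncryptionMethod    # compare with the method in the Intune policy
        KeyProtectors            = ($os.KeyProtector.KeyProtectorType -join ', ')
        ProtectionStatus         = $os.ProtectionStatus
        ReadyForSilentEncryption = ($tpmOk -and $uefiOk -and ($winRe -eq 'Enabled'))
    }
}

Test-BitLockerSilentEncryptionReadiness | Format-List
```

When ReadyForSilentEncryption is False, the individual fields point at which of the three prerequisites is missing; when it is True but VolumeStatus is still FullyDecrypted, the problem is more likely policy targeting or a policy conflict, which the registry and event log checks earlier in the article cover.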