Microsoft Intune “BitLocker encryption cannot be applied to this drive” | Solved

Today I faced a weird issue when trying to get an Intune policy to automatically encrypt Windows 10/11 disks. Since the automatic encryption did not kick in, I tried to encrypt manually to check whether there was a problem on the client device, and got the error below immediately after starting the wizard.


Issue

BitLocker Encryption cannot be applied to this drive because of conflicting Group Policy settings. When write access to drives not protected by BitLocker is denied, then the use of a USB startup key cannot be required. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker.


Microsoft Intune “BitLocker encryption cannot be applied to this drive” screenshot



Since we had already configured the encryption policy as per the official guide, and it works on other devices, this error did not make sense.

Official Intune BitLocker guide: https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices



Solution

The issue was caused by a previous attempt to encrypt the disk. No matter how many policy changes we push, BitLocker will not forget that earlier attempt and retry on its own. To make BitLocker attempt encryption again, we have to remove the system's record of the previous attempt by deleting the FVE registry container located at the path below.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE


Microsoft Intune “BitLocker encryption cannot be applied to this drive” registry fix screenshot



Once this registry container is deleted, rerun an Intune sync and restart the system. BitLocker automatic encryption should kick in if the policy configuration is correct.
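The same fix as a PowerShell script, added here as an example and not part of the original post: it shows the stale FVE policy values, backs the key up to a .reg file before removing it, triggers the Intune sync, and reports BitLocker status. It assumes an elevated session on the affected device and that the MDM client's PushLaunch scheduled task is the way to kick off the sync.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$fvePath   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$fveRegKey = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
$backup    = Join-Path $env:TEMP ("FVE-policy-backup-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

if (-not (Test-Path $fvePath)) {
    Write-Host "No FVE policy key found at $fvePath; nothing to clear."
    return
}

# Show what is currently in the container so the removal is reviewable
Write-Host "Current FVE policy values:"
Get-ItemProperty -Path $fvePath | Format-List *

# Export the key first so the change can be reverted if needed
reg.exe export $fveRegKey $backup /y | Out-Null
Write-Host "Backup written to $backup"

# Delete the FVE policy container, including any subkeys
Remove-Item -Path $fvePath -Recurse -Force
Write-Host "Removed $fvePath"

# Trigger an Intune (MDM) sync. Assumption: the MDM client's PushLaunch task,
# which lives under the enrollment GUID folder in EnterpriseMgmt, starts the sync.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
    Start-ScheduledTask

# Report BitLocker state on the OS drive; restart the device afterwards (Restart-Computer)
# so the re-applied policy can kick off automatic encryption.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
```

Because the key sits under Policies, Intune will recreate it with the current policy values on the next sync, so compare the exported backup against the fresh key if the conflict returns.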

