Intune / Windows 10 – Unable to turn on BitLocker with conflicting group policy error

Recently I came across an issue turning on BitLocker with the error on a Windows 10 device

BitLocker Drive Encryption cannot be applied to this drive because there conflicting Group Policy settings for recovery options on fixed data drives.

image

Also got the error before starting the troubleshooting

You can’t create both a recovery password and a recovery key

image

The policy to enable and enforce BitLocker is set on Intune/Endpoint Configuration Manager and the device has been refreshed (auto-pilot).

The device used to already have BitLocker enabled before the refresh process and re-assignment to another user.

After some troubleshooting and investigation, it was found that a registry key was the root cause of this ‘so called conflict’

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

with the below values

“FDVRecoveryPassword”=dword:00000000

“FDVRequireActiveDirectoryBackup”=dword:00000001

The FVE key is not created by Intune policy and should not be present when BitLocker is managed by Intune.

Deleting the complete FVE key solved the problem.

5 thoughts on “Intune / Windows 10 – Unable to turn on BitLocker with conflicting group policy error”

Leave a Comment

Your email address will not be published.