Recently I came across an issue turning on BitLocker on a Windows 10 device, which failed with the error:
BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on fixed data drives.
Before starting the troubleshooting I had also seen the error:
You can't create both a recovery password and a recovery key
The policy that enables and enforces BitLocker is set in Intune/Endpoint Configuration Manager, and the device had been refreshed (Autopilot).
The device already had BitLocker enabled before the refresh process and its re-assignment to another user.
After some troubleshooting and investigation, the root cause of this 'so called conflict' turned out to be a registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
with the values below:
"FDVRecoveryPassword"=dword:00000000
"FDVRequireActiveDirectoryBackup"=dword:00000001
The FVE key is not created by Intune policy and should not be present when BitLocker is managed by Intune.
Deleting the complete FVE key solved the problem.
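To check a device for this condition before touching anything, here is an added PowerShell audit script (my own example, not code from the original post). It assumes the device is Intune-managed, so the FVE policy key should be absent altogether; -Remove deletes the key and -WhatIf previews that deletion.

```powershell
# Added example (not from the original post): audit the legacy BitLocker policy key
# HKLM\SOFTWARE\Policies\Microsoft\FVE on an Intune-managed device.
# Assumption: Intune manages BitLocker, so the key should not exist at all.
# Run elevated. Exit code 0 = compliant, 1 = key present (fits an Intune detection script).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

if (-not (Test-Path -Path $fveKey)) {
    Write-Output "OK: $fveKey is not present (expected on an Intune-managed device)."
    exit 0
}

# Dump every value under the key so the full picture is visible before anything is changed.
$props = Get-ItemProperty -Path $fveKey
$props.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { Write-Output ("  {0} = {1}" -f $_.Name, $_.Value) }

# The combination seen in the post: recovery password disallowed (0) while AD backup is required (1).
$recoveryPwd = $props.FDVRecoveryPassword
$adBackupReq = $props.FDVRequireActiveDirectoryBackup
if ($recoveryPwd -eq 0 -and $adBackupReq -eq 1) {
    Write-Warning 'Conflicting fixed-data-drive recovery settings: FDVRecoveryPassword=0 with FDVRequireActiveDirectoryBackup=1.'
}

Write-Warning "$fveKey exists although BitLocker is managed by Intune; stale GPO-era policy values are the likely cause of the conflict error."

if ($Remove -and $PSCmdlet.ShouldProcess($fveKey, 'Remove legacy BitLocker policy key')) {
    Remove-Item -Path $fveKey -Recurse -Force
    Write-Output "Removed $fveKey. Re-run BitLocker enablement or wait for the Intune policy to reapply."
    exit 0
}

exit 1  # key still present: report non-compliant
```

Run it without -Remove first to see which values the key carries; the same script, minus the -Remove branch, can serve as the detection half of an Intune remediation pair.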
Hello
Did you delete the entire key?
or did you edit the values to fix the issue?
Thanks
TD
Hi Tristan
delete the entire FVE key
2 thumbs up.
This was driving me nuts
You are welcome
This was driving me nuts too
Thanks Benoit. It worked for me.
I’m struggling with this too. What is the permanent fix? How can we prevent the keys from getting created at all? We can’t delete them from every computer.
worked for me too, thx man.
Well this works.
Thank you for sharing
ヽ(✿゚▽゚)ノ
Hi
I tried deleting those keys, went to run BitLocker but still getting the same GPO error. Are any values in that FVE set to 2?
I have other entries set to 1, 0 or 2 in values.
Now I do see an article advising to delete all these keys, but not sure if that is a good idea.
As explained in this post, the full HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE key must be deleted when BitLocker is managed by Intune.