Intune & BitLocker
Greetings folks. I am looking for a bit of guidance in troubleshooting an Intune/BitLocker issue we're having.
We've recently rolled out Intune & Entra to do our machine/ID management as we move towards ISO27001, and I'm running into a super frustrating issue.
For context, we are a small, fully remote, UK-based business with around 15 employees; we have a mixture of Mac & Windows laptops, all of which have been enrolled into Intune successfully and until recently showed as being fully compliant with the policies.
All users have a Microsoft 365 Business Premium License assigned to them.
Windows laptops are joined to 365, and all users log in with their 365 email & password using strong passwords & two-factor authentication in line with current cyber security guidance.
Our BitLocker policy is set to be required on all fixed drives; it gives multiple options for recovery key storage, but the default is to escrow the key to Entra. We also have the BitLocker configuration set to the silent deploy option.
All our machines had BitLocker enabled before we started to roll out Intune; this was just managed as default company policy and as part of the machine configuration, and all users stored a local recovery key.
Three of our Windows PCs (all Lenovo machines, but a mixture of models) updated their BIOS recently, and since then BitLocker on those machines has been in the suspended state. Any attempt to resume protection fails with an error saying:
'Group policy settings require the creation of a recovery key', and when I look in the BitLocker-API event log I see an error message that reads 'BitLocker encountered a failure to commit metadata changes for volume C:.'.
If I check the BitLocker panel in Windows it tells me BitLocker is suspended and will restart on the next system reboot.
So far I have checked & tried:
That the TPM shows as valid and active in both the BIOS and Windows (all machines are less than two years old and have TPM 2.0).
Secure boot is enabled in the BIOS.
I've checked the Entra accounts for the users and they all have a recovery key saved to them. I have also asked the users if they have an offline copy of the key, and checked that those values are the same as the Entra key and that those keys are the correct keys for the machines in question (checked via PowerShell).
We have attempted to disconnect a machine and then reconnect it, it rejoins but with the same error.
Temporarily upgrading users' accounts to local admins in case it was a permission issue (although we do have the Intune policy set to allow non-local admins to start BitLocker).
I've been through the MS documentation and suggested settings and I cannot see anything in our configuration that would be causing this; there are no conflicting policies in the system, and the laptops that did not have the BIOS update continue to work just fine.
Apologies for the long post but I am approaching my wits end with this and any guidance as to what I have missed would be greatly appreciated.
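For anyone working through the same checklist on an affected laptop, the script below is an added example (editor's addition, not part of the original post) that collects the state the poster was checking by hand in one elevated PowerShell session: TPM and Secure Boot status, the volume's current key protectors, the recent non-informational entries from the BitLocker-API management event log, and whether the device reports itself as Entra-joined. It then confirms the volume actually carries a numerical recovery password protector, escrows it to Entra ID with BackupToAAD-BitLockerKeyProtector, and attempts Resume-BitLocker. It assumes C: is the OS volume, that the machine is Entra-joined, and that the BitLocker and TrustedPlatformModule PowerShell modules are present (standard on Windows 10/11). It is a diagnostic and a generic protector/escrow check, not a claimed fix for the metadata-commit failure described above.

```powershell
# Added diagnostic for a BitLocker OS volume stuck in the suspended state after a
# firmware update. Run in an elevated PowerShell session on the affected laptop.
# Assumptions: C: is the OS volume and the device is Entra-joined.
$mount = "C:"

# 1. Platform state: TPM and Secure Boot.
$tpm = Get-Tpm
Write-Host ("TPM present={0} ready={1} enabled={2} activated={3}" -f `
    $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmEnabled, $tpm.TpmActivated)
Write-Host ("Secure Boot enabled: {0}" -f (Confirm-SecureBootUEFI))

# 2. Join state as seen by the device itself (dsregcmd prints "AzureAdJoined : YES/NO").
Write-Host ((dsregcmd /status) | Select-String "AzureAdJoined")

# 3. Volume state and the key protectors currently attached to it.
$vol = Get-BitLockerVolume -MountPoint $mount
Write-Host ("Volume status={0} protection={1} method={2}" -f `
    $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod)
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 4. Recent warnings/errors from the BitLocker-API management channel, where the
#    "failure to commit metadata changes" events are written.
Get-WinEvent -LogName "Microsoft-Windows-BitLocker/BitLocker Management" -MaxEvents 25 |
    Where-Object { $_.LevelDisplayName -ne "Information" } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 5. A policy that requires a recovery key needs a numerical recovery password
#    protector on the volume, and Intune expects it to be escrowed to Entra ID.
#    If none exists, add one, back every recovery password protector up to Entra,
#    and then attempt to resume protection. Record the new key before resuming.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
if (-not $recovery) {
    Write-Host "No recovery password protector found; adding one."
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
        Where-Object KeyProtectorType -eq "RecoveryPassword"
}
foreach ($rp in $recovery) {
    Write-Host ("Escrowing recovery protector {0} to Entra ID" -f $rp.KeyProtectorId)
    BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId
}

# 6. Try to resume and report the resulting state.
Resume-BitLocker -MountPoint $mount
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, @{n="Protectors"; e={$_.KeyProtector.KeyProtectorType -join ","}}
```

If step 5 fails with the same error, the event details captured in step 4 (event ID and full message) are what to quote when raising the case, since they identify which metadata write the volume is rejecting; if the Secure Boot or TPM state in step 1 differs from the pre-update state, the TPM protector's PCR binding, rather than the recovery key, is the more likely culprit and is worth comparing against a laptop that did not receive the BIOS update.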