BitLocker Policy Failing: Errors & Complexity (Solved)

Participant
Discussion
3 months ago Feb 07, 2026

Hey everyone,

I am trying to roll out a BitLocker encryption policy silently to all Windows users. All of our devices are currently running on local accounts, not Microsoft accounts.

Initially, the deployment failed entirely, and the action history showed an unsupported password complexity configuration error. I figured out that combining the passcode policy with the encryption policy was causing a conflict, so I created a fresh, separate BitLocker policy to avoid that.

I tested the new policy on a single laptop, but it is not applying silently like I need it to. Instead, the user gets a prompt on their screen asking them to confirm the setup. When I tried to bypass this by pushing a force encryption command from the console, the action failed again, this time stating: The device does not have a compatible TPM. The associated BitLocker encryption policy does not allow enabling BitLocker in a device without a compatible TPM.

How can I get this deployed silently to everyone, even the older machines without TPM?

Also, one final concern from management: once encryption is active, will it restrict users from deleting their everyday data and files?

Any guidance would be hugely appreciated!

Replies (1)

Marked Solution (Pending Review)
Hexnode Expert
3 months ago Feb 07, 2026

Hello,

Thank you for reaching out to Hexnode Connect. I understand your concerns. Let’s look into these issues and achieve a completely silent deployment; here is what you need to do:

1. Update Your Policy for Devices Without TPM

BitLocker defaults to requiring a compatible TPM chip. To bypass this on older hardware, you need to update the startup authentication settings within your policy:

  • Edit your active BitLocker policy.
  • Navigate to Configure BitLocker OS drive policy and check Configure additional startup authentication settings.
  • Enable the option: Allow BitLocker to be activated on devices without a compatible TPM.
  • Result: This ensures the policy does not fail on older hardware and permits the use of a fallback password instead of a standard TPM startup PIN.

2. Force the Encryption (Bypasses User Prompts)

While a standard BitLocker policy dictates the encryption requirements, it often waits for the user to initiate the setup. To bypass the prompt and encrypt silently “over-the-air,” use the remote action:

  • Navigate to the Manage tab in your Hexnode UEM portal and select the target device(s).
  • Click on Actions > Security > Force BitLocker Encryption.
  • In the configuration window under the Authentication and Recovery section, enter a Fallback Password (a minimum 8-character password required for devices without a supported TPM) and initiate the action.
  • Result: This bypasses the manual user confirmation and forces immediate encryption in the background.

3. Regarding User Data Deletion

Encryption will not prevent users from deleting their own data. BitLocker protects data at rest from unauthorized physical access (e.g., if a laptop is stolen). Once an authorized user logs into their Windows profile, they hold the decryption “key” and can create, edit, or delete their files exactly as they normally would.

Deploy the updated policy to your test laptop, follow it up with the Force BitLocker Encryption action, and you should be good to go!

If you have any more doubts or need any assistance, please do reach out.

Best regards,
George
Hexnode UEM
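The three checks a practitioner would run on the test laptop around the steps above (is there a usable TPM, does local policy now permit BitLocker without one, and what is the actual protection state of the OS drive), plus a local equivalent of the forced-encryption step, as an added PowerShell example. This is not Hexnode's code and not what the console runs; it assumes that the policy option "Allow BitLocker to be activated on devices without a compatible TPM" is stored the same way as the matching Group Policy setting (`UseAdvancedStartup` and `EnableBDEWithNoTPM` under `HKLM\SOFTWARE\Policies\Microsoft\FVE`) and that the console's fallback password corresponds to a BitLocker password protector on the OS drive; both are assumptions to verify in your tenant. The function and parameter names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not Hexnode's code. Run on the test laptop before and after
# pushing the policy / Force BitLocker Encryption action.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BitLockerReadiness {
    param([string]$MountPoint = $env:SystemDrive)

    # TPM presence and readiness. Get-Tpm throws on hosts without a TPM driver,
    # which is exactly the "older machines" case, so guard it.
    $tpmPresent = $false; $tpmReady = $false
    try {
        $tpm = Get-Tpm
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
    } catch { }

    # ASSUMPTION: the console's "without a compatible TPM" option lands here,
    # as the equivalent Group Policy setting does. Verify on your own device.
    $policy = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    $noTpmAllowed = ($policy.UseAdvancedStartup -eq 1) -and ($policy.EnableBDEWithNoTPM -eq 1)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint         = $MountPoint
        TpmPresent         = $tpmPresent
        TpmReady           = $tpmReady
        NoTpmPolicyAllowed = $noTpmAllowed
        VolumeStatus       = $vol.VolumeStatus
        ProtectionStatus   = $vol.ProtectionStatus
        EncryptionPercent  = $vol.EncryptionPercentage
        Protectors         = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        # If this is $false the forced action will fail with the "no compatible TPM" error.
        CanEncryptNow      = $tpmReady -or $noTpmAllowed
    }
}

function Invoke-SilentBitLocker {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Only used when there is no usable TPM; mirrors the 8+ character
        # fallback password the console asks for.
        [securestring]$FallbackPassword
    )

    $state = Get-BitLockerReadiness -MountPoint $MountPoint
    if ($state.ProtectionStatus -eq 'On') { return $state }   # already protected, nothing to do

    if ($state.TpmReady) {
        if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable-BitLocker with TPM protector')) {
            Enable-BitLocker -MountPoint $MountPoint -TpmProtector `
                -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
        }
    } elseif ($state.NoTpmPolicyAllowed) {
        if (-not $FallbackPassword -or $FallbackPassword.Length -lt 8) {
            throw 'No TPM on this device: a fallback password of at least 8 characters is required.'
        }
        if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable-BitLocker with password protector (no TPM)')) {
            Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $FallbackPassword `
                -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
        }
    } else {
        # Same condition the console reports as "does not have a compatible TPM".
        throw 'No compatible TPM and policy does not allow BitLocker without one; fix the policy first.'
    }

    # Always add a recovery password as well, so a lost TPM or forgotten fallback
    # password does not lock the user out. In production, escrow it (the UEM does
    # this for you) rather than leaving it only on the device.
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Add recovery password protector')) {
        $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    }
    Get-BitLockerReadiness -MountPoint $MountPoint
}

# Usage on the test laptop:
#   Get-BitLockerReadiness                      # before pushing anything
#   Invoke-SilentBitLocker -WhatIf              # dry run: shows which branch would be taken
#   Invoke-SilentBitLocker -FallbackPassword (Read-Host -AsSecureString 'Fallback password')
```

The useful signal is `CanEncryptNow`: if it is `$false` after the policy has been pushed, the policy did not reach the device or the no-TPM option did not take effect, and the forced action will keep failing with the same error regardless of how many times it is retried. `-UsedSpaceOnly` keeps the initial encryption short on the older hardware; drop it if you need a full-disk pass on previously used drives.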
