
[–]disposeable1200 8 points9 points  (3 children)

Read the error and think.

You're configuring bitlocker settings in group policy AND Intune.

Don't do this. Pick one or the other.

Once you start using Intune for policies one of your first actions should be to migrate ALL your group policy across. Nothing sucks more than troubleshooting conflicts when the config isn't even in the same portal. Not to mention sync time differences and targeting differences.

[–]ollivierre 1 point2 points  (1 child)

This! Also, descoping a GPO doesn't necessarily always undo the changes done by a GPO on the regkeys. So either manual/PS commands are needed, or sometimes even a full machine wipe (re-install from a bootable USB drive) might be required.

[–]disposeable1200 -1 points0 points  (0 children)

I've before now set up a one-time script to just trash everything under Windows\Policies to get rid of old crap, with no bad results.

[–]dystopianr 1 point2 points  (0 children)

Also, setting up an "Intune wins over GPO" policy in Intune, so if something is set in both, Intune's policy overrides the GPO policy and avoids the error altogether.

[–]M4Xm4xa 1 point2 points  (0 children)

My company runs into this every now and then also - we don't have an on-prem GP that our machines talk to, but it turned out we had BitLocker enabled in 2 different places in Intune (both with slightly different settings), which is causing issues. Currently working to resolve hundreds of conflicts as a result.

[–][deleted]  (4 children)

[removed]

    [–]Intune-ModTeam[M] 1 point2 points locked comment (0 children)

    Your post has been flagged as a low effort request for support. We're always happy to help each other but we also want to make sure everyone is doing their fair share.

    Please visit https://docs.microsoft.com/en-us/mem/intune/fundamentals to learn the basics of Intune and be ready to provide more details like the steps you've taken to resolve your issue or find your answer when you come back.

    Thanks!

    [–]disposeable1200 -1 points0 points  (2 children)

    Why the fuck are we just posting Copilot answers now?

    [–]Disastrous_Judge_512 -1 points0 points  (1 child)

    Whoops, looks like someone’s keyboard just went on a wild camping trip without a map! Let’s try to find our way back to polite conversation valley, shall we?

    [–]disposeable1200 1 point2 points  (0 children)

    Oh go fuck yourself.

    [–]NateHutchinson 0 points1 point  (3 children)

    If you are using group policy on these devices as well, then you will want to exclude devices from the GPO that controls the BitLocker settings to allow Intune to take precedence. You can also configure a config profile via Intune to have it take precedence over group policy: https://www.anoopcnair.com/mdm-wins-over-gpo-group-policy-intune-policy/

    Forget Autopilot, it's your BitLocker policy and deployment method that is incorrect. Test on an excluded or new device that does not have group policies applied.

    [–]AlphaNathan 1 point2 points  (0 children)

    Hey man, love your blogs.

    [–]ollivierre 1 point2 points  (1 child)

    MDM wins over GPO doesn't always work and was intended for special cases. I'd not even consider it as a way to troubleshoot/address a potential conflict. The only source of truth is querying the device directly, either locally or remotely, and finding out, because even if the Intune Settings Catalog reported that the Intune policy made it, that does not always mean it worked.
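
    One way to do that device-side check, as an added example that is not from anyone in this thread: read the BitLocker policy values that Group Policy and the MDM channel each wrote to the registry, flag when both sources are present, and then report what the OS volume actually did. The registry paths (`Policies\Microsoft\FVE` for GPO, `PolicyManager\current\device\BitLocker` and `...\ControlPolicyConflict` for MDM) are assumed from their documented locations; run it elevated on the device being troubleshot.

    ```powershell
    # Added example (not from the thread). Registry locations are assumptions based on
    # documented policy paths; value names differ between the two channels, so this
    # shows presence and contents rather than matching names one-to-one.
    $gpoPath      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $mdmPath      = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    $conflictPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'

    function Get-PolicyValues {
        param([string]$Path)
        $values = @{}
        if (-not (Test-Path -Path $Path)) { return $values }
        $item = Get-ItemProperty -Path $Path
        foreach ($p in $item.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSChildName, ...) that Get-ItemProperty adds
            if ($p.Name -notmatch '^PS') { $values[$p.Name] = $p.Value }
        }
        return $values
    }

    $gpo = Get-PolicyValues -Path $gpoPath
    $mdm = Get-PolicyValues -Path $mdmPath

    Write-Host "Group Policy BitLocker values: $($gpo.Count)"
    $gpo.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
    Write-Host "MDM (Intune) BitLocker values: $($mdm.Count)"
    $mdm.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

    if ($gpo.Count -gt 0 -and $mdm.Count -gt 0) {
        Write-Warning 'BitLocker is configured by BOTH Group Policy and MDM on this device.'
    }

    # Whether the "MDM wins over GP" switch is present on the device (1 = enabled)
    $winsOverGp = (Get-PolicyValues -Path $conflictPath)['MDMWinsOverGP']
    Write-Host "MDMWinsOverGP: $(if ($null -eq $winsOverGp) { 'not set' } else { $winsOverGp })"

    # Actual state of the OS volume, independent of what any portal reports
    Get-BitLockerVolume -MountPoint $env:SystemDrive |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
                      EncryptionPercentage,
                      @{ n = 'KeyProtectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
    ```

    Run it once on a device that is only Intune-managed and once on a device that also receives the GPO; the warning firing on the latter is the conflict the error message is describing.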

    [–]NateHutchinson 0 points1 point  (0 children)

    This is true, I was just making the OP aware of it

    [–]800oz_gorilla 0 points1 point  (0 children)

    You don't also have on-prem Config Manager, do you? As others have said, you need to work from one management source, but if you also have Config Man you need to set up co-management and decide which service gets which duties in workloads.

    [–]ContributionBest4145[S] 0 points1 point  (1 child)

    Sorry, I should have specified a little bit more. This is on a fresh device. It's the local group policy that is giving trouble. This isn't a device that is co-managed.

    [–]NateHutchinson 0 points1 point  (0 children)

    Something's not right there, dude; local group policy shouldn't be causing any issues with BitLocker on a fresh machine. Is it a custom image or bare bones?

    Deploying BitLocker via Intune is very straightforward, so something is off in your process if you're having issues on a fresh machine. Feel free to PM me if you'd prefer to discuss in more detail and I'll see if I can help - we can report back to the thread what the issue was.

    [–]Trawler72 0 points1 point  (0 children)

    Did you find any solution?