Fix 0x80072f8f Bitlocker issues in Intune

If you have configured specific BitLocker policies in your tenant to silently enable BitLocker and have started enrolling devices, you might encounter an issue related to “escrow/backup.”

In some cases, the device may fail to back up the BitLocker Drive Encryption recovery information to your Azure AD. This failure is indicated by event 846 and is accompanied by the error code 0x80072f8f, which signifies a security-related error.

It’s worth noting that this error is distinct from access being denied (error code 0x80070005) or error code 0x801c0450, as mentioned in the blog I previously referred to. Instead, it seems to be related to security concerns.

One solution would be to update the firmware to your computer. The other solution is to delete the following values from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003 Functions key:




For this, you can use the following PowerShell script:


$string = Get-ItemPropertyValue “HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003” -Name “Functions”


$NewString = $string -replace “RSAE-PSS/SHA256” -replace “”

$NewString2 = $NewString -replace “RSAE-PSS/SHA384” -replace “”

$NewString3 = $NewString2 -replace “RSAE-PSS/SHA512” -replace “”


[System.Collections.ArrayList]$NewString4 = $NewString3


$NewString5 = $NewString4.Split(”,[System.StringSplitOptions]::RemoveEmptyEntries)


Rename-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003 -Name Functions -NewName Backup_Functions


Set-itemProperty “Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003” -name “Functions” -value $NewString5 -type MultiString


Leave a comment

Your email address will not be published. Required fields are marked *

twelve + 3 =