If you have configured BitLocker policies in your tenant to silently enable BitLocker and have started enrolling devices, you might run into an issue with the escrow (backup) of the recovery key.
In some cases the device fails to back up its BitLocker Drive Encryption recovery information to your Azure AD. The failure shows up as event 846 with error code 0x80072f8f (ERROR_INTERNET_SECURE_FAILURE), the WinINet code for a security failure on the HTTPS connection.
It's worth noting that this error is distinct from access denied (error code 0x80070005) and from error code 0x801c0450, which I covered in the blog I referred to earlier. Instead, it seems to be related to the security (TLS) side of the connection itself.
One solution is to update the firmware on your computer. The other is to remove the following entries from the Functions value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003 key, which lists the TLS signature algorithms Schannel offers:
RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512
To do this, you can use the following PowerShell script (run elevated):
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003"
# Functions is a REG_MULTI_SZ, so this returns a string array with one algorithm per entry
$Functions = Get-ItemPropertyValue -Path $Path -Name "Functions"
# Drop the three RSAE-PSS entries and keep every other algorithm in its original order
$Remove = "RSAE-PSS/SHA256", "RSAE-PSS/SHA384", "RSAE-PSS/SHA512"
$NewFunctions = @($Functions | Where-Object { $Remove -notcontains $_ })
# Keep the original value under a new name so the change can be reverted
Rename-ItemProperty -Path $Path -Name "Functions" -NewName "Backup_Functions"
# Write the trimmed list back as a REG_MULTI_SZ
Set-ItemProperty -Path $Path -Name "Functions" -Value $NewFunctions -Type MultiString
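Before changing the registry, and again after the change, it helps to confirm the device actually shows the symptom described above. The following check script is an added example, not part of the original post: it reports which of the three RSAE-PSS entries are present in the Functions value, whether the Backup_Functions copy exists, and any recent event 846 occurrences with the error code pulled from the message. It assumes that BitLocker backup events are written to the Microsoft-Windows-BitLocker/BitLocker Management log and that the HRESULT appears in the event text; the seven-day window is an arbitrary choice.

```powershell
# Added diagnostic check (not from the original post). Assumes the
# "Microsoft-Windows-BitLocker/BitLocker Management" log holds event 846
# and that the failing HRESULT (e.g. 0x80072F8F) appears in its message.
$Path   = "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003"
$Remove = "RSAE-PSS/SHA256", "RSAE-PSS/SHA384", "RSAE-PSS/SHA512"

# 1. Which of the three RSAE-PSS signature algorithms are still configured?
$Functions = @(Get-ItemPropertyValue -Path $Path -Name "Functions" -ErrorAction Stop)
$Present   = @($Functions | Where-Object { $Remove -contains $_ })
if ($Present.Count -gt 0) {
    Write-Output "RSAE-PSS entries still present: $($Present -join ', ')"
} else {
    Write-Output "No RSAE-PSS entries in Functions ($($Functions.Count) algorithms configured)"
}

# Was the original value preserved? (The workaround renames it to Backup_Functions.)
$Backup = Get-ItemProperty -Path $Path -Name "Backup_Functions" -ErrorAction SilentlyContinue
Write-Output ("Backup_Functions present: {0}" -f [bool]$Backup)

# 2. Recent recovery-key backup failures (event 846) and the error code in each
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = "Microsoft-Windows-BitLocker/BitLocker Management"
    Id        = 846
    StartTime = (Get-Date).AddDays(-7)   # constructed window; adjust as needed
} -ErrorAction SilentlyContinue

foreach ($e in $Events) {
    # Extract the first 8-digit HRESULT from the message text, if any
    $code = if ($e.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { "n/a" }
    Write-Output ("{0:u}  event 846  {1}" -f $e.TimeCreated, $code)
}
if (-not $Events) { Write-Output "No event 846 in the last 7 days" }

# 3. Protector state of the system drive, to confirm there is a recovery
#    password protector for the device to escrow in the first place
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ n = "RecoveryPasswordProtectors"
           e = { @($_.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword").Count } }
```

Run it once to capture the baseline (RSAE-PSS entries present, event 846 with 0x80072F8F), apply the registry change, and run it again after the next escrow attempt; if the entries are gone but 846 keeps appearing with the same code, the firmware route mentioned above is the remaining option from this post.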