Today I wanted to enable the Personal Vault feature on my Home PC. While following the wizard I got an error 0x8031000a “Your organization requires your device to join the domain before you can use the Personal Vault”. What does this have to do with MDM, GPO and BitLocker troubleshooting? Here’s some quick Friday entertainment!
Step 1: What is going on?
My first reaction was to google for the error, and after a while I’ve found this useful docs page, which said
0x8031000a – FVE_E_AD_SCHEMA_NOT_INSTALLED – The Active Directory Domain Services forest does not contain the required attributes and classes to host BitLocker Drive Encryption or Trusted Platform Module information. Contact your domain administrator to verify that any required BitLocker Active Directory schema extensions have been installed.
BitLocker??? For OneDrive??? Anyways, my drive is already encrypted with BitLocker, and I am definitively not joined to AD!
However, my private PC is indeed managed – I have enrolled it as a BYOD machine, and it is managed by Intune over MDM, which pushes some configuration profiles to my device.
I can check what settings are pushed exactly by going to Settings -> Access work or school -> [Info] and generating the MDM Diagnostics Report.
I will spare you the screenshot of going there and opening the MDMDiagReport.html 🙂 Looking inside the report (Ctrl-F for BitLocker) and carefully reading I found the following:
FDVRequireActiveDirectoryBackup_Name you say? Where can I find this? I know that all MDM settings in Windows come via the Configuration Service Providers (CSPs). In fact, the first column of the report contains the CSP name: BitLocker. Let’s google for that one: https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp and Ctrl-F for this setting:
OK. Now I know that my company’s MDM has a legacy setting in it, that makes no sense for my AAD-Registered BYOD PC (a bug report is surely coming towards the help desk), but prevents me from using my private OneDrive fully. What can I do about it? Will I have to file a help desk ticket to get the MDM options changed, or could I fix it all myself?
I need to get better at cliffhangers…
Step 2: Understanding my options
Reading the BitLocker CSP docs page I see that this setting actually corresponds to a GPO:
Opening gpedit.msc I see that the corresponding GPO is not configured on my PC. So one way to fix the issue could be to re-create the MDM options using this policy, but leave the AD requirements out.
However, before doing that we need to ensure that MDM does not override the GPO settings on my machine – otherwise the change won’t make any sense! For this, the Policy CSP has an MDMwinsOverGP setting, which I can check in my MDM Diagnostics Report. In this case GPO wins – so my path is clear!
Step 3: Fix it!
Now that I know what the problem is, and what solution will work, the rest is just details. Opening gpedit.msc I go to the corresponding area and manually configure the GPO. No reboot required, BTW.
Now, trying to enable the Personal Vault in OneDrive again – it works! (No cliffhanger here)
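If you want to collect the same evidence without clicking through Settings, the MDM Diagnostics Report, the gpedit check and the MDMwinsOverGP check, here is a read-only PowerShell script that does it from one elevated prompt. This is an added example, not code from the original post: the output folder, the registry path for the raw BitLocker CSP values and the value names it looks up are my assumptions (the Policies\FVE value names and the ControlPolicyConflict path are the documented ones, but confirm them against the report it generates).

```powershell
# Added example (not part of the original post). Run as Administrator.
# Collects: MDM Diagnostics Report, domain/AAD join state, effective BitLocker
# "require AD backup" policy, raw MDM-pushed value, and who wins on conflict.

$reportDir = Join-Path $env:TEMP 'MDMDiag'   # assumed output folder; any writable path works
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# 1. Same report the Settings page produces (MdmDiagnosticsTool.exe ships with Windows 10/11).
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -out $reportDir | Out-Null
Write-Host "Report written to $reportDir\MDMDiagReport.html"

# 2. Join state: a "store recovery info in AD DS first" requirement only makes sense on an AD-joined PC.
$partOfDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
Write-Host "PartOfDomain = $partOfDomain"
(dsregcmd /status) | Select-String 'AzureAdJoined|DomainJoined|WorkplaceJoined' |
    ForEach-Object { Write-Host ('  ' + $_.Line.Trim()) }

# 3. Effective BitLocker policy. GPO and ADMX-backed MDM settings both land under this key.
#    The FDV* value is the one behind FDVRequireActiveDirectoryBackup_Name in the CSP docs.
$fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$names = 'OSRequireActiveDirectoryBackup', 'FDVRequireActiveDirectoryBackup', 'RDVRequireActiveDirectoryBackup'
$requireAdBackup = @()
foreach ($n in $names) {
    $v = (Get-ItemProperty -Path $fve -Name $n -ErrorAction SilentlyContinue).$n
    if ($null -eq $v) { Write-Host "$n : not configured" }
    else {
        Write-Host "$n : $v"
        if ($v -eq 1) { $requireAdBackup += $n }
    }
}

# 4. Raw value the MDM channel pushed (assumed location of BitLocker CSP data; cross-check with the report).
$csp = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
$fdv = (Get-ItemProperty -Path $csp -Name 'FixedDrivesRecoveryOptions' -ErrorAction SilentlyContinue).FixedDrivesRecoveryOptions
if ($fdv) { Write-Host "MDM FixedDrivesRecoveryOptions:`n$fdv" } else { Write-Host 'MDM FixedDrivesRecoveryOptions: not pushed' }

# 5. Conflict resolution: Policy CSP ControlPolicyConflict/MDMWinsOverGP (1 = MDM wins, 0/unset = GPO wins).
$conflict = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$mdmWins  = (Get-ItemProperty -Path $conflict -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue).MDMWinsOverGP
if ($mdmWins -eq 1) {
    Write-Host 'MDMWinsOverGP = 1: a local GPO change will be overridden by MDM; the fix has to go into the MDM profile.'
} else {
    Write-Host "MDMWinsOverGP = $mdmWins (0 or unset): GPO wins, so a local GPO change will stick."
}

# 6. Verdict for the 0x8031000a (FVE_E_AD_SCHEMA_NOT_INSTALLED) symptom.
if (-not $partOfDomain -and $requireAdBackup.Count -gt 0) {
    Write-Warning ("Require-AD-backup is enabled ({0}) on a device that is not AD domain-joined; " +
                   "BitLocker operations such as Personal Vault will fail with 0x8031000a.") -f ($requireAdBackup -join ', ')
}
```

The script only reads state; the actual fix stays where the post put it, in gpedit.msc under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives > “Choose how BitLocker-protected fixed drives can be recovered”, with the “Do not enable BitLocker until recovery information is stored to AD DS” box left unchecked. Writing the FVE registry values directly would also clear the error, but the next policy refresh can put them back, which is exactly why step 5 matters: if MDMWinsOverGP is 1, a local GPO change is not a fix at all.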
So, what did we just see?
- MDM diagnostics report goes really deep into what is going on on the machine – it is usually my first place to look.
- We’ve seen some ways to learn more about error messages, Windows CSPs and GPOs
- Things may start in one place, and end in a very different one (I did not know that OneDrive relies on BitLocker) – chain googling is an important troubleshooting skill these days!
- MDMwinsOverGP is probably the most important setting once you begin using Modern Device Management (get it? MDM!)
- You are now fully equipped to use my patented 3-step troubleshooting process “Understand the problem – Find a working solution – Fix it!”, or another way to look at it:
Hope you enjoyed the read! What are your thoughts?