Intune - Win10 Device Compliance for Bitlocker and SecureBoot

    Question

  • I have the following device compliance policy set up for Win10.

    My PC (Win10 1709) is fully Bitlocker encrypted and it has SecureBoot turned on in the BIOS.
    However, when I check the compliance status in the portal, it tells me that both items for that PC are in an Error state.

    Interestingly enough, when I check the compliance for the 'Encryption of data storage on device', that reports back successfully.

    My understanding is that the 2 settings I am trying to monitor are part of the Windows 10 Device Health Attestation (DHA). DHA with Intune should just work out of the box with no additional setup required, right?

    Not sure what I am missing here, but any insight would be greatly appreciated.


    • Edited by Jan G' Thursday, November 2, 2017 2:16 PM additional clarification
    Thursday, November 2, 2017 1:31 PM

Answers

  • OK, so I have taken this up with Microsoft and received the following response:

    ##################################################

    Known Issue: Microsoft Intune and Windows RS3 Device Health Compliance Policy Settings
    We have detected an issue with Intune’s Device Health Attestation compliance policy settings and the recently released Windows 10 Fall Creators Update (RS3). We have received a few reports of customers hitting this issue and are sharing a workaround below with you. We will continue to investigate and keep you updated once a fix is released. 

    <How does this affect me?>
    Affected users are targeted with any combination of three Windows 10 device health compliance settings, such as:
    BitLocker is enabled
    Code Integrity is enabled
    Secure Boot is enabled
    These users will always appear non-compliant due to this issue on Windows RS3 devices. In addition, if the user(s) also has Conditional Access targeted to them, they will not be granted access to corporate resources as they are not compliant. Our data indicates your company is using some or all of these settings, which is why we’re sharing this known issue with your administrative team.

    <What do I need to do to prepare for this change?>
    You can restore access to corporate resources by following the steps below. 
    For Intune on Azure - 
    1) Log in with your Intune admin credentials at https://portal.azure.com.
    2) Go to the Intune blade.
    3) Select Device Compliance, Properties, then Settings. 
    4) Disable all three of the device health attestation settings mentioned above. 
    Note that by removing these settings, you will disable all health attestation settings checks on Windows, but will maintain other conditional access and compliance policies. 

    For the legacy Silverlight console - 
    1) Log in with your Intune admin credentials at https://manage.microsoft.com.
    2) In Policy, select Compliance Policies, then Device Health.
    3) Turn off the Windows Device Health Attestation. 
    Again, same note as above, by removing these settings, you will disable all health attestation settings checks on Windows, but will maintain other conditional access policies and compliance policies.

    For more information on health attestation settings, please view the documentation linked in Additional Information. 
    Additional Information: https://docs.microsoft.com/intune/compliance-policy-create-windows

    ##################################################

    They said this will be fixed in RS4 and if possible they will try to release a fix for RS3 as well.

    • Marked as answer by Jan G' Thursday, November 9, 2017 9:51 AM
    Thursday, November 9, 2017 9:51 AM
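    Added here as an example, not code from this thread or from Microsoft: a PowerShell triage script that checks on the device itself the three items the DHA compliance settings above evaluate (BitLocker, Secure Boot, Code Integrity) plus TPM readiness, so you can tell whether an "Error" state in the portal reflects the device or the attestation/reporting path before disabling the settings or opening a case. It assumes an elevated session on Windows 10 with the BitLocker, SecureBoot and TrustedPlatformModule modules present; mapping the Win32_DeviceGuard enforcement status to DHA's "Code Integrity" item is an approximation, not the CSP's own logic.

```powershell
# Added example (not from the thread or from Microsoft): local triage of the three
# Device Health Attestation (DHA) items an Intune compliance policy can require.
# Run in an elevated PowerShell session on the Windows 10 device itself.
#Requires -RunAsAdministrator

function Get-DhaLocalState {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # 1. BitLocker: DHA attests the OS volume, so check that one, not every volume.
    $bl = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $bitLockerOn = ($bl.ProtectionStatus -eq 'On') -and
                   ($bl.VolumeStatus -eq 'FullyEncrypted')

    # 2. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS / CSM systems,
    #    which is itself a finding (Secure Boot cannot be on without UEFI).
    $secureBootNote = ''
    try   { $secureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBootOn = $false; $secureBootNote = $_.Exception.Message }

    # 3. Code Integrity (approximation, assumed mapping): Win32_DeviceGuard exposes
    #    CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $ciEnforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    # A TPM that is not ready cannot produce the attestation DHA needs, so an
    # unready TPM explains an "Error" state regardless of the three items above.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OSBuild               = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        BitLockerEnabled      = $bitLockerOn
        BitLockerEncryptPct   = $bl.EncryptionPercentage
        SecureBootEnabled     = $secureBootOn
        SecureBootNote        = $secureBootNote
        CodeIntegrityEnforced = $ciEnforced
        TpmReady              = [bool]($tpm -and $tpm.TpmReady)
    }
}

# Compare with the two settings the original poster's policy requires.
$state = Get-DhaLocalState
$state | Format-List
$gaps = @()
if (-not $state.TpmReady)          { $gaps += 'TPM not ready: DHA cannot attest at all' }
if (-not $state.BitLockerEnabled)  { $gaps += 'OS volume not fully protected by BitLocker' }
if (-not $state.SecureBootEnabled) { $gaps += 'Secure Boot off or firmware in legacy mode' }
if ($gaps) { Write-Warning ($gaps -join '; ') }
else { Write-Host 'Device meets BitLocker + Secure Boot locally; a portal Error state points at attestation/reporting rather than the device.' }
```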

All replies

  • I too am having the same problem. In my case it's even more basic, all I'm requiring is the first option (Require bitlocker). For most of my devices it works just fine. For one device though it says there is an error, even though I can see with my own eyes that the device is indeed encrypted with Bitlocker. Hopefully can get some help here.
    Thursday, November 2, 2017 9:47 PM
  • I am experiencing the same issue for some of our Windows 10 Professional devices. Bitlocker is definitely enabled, but Intune shows them as not compliant. My first thought was that this had to do with the Creators Update (build 10.0.16299.19), but I see this also on build 10.0.15063.674. I have verified on both systems that Bitlocker is on and not suspended. All the other policies are showing as compliant.

    Intune compliance

    In AzureAD, these devices also show the bitlocker recovery key, so it looks like Intune agent has a problem reading the Bitlocker configuration.


    -\O_o/-

    Friday, November 3, 2017 11:39 AM
  • We've experienced the same error on Windows 10 Pro Build 15063. Bitlocker is definitely enabled and the disk is encrypted according to the output from "manage-bde -status". Intune shows an error in the policy "Encryption of data storage on device" and as a result the policy "require bitlocker" is showing "not compliant". In AzureAD and the Intune Portal the bitlocker recovery key is shown correctly.
    Friday, November 3, 2017 11:56 AM
  • Yes, I am also having this issue and I've tried multiple different computers enrolled into Intune with secure boot and bitlocker enabled. In fact, going to the Intune self-service portal (portal.manage.microsoft.com) shows that all of my devices' compliance state is "unknown." It seems to me that device health information is either not being sent to the cloud/Azure DHA service or Intune is having trouble reading that information.

    Monday, November 6, 2017 3:50 AM
  • A month ago I had a compliance policy for Surface Hubs that included Encryption and Bitlocker. Back then both settings were "compliant" for all my Hubs.

    This month they are now not able to report back being compliant in either setting. It is either error or not compliant now.

    Monday, November 6, 2017 10:04 AM
  • Same exact problem. Sooooo many problems with InTune. Not really sure how MS can even say this is a working product. All the problems are SUPER BASIC functionality. I'm completely perplexed why MS would put out the product like this.
    Wednesday, November 8, 2017 3:52 AM
  • Thanks for this update, but I'm not sure if everyone is happy with this. There are some guys here (including me) who haven't installed the Fall Creators Update and are running on Build 15063 (1703) and also have this issue.
    Thursday, November 9, 2017 10:06 AM
  • My issue was 1709 specific, that's why for me the reply from MS actually answers my question.

    If you are having the same issue with 1703 or earlier I would advise you to log a ticket with MS (premier support) to see if your problem is related.

    Thursday, November 9, 2017 10:17 AM
  • Same issue here, will be escalating this to our premier account manager to get a date.
    Thursday, November 9, 2017 2:12 PM
  • I can confirm this issue is on 1703 (I'm getting the same issue).

    I've disabled all the health attestation service evaluation rules for now.


    http://www.dreamension.net

    Friday, November 10, 2017 2:57 AM
  • Ticket was already opened more than 2 weeks ago....

    This issue seems to be not related so far.

    Friday, November 10, 2017 9:44 AM
  • I got a ping from MS support yesterday, saying that the bug has been fixed.

    They told me to install the latest Windows Updates and then try again.

    Wednesday, November 29, 2017 9:00 AM
  • Funny. We received this reply on our case yesterday:

    The Windows team has finished their analysis of this issue and prepared a fix. It will come out in a Windows update to be released in 2 to 3 weeks (mid December). Until then, the recommendation is to not include the Health Attestation properties in the Compliance policies. 

    Great support experience... As always... NOT!

    Wednesday, November 29, 2017 10:18 AM
  • We've also received an update for our case, the same as you guys. (Update mid December).

    Another question: for about two weeks now every device is compliant, even the ones that are not yet synced and all the devices with this bitlocker / TPM issue we're talking about. Anybody else in this situation?

    Wednesday, November 29, 2017 10:21 AM
  • As others have already mentioned, looks like the fix will be released in mid-December. Latest MS response I got:

    Deployment has been delayed for mid-december. The fix will be applied to both RS3 (1709) and upcoming Windows versions.

    • Proposed as answer by Rob Mack Monday, July 23, 2018 6:33 PM
    • Unproposed as answer by Rob Mack Monday, July 23, 2018 6:33 PM
    Wednesday, November 29, 2017 11:54 AM
  • Yeah, I've heard the same from MS support. Their reaction:

    We have confirmed that it was an issue with the Device Health Attestation CSP, and the RS3 12-B update on 12th December will be released to fix this issue.


    -\O_o/-

    Thursday, November 30, 2017 7:38 AM
  • Been fighting this issue for weeks.  Took multiple MS reps to field this problem (two sets of complete screenshots, repro in their environment, etc) before they finally came back with it as a known issue - just today!  I can't believe we actually paid for Intune licenses.  It has really let us down with all the basic functionality problems.  We're really disappointed with the service.  It was not tested well and we are constantly running into quirks and intermittent issues with it.  This type of issue should go against uptime SLA.

    • Edited by JohnKarlo Thursday, November 30, 2017 9:30 PM
    Thursday, November 30, 2017 9:23 PM
  • Ok so apparently this update fixes the issue.

    https://support.microsoft.com/en-us/help/4054517/windows-10-update-kb4054517

    It should be available to deploy now.


    http://www.dreamension.net

    Monday, December 18, 2017 10:44 PM
  • Do we know if kb4054517 fixed the issue? I read the article but it does not mention this fix. I am still experiencing this issue with Intune.
    Thursday, February 15, 2018 9:49 AM
  • I don't know if kb4054517 specifically fixed the issue. What I do know is that I am no longer experiencing the issue using the latest ISOs from MS, e.g. 1709 (updated December 2017).

    Also, I have to assume that their public changelog does not list all the fixes that went into a CU.


    Thursday, February 15, 2018 11:18 AM
  • Same thing. Install Windows Updates for the latest build. Solved the problem in my case.
    Thursday, February 15, 2018 3:41 PM
  • We've still got the problem with Secure Boot; MS support ignored this problem for a few weeks, and only took it up after a lot of research work from our side. Only the bitlocker issue was fixed, but not with the update from 12th Dec 2017.
    Thursday, February 15, 2018 4:06 PM
  • I also have the issue with the Secure Boot compliance on a large number of my 1709 devices, although a couple of them do seem to report they are compliant. These are only the newest devices (newer laptop models purchased in the last couple of months and with clean 1709 installs); all the devices failing so far are different models, older than half a year. A possible chipset-specific issue?
    Thursday, February 15, 2018 10:50 PM
  • Same issue here for Secure Boot on a 1709 laptop with latest CU. I had to perform a full reset to get rid of this problem...

    Twitter: @MatAitAzzouzene | Linkedin: Mathieu Ait Azzouzene

    Tuesday, February 20, 2018 9:15 AM
  • Same issue for me.

    Device: Surface Book 2
    OS: Windows 10 Pro 1709
    Build: 16299.251

    Require Bitlocker shows "Not Compliant". All other policies are fine ("Encryption of data storage on device" etc.)
    PowerShell says all devices are encrypted (100%). Disabled Bitlocker and re-enabled -> no success.

    Most of the devices are fine (different builds). For the moment, only two devices are facing this error.

    No solution for the moment.
    Tuesday, March 6, 2018 7:02 PM
  • SecureBoot issue still here, too.

    BitLocker and CodeIntegrity attestation working reliably. SecureBoot fails sporadically on the same hardware where it is compliant after a reimage.

    Friday, March 16, 2018 8:28 AM
  • As already mentioned, we've still got the Bitlocker issue and also the Secure Boot issue. According to Microsoft the Secure Boot issue only appears on Lenovo devices. So those of you who are also facing Secure Boot problems: do you also have Lenovo devices, or on which devices are you seeing the problems?
    Tuesday, March 20, 2018 5:04 PM
  • Exactly, I was facing the Secure boot issue on a Lenovo X1 Carbon laptop. I had to perform a full reset to get rid of it.

    Twitter: @MatAitAzzouzene | Linkedin: Mathieu Ait Azzouzene

    Wednesday, March 21, 2018 3:51 PM
  • Does someone already have a solution for this issue?

    We are running 1803 now on two devices, but both of them now have this compliance issue while both of them are encrypted.

    Both of them are Lenovo T470s.

    Thursday, May 3, 2018 2:14 PM
  • How strange... I have exactly the same issue, with only 2 devices both of which are Lenovo E470's...

    Wednesday, May 9, 2018 12:56 PM
  • 2 Lenovos are showing this in 1803 too, but also some Dell XPS15s.
    Thursday, May 24, 2018 6:35 PM
  • I see the same issues on a couple of Dell Latitude machines that are running version 1803.  (OS build 10.0.17134.48). 

    Bitlocker is enabled, but not according to Intune.


    -\O_o/-

    Friday, May 25, 2018 1:18 PM
  • Managing many Surface Pro 3 devices with Windows 10 Pro 1709. Some devices show compliant, some show not compliant. All have Bitlocker enabled. After about 5 weeks of back and forth with Intune support I'm told that the Bitlocker settings are not supported by Intune in Windows 10 Pro by design. This is the link the engineer shared, see the blue "Note These settings are not supported on the Home and Professional editions of Windows 10" at the beginning of the article.

    https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10

    Engineer also said they may not all fail and that the configurations were not fully tested for Pro or Home and can bring unknown/unexpected behavior, which is why some computers are showing compliant.  

    Frustrating.


    Wednesday, June 6, 2018 7:47 PM
  • We have it on Windows Enterprise, so it's not unique or an issue with Pro.  PCs with the issue are from Lenovo, Dell and Microsoft (Surface Pro).
    • Proposed as answer by Bilal Babar Friday, June 8, 2018 8:27 AM
    • Unproposed as answer by Bilal Babar Friday, June 8, 2018 8:27 AM
    Wednesday, June 6, 2018 8:37 PM
  • Did you ever resolve this? My company also has Lenovo products and I have the same issue. Any help would be appreciated. Thanks 
    Thursday, August 23, 2018 9:31 PM
  • Hi, the problem is still present, unfortunately. All we can do is hope Windows 10 1809 will solve this issue.

    Twitter: @MatAitAzzouzene | Linkedin: Mathieu Ait Azzouzene

    Friday, August 24, 2018 9:36 AM
  • I am currently having this issue as well, as we enable bitlocker during OSD with SCCM. I have seen this issue with both Windows 10 1709 and 1803. Secure Boot seems to work correctly, but Intune's check of whether Bitlocker is enabled fails.

    We are running mostly Lenovo T470s and T480s.


    • Edited by Tyler_F3745 Friday, August 24, 2018 6:20 PM Clarification
    Friday, August 24, 2018 6:18 PM
  • 1809 did not resolve it for me; in fact we have only just discovered the same issues and I was already on 1809. Several other machines in our organization are fine though. There is even another machine with identical hardware (Dell OptiPlexes) also running 1809 that is not having the issues.
    Tuesday, November 20, 2018 9:59 PM