Intune - Win10 Device Compliance for Bitlocker and SecureBoot

    Question

  • I have the following device compliance policy setup for Win10.

    My PC (Win10 1709) is fully Bitlocker encrypted and it has SecureBoot turned on in the BIOS.
    However, when I check the compliance status in the portal, it tells me that both items for that PC are in an Error state.

    Interestingly enough, when I check the compliance for the 'Encryption of data storage on device', that reports back successfully.

    My understanding is that the 2 settings I am trying to monitor are part of the Windows 10 Device Health Attestation (DHA). DHA with Intune should just work out of the box with no additional setup required, right?

    Not sure what I am missing here, but any insight would be greatly appreciated.


    • Edited by Ян Dobrigod Thursday, November 02, 2017 2:16 PM additional clarification
    Thursday, November 02, 2017 1:31 PM

Answers

  • OK, so I have taken this up with Microsoft and received the following response:

    ##################################################

    Known Issue: Microsoft Intune and Windows RS3 Device Health Compliance Policy Settings
    We have detected an issue with Intune’s Device Health Attestation compliance policy settings and the recently released Windows 10 Fall Creators Update (RS3). We have received a few reports of customers hitting this issue and are sharing a workaround below with you. We will continue to investigate and keep you updated once a fix is released. 

    <How does this affect me?>
    Affected users are targeted with any combination of three Windows 10 device health compliance settings, such as:
    BitLocker is enabled
    Code Integrity is enabled
    Secure Boot is enabled
    These users will always appear non-compliant due to this issue on Windows RS3 devices. In addition, if the user(s) also has Conditional Access targeted to them, they will not be granted access to corporate resources as they are not compliant. Our data indicates your company is using some or all of these settings, which is why we’re sharing this known issue with your administrative team.

    <What do I need to do to prepare for this change?>
    You can restore access to corporate resources by following the steps below. 
    For Intune on Azure - 
    1) Login with your Intune admin credentials at https://portal.azure.com.
    2) Go to the Intune blade.
    3) Select Device Compliance, Properties, then Settings. 
    4) Disable all of the three device health attestation settings mentioned above. 
    Note that by removing these settings, you will disable all health attestation settings checks on Windows, but will maintain other conditional access and compliance policies. 

    For the legacy Silverlight console - 
    1) Login with your Intune admin credentials at https://manage.microsoft.com.
    2) In Policy, select Compliance Policies, then Device Health.
    3) Turn off the Windows Device Health Attestation. 
    Again, same note as above, by removing these settings, you will disable all health attestation settings checks on Windows, but will maintain other conditional access policies and compliance policies.

    For more information on health attestation settings, please view the documentation linked in Additional Information. 
    Additional Information: https://docs.microsoft.com/intune/compliance-policy-create-windows

    ##################################################

    They said this will be fixed in RS4 and if possible they will try to release a fix for RS3 as well.

    • Marked as answer by Ян Dobrigod Thursday, November 09, 2017 9:51 AM
    Thursday, November 09, 2017 9:51 AM
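Before disabling the three DHA-backed settings as the workaround above suggests, it helps to confirm what the device itself reports for each of them, so that a portal "Error" can be separated from a genuine non-compliant state. The script below is an added example written for this thread, not code from the thread or from Microsoft; it assumes an elevated PowerShell prompt on Windows 10 with the BitLocker and SecureBoot modules present, and uses the Device Guard WMI class as the closest local stand-in for the DHA "Code Integrity is enabled" signal.

```powershell
# Added example (not from the thread): local view of the three settings the
# Intune device health compliance policy evaluates through DHA.
function Get-DhaLocalState {
    [CmdletBinding()]
    param()

    # BitLocker: the compliance setting looks at the OS volume; fully
    # encrypted with protection On is the state Intune expects to see.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bitLockerOk = ($os.VolumeStatus -eq 'FullyEncrypted') -and
                   ($os.ProtectionStatus -eq 'On')

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS boot,
    # which DHA would equally report as not enabled.
    try   { $secureBootOk = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBootOk = $false }

    # Code Integrity (assumption: approximated via Win32_DeviceGuard;
    # enforcement status 2 = enforced, SecurityServicesRunning 2 = HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $codeIntegrityOk = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2) -or
                       ($dg.SecurityServicesRunning -contains 2)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSBuild           = [System.Environment]::OSVersion.Version.Build
        BitLockerEnabled  = $bitLockerOk
        SecureBootEnabled = $secureBootOk
        CodeIntegrityOn   = $codeIntegrityOk
    }
}

$state = Get-DhaLocalState
$state | Format-List

# If the local values are all $true but the portal still shows Error, the
# device state is not the cause; the MDM diagnostic log is what a support
# case will ask for next.
if ($state.BitLockerEnabled -and $state.SecureBootEnabled) {
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -LogName $log -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'HealthAttestation' } |
        Select-Object TimeCreated, Id, Message
}
```

A device that reports all three as true locally yet sits in Error in the portal matches the reporting bug described in the answer; a device that reports false for one of them is genuinely non-compliant and disabling the policy would only hide that.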

All replies

  • I too am having the same problem. In my case it's even more basic: all I'm requiring is the first option (Require BitLocker). For most of my devices it works just fine. For one device, though, it says there is an error, even though I can see with my own eyes that the device is indeed encrypted with BitLocker. Hopefully I can get some help here.
    Thursday, November 02, 2017 9:47 PM
  • I am experiencing the same issue for some of our Windows 10 Professional devices. BitLocker is definitely enabled, but Intune shows them as not compliant. My first thought was that this had to do with the Creators Update (build 10.0.16299.19), but I see this also on build 10.0.15063.674. I have verified on both systems that BitLocker is on and not suspended. All the other policies are showing as compliant.

    Intune compliance

    In AzureAD, these devices also show the BitLocker recovery key, so it looks like the Intune agent has a problem reading the BitLocker configuration.


    -\O_o/-

    Friday, November 03, 2017 11:39 AM
  • We've experienced the same error on Windows 10 Pro Build 15063. BitLocker is definitely enabled and the disk is encrypted according to the output from "manage-bde -status". Intune shows an error in the policy "Encryption of data storage on device" and as a result the policy "Require BitLocker" is showing "not compliant". In AzureAD and the Intune Portal the BitLocker recovery key is shown correctly.
    Friday, November 03, 2017 11:56 AM
  • Yes, I am also having this issue, and I've tried multiple different computers enrolled into Intune with Secure Boot and BitLocker enabled. In fact, going to the Intune self-service portal (portal.manage.microsoft.com) shows that all of my devices' compliance state is "unknown." It seems to me that device health information is either not being sent to the cloud/Azure DHA service or Intune is having trouble reading that information.

    Monday, November 06, 2017 3:50 AM
  • A month ago I had a compliance policy for Surface Hubs that included Encryption and Bitlocker. Back then both settings were "compliant" for all my Hubs.

    This month they are now not able to report back being compliant in either setting. It is either error or not compliant now.

    Monday, November 06, 2017 10:04 AM
  • Same exact problem.  Sooooo many problems with Intune.  Not really sure how MS can even say this is a working product.  All the problems are SUPER BASIC functionality.  I'm completely perplexed why MS would put out the product like this.
    Wednesday, November 08, 2017 3:52 AM
  • Thanks for this update, but I'm not sure if everyone is happy with this. There are some guys here (including me) who haven't installed the Fall Creators Update and are running on Build 15063 (1703) and also have this issue.
    Thursday, November 09, 2017 10:06 AM
  • My issue was 1709 specific, that's why for me the reply from MS actually answers my question.

    If you are having the same issue with 1703 or earlier I would advise you to log a ticket with MS (premier support) to see if your problem is related.

    Thursday, November 09, 2017 10:17 AM
  • Same issue here, will be escalating this to our premier account manager to get a date.
    Thursday, November 09, 2017 2:12 PM
  • I can confirm this issue is on 1703 (I'm getting the same issue).

    I've disabled all the health attestation service evaluation rules for now.


    http://www.dreamension.net

    Friday, November 10, 2017 2:57 AM
  • Ticket was already opened more than 2 weeks ago....

    This issue seems to be not related so far.

    Friday, November 10, 2017 9:44 AM
  • I got a ping from MS support yesterday, saying that the bug has been fixed.

    They told me to install the latest Windows Updates and then try again.

    Wednesday, November 29, 2017 9:00 AM
  • Funny. We received this reply on our case yesterday:

    The Windows team has finished their analysis of this issue and prepared a fix. It will come out in a Windows update to be released in 2 to 3 weeks (mid December). Until then, the recommendation is to not include the Health Attestation properties in the Compliance policies. 

    Great support experience... As always... NOT!

    Wednesday, November 29, 2017 10:18 AM
  • We've also received an update for our case, the same as you guys. (Update mid-December.)

    Another question: for about two weeks, every device has been compliant, even ones that are not yet synced, and including all the devices with this BitLocker / TPM issue we're talking about. Anybody else in this situation?

    Wednesday, November 29, 2017 10:21 AM
  • As others have already mentioned, looks like the fix will be released in mid-December. Latest MS response I got:

    Deployment has been delayed until mid-December. The fix will be applied to both RS3 (1709) and upcoming Windows versions.

    Wednesday, November 29, 2017 11:54 AM
  • Yeah, I've heard the same from MS support. Their reaction:

    We have confirmed that it was an issue with the Device Health Attestation CSP, and the RS3 12-B update on 12th December will be released to fix this issue.


    -\O_o/-

    Thursday, November 30, 2017 7:38 AM
  • Been fighting this issue for weeks.  Took multiple MS reps to field this problem (two sets of complete screenshots, repro in their environment, etc) before they finally came back with it as a known issue - just today!  I can't believe we actually paid for Intune licenses.  It has really let us down with all the basic functionality problems.  We're really disappointed with the service.  It was not tested well and we are constantly running into quirks and intermittent issues with it.  This type of issue should go against uptime SLA.

    • Edited by JohnKarlo Thursday, November 30, 2017 9:30 PM
    Thursday, November 30, 2017 9:23 PM
  • Ok so apparently this update fixes the issue.

    https://support.microsoft.com/en-us/help/4054517/windows-10-update-kb4054517

    It should be available to deploy now.


    http://www.dreamension.net

    Monday, December 18, 2017 10:44 PM
  • Do we know if kb4054517 fixed the issue.  I read the article but does not mention this fix.  I am still experiencing this issue with Intune.
    Thursday, February 15, 2018 9:49 AM
  • I don't know if kb4054517 specifically fixed the issue. What I do know is that I am no longer experiencing the issue using the latest ISOs from MS, e.g. 1709 (updated December 2017).

    Also, I have to assume that their public changelog does not list all the fixes that went into a CU.


    Thursday, February 15, 2018 11:18 AM
  • Same thing. Install Windows Updates for the latest build. Solved the problem in my case.
    Thursday, February 15, 2018 3:41 PM
  • We've still got the problem with Secure Boot; MS support ignored this problem for a few weeks, and only acted after a lot of research work from our side. Only the BitLocker issue was fixed, and not by the update from 12th Dec 2017.
    Thursday, February 15, 2018 4:06 PM
  • I also have the issue with the Secure Boot compliance on a large number of my 1709 devices, although a couple of them do seem to report that they are compliant. These are only the newest devices (newer laptop models purchased in the last couple of months and with clean 1709 installs); all the devices failing so far are different models, older than half a year. A possible chipset-specific issue?
    Thursday, February 15, 2018 10:50 PM
  • Same issue here for Secure Boot on a 1709 laptop with latest CU. I had to perform a full reset to get rid of this problem...

    Twitter: @MatAitAzzouzene | Linkedin: Mathieu Ait Azzouzene

    Tuesday, February 20, 2018 9:15 AM