Intune - Win10 Device Compliance for Bitlocker and SecureBoot

    Question

  • I have the following device compliance policy setup for Win10.

    My PC (Win10 1709) is fully Bitlocker encrypted and it has SecureBoot turned on in the BIOS.
    However, when I check the compliance status in the portal, it tells me that both items for that PC are in an Error state.

    Interestingly enough, when I check the compliance for the 'Encryption of data storage on device', that reports back successfully.

    My understanding is that the 2 settings I am trying to monitor are part of the Windows 10 Device Health Attestation (DHA). DHA with Intune should just work out of the box with no additional setup required, right?

    Not sure what I am missing here, but any insight would be greatly appreciated.


    • Edited by Ян Dobrigod Thursday, November 02, 2017 2:16 PM additional clarification
    Thursday, November 02, 2017 1:31 PM

Answers

  • OK, so I have taken this up with Microsoft and received the following response:

    ##################################################

    Known Issue: Microsoft Intune and Windows RS3 Device Health Compliance Policy Settings
    We have detected an issue with Intune’s Device Health Attestation compliance policy settings and the recently released Windows 10 Fall Creators Update (RS3). We have received a few reports of customers hitting this issue and are sharing a workaround below with you. We will continue to investigate and keep you updated once a fix is released. 

    <How does this affect me?>
    Affected users are targeted with any combination of three Windows 10 device health compliance settings, such as:
    BitLocker is enabled
    Code Integrity is enabled
    Secure Boot is enabled
    These users will always appear non-compliant due to this issue on Windows RS3 devices. In addition, if the user(s) also has Conditional Access targeted to them, they will not be granted access to corporate resources as they are not compliant. Our data indicates your company is using some or all of these settings, which is why we’re sharing this known issue with your administrative team.

    <What do I need to do to prepare for this change?>
    You can restore access to corporate resources by following the steps below. 
    For Intune on Azure - 
    1) Log in with your Intune admin credentials at https://portal.azure.com.
    2) Go to the Intune blade.
    3) Select Device Compliance, Properties, then Settings. 
    4) Disable all three of the device health attestation settings mentioned above. 
    Note that by removing these settings, you will disable all health attestation settings checks on Windows, but will maintain other conditional access and compliance policies. 

    For the legacy Silverlight console - 
    1) Log in with your Intune admin credentials at https://manage.microsoft.com.
    2) In Policy, select Compliance Policies, then Device Health.
    3) Turn off the Windows Device Health Attestation. 
    Again, same note as above, by removing these settings, you will disable all health attestation settings checks on Windows, but will maintain other conditional access policies and compliance policies.

    For more information on health attestations settings, please view the documentation linked in Additional Information. 
    Additional Information: https://docs.microsoft.com/intune/compliance-policy-create-windows

    ##################################################

    They said this will be fixed in RS4 and if possible they will try to release a fix for RS3 as well.

    • Marked as answer by Ян Dobrigod Thursday, November 09, 2017 9:51 AM
    Thursday, November 09, 2017 9:51 AM
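    Before attributing an "Error" state to the Intune-side issue above, it helps to confirm what the device itself reports for the three DHA-backed settings. The following is an added PowerShell example, not code from the thread or from Microsoft's response; it assumes an elevated session on the Windows 10 device with the BitLocker and TrustedPlatformModule modules present, and its code-integrity check is an approximation based on boot flags, not the DHA service's own logic.

```powershell
# Added example, not from the thread or from Microsoft: report the local state behind
# the Intune DHA compliance settings (BitLocker, Secure Boot, Code Integrity), so a
# device shown as "Error" in the portal can be compared with its real configuration.
# Assumptions: run elevated on the Windows 10 device; the BitLocker and
# TrustedPlatformModule PowerShell modules are present (standard on Pro/Enterprise).

function Get-DhaLocalState {
    # TPM: DHA is a TPM-backed report, so a missing or not-ready TPM means the
    # device cannot produce the attestation Intune evaluates at all.
    $tpm = Get-Tpm
    $tpmOk = $tpm.TpmPresent -and $tpm.TpmReady

    # BitLocker on the OS volume: "FullyEncrypted" alone is not enough, protection
    # must be On (a suspended volume still shows FullyEncrypted with ProtectionStatus Off).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bitLockerOk = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                   ($vol.ProtectionStatus -eq 'On')

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS boot; treat that as
    # "not enabled" rather than as a script failure.
    try   { $secureBootOk = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBootOk = $false }

    # Code Integrity: approximation (assumption, not the DHA algorithm) using the boot
    # settings that weaken kernel code integrity. bcdedit omits these lines entirely
    # when they are not set, so any match means the weakening flag is enabled.
    $bcd = bcdedit /enum '{current}' 2>$null
    $ciWeakened = [bool]($bcd -match '^\s*(testsigning|nointegritychecks)\s+Yes')

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OSBuild               = [System.Environment]::OSVersion.Version.ToString()
        TpmReady              = $tpmOk
        BitLockerEnabled      = $bitLockerOk
        BitLockerVolume       = $vol.VolumeStatus
        BitLockerProtection   = $vol.ProtectionStatus
        SecureBootEnabled     = $secureBootOk
        CodeIntegrityWeakened = $ciWeakened
    }
}

Get-DhaLocalState | Format-List
```

If every field here is healthy but the portal still shows Error or Not compliant, the device is not the problem, which is the situation the known-issue notice above describes.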

All replies

  • I too am having the same problem. In my case it's even more basic, all I'm requiring is the first option (Require bitlocker). For most of my devices it works just fine. For one device though it says there is an error, even though I can see with my own eyes that the device is indeed encrypted with Bitlocker. Hopefully can get some help here.
    Thursday, November 02, 2017 9:47 PM
  • I am experiencing the same issue for some of our Windows 10 Professional devices. Bitlocker is definitely enabled, but Intune shows them as not compliant. My first thought was that this had to do with the Creators Update (build 10.0.16299.19), but I see this also on build 10.0.15063.674. I have verified on both systems that Bitlocker is on and not suspended. All the other policies are showing as compliant.

    Intune compliance

    In AzureAD, these devices also show the bitlocker recovery key, so it looks like Intune agent has a problem reading the Bitlocker configuration.


    -\O_o/-

    Friday, November 03, 2017 11:39 AM
  • We've experienced the same error on Windows 10 Pro Build 15063. Bitlocker is definitely enabled and the disk encrypted according to output from "manage-bde -status". Intune shows an error in the policy "Encryption of data storage on device" and as a result the policy "require bitlocker" is showing "not compliant". In AzureAD and the Intune Portal the bitlocker recovery key is shown correctly.
    Friday, November 03, 2017 11:56 AM
  • Yes, I am also having this issue and I've tried multiple different computers enrolled into Intune with secure boot and bitlocker enabled. In fact, going to the Intune self-service portal (portal.manage.microsoft.com) shows that all of my devices' compliance state is "unknown." It seems to me that device health information is either not being sent to the cloud/azure DHA service or Intune is having trouble reading that information.

    Monday, November 06, 2017 3:50 AM
  • A month ago I had a compliance policy for Surface Hubs that included Encryption and Bitlocker. Back then both settings were "compliant" for all my Hubs.

    This month they are now not able to report back being compliant in either setting. It is either error or not compliant now.

    Monday, November 06, 2017 10:04 AM
  • Same exact problem.  Sooooo many problems with InTune.  Not really sure how MS can even say this is a working product.  All the problems are SUPER BASIC functionality.  I'm completely perplexed why MS would put out the product like this.
    Wednesday, November 08, 2017 3:52 AM
  • Thanks for this update, but I'm not sure if everyone is happy with this. There are some guys here (including me) who haven't installed the Fall Creators Update and are running on Build 15063 (1703) and also have this issue.
    Thursday, November 09, 2017 10:06 AM
  • My issue was 1709 specific, that's why for me the reply from MS actually answers my question.

    If you are having the same issue with 1703 or earlier I would advise you to log a ticket with MS (premier support) to see if your problem is related.

    Thursday, November 09, 2017 10:17 AM
  • Same issue here, will be escalating this to our premier account manager to get a date.
    Thursday, November 09, 2017 2:12 PM
  • I can confirm this issue is on 1703 (I'm getting the same issue).

    I've disabled all the health attestation service evaluation rules for now.


    http://www.dreamension.net

    Friday, November 10, 2017 2:57 AM
  • Ticket was already opened more than 2 weeks ago....

    This issue seems to be not related so far.

    Friday, November 10, 2017 9:44 AM