Hi Jeremy and Jan
Good questions - let me rephrase and provide answers based on my testing this morning (Surface Pro 4 / 1803).
What does the "require encryption" setting do?
This setting prompts the device user to enable encryption of the local drive, typically using BitLocker.
When would a query on the "Require Encryption" setting switch from False (not encrypted) to True (encrypted)?
Checking the state of "Require Encryption" would return False until the completion of encryption on the drive.
I think this behaviour may be agnostic of the type of drive encryption employed, be it BitLocker or another vendor type, but I have not tested this.
Does it matter if BitLocker encryption has not completed on the system drive in order for "Require BitLocker" to report as True (enabled)?
The DHA setting "Require BitLocker" will report False (not enabled) until 1) BitLocker encryption is started AND 2) the device is restarted.
There appears to be no requirement for encryption of the drive to be 100% complete at the point of measurement by the DHA client during boot in order for "Require BitLocker" to report as enabled.
Does that help?
Ta Rob