roblane_msft
This is great information, thank you! I know that I've seen many people wondering why Intune shows a computer as non-compliant for "Require BitLocker" but BitLocker is enabled and active on the computer. SCCM suspends BitLocker protection automatically when restarting a computer to apply updates, which, given this new information about the compliance setting, would seem to explain exactly why so many computers often show non-compliant.
I understand better now the difference between the Require Encryption and Require Bitlocker settings, but I'm still left with a couple of questions.
- Does it make sense to enable *both* of these settings? From your article, it seems that the require encryption setting is evaluated more frequently, and perhaps would at least indicate if the state reported by DHA is outdated.
- I'm seeing cases where Intune reports a computer as compliant with the Require BitLocker setting, but shows an Error status for the Require Encryption setting, with 'remediation failed'. If BitLocker was enabled at boot time (per DHA), and hasn't been suspended since, what would cause this Error status for the Require Encryption setting?
Thanks again!
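The suspended-protection state described in the comment above (volume fully encrypted, but key protectors turned off after an update restart) is easy to confirm locally. The following is an added example, not code from the comment author or the article; it assumes Windows 10/11 with the BitLocker PowerShell module (Get-BitLockerVolume, Resume-BitLocker) in an elevated session.

```powershell
# Added example: classify the OS volume's BitLocker state so that "encrypted but suspended"
# (the state that makes a device look non-compliant) is distinguished from "fully protected".
# Assumes the BitLocker module is available and the session is elevated.

function Get-OsVolumeBitLockerState {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop

    # VolumeStatus says whether the data is encrypted; ProtectionStatus says whether the
    # key protectors are active. A suspended volume is FullyEncrypted with ProtectionStatus Off,
    # which is why "encryption present" and "BitLocker enabled" can disagree.
    $state = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        'NotEncrypted'
    } elseif ($vol.VolumeStatus -ne 'FullyEncrypted') {
        'Transitional'          # encryption/decryption in progress or paused
    } elseif ($vol.ProtectionStatus -eq 'On') {
        'Protected'
    } else {
        'Suspended'
    }

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus
        ProtectionStatus     = $vol.ProtectionStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        TpmProtectorPresent  = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
        State                = $state
    }
}

# Set to $true to re-enable protectors when they were left suspended.
$ResumeIfSuspended = $false

$result = Get-OsVolumeBitLockerState
$result | Format-List

if ($result.State -eq 'Suspended') {
    Write-Warning "BitLocker protection on $($result.MountPoint) is suspended; compliance checks that require active protection will fail."
    if ($ResumeIfSuspended) {
        # Resuming takes effect immediately for the local check, but a boot-time
        # attestation (DHA) only reflects the change after the next restart.
        Resume-BitLocker -MountPoint $result.MountPoint | Out-Null
        Write-Output "Resumed BitLocker protection on $($result.MountPoint)."
    }
}
```

Run it on a device that Intune flags as non-compliant: a `State` of `Suspended` with a TPM protector present matches the post-update scenario described above, whereas `Protected` points to the reporting lag between the local check and the boot-time attestation.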