Forum Discussion
Bitlocker encryption issues over Intune
Hi,
I have an Hybrid AD deployment and use Intune to deploy security settings to our endpoints.
I set up a Device Configuration policy to deploy Bitlocker on all our Windows devices, and this was done quite some time ago. Now I created a powershell script to audit if the bitlocker keys are in AzureAD and Intune, and found out that around 500 out of 2000 devices do not have keys, so I guess that they are not encrypted. I looked at a couple of cases to analyze and I've got some conflicting information. If I look at the device on Intune, I can see that my Device Configuration policy was "Succeeded", like shown here:
But then if I go to "Endpoint Security" -> "Disk Encryption", I can see my policy named "Bitlocker_All_Devices" there, and entering the policy, looking at "Device Status", I have the list of "Succeeded" devices, and the device is not there.
So on the device, the policy seems to have been applied, but in fact no encryption happened. How can I debug what's going on here? Without having to look individually to 500 devices of course.
Thanks
- A successful compliance of the policy doesn’t necessarily mean that it applied successfully all the way. I would check the device encryption report to identify devices that have not encrypted and start from there. If the report says that devices are encrypted but missing recovery key, then it should easy enough push a script to force the backup of the recovery key to Entra ID.
- rahuljindal-MVPBronze ContributorA successful compliance of the policy doesn’t necessarily mean that it applied successfully all the way. I would check the device encryption report to identify devices that have not encrypted and start from there. If the report says that devices are encrypted but missing recovery key, then it should easy enough push a script to force the backup of the recovery key to Entra ID.
- dmarquesgnIron Contributor
rahuljindal-MVP Thanks, I didn't knew that report yet, and it's much more clear now.
Now I can see that I've got around 90 devices which are encrypted, but I have no keys stored and about 60 devices which are ready for encryption, but most of them have this error:
"The encryption method of the OS volume doesn't match the BitLocker policy. The TPM isn't ready for BitLocker."
Now I'll try to find out how to solve this issues.