Forum Discussion

marckuhn
Brass Contributor
Aug 12, 2021
Solved

Endpoint security - Device encryption policy shows error

Hi all

I have around 100 new HP EliteBooks which I want to configure with BitLocker. We would like to accomplish this in the Endpoint security section and created a Device encryption policy according to this article: Best Practices for Deploying BitLocker with Intune | Petri

I have the issue that in Intune it shows that the policy has an error. When I click on the error, everything shows successful (see printscreen intune1).

When I check the report, I have, as far as I can say, everything correct there for my test device (see printscreen Intune2).

When I check on the device, I see that only the used space is encrypted (see printscreen bitlocker).

Does anybody know how I could correct the error, and also whether having only the used space encrypted is the recommended configuration?

Many thanks for your feedback.

Best regards,

Marc

  • Hi Marc,

    Check if you can re-image the Windows 10 client to be sure.

    Below are the settings that differ from yours:

    BitLocker - Base Settings
    - Require storage cards to be encrypted (mobile only): Yes
    - Configure client-driven recovery password rotation: Azure AD-Joined devices only

    BitLocker - Fixed Drive Settings
    - Enable BitLocker after recovery information to store: Not configured

    BitLocker - OS Drive Settings
    - Compatible TPM startup: Allowed
    - Compatible TPM startup PIN: Blocked
    - Compatible TPM startup key: Blocked
    - Compatible TPM startup key and PIN: Blocked
    - Enable BitLocker after recovery information to store: Not configured
    - Block the use of certificate-based data recovery agent (DRA): Yes

    BitLocker - Removable Drive Settings
    - Block write access to removable data-drives not protected by BitLocker: Yes

    Hope this helps, and keep me posted.

    Regards, Bilal
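The Intune report only tells you what the policy was supposed to apply; the question of whether the OS drive ended up "used space only" encrypted, and which key protectors actually exist, is answered on the endpoint itself. The script below is an added example for doing that check, not code from the thread or from Intune. It assumes an elevated PowerShell session on a Windows 10 device with the built-in BitLocker module and manage-bde.exe available; the function names, the `-AllowUsedSpaceOnly` switch and the sample thresholds are this example's own. `Get-BitLockerVolume` does not expose the used-space-only flag, so the "Conversion Status" line of `manage-bde -status` is parsed for it, and the optional Azure AD escrow check looks for event 845 in the BitLocker management log.

```powershell
# Added example (not from the thread): verify on the endpoint what the Intune
# Device encryption policy actually produced for the OS drive.
# Run in an elevated PowerShell session; assumes the BitLocker module and
# manage-bde.exe are present (Windows 10 Pro/Enterprise).

function Get-OsDriveBitLockerSummary {
    [CmdletBinding()]
    param()

    $osDrive = $env:SystemDrive                                   # usually "C:"
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop

    # Key protector types actually present on the volume. A TPM-only startup
    # policy with a recovery password, as in the accepted answer, should show
    # both "Tpm" and "RecoveryPassword".
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # "Conversion Status" is only reported by manage-bde; it reads
    # "Used Space Only Encrypted" or "Fully Encrypted" once encryption is done.
    $statusText = (& manage-bde.exe -status $osDrive 2>&1) | Out-String
    $conversion = if ($statusText -match 'Conversion Status:\s*(.+)') { $Matches[1].Trim() } else { 'Unknown' }

    # Optional: has the recovery password been escrowed to Azure AD?
    # Event ID 845 in the BitLocker management log records a successful backup.
    $escrowEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus            # e.g. FullyEncrypted
        EncryptionPercentage = $vol.EncryptionPercentage
        EncryptionMethod     = $vol.EncryptionMethod        # e.g. XtsAes128 / XtsAes256
        ProtectionStatus     = $vol.ProtectionStatus        # On / Off
        KeyProtectors        = ($protectorTypes -join ', ')
        ConversionStatus     = $conversion
        HasTpmProtector      = ($protectorTypes -contains 'Tpm')
        HasRecoveryPassword  = ($protectorTypes -contains 'RecoveryPassword')
        RecoveryKeyEscrowed  = ($null -ne $escrowEvent)
    }
}

function Test-OsDriveBitLockerExpected {
    [CmdletBinding()]
    param(
        # $true if, as in the original question, used-space-only encryption is
        # what the policy intends; $false if full-disk encryption is required.
        [bool]$AllowUsedSpaceOnly = $true
    )

    $s = Get-OsDriveBitLockerSummary
    $problems = @()
    if ($s.ProtectionStatus -ne 'On')     { $problems += 'Protection is not On (protectors suspended or volume decrypted)' }
    if ($s.EncryptionPercentage -lt 100)  { $problems += "Encryption only $($s.EncryptionPercentage)% complete" }
    if (-not $s.HasTpmProtector)          { $problems += 'No TPM key protector' }
    if (-not $s.HasRecoveryPassword)      { $problems += 'No recovery password protector (nothing for Intune to escrow)' }
    if (-not $s.RecoveryKeyEscrowed)      { $problems += 'No Azure AD escrow event (845) found yet' }
    if (-not $AllowUsedSpaceOnly -and $s.ConversionStatus -like 'Used Space Only*') {
        $problems += 'Drive is used-space-only encrypted but full encryption was expected'
    }

    [pscustomobject]@{
        Summary   = $s
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Usage: report the drive state and any deviation from the expected policy.
Test-OsDriveBitLockerExpected -AllowUsedSpaceOnly $true | Format-List
```

Running this on the test device and comparing `KeyProtectors`, `EncryptionMethod` and `ConversionStatus` with the profile settings above is a quicker way to spot a mismatch than re-reading the Intune report, and the `Problems` list gives you something concrete to raise if the policy status stays in error.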

8 Replies

  •
    BilalelHadd
    Iron Contributor
    Hi Marc,

    What does your assignment look like? Did you apply this policy to user or device groups?
    •
      marckuhn
      Brass Contributor
      Hi Bilalel

      I assigned it to the device group of all Windows devices. I'm not 100% sure when to use a device and when a user policy.

      What would you recommend?

      Best regards
      Marc
      •
        BilalelHadd
        Iron Contributor
        Hi Marc,

        When did you create the endpoint security profile? Sometimes it can take some time before the status changes. I've seen in the past that the status returned is not always up to date. And indeed, you should apply this policy to device groups.

        To answer your question regarding device group assignment or user group assignment: it depends on the configuration, but choose device group assignment if you want to apply settings to a device regardless of who is signing in; it will always apply the configuration. Choose a user group assignment if you want to apply profile settings.

        Regards, Bilal