Forum Discussion
Endpoint security - Device encryption policy shows error
Hi Marc,
Check if you can re-image the Windows 10 client to be sure.
Below the settings that difference from yours:
- BitLocker - Base Settings
Require storage cards to be encrypted (mobile only): Yes
Configure client-driven recovery password rotation: Azure AD-Joined devices only
BitLocker - Fixed Drive Settings
Enable BitLocker after recovery information to store: Not configured
BitLocker - OS Drive Settings
Compatible TPM startup : Allowed
Compatible TPM startup PIN: Blocked
Compatible TPM startup key: Blocked
Compatible TPM startup key and PIN: Blocked
Enable BitLocker after recovery information to store: Not configured
Block the use of certificate-based data recovery agent (DRA): Yes
BitLocker - Removable Drive Settings
Block write access to removable data-drives not protected by BitLocker: Yes
Hope this helps, and keep me posted.
Regards, Bilal
When did you create the endpoint security profile? Sometimes it can take some time before the status changes. I've seen in the past that the status returned, is not always up to date. And indeed, you should apply this policy to device groups.
To give an answer to your question regarding device group assignment of user group assignment, it depends on the configuration, but choose for device group assignment if you want to apply settings on a device, regardless of who's signing in, it will always apply the configuration. Choose a user group assignment if you want to apply profile settings.
Regards, Bilal
i'm working already with the device a couple of days. In the eventlog i don't see any issues for Bitlocker.
Thanks for your feedback on this. I will keep an eye on it, probably it will solve it one time.
So then probably that isn't an issue, just shows the error there.
Is it normal for the Bitlocker to have the used space encrypted only?
Or shouldn't this be the whole drive?
Many thanks and best regards
Marc
- Hi Marc,
Are you sure that there are no duplicates within the Bitlocker settings? You don't have any device configuration set that also configures Bitlocker settings?
When I run the command manage-bde -status it shows me that the drive is Fully Encrypted instead of "Used space only". When I have a look at the blogpost you've shared and my own configuration, we have nearly the same settings, nothing special. So it's strange that it behaves differently at your side.
More then welcome and regards, BilalHi BilalelHadd
thanks for your update. I removed all Configuration Profiles and Compliance Profiles, even all Endpoint Security profiles i had in place and did a fresh start with my Test Device.
I recognized, that the error in the device encryption policy is already there even before the device has finished with the encryption of the drive.
You mentioned that you have almost the same settings for your devices. Can you let me know, which settings are different? I read also somewhere that when the setting "Hide prompt about third-party encryption" is set to yes, this means silent config, which uses "Used space only".
Many thanks for your feedback.
Best regards,
Marc
Hi Marc,
Check if you can re-image the Windows 10 client to be sure.
Below the settings that difference from yours:
- BitLocker - Base Settings
Require storage cards to be encrypted (mobile only): Yes
Configure client-driven recovery password rotation: Azure AD-Joined devices only
BitLocker - Fixed Drive Settings
Enable BitLocker after recovery information to store: Not configured
BitLocker - OS Drive Settings
Compatible TPM startup : Allowed
Compatible TPM startup PIN: Blocked
Compatible TPM startup key: Blocked
Compatible TPM startup key and PIN: Blocked
Enable BitLocker after recovery information to store: Not configured
Block the use of certificate-based data recovery agent (DRA): Yes
BitLocker - Removable Drive Settings
Block write access to removable data-drives not protected by BitLocker: Yes
Hope this helps, and keep me posted.
Regards, Bilal