Forum Discussion

Deleted
May 08, 2018

False compliance status

I see this problem quite often: Intune reports that a device is missing BitLocker or Secure Boot, even though it is turned on. What am I missing? :)


  • There is an Intune Support Team blog on exactly this issue.

    https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Using-Device-Health-Attestation-Settings-as-Part-of/ba-p/282643

    Some of the Intune compliance checks come from the HSTI check rather than a direct check of the OS. In the case of Require BitLocker, if HSTI marks the device with a "BitLocker not enabled" flag, then Require BitLocker will fail the compliance check even if BitLocker is enabled.

    HSTI support is an ongoing issue with the OEMs. New devices should fully support HSTI, but implementation is still patchy. Some of the OEMs are retrofitting the firmware of older machines to support HSTI, but some OEMs are ignoring the problems.

    I know of at least one mainstream vendor where HSTI support is sub-optimal even on brand new devices with the latest firmware.

    And Oliver was spot on about checking the TPM version. There are still machines coming from factory with TPM 1.2 firmware.
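To separate an OS-side problem from a firmware/HSTI reporting problem, it helps to collect what the device itself says about the three things Intune is checking. The following is an added PowerShell snippet, not from this thread or from Microsoft, that gathers the firmware version, TPM spec version, Secure Boot state and BitLocker state of the OS drive on the client; it assumes an elevated session on the Windows 10 device with the in-box BitLocker and SecureBoot modules and the Win32_Tpm / Win32_BIOS CIM classes available.

```powershell
# Added troubleshooting snippet (not from this thread or from Microsoft): collect the
# local facts the discussed compliance checks depend on, for comparison with Intune.
# Assumes an elevated PowerShell session on the Windows 10 client; uses the in-box
# BitLocker and SecureBoot modules plus the Win32_Tpm / Win32_BIOS CIM classes.
$r = [ordered]@{ Computer = $env:COMPUTERNAME }

# Firmware version (Oliver's point: older firmware may misreport TPM state).
$bios = Get-CimInstance -ClassName Win32_BIOS
$r.FirmwareVersion = $bios.SMBIOSBIOSVersion
$r.FirmwareDate    = $bios.ReleaseDate

# TPM spec version straight from the TPM (e.g. "2.0, 0, 1.16" or "1.2, 2, 3").
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    $r.TpmSpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
    $r.TpmEnabled     = $tpm.IsEnabled_InitialValue
    $r.TpmActivated   = $tpm.IsActivated_InitialValue
} else {
    $r.TpmSpecVersion = 'none'   # no TPM visible to the OS at all
}

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS / CSM boot.
try   { $r.SecureBoot = Confirm-SecureBootUEFI }
catch { $r.SecureBoot = "unavailable ($($_.Exception.Message))" }

# BitLocker on the OS drive: both the volume state and the protection state matter,
# because a fully encrypted volume with suspended protectors shows ProtectionStatus Off.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($vol) {
    $r.BitLockerVolumeStatus = [string]$vol.VolumeStatus      # FullyEncrypted / EncryptionInProgress / FullyDecrypted
    $r.BitLockerProtection   = [string]$vol.ProtectionStatus  # On / Off
    $r.BitLockerPercent      = $vol.EncryptionPercentage
}

# Local verdicts, in the same terms the Intune compliance policy uses.
$r.LocalBitLockerOk  = [bool]($vol -and [string]$vol.VolumeStatus -eq 'FullyEncrypted' -and [string]$vol.ProtectionStatus -eq 'On')
$r.LocalSecureBootOk = ($r.SecureBoot -eq $true)
$r.LocalTpm2Ok       = ($r.TpmSpecVersion -like '2.*')

[pscustomobject]$r | Format-List
```

If every local verdict is true and Intune still marks the device non-compliant, the disagreement is in the attestation data the device firmware reports rather than in the OS state, which is where a firmware update from the OEM comes in.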

  • Hi Henrik,

    Are you using newer hardware or older hardware? On older hardware, did you check firmware versions for an update? Maybe it's related to some misinterpretation of TPM state, and this might be fixable with newer firmware. Are the devices configured to TPM 2.0 or 1.2? Just a guess.

    Best,

    Oliver

  • Baljit Aujla
    Copper Contributor

    Hi,

    There is supposedly a bug with BitLocker reporting with 1709 when using "Require BitLocker". You should get a more reliable result with "Encryption of data storage on device". I believe this is resolved in 1803...

    Not too sure about Secure Boot...
