Forum Discussion

Deleted
May 08, 2018

False compliance status

I see this problem quite often - that Intune reports that a device is missing BitLocker or Secure Boot, even though it is turned on. What am I missing? :)  
  • Andrew Matthews
    Dec 06, 2018

    There is an Intune Support Team blog on exactly this issue.

    https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Using-Device-Health-Attestation-Settings-as-Part-of/ba-p/282643

    Some of the Intune compliance checks come from the HSTI check rather than a direct check of the OS. In the case of Require BitLocker, if HSTI marks the device with a "BitLocker not enabled" flag, then Require BitLocker will fail the compliance check even if BitLocker is enabled.

    HSTI support is an ongoing issue with the OEMs. New devices should fully support HSTI, but implementation is still patchy. Some of the OEMs are retrofitting the firmware of older machines to support HSTI, but some OEMs are ignoring the problems.

    I know of at least one mainstream vendor where HSTI support is sub-optimal even on brand new devices with the latest firmware.

    And Oliver was spot on about checking the TPM version. There are still machines coming from the factory with TPM 1.2 firmware.
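
When Intune flags a device as missing BitLocker or Secure Boot, the first triage step is to capture what the device itself reports for the same signals (TPM spec version, Secure Boot state, BitLocker protection on the OS volume) so the local view can be compared with the attestation-based verdict in the Intune console. The script below is an added example for that purpose; it is not from the thread, the linked blog post, or Microsoft. It assumes an elevated PowerShell session on the Windows 10 device in question and uses only built-in cmdlets and the documented Win32_Tpm WMI class. The function name Get-LocalComplianceSignals is this example's own.

```powershell
# Added example (not from the thread): collect the local OS view of the signals
# an Intune compliance policy evaluates, to compare against the Device Health
# Attestation / HSTI result that Intune actually acts on.
# Run in an elevated PowerShell session on the Windows 10 device.

function Get-LocalComplianceSignals {
    $report = [ordered]@{}

    # TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is
    # the TPM specification version (1.2 or 2.0). Get-Tpm reports readiness.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $report['TpmPresent']     = $true
        $report['TpmSpecVersion'] = ($tpm.SpecVersion -split ',')[0].Trim()
        $report['TpmReady']       = (Get-Tpm).TpmReady
    } else {
        $report['TpmPresent']     = $false
        $report['TpmSpecVersion'] = 'n/a'
        $report['TpmReady']       = $false
    }

    # Secure Boot: Confirm-SecureBootUEFI returns $true/$false on UEFI
    # systems and throws on legacy BIOS / CSM boot, so catch that case.
    try {
        $report['SecureBootEnabled'] = Confirm-SecureBootUEFI
    } catch {
        $report['SecureBootEnabled'] = 'NotUEFI'
    }

    # BitLocker on the OS volume: ProtectionStatus (On/Off) is the state that
    # matters for "encryption enabled"; VolumeStatus only says whether the
    # data is encrypted, which can be true while protectors are suspended.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive `
                                 -ErrorAction SilentlyContinue
    if ($osVol) {
        $report['BitLockerVolumeStatus']     = $osVol.VolumeStatus.ToString()
        $report['BitLockerProtectionStatus'] = $osVol.ProtectionStatus.ToString()
    } else {
        $report['BitLockerVolumeStatus']     = 'NoBitLockerVolume'
        $report['BitLockerProtectionStatus'] = 'Off'
    }

    [pscustomobject]$report
}

Get-LocalComplianceSignals | Format-List
```

If this output shows TpmSpecVersion 2.0, SecureBootEnabled True and BitLockerProtectionStatus On while Intune still reports non-compliance, the discrepancy is on the attestation side (firmware HSTI support or a stale Device Health Attestation report), which is the situation the reply above describes; a TpmSpecVersion of 1.2 or a ProtectionStatus of Off points to a real device-side gap instead.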
