Forum Discussion
Intune compliance issues Windows 11 22H2
We have unboxed several new "HP ProBook 450 G9" devices and connected them to MDM with Autopilot. We installed these devices and they should be marked compliant based on the settings we have applied to other devices as well. But these devices are all having the same issue with compliance, because "Require BitLocker" and "Require Secure Boot" fail for them.
We have installed all updates and upgraded these devices to W11 22H2. We have checked, and the disk is encrypted; we also followed the steps written on this page: Secure boot enabled Windows 10 device shows Not Compliant in Intune - Intune | Microsoft Learn.
`manage-bde -protectors -get C:` returns:
TPM:
    PCR Validation Profile:
        7, 11

`Get-Tpm` returns:
TpmPresent                : True
TpmReady                  : True
TpmEnabled                : True
TpmActivated              : True
TpmOwned                  : True
RestartPending            : False
ManufacturerVersion       : 7.2.3.0
ManufacturerVersionFull20 : 7.2.3.0

`Get-BitLockerVolume -MountPoint C` returns:
VolumeType      MountPoint CapacityGB VolumeStatus   EncryptionPercentage KeyProtector            AutoUnlockEnabled ProtectionStatus
OperatingSystem C:         237,29     FullyEncrypted 100                  {RecoveryPassword, Tpm}                   On

`Confirm-SecureBootUEFI` returns:
True
What can we do to fix this?
- buckbaggen (Brass Contributor)
Here the same issue, 15 new HP ProBook 440 G9, impossible to get compliant with Intune. Tried with Windows 10 22H2 and Windows 11 22H2 (x64, Pro).
It keeps saying not compliant because device encryption is needed and Secure Boot needs to be enabled. But both are activated and working fine.
I hope Microsoft or HP fixes this very fast...
- rahuljindal-MVP (Bronze Contributor)
What do the BitLocker management events say? Also, check the status under DMA in System Information.
- josvds (Brass Contributor)
Thanks for your response. Not sure what you mean by `bitlocker management events`, but looking at `BitLocker-API` events inside Event Viewer, I see this:
---
BitLocker Drive Encryption recovery information for volume C: was backed up successfully to your Azure AD.
---
BitLocker Drive Encryption recovery information for volume C: was backed up successfully to your Azure AD.
---
A trusted WIM file has been added for volume C:.
---
BitLocker resealed boot settings to the TPM for volume C:.
---
Regarding the MSInfo question, it shows Enabled.
- rahuljindal-MVP (Bronze Contributor)
Seems about right. Is the recovery key escrowing in Azure AD?
- Moe_Kinani (Bronze Contributor)
I think it will correct itself, it might need time. How long did you wait?
Moe
- josvds (Brass Contributor)
Thanks for your reply. We have currently been trying this for about a week, so time shouldn't be the issue anymore, I would say.
- josvds (Brass Contributor)
We have played around (such a time-consuming issue) with different updates. So one of the devices was reinstalled with a new Windows drive by USB. One was updated by adding the latest quality update inside MEM. One was updated to the preview build from MS.
Now we see that the one with the preview seems to become compliant. When looking at the difference in updates, we see KB5022360. We found https://blogs.windows.com/windows-insider/2023/01/17/releasing-windows-11-build-22621-1192-to-the-release-preview-channel/ with:
We fixed an issue that affected certain systems that had firmware Trusted Platform Modules (TPM). This issue stopped you from using Autopilot to set up those systems.
So perhaps this preview will fix the issue; trying this on one more device.
- buckbaggen (Brass Contributor)
Possible solutions received from HP:
https://scloud.work/en/hp-driver-intune/
Or use the HP Image Assistant manually:
https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html
Both not tested, but gonna try the second solution; I'm now enrolling a device to test with.
- josvds (Brass Contributor)
Thanks for sharing, the first link isn't working, the second one I'm trying as well.
- buckbaggen (Brass Contributor)
For the first link, google: scloud hp driver intune
then the first hit.
- buckbaggen (Brass Contributor)
Also tried in another tenant but same issue.
HP (in the Netherlands) said they have another organisation with the same issue with this type of notebook. Today or tomorrow they are going onsite and will try to fix it!
When I have feedback from HP I'll post it here.
- josvds (Brass Contributor)
Nice, we had it also on two tenants with the HP ProBook 450. We are in contact with Microsoft, but until now no solution that worked. Keep me posted please.
- buckbaggen (Brass Contributor)
Okay, I'll keep you posted.
When Microsoft finds something, keep me posted too please 🙂
- SK1 (Copper Contributor)
buckbaggen - I have the same issue here in the UK.
Brand new 1040 Gen 9 - HP Corp Ready Win 10 image - Autopilot pre-provisioned devices. HPIA runs during build so all the latest drivers and BIOS are installed.
After Autopilot, the device is marked non-compliant. Compliance fails on Windows Code Integrity and Secure Boot. Both features are enabled in the OS.
It seems after several reboots and then Windows Updates (which include some HP firmware updates) it resolves itself. But this can take a long time.
The strange thing... I can then rebuild/reset/wipe and load the same device and that problem never occurs again. It only occurs the very first time the device is provisioned. We are escalating to HP too but at this point it is not being acknowledged as a known issue.
- buckbaggen (Brass Contributor)
No luck here 😞 Installed all Windows updates including the optional updates. Installed all drivers/BIOS/firmware from the HPIA, several reboots, hours online, but still not compliant.
- Hi.... Could you check if the Tpm-HASCertRetr task in the Microsoft\Windows\TPM task folder has been run successfully lately?
I had the same issue and I stumbled upon this task somehow missing in action... after manually restoring that service it worked.
- buckbaggen (Brass Contributor)
Hi, the task fails! How did you fix the task?
Currently reinstalling the device with English Windows, so I can post screenshots/error codes.
The strange thing was, I already added the English US language pack, deleted the other languages, set everything to English US... Everything except the error message in Task Scheduler is English... That's why I'm reinstalling it with an English ISO.
- Ahhhh, that's somehow nice to hear... I am looking with the IDA tool right now at what exactly happens when launching that task... as mentioned here, that task is indeed responsible for sending out the DHA data to the DHA service (which is forwarded to Intune later on...)
https://call4cloud.nl/2021/10/device-health-attestation-age-of-compliance/#part5
Inside that DHA data, your BitLocker/Secure Boot/code integrity status exists.
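The checks discussed in this thread (the original poster's BitLocker/TPM/Secure Boot queries, rahuljindal-MVP's question about the BitLocker management event log, and the Tpm-HASCertRetr scheduled task mentioned above) can be gathered in one pass. The script below is an added example written for this page; it is not code from any of the posters, from Microsoft, or from HP. It assumes an elevated PowerShell session on the affected device, that the task lives at the path quoted above (\Microsoft\Windows\TPM\Tpm-HASCertRetr), and that the Win32_DeviceGuard CIM class is available (Windows 10/11 with the built-in BitLocker, TrustedPlatformModule and ScheduledTasks modules). It changes no policy; the only action it takes is to start the scheduled task on request.

```powershell
# Added example (not from the thread): local view of the facts Device Health Attestation
# reports to Intune, plus the state of the task that fetches the TPM health-attestation
# certificate. Assumptions: run elevated; task path/name as quoted in the thread.
#Requires -RunAsAdministrator

$taskPath = '\Microsoft\Windows\TPM\'
$taskName = 'Tpm-HASCertRetr'

function Get-HasCertTaskStatus {
    # State and last result of the Tpm-HASCertRetr task.
    # LastTaskResult 0x0 = success; 0x41303 = task has not yet run.
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        State          = $task.State
        LastRunTime    = $info.LastRunTime
        LastTaskResult = ('0x{0:X}' -f $info.LastTaskResult)
        NextRunTime    = $info.NextRunTime
    }
}

function Get-LocalAttestationFacts {
    # The same facts DHA carries: TPM readiness, Secure Boot, BitLocker on the OS volume,
    # and code-integrity policy state (Win32_DeviceGuard in root\Microsoft\Windows\DeviceGuard).
    $tpm = Get-Tpm
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        TpmVersion          = $tpm.ManufacturerVersionFull20
        SecureBoot          = Confirm-SecureBootUEFI
        OsVolumeStatus      = $os.VolumeStatus
        OsProtectionStatus  = $os.ProtectionStatus
        OsKeyProtectors     = ($os.KeyProtector.KeyProtectorType -join ',')
        # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
        CodeIntegrityPolicy = $dg.CodeIntegrityPolicyEnforcementStatus
        # SecurityServicesRunning contains 2 when HVCI (memory integrity) is running
        HvciRunning         = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-RecentBitLockerEvents {
    param([int]$Count = 20)
    # The "BitLocker management events" asked about above live in this channel.
    Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
                      @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Invoke-HasCertTask {
    # Start the task by hand and wait for it to finish, then re-read its result.
    Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName
    do {
        Start-Sleep -Seconds 2
        $t = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName
    } while ($t.State -eq 'Running')
    Get-HasCertTaskStatus
}

# Collect everything in one run
'=== Tpm-HASCertRetr task ==='
Get-HasCertTaskStatus | Format-List
'=== Local attestation facts ==='
Get-LocalAttestationFacts | Format-List
'=== Recent BitLocker management events ==='
Get-RecentBitLockerEvents | Format-Table -AutoSize
```

If Get-LocalAttestationFacts shows everything healthy (as the original post's output does) while Get-HasCertTaskStatus reports a non-zero LastTaskResult, the gap is between the device and the attestation service rather than in the device's own BitLocker, Secure Boot or TPM state; the hex result code and the Task Scheduler history for that task are what to hand to Microsoft or HP. Run Invoke-HasCertTask after a firmware or driver update to see whether the task now succeeds without waiting for its schedule.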
- Rafal_Fitt (Iron Contributor)
A random idea: try
`TpmTool.exe GetDeviceInformation`
- gmoney202 (Copper Contributor)
Just wanted to chime in; I have this issue on a Surface Laptop 5. Downgraded from Win11 to Win10 via USB. Using Autopilot/Intune. BitLocker on, Secure Boot on, PCR, BIOS and TPM all good. Seems like the DHA service is the problem.
- Hi.. could you check what TPM that Surface exactly has? I am trying to find similarities between the devices that are having the issue 🙂
- gmoney202 (Copper Contributor)
Rudy_Ooms_MVP Believe it is 7.2.3.0. I did receive it as Windows 11 and had to downgrade manually to Win10.
- josvds (Brass Contributor)
We still have about 15 devices out of 20 which are not compliant. In the meantime we have collected device logs and sent these to Microsoft. So we are working on this as well in the background. Thanks for the good work, guys.
- Just sent you a PM.. 😛