SOLVED

False compliance status


I see this problem quite often - that Intune reports that a device is missing BitLocker or Secure Boot, even though it is turned on. What am I missing? :)

 

[Attached screenshot: Capture.PNG]

3 Replies

Hi Henrik,

 

are you using newer hardware or older hardware? On older hardware did you check firmware versions for an update? Maybe it's related to some misinterpretation of TPM state and this might be fixable with newer firmware. Are the devices configured to TPM 2.0 or 1.2? Just a guess.

 

best,

Oliver 

Hi,

 

There is supposedly a bug with BitLocker reporting with 1709 when using "Require BitLocker". You should get a more reliable result with "Encryption of data storage on device". I believe this is resolved in 1803...

 

Not too sure about Secure Boot...

 

best response confirmed by Oliver Kieselbach (MVP)
Solution

There is an Intune Support Team blog on exactly this issue.

 

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Using-Device-Health-Attes...

 

Some of the Intune compliance checks come from the HSTI check rather than a direct check of the OS. In the case of Require BitLocker: if HSTI marks the device with a "BitLocker not enabled" flag, then Require BitLocker will fail the compliance check even if BitLocker is enabled.

HSTI support is an ongoing issue with the OEMs. New devices should fully support HSTI but implementation is still patchy. Some of the OEMs are retrofitting the firmware of older machines to support HSTI but some OEMs are ignoring the problems.

 

I know of at least one mainstream vendor where HSTI support is sub-optimal even on brand new devices with the latest firmware.

 

And Oliver was spot on about checking the TPM version. There are still machines coming from factory with TPM 1.2 firmware.
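The accepted answer's point is that Intune's "Require BitLocker" result comes from the HSTI/Device Health Attestation data rather than from what the OS itself reports, and Oliver's reply adds the TPM 1.2 angle. A useful first step when triaging one of these "false non-compliant" devices is to collect the OS-level facts locally and compare them with what the Intune portal shows; if the OS says BitLocker is on, Secure Boot is enabled and the TPM is 2.0 while Intune still reports non-compliance, the disagreement is in the firmware/attestation layer, which is exactly the case the blog post describes. The script below is an added example written for this thread, not code from the original posts or from Microsoft; it uses only the standard `Get-BitLockerVolume`, `Confirm-SecureBootUEFI` and `Win32_Tpm` interfaces, and the function names `Get-LocalComplianceFacts` and `Test-CompliesLocally` are this example's own. Run it in an elevated Windows PowerShell 5.1 session on the affected Windows 10 device.

```powershell
# Added example for this thread (not from the original posts): gather the
# OS-level facts behind the compliance settings discussed above so they can be
# compared with the Intune compliance report for the same device.
#Requires -RunAsAdministrator

function Get-LocalComplianceFacts {
    [CmdletBinding()]
    param(
        # System volume; the one "Require BitLocker" cares about in practice
        [string]$MountPoint = $env:SystemDrive
    )

    # --- BitLocker as the OS reports it (not the HSTI/DHA view Intune uses) ---
    $bitLocker = [pscustomobject]@{ ProtectionStatus = 'Unavailable'; VolumeStatus = 'Unavailable'; EncryptionPercentage = $null }
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
        if ($vol) {
            $bitLocker = [pscustomobject]@{
                ProtectionStatus     = [string]$vol.ProtectionStatus   # 'On' only while key protectors are active
                VolumeStatus         = [string]$vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
                EncryptionPercentage = $vol.EncryptionPercentage
            }
        }
    }

    # --- Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS / unsupported firmware ---
    $secureBoot = 'Unsupported'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        # Non-UEFI boot or cmdlet not available on this platform; leave 'Unsupported'
    }

    # --- TPM spec version from Win32_Tpm, e.g. "2.0, 0, 1.38" or "1.2, 2, 3" ---
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm -and $tpm.SpecVersion) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'NotPresent' }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OSBuild              = [System.Environment]::OSVersion.Version.Build   # 16299 = 1709, 17134 = 1803
        BitLockerProtection  = $bitLocker.ProtectionStatus
        BitLockerVolumeState = $bitLocker.VolumeStatus
        BitLockerPercent     = $bitLocker.EncryptionPercentage
        SecureBoot           = $secureBoot
        TpmSpecVersion       = $tpmSpec
        TpmIs12              = ($tpmSpec -eq '1.2')   # the factory-firmware case the accepted answer warns about
    }
}

function Test-CompliesLocally {
    # Mirrors the intent of the two BitLocker settings named in this thread
    # ("Require BitLocker" and "Encryption of data storage on device") plus
    # Secure Boot and TPM version, using only what the OS reports. A pass here
    # combined with a failing Intune result points at firmware/DHA (HSTI), not
    # at the OS configuration.
    param([Parameter(Mandatory)]$Facts)

    [pscustomobject]@{
        BitLockerOn          = ($Facts.BitLockerProtection -eq 'On')
        DataStorageEncrypted = ($Facts.BitLockerVolumeState -eq 'FullyEncrypted')
        SecureBootOn         = ($Facts.SecureBoot -eq 'Enabled')
        TpmIsNot12           = (-not $Facts.TpmIs12)
    }
}

$facts = Get-LocalComplianceFacts
$facts | Format-List
Test-CompliesLocally -Facts $facts | Format-List
```

Note that `Get-BitLockerVolume` is only present on editions that ship the BitLocker feature (Pro and above), so the script reports `Unavailable` rather than failing on Home editions. `ProtectionStatus` is the value to look at for "Require BitLocker": a volume can be `FullyEncrypted` with protection suspended (status `Off`), which the OS and Intune treat differently.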
