SOLVED

False compliance status


I see this problem quite often - that Intune reports that a device is missing BitLocker or Secure Boot, even though it is turned on. What am I missing? :)

Hi Henrik,

are you using newer hardware or older hardware? On older hardware did you check firmware versions for an update? Maybe it's related to some misinterpretation of TPM state and this might be fixable with newer firmware. Are the devices configured to TPM 2.0 or 1.2? Just a guess.

best,

Oliver

Hi,

There is supposedly a bug with BitLocker reporting with 1709 when using "Require BitLocker". You should get a more reliable result with "Encryption of data storage on device". I believe this is resolved in 1803...

Not too sure about Secure Boot...

Solution

There is an Intune Support Team blog on exactly this issue.

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Using-Device-Health-Attestation-Settings-as-Part-of/ba-p/282643

Some of the Intune compliance checks come from the HSTI check rather than a direct check of the OS. In the case of Require BitLocker: if HSTI marks the device with a "BitLocker not enabled" flag, then Require BitLocker will fail the compliance check even if BitLocker is enabled.

HSTI support is an ongoing issue with the OEMs. New devices should fully support HSTI but implementation is still patchy. Some of the OEMs are retrofitting the firmware of older machines to support HSTI but some OEMs are ignoring the problems.

I know of at least one mainstream vendor where HSTI support is sub-optimal even on brand new devices with the latest firmware.

And Oliver was spot on about checking the TPM version. There are still machines coming from factory with TPM 1.2 firmware.
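To triage a device that Intune marks non-compliant, the replies above boil down to comparing the OS's own view (BitLocker, Secure Boot, TPM spec version, firmware level, Windows build) against what the attestation-based check reported. The script below is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the affected Windows 10 device with the BitLocker and SecureBoot modules present.

```powershell
# Added example (not from the thread): collect the local facts the replies say to
# compare against a failing Intune compliance report. Run elevated on the device.
# Assumes the BitLocker, SecureBoot and CIM cmdlets are available (Windows 10 Pro/Enterprise).

$report = [ordered]@{}

# Windows build: 1709 is build 16299, 1803 is build 17134 (the releases named above).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report['OSBuild']       = [int]$os.BuildNumber
$report['OnOrAfter1803'] = [int]$os.BuildNumber -ge 17134

# What the OS itself says about the system drive. This is roughly what the
# "Encryption of data storage on device" setting evaluates; "Require BitLocker"
# instead relies on the Device Health Attestation (HSTI) result, which is why the
# two can disagree on a device whose firmware attests poorly.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['BitLockerProtection']   = $vol.ProtectionStatus      # On / Off
$report['BitLockerVolumeStatus'] = $vol.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
$report['BitLockerPercent']      = $vol.EncryptionPercentage

# Secure Boot as the UEFI firmware reports it. The cmdlet throws on legacy BIOS boot.
try   { $report['SecureBoot'] = Confirm-SecureBootUEFI }
catch { $report['SecureBoot'] = "Not UEFI or unsupported: $($_.Exception.Message)" }

# TPM spec version and firmware: Oliver's point about 1.2 versus 2.0.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$report['TpmSpecVersion']         = $tpm.SpecVersion          # e.g. "2.0, 0, 1.38" or "1.2, 2, 3"
$report['TpmManufacturerVersion'] = $tpm.ManufacturerVersion
$report['TpmIs20']                = $tpm.SpecVersion -like '2.0*'

# System firmware level, to check against the OEM's HSTI-capable release notes.
$bios = Get-CimInstance -ClassName Win32_BIOS
$report['FirmwareVersion'] = $bios.SMBIOSBIOSVersion
$report['FirmwareDate']    = $bios.ReleaseDate

# If the OS reports protection On / FullyEncrypted and Secure Boot $true while
# Intune still fails "Require BitLocker" or Secure Boot, the mismatch is on the
# attestation side (firmware/HSTI or TPM), not in the OS configuration.
[pscustomobject]$report | Format-List
```

A device showing TpmIs20 = False or an old FirmwareDate is the first thing to take back to the OEM, per the discussion above.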
