SOLVED

Bitlocker encryption issues over Intune

Iron Contributor

Hi,

I have an Hybrid AD deployment and use Intune to deploy security settings to our endpoints.

I set up a Device Configuration policy to deploy Bitlocker on all our Windows devices, and this was done quite some time ago. Now I created a powershell script to audit if the bitlocker keys are in AzureAD and Intune, and found out that around 500 out of 2000 devices do not have keys, so I guess that they are not encrypted. I looked at a couple of cases to analyze and I've got some conflicting information. If I look at the device on Intune, I can see that my Device Configuration policy was "Succeeded", like shown here:

Screenshot_2.png

But then if I go to "Endpoint Security" -> "Disk Encryption", I can see my policy named "Bitlocker_All_Devices" there, and entering the policy, looking at "Device Status", I have the list of "Succeeded" devices, and the device is not there.

So on the device, the policy seems to have been applied, but in fact no encryption happened. How can I debug what's going on here? Without having to look individually to 500 devices of course.

 

Thanks

2 Replies
best response confirmed by dmarquesgn (Iron Contributor)
Solution
A successful compliance of the policy doesn’t necessarily mean that it applied successfully all the way. I would check the device encryption report to identify devices that have not encrypted and start from there. If the report says that devices are encrypted but missing recovery key, then it should easy enough push a script to force the backup of the recovery key to Entra ID.

@rahuljindal-MVP Thanks, I didn't knew that report yet, and it's much more clear now.

Now I can see that I've got around 90 devices which are encrypted, but I have no keys stored and about 60 devices which are ready for encryption, but most of them have this error:

"The encryption method of the OS volume doesn't match the BitLocker policy. The TPM isn't ready for BitLocker."

Now I'll try to find out how to solve this issues.

1 best response

Accepted Solutions
best response confirmed by dmarquesgn (Iron Contributor)
Solution
A successful compliance of the policy doesn’t necessarily mean that it applied successfully all the way. I would check the device encryption report to identify devices that have not encrypted and start from there. If the report says that devices are encrypted but missing recovery key, then it should easy enough push a script to force the backup of the recovery key to Entra ID.

View solution in original post