May 02 2024 02:39 PM
Hi,
I have a Hybrid AD deployment and use Intune to deploy security settings to our endpoints.
I set up a Device Configuration policy to deploy BitLocker on all our Windows devices, and this was done quite some time ago. Now I created a PowerShell script to audit if the BitLocker keys are in AzureAD and Intune, and found out that around 500 out of 2000 devices do not have keys, so I guess that they are not encrypted. I looked at a couple of cases to analyze and I've got some conflicting information. If I look at the device on Intune, I can see that my Device Configuration policy was "Succeeded", as shown here:
But then if I go to "Endpoint Security" -> "Disk Encryption", I can see my policy named "Bitlocker_All_Devices" there, and entering the policy, looking at "Device Status", I have the list of "Succeeded" devices, and the device is not there.
So on the device, the policy seems to have been applied, but in fact no encryption happened. How can I debug what's going on here? Without having to look individually at 500 devices of course.
Thanks
May 02 2024 03:59 PM
Solution
May 03 2024 01:21 AM
@rahuljindal-MVP Thanks, I didn't know that report yet, and it's much more clear now.
Now I can see that I've got around 90 devices which are encrypted, but I have no keys stored and about 60 devices which are ready for encryption, but most of them have this error:
"The encryption method of the OS volume doesn't match the BitLocker policy. The TPM isn't ready for BitLocker."
Now I'll try to find out how to solve these issues.
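
The two error conditions quoted above (TPM not ready, OS volume encryption method not matching policy) and the "encrypted but no keys stored" case can be checked locally on each device. The following is an added example, not part of the original thread: it uses the built-in `Get-Tpm` and `Get-BitLockerVolume` cmdlets and assumes the policy expects XTS-AES 256 (the `$ExpectedMethod` value is an assumption, set it to whatever your policy requires).

```powershell
# Added example: local BitLocker/TPM triage, one JSON line per device.
# Must run elevated (Get-Tpm and Get-BitLockerVolume require admin rights).
# Assumption: the policy requires XTS-AES 256 on the OS volume.
$ExpectedMethod = 'XtsAes256'

$tpm = Get-Tpm
$os  = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Recovery password protectors are what gets escrowed to the directory.
# Their presence here only proves the key exists locally, not that it was backed up.
$recovery = @($os.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

$findings = @()

if (-not $tpm.TpmPresent) {
    $findings += 'TPM not present'
} elseif (-not $tpm.TpmReady) {
    $findings += 'TPM present but not ready'
}

if ($os.VolumeStatus -eq 'FullyDecrypted') {
    $findings += 'OS volume is not encrypted'
} else {
    if ($os.EncryptionMethod -ne $ExpectedMethod) {
        $findings += "Encryption method is $($os.EncryptionMethod), expected $ExpectedMethod"
    }
    if ($os.ProtectionStatus -ne 'On') {
        $findings += 'Volume is encrypted but protection is off or suspended'
    }
    if ($recovery.Count -eq 0) {
        $findings += 'No recovery password protector, so there is no key to escrow'
    }
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    TpmReady           = $tpm.TpmReady
    VolumeStatus       = "$($os.VolumeStatus)"
    EncryptionMethod   = "$($os.EncryptionMethod)"
    ProtectionStatus   = "$($os.ProtectionStatus)"
    RecoveryProtectors = $recovery.Count
    Findings           = $findings
} | ConvertTo-Json -Compress
```

Collecting this output from all affected devices groups them by cause (TPM state, method mismatch, missing recovery protector) instead of inspecting each one by hand.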