SOLVED

Endpoint security - Device encryption policy shows error

%3CLINGO-SUB%20id%3D%22lingo-sub-2639308%22%20slang%3D%22en-US%22%3EEndpoint%20security%20-%20Device%20encryption%20policy%20shows%20error%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2639308%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ei%20have%20around%20100%20new%20HP%20Elitebooks%20which%20i%20want%20to%20configure%20with%20Bitlocker.%20We%20would%20like%20to%20accomplish%20this%20in%20the%20Endpoint%20security%20section%20and%20created%20a%20Device%20encryption%20policy%20according%20to%20this%20article%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fpetri.com%2Fbest-practices-for-deploying-bitlocker-with-intune%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EBest%20Practices%20for%20Deploying%20BitLocker%20with%20Intune%20%7C%20Petri%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20the%20issue%2C%20that%20in%20Intune%20it%20shows%20that%20the%20policy%20has%20an%20error.%20When%20i%20click%20on%20the%20error%2C%20everything%20shows%20successful%20(see%20printscreen%20intune1)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20i%20check%20the%20report%2C%20i%20have%20as%20far%20as%20i%20can%20say%20everything%20correct%20there%20for%20my%20Test%20Device%20(see%20printscrren%20Intune2).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20i%20check%20on%20the%20device%20i%20see%20the%20only%20the%20used%20space%20is%20encrypted%20(see%20printscreen%20bitlocker).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anybody%20know%20how%20i%20could%20correct%20the%20error%20as%20well%20is%20that%20the%20recommended%20configuration%20to%20have%20only%20the%20used%20space%20encrypted%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks%20for%20your%20feedback%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%2C%3C%2FP%3E%3CP%3EMarc%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2639308%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EBitlocker%20Encryption%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Edevice%20encryption%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EEndpoint%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2640287%22%20slang%3D%22en-US%22%3ERe%3A%20Endpoint%20security%20-%20Device%20encryption%20policy%20shows%20error%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2640287%22%20slang%3D%22en-US%22%3EHi%20Marc%2C%3CBR%20%2F%3E%3CBR%20%2F%3EHow%20does%20your%20assignment%20look%20like%3F%20Did%20you%20apply%20this%20policy%20on%20user-%20or%20device%20groups%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2640321%22%20slang%3D%22en-US%22%3ERe%3A%20Endpoint%20security%20-%20Device%20encryption%20policy%20shows%20error%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2640321%22%20slang%3D%22en-US%22%3EHi%20Marc%2C%3CBR%20%2F%3E%3CBR%20%2F%3EWhen%20did%20you%20create%20the%20endpoint%20security%20profile%3F%20Sometimes%20it%20can%20take%20some%20time%20before%20the%20status%20changes.%20I've%20seen%20in%20the%20past%20that%20the%20status%20returned%2C%20is%20not%20always%20up%20to%20date.%20And%20indeed%2C%20you%20should%20apply%20this%20policy%20to%20device%20groups.%3CBR%20%2F%3E%3CBR%20%2F%3ETo%20give%20an%20answer%20to%20your%20question%20regarding%20device%20group%20assignment%20of%20user%20group%20assignment%2C%20it%20depends%20on%20the%20configuration%2C%20but%20choose%20for%20device%20group%20assignment%20if%20you%20want%20to%20apply%20settings%20on%20a%20device%2C%20regardless%20of%20who's%20signing%20in%2C%20it%20will%20always%20apply%20the%20configuration.%20Choose%20a%20user%20group%20assignment%20if%20you%20want%20to%20apply%20profile%20settings.%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%2C%20Bilal%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi all

 

i have around 100 new HP Elitebooks which i want to configure with Bitlocker. We would like to accomplish this in the Endpoint security section and created a Device encryption policy according to this article: Best Practices for Deploying BitLocker with Intune | Petri

 

I have the issue, that in Intune it shows that the policy has an error. When i click on the error, everything shows successful (see printscreen intune1)

 

When i check the report, i have as far as i can say everything correct there for my Test Device (see printscrren Intune2).

 

When i check on the device i see the only the used space is encrypted (see printscreen bitlocker).

 

Does anybody know how i could correct the error as well is that the recommended configuration to have only the used space encrypted?

 

Many thanks for your feedback

 

Best regards,

Marc

 

 

8 Replies
Hi Marc,

How does your assignment look like? Did you apply this policy on user- or device groups?
Hi Bilalel

i assigned it to the device group of all Windows devices. I'm not a 100% sure when to use device and when user policy.

What would you recommend?

Best regards
Marc
Hi Marc,

When did you create the endpoint security profile? Sometimes it can take some time before the status changes. I've seen in the past that the status returned, is not always up to date. And indeed, you should apply this policy to device groups.

To give an answer to your question regarding device group assignment of user group assignment, it depends on the configuration, but choose for device group assignment if you want to apply settings on a device, regardless of who's signing in, it will always apply the configuration. Choose a user group assignment if you want to apply profile settings.

Regards, Bilal
Hi Bilal

i'm working already with the device a couple of days. In the eventlog i don't see any issues for Bitlocker.

Thanks for your feedback on this. I will keep an eye on it, probably it will solve it one time.

So then probably that isn't an issue, just shows the error there.

Is it normal for the Bitlocker to have the used space encrypted only?

Or shouldn't this be the whole drive?

Many thanks and best regards
Marc
Hi Marc,

Are you sure that there are no duplicates within the Bitlocker settings? You don't have any device configuration set that also configures Bitlocker settings?

When I run the command manage-bde -status it shows me that the drive is Fully Encrypted instead of "Used space only". When I have a look at the blogpost you've shared and my own configuration, we have nearly the same settings, nothing special. So it's strange that it behaves differently at your side.

More then welcome and regards, Bilal

Hi @BilalelHadd 

 

thanks for your update. I removed all Configuration Profiles and Compliance Profiles, even all Endpoint Security profiles i had in place and did a fresh start with my Test Device.

 

I recognized, that the error in the device encryption policy is already there even before the device has finished with the encryption of the drive.

 

You mentioned that you have almost the same settings for your devices. Can you let me know, which settings are different? I read also somewhere that when the setting "Hide prompt about third-party encryption" is set to yes, this means silent config, which uses "Used space only".

 

Many thanks for your feedback.

 

Best regards,

Marc 

best response confirmed by marckuhn (Occasional Contributor)
Solution

Hi Marc,

 

Check if you can re-image the Windows 10 client to be sure.


Below the settings that difference from yours:
- BitLocker - Base Settings
Require storage cards to be encrypted (mobile only): Yes
Configure client-driven recovery password rotation: Azure AD-Joined devices only

BitLocker - Fixed Drive Settings
Enable BitLocker after recovery information to store: Not configured

BitLocker - OS Drive Settings
Compatible TPM startup : Allowed
Compatible TPM startup PIN: Blocked
Compatible TPM startup key: Blocked
Compatible TPM startup key and PIN: Blocked
Enable BitLocker after recovery information to store: Not configured
Block the use of certificate-based data recovery agent (DRA): Yes

BitLocker - Removable Drive Settings
Block write access to removable data-drives not protected by BitLocker: Yes

Hope this helps, and keep me posted.

Regards, Bilal

Hi Bilal

many thanks for your details, i did a Fresh Start again and see now, that the policy has been successfully applied :-). The status in the cmd is a little slow still showing "Encryption in Progress" but i'm optimistic now, that this is better.

 

I will play around a little more after i see that everything is okey now to find the setting, which was causing that issue.

 

Thanks already for your help, much appreciated!

 

Best regards,

Marc