SOLVED

Force Device Compliance check

Occasional Contributor
Hi guys
we are currently rolling out around 100 new notebooks with Intune. I have configured BitLocker and a compliance policy, which requires BitLocker to be turned on to have access to company resources.

After the user logs in, the encryption with BitLocker is finished after less than an hour. I checked that with "manage-bde -status".

In the company portal it shows that the device is not compliant for mostly around 3 hours.

We tried to sync, reboot, change network connection to speed it up but it's a miracle to me how I'm able to force it.

Does anybody know a good way to do that even if it is a manual task on the device?

Many thanks for your inputs

Best regards
Marc
3 Replies
best response confirmed by marckuhn (Occasional Contributor)
Solution
Hi, normally the BitLocker / TPM status is reported after a reboot. You have got 2 options I guess.. checking the compliance status with the company portal and trying to synchronize/check it from there.

Also, maybe to get a good understanding of how compliance works icw conditional access, please read my new blog about this

https://call4cloud.nl/2021/08/the-death-of-compliance/
Hi Rudy
thanks a lot for your feedback and the blog. Very interesting stuff!! I will try to check that with the next device I have.

In my case in the company portal itself the status was also no access to company resources. Also a reboot didn't help. So I think the first who knows the compliance status is the company portal, right?

Best regards
Marc
The company portal is indeed a good place to start on why the device is not compliant and force a sync attempt to "phone home" the compliance state of the device. But it's weird that it doesn't report back the BitLocker state.