This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 36%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
Hello, i have problem of domain joined devices in encypting them through bitlocker, i have a security baseline configuration on intune that applies to the devices, the configuration shows that all are successful meanwhile the bitlocker on the drive is not enabling , looks like its not forcing the devices to start encypting even though i have done multiple syncs, to mention that we have had this security baseline implemented on devices for along time.
Are the devices Entra Hybrid? Also, how are they enrolled into Intune? What is the status in the BitLocker API event logs?
yes and the devices are enrolled through Microsoft Entra ID, the bitlocker log shows :The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Van M, Thanks for posting in Q&A. From your description, I know the policy has deployed to devices successfully. And we get error when enable on the device side. The error message is "The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption:".
For this error, based on my researching, it seems windows has detected an attached Direct memory access (DMA)-capable device that might expose a DMA threat. Please verify that the device has no external DMA ports with the original equipment manufacturer (OEM). And add the device to the allowed list to see if it works.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Van M, Hope things are going well. If there's any update, feel free to let us know.