This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 78%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Hi Team, I have many devices. Which are showing non compliance under Require Bitlocker. Please help to advise. What action is require from device or from Intune to get it fixed?
Also what is the difference between require bitlocker and require encryption of data storage?
I am noticing a lot of "compliance" issues because secure boot and bitlocker arent enabled (even when they are enabled) but I am not sure if your issue is exactly the same.
-What error message does the compliance policy shows you ?
-I assume you deployed the bitlocker policy with an endpoint security config profile?
To answer the other question.... the require bitlocker uses device health attestation... explaining that whole flow here... and why it "could" give you issues
[https://call4cloud.nl/2021/10/device-health-attestation-age-of-compliance/
Hi Ruby, thank you for your reply. Yes, it is the same case with me. I have checked one of device, which is showing non-compliance under Bit locker require to be enabled. However, in device it is enabled.
Yes, we have one policy for bitlocker using endpoint security>Disk Encryption.
Assuming you rebooted the device and waited some time... what version of tpm do you got? tpmtool getdeviceinformation
Also could you look at the tpm task (task scheduler) tpm-hascertretr and the status (maybe executing it again to know for sure)
Hi Ritesh,
you need in first create a Disk encryption policy, where you set and enable the disk encryption:
The difference between require bitlocker and require encryption of data storage, take a look to this article:
[https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-windows
"The Encryption of data storage on a device setting generically checks for the presence of encryption on the device. For a more robust encryption setting, consider using Require BitLocker, which leverages Windows Device Health Attestation to validate Bitlocker status at the TPM level."
Have a nice week end.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 33%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGR%3C/text%3E%3C/svg%3E)
Makes sense. I had the same issue. Then I checked my encryption policy and found out that only bitlocker was enabled. The encryption itself was not enabled on OS, fixed and removable drives.
This makes perfect sense. Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Ritesh Sharma, Thanks for posting in Q&A.
For the "Require Bitlocker" setting in compliance policy, it measures at boot time to see if Bitlocker encryption is completed. So, to make it compliant, we need to have BitLocker Drive Encryption enabled. Here is a link with more details:
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Ritesh Sharma, Hope things are going well. I am writing to see if there's any update on our issue. If there's anything more we can help, feel free to let us know.