This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 94%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKD%3C/text%3E%3C/svg%3E)
I'm having some issues with certain devices not applying bitlocker policy through Intune. Most devices receive policy without issue and apply. Bitlocker encrypts right away and everything looks good. On a small section of computers, the policy is showing as succeeded in Intune and I can see on the computer that it's not applying. I've looked through all the obvious locations in Event Viewer:
DeviceManagement-Enterprise-Diagnostics-Provider
Bitlocker-API
These couple messages are all I can find but don't know what they refer to.
BitLocker CSP: GetDeviceEncryptionComplianceStatus indicates OSV is not compliant with returned status 0x2
CSP URI: (./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption), Result: (The device is not ready.).
These devices are no different than any other device that has received the policy without issue. They meet all pre-reqs and from the Intune side, everything looks good. No issues with TPM, WinRE is enabled. Are there any other places to look for logs to see what is happening?
What does it say in BitLocker API in event viewer? Can you share the export? Also, anything in system information?
Below is the log from Bitlocker-API. It shows this for every time stamp that I think correlates to a windows startup.
"The description for Event ID 4122 from source Microsoft-Windows-BitLocker-API cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."
Can't pull the system information until tomorrow but will update when I have that.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 17%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
@Kaczmarek, David B,
Did you ever figure this out? Im having the same problem with the same stuff in the logs.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 63%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
I am getting the same:
Any info on this would be awesome.
Rob
If you open up System Information with admin credentials, you can find some further information. Mine pointed to a DMA capable device not being reported as secure. I tracked it down to some users who were plugged into docking stations they bought off amazon. These devices were showing as external DMA capable devices that weren't secure, so Bitlocker wouldn't apply the "Require Device Encryption" setting. Once the users unplugged from the docking stations, I was able to push a sync out and had no issues. I would recommend looking at what they are plugged into, and also checking out their System Information for additional details that weren't showing in the event viewer logs.
Yeah, system information is showing my PCR7 Configuration as Binding Not Possible, looking into that now.
Thanks,
Rob