This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 75%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Intune portal app in physical ubuntu 20.04LTS says disk is not encrypted while checking for complainace but the drives are already encrypted with luks.Have tried uninstall/reinstall/restart and also the user is found in appropriate AD group but intune reports that the device is not evaluated. How to troubleshoot this issue? Have attached the intune portal app error message and also disk encryption status.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 90%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAW%3C/text%3E%3C/svg%3E)
We have the same issue currently: After Linux devices are joined via the Intune Portal, they cannot establish device compliance because the compliance check for Device Encryption fails. (even though they are encrypted)
Only workaround we found currently:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 42%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETD%3C/text%3E%3C/svg%3E)
I did same workaround last week. Device are now compliant yes but I still have a state "unknown" for Disk encryption check:
:/
I have opened a ticket to microsoft support, and waiting for help...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 81%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
We have the same issue and found another workaround: Force install intune-portal to the previous version ("apt install intune-portal=1.2303.10"), start the portal and let sit for a few minutes - when you retry you should now be compliant. And you'll stay compliant even after upgrading intune-portal to newest again :-)
We found this by using strace on intune-portal, and it seems that this newest version does indeed try to access the disk as normal user, which it definitely should not do.
An incident was created TrackingID#2306291420000932 and after some time they acknowledged that this issue exists and that it will be resolved in a future update. No ETA on that update though.
For the record, the currently accepted workaround to allow normal user access to the block device is quite unsafe, as it allows simple mistakes to completely wipe the filesystem. The above workaround (downgrade+wait+upgrade) is much safer, and should be enough until MS gets their bug fixed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 63%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERU%3C/text%3E%3C/svg%3E)
Does your user have a read permission to access those device files such as /dev/nvme0n1p?
In my case, the following command and rebooting solved the issue.
sudo usermod -a -G disk <USER_ACCOUNT>
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 77%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
The same issue with permissions
Yes, of course user has read access to the disk. Anyways will try this command and see.
@Denys Semeniuk any luck with the command?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 49%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
worked for me. thanks
sudo usermod -a -G disk <username>
Then reboot.
@Andrei Niculescu state unknown disappear? and it marks Compliant for "Require Device Encryption"
@Thomas Driou sorry for confusion.
Yes, that is correct. Intune was reporting status unknown. The disk was already encrypted, and when I ran that command, the Intune was reporting that is Compliant for the "Require Device Encryption"
I had to follow these steps.
sudo usermod -a -G disk <username>
sudo rm -f /home/[username]/.config/intune
Reboot and then open Intune app and then it showed complaint.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 79%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
Security implications
The group disk can be very dangerous, since hard drives in /dev/sd* and /dev/hd* can be read and written bypassing any file system and any partition, allowing a normal user to disclose, alter and destroy both the partitions and the data of such drives without root privileges. Users should never belong to this group.
see https://wiki.debian.org/SystemGroups for more info
Following the advise of Anders Pilegaard is the safer option :)
For the record, the currently accepted workaround to allow normal user access to the block device is quite unsafe, as it allows simple mistakes to completely wipe the filesystem. The above workaround (downgrade+wait+upgrade) is much safer, and should be enough until MS gets their bug fixed.
Solution that works:
sudo usermod -a -G disk <username>
sudo rm -f /home/[username]/.config/intune
Reboot and then open app and check complaint.
Hi,
Thank you for posting in Microsoft Q&A forum.
To troubleshoot this issue, it is suggested to check the compliance policies in use for Ubuntu devices in Intune. Intune provides a built-in encryption report that gives encryption status details across all managed devices, including encryption status of Windows and Linux devices. If the policy contains specific requirements or criteria that are not met, such as the Linux flavor or version that is unsupported, the device may be marked as non-compliant.
You can view the compliance issues by signing into the Intune portal, selecting the device and clicking "View Issues" on the device details page. The app shows the reason for non-compliance, such as the device's operating system is not supported.
Use custom compliance policies and settings for Linux and Windows devices with Microsoft Intune
Check status in Microsoft Intune app for Linux
Thanks for your time. Have a nice day!
Best regards,
Simon
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 44%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
This is also happening to our company and the actual issue is that Intune portal, on all linux devices that we tried to enroll last week, is unable to check the status of encryption.
We run Intune portal from the terminal, to monitor the tasks it performs while checking status and we see the following error: Failed to assess device encryption: Checking encryption state of /
Stuck there for days and refresh/check status, provides the same result.
All Ubuntu 22.04 LTS devices are encrypted during installation
Any help would be appreciated.
This is what you see on the server side of Intune portal
Can you share sudo lsblk
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 72%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Hi, I am also getting the same error. Require Device Encryption status is Unknown. I tested this on Multiple Laptop but result is same.
Please suggest how we can fix this.
any updates on this issue plz?