What does BitLocker protection status set to Off mean?

Goldberg, William (TIS) 0 Reputation points
2023-06-26T21:17:14.7833333+00:00

During a large-scale BitLocker deployment on laptops, many endpoints respond with a BitLocker protection status set to Off, although encryption is set to On. What scenario would cause this?

Windows for business | Windows Client for IT Pros | User experience | Other

1 answer

  1. Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator
    2023-06-27T07:01:29.6066667+00:00

    @Goldberg, William (TIS) Welcome to the Microsoft Q&A Forum. Thank you for posting your query here!

    You have reached the Azure Disk Encryption forum. This forum supports Azure Disk Encryption issues.
    Azure Disk Encryption for Windows virtual machines (VMs) uses the BitLocker feature of Windows to provide full disk encryption of the OS disk and data disk. Additionally, it provides encryption of the temporary disk when the VolumeType parameter is All. For more information, refer here.

    However, based on your scenario, let me share some insights.

    There could be several scenarios in which many endpoints report a "BitLocker protection status" set to "Off" despite encryption being enabled. Here are a few possible scenarios:

    Group Policy Configuration: If there is a misconfiguration in the Group Policy settings for BitLocker, it can cause the protection status to be reported as "Off" even though encryption is enabled. This can happen if the policy settings are not properly applied or if conflicting policies exist.

    Software or System Issues: Certain software or system issues can interfere with the proper functioning of BitLocker and cause the protection status to be reported incorrectly. This could include conflicts with other security software, driver compatibility issues, or even bugs within the BitLocker software itself.

    Drive Unlocking or Suspension: In some cases, the BitLocker protection status may be reported as "Off" if the drive has been unlocked or suspended temporarily. For example, if a user manually suspends BitLocker protection or if the system enters a suspended state (such as hibernation or sleep), the protection status may appear as "Off" until the drive is fully reactivated.

    Hardware Changes or Failures: Certain hardware changes or failures can cause BitLocker to report the protection status as "Off" even though encryption is enabled. For instance, if there are changes to the system's TPM (Trusted Platform Module) configuration or if there are hardware issues with the TPM module itself, BitLocker may not recognize the encryption state correctly.

    When the BitLocker protection status is set to "Off," it generally means that the drive is not currently protected by BitLocker encryption. This can pose a security risk as the data on the drive is not safeguarded. It is essential to investigate and resolve the underlying cause to ensure that encryption is properly enabled and functioning on the affected endpoints.

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

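The answer above lists possible causes but not how to tell them apart on a given endpoint. The following triage script is an added example for this thread; it is neither Microsoft's code nor part of the original post. It uses the built-in `Get-BitLockerVolume` and `Get-Tpm` cmdlets to classify each volume that reports `ProtectionStatus = Off` while already encrypted: no key protectors at all (the volume is encrypted but the key is stored in the clear, the usual state after pre-provisioning or after protectors were deleted), encryption still in progress, a TPM that is not ready, or protection suspended with a clear key. The function name `Get-BitLockerProtectionGap`, the finding labels, and the suggested actions are my own; it assumes an elevated PowerShell session on a Windows client with the BitLocker module, and can be wrapped in `Invoke-Command` for fleet-wide collection.

```powershell
# Added example for this thread (not Microsoft's code and not from the Q&A post).
# Classifies why a volume shows ProtectionStatus = Off although it is encrypted, using the
# built-in BitLocker and TrustedPlatformModule cmdlets. Run from an elevated PowerShell
# session on the endpoint, or via Invoke-Command to collect from many laptops.

function Get-BitLockerProtectionGap {
    [CmdletBinding()]
    param(
        # Optional: restrict to specific drive letters, e.g. 'C:'. Default: every BitLocker-capable volume.
        [string[]]$MountPoint
    )

    $volumes = if ($MountPoint) { Get-BitLockerVolume -MountPoint $MountPoint } else { Get-BitLockerVolume }

    # TPM health only matters for volumes that depend on a TPM-based protector.
    $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }

    foreach ($v in $volumes) {
        $protectors = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $usesTpm    = @($protectors -match '^Tpm').Count -gt 0
        $encrypted  = $v.VolumeStatus -in 'FullyEncrypted', 'EncryptionInProgress', 'EncryptionPaused'

        if (-not $encrypted) {
            $finding = 'NotEncrypted'
            $action  = 'Enable-BitLocker with the policy-defined protector.'
        }
        elseif ($v.ProtectionStatus -eq 'On') {
            $finding = 'Healthy'
            $action  = 'None.'
        }
        elseif ($protectors.Count -eq 0) {
            # Encrypted but no key protectors: the volume key is stored in the clear, so BitLocker
            # correctly reports Off. Typical after pre-provisioning that was never finalised.
            $finding = 'EncryptedWithoutProtectors'
            $action  = 'Add-BitLockerKeyProtector (e.g. -TpmProtector) plus -RecoveryPasswordProtector, then escrow the recovery key.'
        }
        elseif ($v.EncryptionPercentage -lt 100) {
            $finding = 'EncryptionInProgress'
            $action  = 'Wait for encryption to finish and recheck.'
        }
        elseif ($usesTpm -and $tpm -and -not $tpm.TpmReady) {
            $finding = 'TpmNotReady'
            $action  = 'Investigate TPM state (Get-Tpm / tpm.msc) before resuming protection.'
        }
        else {
            # Protectors exist and the disk is fully encrypted: protection was suspended (clear key present).
            $finding = 'ProtectionSuspended'
            $action  = 'Resume-BitLocker -MountPoint <drive> once the reason for the suspension (update, firmware change) is known.'
        }

        [PSCustomObject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus
            Percent          = $v.EncryptionPercentage
            ProtectionStatus = $v.ProtectionStatus
            Protectors       = ($protectors -join ',')
            TpmReady         = if ($tpm) { $tpm.TpmReady } else { 'n/a' }
            Finding          = $finding
            Action           = $action
        }
    }
}

# Usage: report only the volumes that need attention.
Get-BitLockerProtectionGap | Where-Object Finding -ne 'Healthy' | Format-Table -AutoSize
```

The script deliberately reports and does not remediate: adding protectors or resuming protection changes what is needed to unlock the disk, so the recovery key should be escrowed (Active Directory, Intune or your key-management store) before any of the listed actions is run at scale.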
