It takes about 30 minutes before the device is compliant

ChielD1975 141 Reputation points
2020-10-31T20:44:36.467+00:00

When we enroll a Windows 10 device with Autopilot and the user signs in for the first time, it takes about 30 minutes before the device is flagged as compliant. Because we use conditional access policies with a compliancy check, the user is not able to use MS Teams or OneDrive, for example, before that.
The compliancy policy is assigned to devices, not users, and requires BitLocker, code integrity, firewall, TPM, Antivirus, Antispyware, Defender and real-time protection.
Mostly the device is not compliant because of the BitLocker check; sometimes the encryption process is still running.
Can somebody give me some tips about what's the safest way to accomplish this case? We want to send the devices as pre-provisioned devices, but then the process needs to be 100% bulletproof so that the user can start using the apps immediately after signing in for the first time.
Thanks for reading and hopefully someone can put me in the right direction.

Microsoft Security | Windows Autopilot
Microsoft Security | Intune | Other

Accepted answer
  1. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2020-11-02T01:56:14.22+00:00

    Have you considered using a scheduled grace period for non-compliance? https://learn.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance#add-actions-for-noncompliance


1 additional answer

  1. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2020-11-02T02:49:49.207+00:00

    @ChielD1975, based on my research, I find that BitLocker encryption gets triggered in the User Phase during ESP, after Device Setup completes and before ESP enters the Account Setup phase, which will cost the user time for the BitLocker encryption.

    We can try Jason's suggestion to add a scheduled grace period to see if the conditional access policy can be passed and if MS Teams or OneDrive can be accessed successfully.

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
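
To see which of the settings named in the question are not yet in place on a freshly provisioned device (for example BitLocker still encrypting), a local check like the following can be run in an elevated PowerShell session. This is an added example, not part of the thread or of Microsoft's documentation; the function name `Get-ComplianceReadiness` is hypothetical, it assumes the OS volume is the one the BitLocker rule looks at, it does not cover code integrity, and it reports local state only, not Intune's compliance verdict.

```powershell
# Added example, not from the thread. Run elevated on the enrolled device.
# Reports local state only; it does not query or change Intune.
function Get-ComplianceReadiness {
    [CmdletBinding()]
    param(
        # Assumption: the OS volume is the one the BitLocker rule evaluates.
        [string]$MountPoint = $env:SystemDrive
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm   = Get-Tpm
    $mp    = Get-MpComputerStatus
    # Firewall profiles (Domain, Private, Public) that are not enabled.
    $fwOff = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })

    $checks = [ordered]@{
        'BitLocker volume fully encrypted' = ($vol.VolumeStatus -eq 'FullyEncrypted')
        'BitLocker protection on'          = ($vol.ProtectionStatus -eq 'On')
        'TPM present and ready'            = ($tpm.TpmPresent -and $tpm.TpmReady)
        'Antivirus enabled'                = $mp.AntivirusEnabled
        'Antispyware enabled'              = $mp.AntispywareEnabled
        'Real-time protection enabled'     = $mp.RealTimeProtectionEnabled
        'Firewall enabled on all profiles' = ($fwOff.Count -eq 0)
    }

    foreach ($name in $checks.Keys) {
        # Add detail where it explains a failure (encryption progress, disabled profiles).
        $detail = ''
        if ($name -like 'BitLocker*') {
            $detail = "$($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
        }
        if ($name -like 'Firewall*') {
            $detail = ($fwOff.Name -join ', ')
        }

        [pscustomobject]@{
            Check  = $name
            Passed = [bool]$checks[$name]
            Detail = $detail
        }
    }
}

Get-ComplianceReadiness | Format-Table -AutoSize
```

A `VolumeStatus` of `EncryptionInProgress` with a percentage below 100 matches the situation described in the question, where the encryption process is still running at first sign-in.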
