It takes about 30 minutes before device is compliant

ChielD1975 141 Reputation points
2020-10-31T20:44:36.467+00:00

When we enroll a Windows 10 device with Autopilot and the user signs in for the first time, it takes about 30 minutes before the device is flagged as compliant. Because we use conditional access policies with a compliancy check, the user is not able to use MS Teams or OneDrive, for example, before that.
The compliancy policy is assigned to devices, not users, and requires BitLocker, code integrity, firewall, TPM, Antivirus, Antispyware, Defender and real-time protection.
Mostly the device is not compliant because of the BitLocker check; sometimes the encryption process is still running.
Can somebody give me some tips about what's the safest way to accomplish this case? We want to send the devices as pre-provisioned devices, but then the process needs to be 100% bulletproof so that the user can start using the apps immediately after signing in for the first time.
Thanks for reading and hopefully someone can put me in the right direction.


Accepted answer
  1. Jason Sandys 31,181 Reputation points Microsoft Employee
    2020-11-02T01:56:14.22+00:00

    Have you considered using a scheduled grace period for non-compliance: https://learn.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance#add-actions-for-noncompliance


1 additional answer

  1. Crystal-MSFT 44,831 Reputation points Microsoft Vendor
    2020-11-02T02:49:49.207+00:00

    @ChielD1975, based on my research, I find that BitLocker encryption gets triggered in the User Phase during ESP, after Device Setup completes and before ESP enters the Account Setup phase, which will cost the user time for the BitLocker encryption.

    We can try Jason's suggestion to add a scheduled grace period to see if the conditional access policy can be passed and if MS Teams or OneDrive can be accessed successfully.

    Hope it can help.

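To see which of the settings named in the question is still unmet on a freshly enrolled device, a local spot-check like the following can be run in an elevated PowerShell session. This is an added example, not part of the original thread; it reads local state only and is not how Intune itself evaluates compliance, and the labels in `$checks` are this example's own wording.

```powershell
# Added example: local view of the signals listed in the compliance policy.
# Assumption: run elevated on the enrolled Windows 10 device.
# Code integrity is omitted here; no local check for it is attempted.

$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$tpm   = Get-Tpm
$mp    = Get-MpComputerStatus
# Any firewall profile that is not explicitly enabled counts as a failure.
$fwOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }

$checks = [ordered]@{
    'BitLocker protection on'      = ($os.ProtectionStatus -eq 'On')
    'OS volume fully encrypted'    = ($os.VolumeStatus -eq 'FullyEncrypted')
    'TPM present and ready'        = ($tpm.TpmPresent -and $tpm.TpmReady)
    'Firewall on for all profiles' = (-not $fwOff)
    'Antivirus enabled'            = $mp.AntivirusEnabled
    'Antispyware enabled'          = $mp.AntispywareEnabled
    'Real-time protection enabled' = $mp.RealTimeProtectionEnabled
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
} | Format-Table -AutoSize

# The case described in the question: encryption has started but not finished.
if ($os.VolumeStatus -eq 'EncryptionInProgress') {
    Write-Output ("Encryption still running: {0}% complete" -f $os.EncryptionPercentage)
}
```

Running it right after first sign-in and again later shows whether the BitLocker rows are the ones that change, which helps when sizing the grace period.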