question

RogerHendrikse-7977 asked saldana-msft edited

SCCM - BitLocker Compliant Machines showing as Non Compliant

We are using SCCM 2010 to manage our machines, including applying a BitLocker Policy that enables BitLocker encryption. We have set OS drive encryption to require TPM chip, and have set Fixed Drive encryption to auto unlock.

The way I understand it, the settings for Fixed Drive apply to all internal fixed drives that are NOT the OS drive.

For some reason, 90% of our devices are showing up as non compliant in the BitLocker Compliance Dashboard report, even though they ARE BitLocker encrypted. If I go to these devices, they all show the same as below

[Screenshot: noncompliant.jpg]



As you can see, the Operating system drive is showing as compliant, but it shows as non compliant for Fixed Data Drive Compliance. I do not see why this would show as such, when the computer only has one drive (and this is the OS drive, which is compliant). For some machines (about 10%) the machines show as compliant for both Operating System AND Fixed Data Drive.

Please can someone explain why this is happening and how to remedy it, because at the moment, the BitLocker Compliance reports are useless.

Tags: mem-cm-general, windows-10-security

RogerHendrikse-7977 answered

So the 2010 HFRU seems to have resolved the issue - https://support.microsoft.com/en-us/topic/update-rollup-for-microsoft-endpoint-configuration-manager-current-branch-version-2010-403fa677-e418-e39d-6eb6-f279ea991a95

Installed this and after machines updated their client, they seem to be showing as properly compliant now :-)


FionaYan-MSFT answered FionaYan-MSFT commented

@RogerHendrikse-7977

Thank you for posting in Microsoft Q&A forum.

Maybe we could check the status of the BitLocker policy on the client side, like the image shown below:
[Screenshot: image.png]

Have a good day!



Hi. Here is the report from one of the machines. This has one drive, that IS BitLocker encrypted. SCCM shows OS Drive as compliant, but Fixed drive non compliant.
[Screenshot: compliance-report.png]


0 Votes 0 ·

@RogerHendrikse-7977

Thank you for the update.

Yes, what we provided seems to show that the problem is caused by the non-compliance of the fixed drive, which does not seem very reasonable.

In this case, to help the customer solve problems, Microsoft also attaches great importance to the voice of users. It's recommended that we could use the following user voice link to submit our suggestion:
https://configurationmanager.uservoice.com/forums/300492-ideas

At the same time, I will try my best to deliver the information to the product team to see if they have some additional comments, but this is not guaranteed. Once there is a reply, I will get back to you at the first time.

Thank you for your kind understanding and have a nice weekend!

0 Votes 0 ·

Hi. I just saw that there is a hotfix available for SCCM 2010, and this includes a fix for the issue I described here - https://support.microsoft.com/en-us/topic/update-rollup-for-microsoft-endpoint-configuration-manager-current-branch-version-2010-403fa677-e418-e39d-6eb6-f279ea991a95

I will be implementing this hotfix next week to see if it resolves the issue.

0 Votes 0 ·

@RogerHendrikse-7977

Thanks for the kind reply and we're looking forward to hearing the good news!
If there is any other assistance we could provide, please feel free to let us know, we will do our best to help you.

Have a good day!

0 Votes 0 ·
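
As an added example (not part of any post in this thread), the following PowerShell can be run elevated on an affected client to compare what BitLocker reports locally with what the compliance dashboard shows: it lists each volume's type, encryption state and key protectors, and notes whether any fixed data volume exists at all. It uses the built-in `Get-BitLockerVolume` and `Get-Volume` cmdlets; the pass criteria (TPM protector on the OS volume, auto-unlock on fixed data volumes) are assumptions taken from the policy described in the question.

```powershell
# Added example: run in an elevated PowerShell session on the client.
# Builds a per-volume view of the local BitLocker state.
$report = foreach ($v in Get-BitLockerVolume) {
    # Get-BitLockerVolume labels every non-OS volume "Data", so look up the
    # drive type (Fixed / Removable) separately for lettered volumes.
    $driveType = 'Unknown'
    if ($v.MountPoint -match '^[A-Za-z]:') {
        $driveType = [string](Get-Volume -DriveLetter $v.MountPoint[0]).DriveType
    }
    [pscustomobject]@{
        MountPoint    = $v.MountPoint
        VolumeType    = [string]$v.VolumeType        # OperatingSystem or Data
        DriveType     = $driveType
        VolumeStatus  = [string]$v.VolumeStatus      # e.g. FullyEncrypted
        Protection    = [string]$v.ProtectionStatus  # On / Off
        EncryptedPct  = $v.EncryptionPercentage
        AutoUnlock    = $v.AutoUnlockEnabled         # only set for data volumes
        KeyProtectors = ($v.KeyProtector.KeyProtectorType -join ', ')
    }
}
$report | Format-Table -AutoSize

# OS volume: expect full encryption, protection on, and a TPM-based protector.
foreach ($os in @($report | Where-Object { $_.VolumeType -eq 'OperatingSystem' })) {
    $ok = ($os.VolumeStatus -eq 'FullyEncrypted') -and
          ($os.Protection -eq 'On') -and
          ($os.KeyProtectors -match 'Tpm')
    'OS volume {0}: encrypted with TPM protector = {1}' -f $os.MountPoint, $ok
}

# Fixed data volumes: the category the dashboard reports separately.
$fixedData = @($report | Where-Object {
    $_.VolumeType -eq 'Data' -and $_.DriveType -eq 'Fixed'
})
if ($fixedData.Count -eq 0) {
    'No fixed data volumes found on this machine.'
} else {
    foreach ($d in $fixedData) {
        $ok = ($d.VolumeStatus -eq 'FullyEncrypted') -and
              ($d.Protection -eq 'On') -and
              ($d.AutoUnlock -eq $true)
        'Fixed data volume {0}: encrypted with auto-unlock = {1}' -f $d.MountPoint, $ok
    }
}
```

If the script reports a healthy OS volume and no fixed data volumes while the console still shows Fixed Data Drive as non-compliant, the local encryption state is not the cause of the report.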