question

35820245 asked LuchuanDeng-MSFT commented

Intune compliance error

We are experiencing issues with a number of PCs where Intune is marking them non-compliant due to Secure Boot not being enabled, but it is enabled.

mem-intune-general

Hi @NigelPrattley-0904, hope everything goes well with you.
Have you tried to check the TPM version of the device? Please feel free to let me know if you have any concerns.


1 Answer

LuchuanDeng-MSFT answered LuchuanDeng-MSFT commented

@NigelPrattley-0904 Thanks for posting in our Q&A. From your description, I know the devices that have enabled secure boot are still shown as Not Compliant in Intune.

As far as I know, the “Require Secure Boot to be enabled on the device” setting is supported on TPM 1.2 and 2.0 devices. For devices that don't support TPM 2.0 or later, the policy status in Intune may show as Not Compliant. For our issue, the possible reason is that the TPM version of the devices doesn't meet the requirements of Intune. So we suggest checking whether the TPM version of these devices is supported by Intune. We can find a detailed procedure in this document.
https://docs.microsoft.com/en-us/troubleshoot/mem/intune/secure-boot-enabled-device-shows-not-compliant
Hope it can help.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
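
The local checks discussed in this thread (BIOS mode, Secure Boot state, TPM version) collected in one read-only PowerShell function, for running on an affected device from an elevated session. This is an added example, not part of the original answer or of Microsoft's documentation; the function name, output property names and the summary flag are hypothetical, and it does not read the PCR7 Configuration value, which the thread checks in msinfo32.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): gather local evidence to compare with
# the Secure Boot compliance result shown in Intune. Makes no changes.

function Get-SecureBootComplianceEvidence {
    $evidence = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        Model          = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
        FirmwareType   = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
        SecureBoot     = $null
        TpmPresent     = $false
        TpmReady       = $false
        TpmSpecVersion = $null
    }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws on
    # legacy BIOS, unsupported platforms, or a non-elevated session.
    try {
        $evidence.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $evidence.SecureBoot = "Unavailable: $($_.Exception.Message)"
    }

    # Get-Tpm reports presence and readiness. Win32_Tpm.SpecVersion is a
    # comma-separated string whose first field is the TPM specification
    # version (for example 1.2 or 2.0).
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $evidence.TpmPresent = $tpm.TpmPresent
        $evidence.TpmReady   = $tpm.TpmReady
        $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                  -ClassName Win32_Tpm -ErrorAction Stop
        if ($wmiTpm) {
            $evidence.TpmSpecVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
        }
    } catch {
        $evidence.TpmSpecVersion = "Unavailable: $($_.Exception.Message)"
    }

    # Hypothetical convenience flag: the local state the thread describes
    # (UEFI + Secure Boot on + TPM present). It is not Intune's own evaluation.
    $evidence.LocalStateLooksEnabled = ("$($evidence.FirmwareType)" -eq 'Uefi') -and
        ($evidence.SecureBoot -eq $true) -and $evidence.TpmPresent

    [pscustomobject]$evidence
}

Get-SecureBootComplianceEvidence | Format-List
```

Running it on one affected HP model and one unaffected device gives a side-by-side record of what differs locally before the case is escalated.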



Hi, yes, I have checked. It is TPM 2.0; msinfo32 shows UEFI BIOS mode and Secure Boot State On. All our other machines are fine; it is just this particular model (HP ProDesk 400 G6 Mini PC).


Hi, thanks for the update.
May I know whether you have verified if PCR7 Configuration is Bound in msinfo32?



Hi, no, it is not bound, but none of our other PCs are and they are fine. Is that not for encryption?
