Hello everyone,
I've been trying to apply BitLocker to an Azure AD joined device (Intune enrolled) via a custom profile from Endpoint Manager -> Endpoint security -> Disk encryption.
I couldn't understand very clearly what was stated in this article about the startup password and/or PIN requirements, so this is how I set them in the encryption profile:

The documentation states that startup PIN and password must not be set to "Required", thus I enabled them and set "Allowed" just in case.
The profile rules get applied smoothly (in fact, you can see that the BitLocker policy is deployed successfully):

However, if I run the command "manage-bde -status" in cmd, it can't find the BitLocker version, the encryption percentage is at 0%, and there is no protection whatsoever.
Basically, it looks like the rules (which seem applied correctly from the Endpoint security profile), fail to be applied on the device.
I have tried with another user and the hard drive got encrypted successfully.
My question is: how can I see where the rules get blocked? The encryption report is not helping since it isn't that verbose, and the profile (from the Intune interface) seems to have no problems.
Thank you very much.
Kind regards,
Sim
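A device-side set of checks for the question above (where the policy lands on the device and why encryption stalls), added as an example and not part of the original post. It assumes an elevated PowerShell session on the enrolled Windows 10/11 device; the registry path and event log channel names are the ones I know from such devices and are assumptions, not taken from the post.

```powershell
# Added example (not from the original post): show where an Intune BitLocker
# policy can be seen to land, or fail, on one device. Run elevated.
# Assumptions: BitLocker and TrustedPlatformModule modules are present
# (Windows 10/11) and the device is MDM-enrolled (PolicyManager hive exists).

# 1. What did the device actually receive from the BitLocker CSP?
#    Values here mirror the CSP nodes (e.g. RequireDeviceEncryption,
#    SystemDrivesRequireStartupAuthentication). No key = policy never arrived.
$cspKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
if (Test-Path $cspKey) {
    Get-ItemProperty -Path $cspKey | Format-List
} else {
    Write-Warning "No BitLocker CSP values found under $cspKey"
}

# 2. Can the OS drive satisfy the policy? TPM presence/readiness and the
#    current volume state (status, percentage, which key protectors exist).
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }

# 3. Why did it stop? BitLocker's own management log records policy
#    conflicts, TPM problems and recovery-key escrow failures.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# 4. Did MDM policy processing itself report a problem with BitLocker?
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'BitLocker' -and $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Sections 3 and 4 are where a profile that shows as "applied" in the portal but is refused on the device usually explains itself; comparing section 1 between the working and non-working user's device shows whether the same CSP values even reached both.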