This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 38%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
I have some company devices that are marked as non-compliant. The report shows some are not secure boot enabled, some are not Bitlocker encrypted. But when I check on these computers, all conditions are compliant. And when I look at the report in Devices -> Monitor -> Noncompliant devices, I see that the Management agent column of those computers is in Not Available status. I checked the Microsoft Intune Management Extension services and all the log files in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs but found nothing unusual. I'm looking forward to your support in resolving this issue. Thank you.
Are these newly provisioned or enrolled devices? Intune requires a sync for BitLocker encryption to be captured and in some cases a reboot. Is the sync successful on the machines?
Those devices have been enrolled in Intune for a very long time ago.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 89%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
I have the same problem - devices were enrolled a long time ago, have been rebooted, synced, and otherwise are working fine. Looking forward to a solution to this issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
@hieunm2411 Thanks for your update.
Based on my research, Secure Boot is supported on some TPM 1.2 and 2.0 devices. For devices that don't support TPM 2.0 or later, the policy status in Intune shows as Not Compliant. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
Please follow these steps to confirm:
1.Check the TPM version.
Type tpm.msc in the Run box, and then check the value in Specification Version.
2.Open an elevated command prompt, and run the msinfo32 command.
3.In System Summary, verify that BIOS Mode is UEFI, and PCR7 Configuration is Bound.
For "Encryption of data storage on a device", please try to reboot the devices and then check if the compliance status will be changed.
Hope it will help
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi Xenia,
Thank you for your response, After your reply I checked again and realized that some devices are stuck at 75% encryption and a very strange situation is that the "Secure Boot" option is enabled in BIOS settings but somehow "System Information" still shows as Off.
After your reply I checked again and realized that some devices are stuck at 75% encryption and a very strange situation is that the "Secure Boot" option is enabled in BIOS settings but somehow "System Information" still shows as Off.
@hieunm2411 It seems needed to check some logs on your device to find the root cause. With Q&A limitation, Q&A is not a good channel for such log analysis issue. Given this situation, it is suggested to create an online support ticket to do the troubleshooting. Here is the support link:
https://zcusa.951200.xyz/en-us/mem/get-support
Thanks for your understanding and hope everything goes well with you.
Hi Xenia,
Thank you for being so supportive, I found the solution to this problem.
@hieunm2411 You're welcome. I'm glad to discuss with you. If you have any problem in the future, welcome to post in our Q&A.
@hieunm2411 Thanks for posting in our Q&A.
Based on checking in my environment, the compliant device's management agent also shows "Not Available". So, it seems not related to this reason.
For this issue, could you please show us the screen shot of detailed error under Devices > the target device > Device compliance > the compliance policy shows not compliant in intune portal.
Then we will continue to discuss this issue.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi Xenia,
Thank you for answering my question. For example, we already enabled the Secure Boot option for this device a month ago, but the compliance policy is still not updated.
And another example, we troubleshot the Bitlocker issue for this device a month ago, the Bitlocker key was synced to AzureAD but it still marked this device as non-compliant even though the Bitlocker has completed the encryption process.