Fixing Intune BitLocker Compliance Issues: Step-by-Step Solutions
BitLocker compliance in Intune can sometimes be frustrating. Even when policies are correctly set up, a few devices may stubbornly show “Remediation failed” and remain non-compliant.
If you’re facing this, you’re not alone—many admins have run into the same problem. The good news: there are several proven fixes.
Common Scenario
- Intune compliance policies require BitLocker drive encryption.
- Recovery keys must be uploaded to Microsoft Entra ID.
- Most devices encrypt successfully, but a handful fail with “Remediation failed”, even though the TPM and the Windows Recovery Environment (WinRE) look fine.
Solutions That Work
1. Use the Endpoint Security Disk Encryption Policy
BitLocker is best managed through the Endpoint security disk encryption policy in Intune rather than the older Endpoint protection device configuration template. Keep in mind that the compliance policy only evaluates whether the drive is encrypted; it never starts encryption itself, so a device with no BitLocker configuration policy targeting it will stay non-compliant indefinitely.
- Go to Intune Admin Center → Endpoint security → Disk encryption.
- Create a BitLocker profile there instead of relying on Device Configuration profiles.
- Assign the policy to your target device group, and make sure no legacy Endpoint protection template or custom OMA-URI profile also sets BitLocker settings for the same devices.
This ensures consistency and reduces conflicts with other settings; when two policies set the same BitLocker setting to different values, the device reports a conflict and the setting may not be enforced at all.
2. Restart the Device
It may sound too simple, but a reboot often clears compliance errors. Encryption or key upload processes sometimes hang, and restarting the device forces them to retry.
3. Enable “Allow Standard User Encryption”
Silent encryption runs in the context of the signed-in user. If that user is not a local administrator and this setting is off, encryption never starts and the device sits unencrypted indefinitely. This is common on Autopilot-provisioned devices where users are deliberately kept as standard users.
- In the BitLocker profile, set Allow standard user encryption to Yes.
- This allows regular users (without admin rights) to start encryption.
- Silent encryption also requires that the policy not demand a startup PIN or startup key and that the device has a ready TPM; a policy requiring TPM+PIN cannot encrypt silently, because nobody is prompted to set the PIN.
4. Verify Recovery Key Upload
Encryption alone is not enough: if the recovery password is not escrowed to Entra ID, the device still fails compliance. The BitLocker policy must have the recovery-information settings enabled (save recovery information to Entra ID, and require the backup before enabling BitLocker), and the drive must actually have a recovery password protector.
- Run the following PowerShell command on the device (from an elevated 64-bit PowerShell, since the BitLocker module is not available to the 32-bit host):
(Get-BitLockerVolume -MountPoint "C:").KeyProtector
Check that an entry with KeyProtectorType RecoveryPassword exists. A TpmProtector alone encrypts the drive but gives Entra ID nothing to store.
- Then confirm the key is visible on the device object in Entra ID (Entra admin center → Devices → the device → BitLocker keys). If the protector exists locally but the key is missing in Entra ID, the upload failed; BackupToAAD-BitLockerKeyProtector can re-upload it manually, and step 5 covers scripting this.
5. Use a Remediation Script
For stubborn cases, use a custom remediation script to check encryption status and upload keys if missing.
Example (a detection script; exit code 0 means compliant, exit code 1 means non-compliant and triggers the paired remediation script):
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
# A TPM protector alone encrypts the drive but gives Entra ID nothing to store,
# so look specifically for a RecoveryPassword protector.
$HasRecoveryPassword = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
if ($BitLocker.ProtectionStatus -eq "On" -and $HasRecoveryPassword) {
    Write-Output "Compliant"
    exit 0
} else {
    Write-Output "Non-Compliant"
    exit 1
}
Deploy this as the detection script of a remediation in Intune (Devices → Scripts and remediations; the feature was formerly called Proactive Remediations), paired with a remediation script that adds a recovery password protector where it is missing and uploads it to Entra ID, so non-compliant devices are caught and fixed automatically. Run both scripts as SYSTEM in 64-bit PowerShell.
A detailed walkthrough is available at Mike’s MDM Blog.
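The remediation half of that pair, written here as an added example rather than code from the original page or from Mike's MDM Blog. It automates the manual checks of step 4 (is there a RecoveryPassword protector, and has it reached Entra ID) and acts as the remediation script for the detection script in step 5. It assumes it runs as SYSTEM in 64-bit PowerShell on an Entra joined or hybrid joined device that is online; the mount point, the Case numbering and the log messages are this example's own choices. It deliberately does not start encryption on a decrypted drive, because a script choosing its own protectors would race the Endpoint security policy.

```powershell
# Added example (not from the original page): Intune remediation script for
# the detection script in step 5. Exit 0 = compliant after remediation,
# exit 1 = still non-compliant (Intune reports it as a failed remediation).
# Assumes: SYSTEM context, 64-bit PowerShell (BitLocker module), Entra joined
# or hybrid joined device with network access.

$mountPoint = $env:SystemDrive   # normally "C:"

try {
    $volume = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction Stop
} catch {
    Write-Output "Get-BitLockerVolume failed: $($_.Exception.Message)"
    exit 1
}

# Case 1: not encrypted at all. Leave encryption to the BitLocker policy;
# calling Enable-BitLocker here with our own protector choice would race it.
if ($volume.VolumeStatus -eq 'FullyDecrypted') {
    Write-Output "$mountPoint is FullyDecrypted; encryption is left to policy."
    exit 1
}

# Case 2: encrypted but suspended (ProtectionStatus Off), which compliance
# also flags. Resume it; a firmware update that needed the suspension has
# normally finished by the time the next scheduled remediation runs.
if ($volume.ProtectionStatus -eq 'Off') {
    Write-Output "Protection is suspended; resuming."
    Resume-BitLocker -MountPoint $mountPoint | Out-Null
}

# Case 3: no RecoveryPassword protector, so there is nothing to escrow.
# A TPM protector alone satisfies "encrypted" but not "key in Entra ID".
$recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    Write-Output "No RecoveryPassword protector; adding one."
    Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector | Out-Null
    $volume   = Get-BitLockerVolume -MountPoint $mountPoint
    $recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

# Case 4: escrow every recovery password to Entra ID. Re-uploading a key
# that is already stored is harmless, so this is safe on every run.
$failures = 0
foreach ($protector in $recovery) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mountPoint `
            -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop
        Write-Output "Escrowed $($protector.KeyProtectorId) to Entra ID."
    } catch {
        $failures++
        Write-Output "Escrow of $($protector.KeyProtectorId) failed: $($_.Exception.Message)"
    }
}

# Confirm from the local event log rather than trusting the cmdlet alone:
# event 845 = recovery information backed up to Entra ID, 846 = backup failed.
$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845, 846
} -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $recent) { Write-Output ("{0:u} BitLocker Management event {1}" -f $e.TimeCreated, $e.Id) }

# Final verdict uses the same criteria as the detection script.
$volume = Get-BitLockerVolume -MountPoint $mountPoint
if ($failures -eq 0 -and $volume.ProtectionStatus -eq 'On') {
    Write-Output "Remediated: protection on, $($recovery.Count) recovery password(s) escrowed."
    exit 0
}
Write-Output "Still non-compliant: VolumeStatus=$($volume.VolumeStatus) ProtectionStatus=$($volume.ProtectionStatus) escrow failures=$failures"
exit 1
```

After the script reports exit 0, compliance does not flip immediately: the device has to check in and the compliance policy has to re-evaluate, so trigger a sync from Company Portal or the Intune admin center and allow some minutes before declaring the device still broken. If the log keeps showing event 846, the problem is the device's join state or network path to Entra ID, not BitLocker itself.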
Final Thoughts
BitLocker compliance in Intune usually works smoothly, but a few devices may resist encryption. The key fixes are:
- Use the Endpoint security disk encryption policy for BitLocker.
- Restart affected devices.
- Allow standard user encryption.
- Verify recovery key upload.
- For persistent failures, deploy a remediation script.
With these steps, you’ll resolve most BitLocker compliance headaches and keep your fleet secure.