Intune BitLocker Policy Not Working? You Might Be Testing It Wrong
If your Intune BitLocker policy seems to do nothing after you manually disable encryption, you're not alone, but the policy probably isn't broken. The test method is.
This is a common trap, and a recent r/Intune thread shows exactly how it plays out.
The Setup
A user assigned an Intune BitLocker policy to a laptop that already had BitLocker manually enabled. The recovery key showed up in Entra ID, which looked like a good sign. So they manually disabled BitLocker to test whether Intune would re-enable it.
It didn't. Multiple syncs later, nothing happened. PowerShell confirmed the drive was fully decrypted and protection was off. The device also reported error 0x80070032, "The request is not supported."
Why Intune Didn’t Re-Enable BitLocker
Intune is not a continuous remediation engine for BitLocker. It enforces the policy at enrollment or when the policy is first applied; it does not watch for manual changes on the device and undo them.
When you manually disable BitLocker after a policy has already been applied, Intune has no built-in trigger to restart encryption. The policy is still assigned and still reports "Succeeded" from Intune's perspective, because it already did its job the first time.
Bottom line: manually decrypting a device after policy assignment is not a valid test.
What the 0x80070032 Error Means
This error is the HRESULT form of Win32 error 50, ERROR_NOT_SUPPORTED ("The request is not supported"). It typically appears when BitLocker attempts to run but hits a condition it can't resolve. In this case, the drive was already fully decrypted with no protectors, so there was no valid state for the policy to act on.
To confirm what's actually happening on the drive, run this in an admin Command Prompt:
```text
manage-bde -status
```
This gives you the real encryption state, independent of what Intune reports. If the drive shows Protection Off and Fully Decrypted, Intune won't touch it.
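The same check from PowerShell, as an added example that is not part of the original post: it reads the real volume state, warns when the drive is in the "fully decrypted, protection off" state described above, decodes the last result of the BitLocker MDM policy refresh task back to its Win32 error text, and lists recent BitLocker management events. The scheduled task path and the event log name are assumptions based on a default Windows install; adjust them if your build differs.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Assumptions: task path \Microsoft\Windows\BitLocker\ and the
# "Microsoft-Windows-BitLocker/BitLocker Management" log exist on the device.
#Requires -RunAsAdministrator

$osDrive = $env:SystemDrive   # usually C:

# 1. Actual volume state, independent of what the Intune portal shows
$vol = Get-BitLockerVolume -MountPoint $osDrive
[pscustomobject]@{
    MountPoint        = $vol.MountPoint
    VolumeStatus      = $vol.VolumeStatus       # FullyDecrypted, FullyEncrypted, EncryptionInProgress, ...
    ProtectionStatus  = $vol.ProtectionStatus   # Off or On
    EncryptionPercent = $vol.EncryptionPercentage
    Protectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')
} | Format-List

# 2. The state the article describes: nothing left for the policy to act on
if ($vol.VolumeStatus -eq 'FullyDecrypted' -and $vol.ProtectionStatus -eq 'Off') {
    Write-Warning 'Drive is fully decrypted with protection off; another sync alone will not change this.'
}

# 3. Last run result of the BitLocker MDM policy refresh task (assumed task path)
$task = Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\BitLocker\' `
                              -TaskName 'BitLocker MDM policy Refresh' -ErrorAction SilentlyContinue
if ($task) {
    $hresult = [uint32]$task.LastTaskResult
    # HRESULTs of the form 0x8007xxxx wrap a Win32 error code in the low 16 bits;
    # 0x80070032 decodes to error 50, "The request is not supported".
    $win32   = [int]($hresult -band 0xFFFF)
    $text    = ([System.ComponentModel.Win32Exception]$win32).Message
    'Last result 0x{0:X8} ({1}), last run {2}' -f $hresult, $text, $task.LastRunTime
}

# 4. Recent BitLocker management events (escrow results, policy application errors)
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

Reading the task result on the device is usually faster than waiting for the Intune portal to refresh, and decoding the HRESULT locally avoids guessing at what a bare 0x8007xxxx value means.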
A Note on Recovery Keys in Entra
Seeing the BitLocker recovery key in Entra ID does not mean Intune pushed the encryption. On an Entra-joined device, Windows escrows the recovery password to Entra ID when BitLocker is turned on through the Settings app, and the key can also be backed up by hand with the BackupToAAD-BitLockerKeyProtector cmdlet; neither path needs an Intune policy. It's a good thing, but it's not proof your Intune policy is working end-to-end.
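As an added example (not from the original post), the following script escrows the OS drive's recovery password to Entra ID by hand on an Entra-joined device, which is exactly why a key appearing in the portal says nothing about the Intune policy. The cmdlets are the standard BitLocker module; the event IDs used to confirm the backup (845 success, 846 failure) are an assumption you should verify in your own event log.

```powershell
# Added example (not from the original post). Run elevated on an Entra-joined device.
# Assumption: event IDs 845/846 in the BitLocker Management log mark escrow success/failure.
#Requires -RunAsAdministrator

$osDrive = $env:SystemDrive
$vol     = Get-BitLockerVolume -MountPoint $osDrive

# Only a recovery password protector can be escrowed. A drive enabled with just a
# TPM protector has nothing to back up, so add one first if it is missing.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow each recovery password protector to Entra ID. No Intune configuration
# profile is involved in this call.
foreach ($p in $rp) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId
}

# Confirm from the local event log rather than from the portal (assumed event IDs)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

If the key shows up in Entra after this runs on a device with no BitLocker profile assigned, you have demonstrated the point: escrow and policy enforcement are separate mechanisms.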
How to Test BitLocker Policy Correctly
If you want to verify your policy actually enforces encryption, here’s the right approach:
1. Use a clean device
Start with a freshly imaged or factory-reset machine that has never had BitLocker enabled. Apply your policy and observe from scratch.
2. Make sure the policy is set to “Required”
A common miss — the policy needs to be configured to require encryption, not just configure settings. Check your endpoint protection profile or disk encryption profile in Intune.
3. Give it time
Policy propagation is not instant. Wait 8–24 hours before concluding something is broken. You can also force a sync from the device via: Settings > Accounts > Access work or school > Info > Sync
4. Add a Compliance Policy
Create a compliance policy that checks for BitLocker status. This gives you device-level visibility into which machines are encrypted and which are out of compliance — without relying solely on the configuration profile.
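The four steps above, carried out from the test device, as an added example that is not part of the original post: it verifies the device is a clean, Entra-joined, Intune-enrolled candidate with a ready TPM, kicks the Intune sync and the BitLocker policy refresh instead of waiting for the next interval, and then polls the drive until encryption starts or a timeout passes. The scheduled task names and paths, and the dsregcmd output fields it matches on, are assumptions from a default Windows install.

```powershell
# Added example (not from the original post). Run elevated on the freshly imaged test device.
# Assumptions: dsregcmd prints "AzureAdJoined : YES" and an "MdmUrl :" line when enrolled;
# the enrollment client task is "Schedule #3 created by enrollment client" under
# \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\; the BitLocker refresh task path is
# \Microsoft\Windows\BitLocker\.
#Requires -RunAsAdministrator

$problems = @()

# 1. Clean device, but it still has to be Entra joined and MDM enrolled
$dsreg = dsregcmd /status
if ($dsreg -notmatch 'AzureAdJoined\s*:\s*YES') { $problems += 'Device is not Entra joined' }
if ($dsreg -notmatch 'MdmUrl\s*:\s*\S')         { $problems += 'No MDM URL; device is not Intune enrolled' }

# 2. Silent encryption needs a present, ready TPM
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $problems += 'TPM is not present or not ready' }

# 3. The baseline must be genuinely clean: decrypted and no leftover protectors
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.VolumeStatus -ne 'FullyDecrypted' -or $vol.KeyProtector.Count -gt 0) {
    $problems += "Drive is $($vol.VolumeStatus) with $($vol.KeyProtector.Count) protector(s); not a clean baseline"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; return }

# 4. Trigger the MDM check-in and the BitLocker policy refresh from the device
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' |
    Where-Object TaskName -like 'Schedule #3 created by enrollment client' |
    Start-ScheduledTask
Start-ScheduledTask -TaskPath '\Microsoft\Windows\BitLocker\' -TaskName 'BitLocker MDM policy Refresh'

# 5. Poll for up to 30 minutes; a working "Required" policy normally starts encrypting well inside that
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    '{0}  {1}  {2}%  protection {3}' -f (Get-Date -Format 'HH:mm'), $vol.VolumeStatus,
                                         $vol.EncryptionPercentage, $vol.ProtectionStatus
} until ($vol.VolumeStatus -ne 'FullyDecrypted' -or (Get-Date) -gt $deadline)
```

If the pre-flight passes and the drive is still FullyDecrypted when the loop ends, look at the policy itself (is encryption actually set to Required, and is the profile assigned to a device group that contains this machine?) before blaming the client.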
Intune BitLocker Behavior at a Glance
| Scenario | What Intune Does |
|---|---|
| Fresh device, policy assigned | Enables BitLocker automatically |
| Device already encrypted, policy assigned | Reads and escrows the key to Entra — nothing else |
| User manually decrypts after policy applied | Does not re-encrypt the device |
| Device marked non-compliant via compliance policy | Flags the device — but still no forced re-encryption |
Key Takeaway
Intune’s BitLocker policy is designed to configure and enforce at the point of enrollment, not to repair changes made after the fact. If you want to validate your policy, always test on a clean device. And if you need ongoing enforcement and visibility, a compliance policy paired with Conditional Access is the right tool for that job.
Practice Questions
Ten multiple-choice questions, suitable for a quiz or certification prep:
1. You manually disable BitLocker on a device that already has an Intune BitLocker policy applied. What happens?
- A) Intune re-enables BitLocker within 15 minutes
- B) Intune re-enables BitLocker after the next sync
- C) Intune does nothing — it does not re-encrypt after a manual decryption ✅
- D) Intune removes the policy and flags the device
2. A BitLocker recovery key appears in Entra ID. What does this confirm?
- A) The Intune BitLocker policy applied successfully
- B) The device is Entra-joined and automatically escrowed the key ✅
- C) The device was enrolled via Autopilot
- D) The compliance policy is enforcing encryption
3. What does error 0x80070032 mean in the context of BitLocker?
- A) TPM is not available on the device
- B) The recovery key failed to upload to Entra
- C) The request is not supported — BitLocker cannot act on the current drive state ✅
- D) The Intune policy failed to deploy
4. Which command does the article recommend for checking the actual encryption state of a drive from an admin Command Prompt?
- A) Get-BitLockerVolume
- B) manage-bde -status ✅
- C) bdehdcfg -status
- D) cipher /status
5. What is the difference between a BitLocker configuration policy and a compliance policy in Intune?
- A) They are interchangeable
- B) Configuration policy enforces encryption; compliance policy checks if encryption is on ✅
- C) Compliance policy enforces encryption; configuration policy checks if encryption is on
- D) Both enforce encryption but on different drive types
6. How long should you typically wait before concluding an Intune BitLocker policy has failed to apply?
- A) 5–10 minutes
- B) 1–2 hours
- C) 8–24 hours ✅
- D) 48–72 hours
7. Which setting must be disabled in the Intune policy to enable silent BitLocker encryption without user prompts?
- A) Require startup PIN
- B) Allow Warning For Other Disk Encryption ✅
- C) Require device encryption
- D) Allow standard user encryption
8. Intune’s BitLocker policy should be targeted to which of the following?
- A) User groups
- B) Device groups ✅
- C) Either user or device groups — it makes no difference
- D) Security groups only
9. A device is marked non-compliant because BitLocker is off. What does Intune do automatically?
- A) Re-enables BitLocker immediately
- B) Wipes the device
- C) Flags the device as non-compliant but does not force re-encryption ✅
- D) Disables the user’s Entra account
10. What is the best way to test whether an Intune BitLocker policy enforces encryption correctly?
- A) Disable BitLocker on an existing enrolled device and sync
- B) Check if the recovery key appears in Entra ID
- C) Apply the policy to a freshly imaged or factory-reset device ✅
- D) Run `manage-bde -off` and wait for Intune to re-enable it
