Device Advice

Configure Microsoft Defender Antivirus with Intune

by Janusz · September 28, 2020

Microsoft Defender Antivirus is a component of Microsoft Defender for Endpoint, previously Microsoft Defender Advanced Threat Protection. But Microsoft Defender Antivirus does not require Microsoft Defender for Endpoint.

I personally think those sentences are incredibly confusing, which is part of the reason I’m writing this blog post now. As you may know, Microsoft Defender is built into Windows 10 and provides native antivirus functionality. It doesn’t require a client to be installed or deployed; Defender is entirely built in. But since it is a component of Microsoft Defender for Endpoint (MDfE), if you’re using MDfE you get additional functionality.

Microsoft Defender for Endpoint is Microsoft’s Threat Protection solution that centers around 6 pillars – Threat & Vulnerability Management, Attack Surface Reduction, Next-generation protection, Endpoint detection and response, Automated investigation and remediation, and Microsoft Threat Experts. There’s a lot to unpack here, and it is certainly worth its own blog post. Start on this docs article if you have a few hours. For our purposes here is all you need to know – Microsoft Defender Antivirus is the Next-generation protection pillar. It sends data to Microsoft Defender for Endpoint for antivirus signals, threat analytics, gathering details about blocked malware, and more (which you can read about here). But Microsoft Defender Antivirus can also be used independent of MDfE.

So if you’re looking to use Intune to configure Microsoft Defender Antivirus and you don’t have a license for MDfE, you can absolutely do that. And if you don’t configure Microsoft Defender Antivirus, it is still native to the system and will still be enabled by default. It’s just that if you want advanced analytics and all of the goodies that MDfE has, you need MDfE.

Let’s jump to configuring Microsoft Defender Antivirus. First, open the MEM portal and select Endpoint security > Antivirus > + Create Policy:

Then, select Windows 10 and later and Microsoft Defender Antivirus from the dropdowns.

Notice how it mentions Microsoft Defender ATP in the description. Just to show you that ATP/MDfE really is not required, here’s a screenshot showing that I don’t have licenses for it.

Once you click Create and provide a name for your policy, you’ll see a list of options for configuring Microsoft Defender:

The usual guidance is to configure these settings as dictated by your organization/security team. If you’d like to use my personal configuration as a starting point, the next few screenshots provide each setting grouped by category.

Starting with Cloud protection, I turn this on with the High protection level and an extended timeout of 50 seconds. This provides real-time scanning without impacting client performance (and was previously called “Microsoft Active Protection Service”).

For Exclusions, enter the files to exclude from scanning and real-time protection. Generally these are for other security software or management agents. No need to include any by default.

For Real Time Protection, I basically enable every setting. I don’t enable Scan network files because Microsoft Defender Antivirus running on the file servers provides the same benefit.

For Remediation, I use the following:

For Scan, we’ll actually be affecting the user experience a lot. Beyond what I’ve selected, I would also consider setting your daily and scheduled scans to after work hours for desktops (the settings below are better for laptops, which may be off at night), as well as increasing your CPU usage limit up to 50% if you don’t see any impact.

For Updates, the default of 8 hours or 12 hours is often enough. The other settings can be configured as required, like the exclusion settings.

And then the final settings page, User Experience. I leave this as not configured, but you may want to block users from the Microsoft Defender app if you don’t want them to add their own Exclusions. I have heard of this happening before, so it may be useful to block.

And that’s it! Once you have the policy assigned to your users, they will notice that some settings are managed by your administrator in the Windows Security app.

And hey, even though we don’t have Windows Defender ATP, we still see the Windows Defender AV policy as successfully deployed:

Now you’ve deployed Defender Antivirus in your environment. Happy securing!
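As an added example (not from the original post), the following PowerShell reads the effective Defender Antivirus configuration on a managed client and compares it with the baseline the post describes, which is a quick way to confirm that the Intune policy actually landed. The mapping from the portal settings to Get-MpPreference properties is an assumption made here, not something the post states.

```powershell
# Added example (not from the Device Advice post): check the effective Defender Antivirus
# configuration on a Windows 10 client against the baseline described in the post.
# Assumes an elevated PowerShell session; the property mapping below is an assumption.

# Assumed baseline, taken from the post's description of each settings page.
$baseline = @{
    CloudBlockLevel             = 2       # High (Get-MpPreference encodes High as 2)
    CloudExtendedTimeout        = 50      # extended cloud check timeout, in seconds
    DisableRealtimeMonitoring   = $false  # real-time protection on
    DisableBehaviorMonitoring   = $false
    DisableIOAVProtection       = $false
    DisableScanningNetworkFiles = $true   # the post leaves network file scanning off
    ScanAvgCPULoadFactor        = 50      # the post suggests raising the CPU limit to 50 %
    SignatureUpdateInterval     = 8       # hours between signature update checks
}

function Compare-DefenderBaseline {
    param([hashtable]$Expected)
    $pref = Get-MpPreference
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $pref.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $Expected[$name])
        }
    }
}

# Exclusions: the post recommends none by default, so anything listed here came from
# another policy or, if the app is not locked down, from a user.
function Get-DefenderExclusions {
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
        Extensions = @($pref.ExclusionExtension)
        UILockdown = $pref.UILockdown      # True when users are blocked from the Defender app
    }
}

# Runtime status and the scan schedule the user sees as "managed by your administrator".
function Get-DefenderHealth {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RunningMode        = $status.AMRunningMode          # Normal, Passive Mode, ...
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAge       = (Get-Date) - $status.AntivirusSignatureLastUpdated
        TamperProtected    = $status.IsTamperProtected
        QuickScanTime      = $pref.ScanScheduleQuickScanTime
        ScheduledScanDay   = $pref.ScanScheduleDay           # 0 = every day, 1..7 = Sun..Sat, 8 = never
        ScheduledScanTime  = $pref.ScanScheduleTime
        ScheduledScanType  = $pref.ScanParameters            # 1 = quick scan, 2 = full scan
    }
}

Compare-DefenderBaseline -Expected $baseline | Format-Table -AutoSize
Get-DefenderExclusions | Format-List
Get-DefenderHealth | Format-List
```

A row with Match = False points at a setting the policy did not apply (or that another profile overrides), and a non-empty Paths list on a device where no exclusions were deployed is worth a look.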

24 Responses
Hi, great write-up as I have not seen any detail like yours. I would like to ask, for the assignment. Do you assign to users or devices?

Your last comment: “Once you have the policy assigned to your users…”. So that’s my question: if I create a group, do I throw machines in there or users? Also, I noticed there is an option for “Add all devices” as well. Just wondering what is the best practice or method.

I generally target user groups but it’s mostly a matter of preference. My rationale for user groups is that if I target a user with a policy and they get a new device (can enroll personal/BYOD, for example) I don’t need to worry about adding that new device to a group or policy. I could be using dynamic device groups to get around that, but the evaluation for those groups isn’t instant.

Gotcha, thanks for the explanation. I think I might try out the “Add all devices” for the assignments. Hope that would work the same and I wouldn’t have to worry about missing any machines.

Great guide! I have a question. I followed the guide and if I go to the overview of the Defender policy it gives me no information. And if I go to “Device Status” it shows my test machines but under “Assignment Status” it shows the status as “Pending.” I left it like this overnight but it still shows as pending. I’d appreciate any help. Thanks!

It should be fairly instant as long as the device has an active network connection. If it’s pending for too long, it’s likely worth opening a support ticket with Microsoft.

Can we use a third-party antivirus like Trend Micro Apex One with Microsoft Endpoint Manager (Intune device)? Is there a special setting or exclusions required, because we are facing performance issues. It started after implementing MEM devices; before, everything was working fine. Please reply to my mail id, if possible – [email protected]. Anyone please help, thanks in advance.

Yeah, you can absolutely use a third-party antivirus with a MEM managed device. It might be worth contacting Trend Micro to troubleshoot performance. Or alternatively take a fresh device, enroll it into Intune before installing Trend Micro Apex One, and see what is causing the slowdown.

Thank you for such a detailed post! Would love to see something like this to configure MS Defender for Endpoint! I know it’s a huge monster of policies but MS does not provide structured guidance on this. I had to fish for info all over the place and am still having a hard time understanding what policies fall under what… Can you recommend any resources? Thx!!

Thanks for the feedback! I’ll put that on the to-do list, I think it would make a great post. If you’re still looking for MDfE setup articles I would start with the Tech Community post: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-endpoint-manager-enable-endpoint-protection/ba-p/1801197

Thank you for this great, clear and thorough post. I had been struggling with this topic and all the different terms, but if I’m not mistaken we can put it this way:

  • MDFE / MDATP = whole threat protection solution
  • MD = Antivirus solution that is included in the MDFE solution, but also works standalone if we don’t own a MDFE subscription

Yes, that’s right! But just to be picky, I would specify that MDfE isn’t a WHOLE threat protection solution, it’s an endpoint solution. Microsoft’s 365 E5 license that includes the whole suite of security products (MDfE, Sentinel, Azure Defender, Cloud App Security, Defender for Identity, etc.) is the all up solution. If you want to know how all those pieces fit together then take a look at the Microsoft Cybersecurity Reference Architecture

Hi Janusz, fantastic write-up. I too was unclear on Windows Defender and Microsoft Defender for Endpoint. Just a quick question: is there any way to put our business support contact details somewhere in the Security area?

There is not, as far as I know. Closest I can think of is adding your support contact info in the Intune Company Portal app.

Hi, great sharing! I have a question: after configuring Microsoft Defender Antivirus with Intune, can we see the virus alerts and AV definition version in Intune or somewhere?

Yup, you’ll see it in the MEM console under Reports > Microsoft Defender Antivirus. You can generate a detailed report that has the definition versions and more.

I want to configure a daily quick scan at 11:00 AM every day and a weekly full scan at 12:00 PM every Thursday. But these settings don’t seem to be working as you explained in the scan section of this article.

  • Run daily quick scan at: 11:00 AM
  • Scan type: Full Scan
  • Day of week to run a scheduled scan: Thursday
  • Time of day to run a scheduled scan: 12:00 PM

Might be worth opening a case with Microsoft to investigate what’s going on. It should be possible to configure those scans as per the settings you have.

Have you ever figured out how to do this?

Have you ever had to disable the Defender temporarily to test if it blocks something? If so, do you have an easy way to do so (ex. PS or cmd)?

Great summary. We have the issue that the setting “Check for signature updates before running scan” has the status ERROR on a lot of devices – Error Code -2016281112. Any ideas what could cause this? I was not able to find information on the error code. Thanks

Please add RSS feeds to this. That will help us get the latest posts. Thanks

Sure – I’ve added the link to our RSS feed in the social media icons area. You can access the feed here: https://deviceadvice.io/feed/

[…] our last blog post, Configure Microsoft Defender Antivirus with Intune, we talked about how even though Defender Antivirus is a component of Defender for Endpoint, it […]

[…] Manager provides a ton of functionality for managing Defender Antivirus. In a previous post we dived into configuring Defender Antivirus, so today we’ll be reviewing some of the specifics around Signature updates. Maybe your […]


Troubleshooting BitLocker policies from the client side

This article provides guidance on how to troubleshoot BitLocker encryption on the client side. While the Microsoft Intune encryption report can help you identify and troubleshoot common encryption issues, some status data from the BitLocker configuration service provider (CSP) might not be reported. In these scenarios, you will need to access the device to investigate further.

BitLocker encryption process

The following steps describe the flow of events that should result in a successful encryption of a Windows 10 device that has not been previously encrypted with BitLocker.

  • An administrator configures a BitLocker policy in Intune with the desired settings, and targets a user group or device group.
  • The policy is saved to a tenant in the Intune service.
  • A Windows 10 Mobile Device Management (MDM) client syncs with the Intune service and processes the BitLocker policy settings.
  • The BitLocker MDM policy Refresh scheduled task runs on the device and replicates the BitLocker policy settings to the full volume encryption (FVE) registry key.
  • BitLocker encryption is initiated on the drives.

The encryption report will show encryption status details for each targeted device in Intune. For detailed guidance on how to use this information for troubleshooting, see Troubleshooting BitLocker with the Intune encryption report.

Initiate a manual sync

If you've determined that there is no actionable information in the encryption report, you'll need to gather data from the affected device to complete the investigation.

Once you have access to the device, the first step is to initiate a sync with the Intune service manually before collecting the data. On your Windows device, select Settings > Accounts > Access work or school > <Select your work or school account> > Info. Then under Device sync status, select Sync.

After the sync is complete, continue to the following sections.

Collecting event log data

The following sections explain how to collect data from different logs to help troubleshoot encryption status and policies. Make sure you complete a manual sync before you collect log data.

Mobile device management (MDM) agent event log

The MDM event log is useful to determine if there was an issue processing the Intune policy or applying CSP settings. The OMA DM agent will connect to the Intune service and attempt to process the policies targeted at the user or device. This log will show success and failures processing Intune policies.

Collect or review the following information:

LOG > DeviceManagement-Enterprise-Diagnostics-Provider admin

  • Location: Right-click on Start Menu > Event Viewer > Applications and Service Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
  • File system location: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx

To filter this log, right-click the event log and select Filter Current Log > Critical/Error/Warning. Then search through the filtered logs for BitLocker (press F3 and enter the text).

Errors in BitLocker settings will follow the format of the BitLocker CSP, so you will see entries like this:

./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
./Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation

You can also enable debug logging for this event log using the Event Viewer for troubleshooting.

BitLocker-API management event log

This is the main event log for BitLocker. If the MDM agent processed the policy successfully and there are no errors in the DeviceManagement-Enterprise-Diagnostics-Provider admin event log, this is the next log to investigate.

LOG > BitLocker-API management

  • Location: Right-click on Start Menu > Event Viewer > Applications and Service Logs > Microsoft > Windows > BitLocker-API
  • File system location: C:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx

Usually, errors are logged here if there are hardware or software prerequisites missing that the policy requires such as Trusted Platform Module (TPM) or Windows Recovery Environment (WinRE).

Error: Failed to enable Silent Encryption

As shown in the following example, conflicting policy settings that cannot be implemented during silent encryption and manifest as group policy conflicts are also logged:

Failed to enable Silent Encryption.
Error: BitLocker Encryption cannot be applied to this drive because of conflicting Group Policy settings. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker.

Solution: Configure the compatible TPM startup PIN to Blocked. This will resolve conflicting Group Policy settings when using silent encryption.

You must set the PIN and TPM startup key to Blocked if silent encryption is required. Configuring the TPM startup PIN and startup key to Allowed while the other startup key and PIN settings are set to Blocked will result in a conflicting Group Policy error in the BitLocker-API event log. Also, if you configure the TPM startup PIN or startup key to require user interaction, silent encryption will fail.

Configuring any of the compatible TPM settings to Required will cause silent encryption to fail.

BitLocker OS Drive Settings that shows Compatible TPM startup set to Required.

Error: TPM not available

Another common error in the BitLocker-API log is that the TPM is not available. The following example shows that TPM is a requirement for silent encryption:

Failed to enable Silent Encryption. TPM is not available.
Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer.

Solution: Ensure there is a TPM available on the device and, if it is present, check its status via TPM.msc or the PowerShell cmdlet Get-Tpm.

Error: Un-Allowed DMA capable bus

If the BitLocker-API log displays the following status, it means that Windows has detected an attached Direct memory access (DMA)-capable device that might expose a DMA threat.

Un-Allowed DMA capable bus/device(s) detected

Solution: To remediate this issue, first verify that the device has no external DMA ports with the original equipment manufacturer (OEM). Then follow these steps to add the device to the allowed list. Note: Only add a DMA device to the allowed list if it is an internal DMA interface/bus.

System event log

If you're having hardware-related issues—such as problems with the TPM—errors will appear in the system event log for TPM from the TPMProvisioningService or TPM-WMI source.

LOG > System event

  • Location: Right-click on Start Menu > Event Viewer > Windows Logs > System
  • File system location: C:\Windows\System32\winevt\Logs\System.evtx

Filtering properties for the System event log.

Filter on these event sources to help identify any hardware-related issues that the device may be experiencing with the TPM and check with the OEM manufacturer whether there are any firmware updates available.

Task scheduler operational event log

The task scheduler operational event log is useful for troubleshooting scenarios where the policy has been received from Intune (has been processed in DeviceManagement-Enterprise), but BitLocker encryption has not successfully initiated. BitLocker MDM policy refresh is a scheduled task that should run successfully when the MDM agent syncs with the Intune service.

Enable and run the operational log in the following scenarios:

  • The BitLocker policy appears in the DeviceManagement-Enterprise-Diagnostics-Provider admin event log, in MDM diagnostics, and the registry.
  • There are no errors (the policy has been picked up successfully from Intune).
  • Nothing is logged in the BitLocker-API event log to show that encryption was even attempted.

LOG > Task scheduler operational event

  • Location: Event Viewer > Applications and Service Logs > Microsoft > Windows > TaskScheduler
  • File system location: C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx

Enable and run the operational event log

You must manually enable this event log before logging any data because the log will identify any problems running the BitLocker MDM policy Refresh scheduled task.

To enable this log, right-click on Start Menu > Event Viewer > Applications and Services > Microsoft > Windows > TaskScheduler > Operational.

Screenshot of the TaskScheduler - Operational Logs.

Then enter task scheduler in the Windows search box, and select Task Scheduler > Microsoft > Windows > BitLocker. Right-click on BitLocker MDM policy Refresh and choose Run.

When the run is complete, inspect the Last Run Result column for any error codes and examine the task schedule event log for errors.

Example screenshot of BitLocker tasks in Task Scheduler.

In the example above, a Last Run Result of 0x0 means the task ran successfully. A result of 0x41303 means the task has never previously run.

For more information about Task Scheduler error messages, see Task Scheduler Error and Success Constants.
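As an added example (not from the Microsoft article), the following PowerShell collects the BitLocker-related entries from the four logs walked through above (MDM agent, BitLocker-API, System, Task Scheduler) and runs the BitLocker MDM policy Refresh task the way the last section describes. It assumes an elevated session on the affected device after the manual Intune sync, and a one-day lookback window.

```powershell
# Added example (not from the Microsoft article): gather the BitLocker-related entries from
# the logs the article describes, then run the policy refresh task and read its result.
# Assumes an elevated PowerShell session on the affected Windows 10 device.

$since = (Get-Date).AddDays(-1)   # assumed lookback window; widen it if the sync was older

# 1. MDM agent log: Critical/Error/Warning entries naming a BitLocker CSP node. This is the
#    same view as Filter Current Log > Critical/Error/Warning followed by a search for BitLocker.
function Get-MdmBitLockerErrors {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 1, 2, 3          # 1 = Critical, 2 = Error, 3 = Warning
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MSFT/BitLocker' } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

# 2. BitLocker-API management log: silent-encryption failures, "TPM is not available",
#    un-allowed DMA bus and Group Policy conflicts are all logged here.
function Get-BitLockerApiEvents {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Silent Encryption|TPM|DMA|Group Policy' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# 3. System log: TPM hardware problems from the TPMProvisioningService and TPM-WMI sources.
function Get-TpmSystemEvents {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = '*TPM*'       # wildcard covers both sources the article names
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
}

# 4. Task Scheduler: the Operational log is off by default and must be enabled before the
#    task runs, otherwise the run leaves no trace in the log.
function Invoke-BitLockerPolicyRefresh {
    $taskPath = '\Microsoft\Windows\BitLocker\'
    $taskName = 'BitLocker MDM policy Refresh'
    wevtutil set-log 'Microsoft-Windows-TaskScheduler/Operational' /enabled:true
    Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName
    Start-Sleep -Seconds 15          # assumed wait; the task normally finishes within seconds
    $info = Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName $taskName
    # 0x0 = ran successfully; 0x41303 = the task has never run (values given in the article).
    [pscustomobject]@{
        LastRunTime    = $info.LastRunTime
        LastTaskResult = ('0x{0:X}' -f $info.LastTaskResult)
    }
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$taskName*" } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-MdmBitLockerErrors        | Format-Table -Wrap -AutoSize
Get-BitLockerApiEvents        | Format-Table -Wrap -AutoSize
Get-TpmSystemEvents           | Format-Table -Wrap -AutoSize
Invoke-BitLockerPolicyRefresh | Format-List
```

An empty MDM result with nothing in the BitLocker-API log is the scenario the Task Scheduler section targets: the policy arrived but encryption was never attempted, so the refresh task's result and log entries are what to read next.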

Checking BitLocker settings

The following sections explain the different tools you can use to check your encryption settings and status.

MDM Diagnostics Report

You can create a report of MDM logs to diagnose enrollment or device management issues in Windows 10 devices managed by Intune. The MDM Diagnostic Report contains useful information about an Intune enrolled device and the policies deployed to it.

For a tutorial of this process, see the YouTube video How to create an Intune MDM diagnostic report on Windows devices.

  • File system location: C:\Users\Public\Documents\MDMDiagnostics

OS build and edition

The first step in understanding why your encryption policy is not applying correctly is to check whether the Windows OS version and edition supports the settings you configured. Some CSPs were introduced on specific versions of Windows and will only work on a certain edition. For example, the bulk of BitLocker CSP settings were introduced in Windows 10, version 1703 but these settings weren't supported on Windows 10 Pro until Windows 10, version 1809.

Additionally, there are settings such as AllowStandardUserEncryption (added in version 1809), ConfigureRecoveryPasswordRotation (added in version 1909), RotateRecoveryPasswords (added in version 1909), and Status (added in version 1903).

Investigating with the EntDMID

The EntDMID is a unique device ID for Intune enrollment. In the Microsoft Intune admin center, you can use the EntDMID to search through the All Devices view and identify a specific device. It is also a crucial piece of information for Microsoft support to enable further troubleshooting on the service side if a support case is required.

You can also use the MDM Diagnostic Report to identify whether a policy has been successfully sent to the device with the settings the administrator configured. By using the BitLocker CSP as a reference, you can decipher which settings have been picked up when syncing with the Intune service. You can use the report to determine if the policy is targeting the device and use the BitLocker CSP documentation to identify what settings have been configured.

MSINFO32 is an information tool that contains device data you can use to determine if a device satisfies BitLocker prerequisites. The required prerequisites will depend on BitLocker policy settings and the required outcome. For example, silent encryption for TPM 2.0 requires a TPM and Unified Extensible Firmware Interface (UEFI).

  • Location: In the Search box, enter msinfo32, right-click System Information in the search results, and select Run as administrator.
  • File system location: C:\Windows\System32\Msinfo32.exe

However, if the device doesn't meet the prerequisites shown here, it doesn't necessarily mean that you can't encrypt the device using an Intune policy.

  • If you have configured the BitLocker policy to encrypt silently and the device is using TPM 2.0, it is important to verify that BIOS mode is UEFI. If the TPM is 1.2, then having the BIOS mode in UEFI is not a requirement.
  • Secure boot, DMA protection, and PCR7 configuration are not required for silent encryption but might be highlighted in Device Encryption Support. This is to ensure support for automatic encryption.
  • BitLocker policies that are configured to not require a TPM and have user interaction rather than encrypt silently will also not have prerequisites to check in MSINFO32.

TPM.MSC file

TPM.msc is a Microsoft Management Console (MMC) snap-in file. You can use TPM.msc to determine whether your device has a TPM, to identify the version, and whether it is ready for use.

  • Location: In the Search box, enter tpm.msc, and then right-click and select Run as administrator.
  • File system location: MMC snap-in C:\Windows\System32\mmc.exe

TPM is not a prerequisite for BitLocker but is highly recommended due to the increased security it provides. However, TPM is required for silent and automatic encryption. If you're trying to encrypt silently with Intune and there are TPM errors in the BitLocker-API and system event logs, TPM.msc will help you understand the problem.

The following example shows a healthy TPM 2.0 status. Note the specification version 2.0 in the bottom right and that the status is ready for use.

Example screenshot of a healthy TPM 2.0 status in the Trusted Platform Module console.

This example shows an unhealthy status when the TPM is disabled in the BIOS:

Example screenshot of an unhealthy TPM 2.0 status in the Trusted Platform Module console.

Configuring a policy to require a TPM and expecting BitLocker to encrypt when the TPM is missing or unhealthy is one of the most common issues.

Get-Tpm cmdlet

A cmdlet is a lightweight command in the Windows PowerShell environment. In addition to running TPM.msc, you can verify the TPM using the Get-Tpm cmdlet. You will need to run this cmdlet with administrator rights.

  • Location: In the Search box, enter cmd, right-click and select Run as administrator, then enter powershell followed by get-tpm.

Example screenshot of a present and active TPM in a PowerShell window.

In the example above, you can see that the TPM is present and active in the PowerShell window. The values equal True. If the values were set to False, it would indicate a problem with the TPM. BitLocker will not be able to use the TPM until it is present, ready, enabled, activated, and owned.

Manage-bde command-line tool

Manage-bde is a BitLocker encryption command-line tool included in Windows. It's designed to help with administration after BitLocker is enabled.

  • Location: In the Search box, enter cmd, right-click and select Run as administrator, and then enter manage-bde -status.
  • File system location: C:\Windows\System32\manage-bde.exe

Example screenshot of the manage-bde.exe command in a Command Prompt window.

You can use manage-bde to discover the following information about a device:

  • Is it encrypted? If reporting in the Microsoft Intune admin center indicates a device is not encrypted, this command-line tool can identify the encryption status.
  • Which encryption method has been used? You can compare information from the tool to the encryption method in the policy to make sure they match. For example, if the Intune policy is configured to XTS-AES 256-bit and the device is encrypted using XTS-AES 128-bit, this will result in errors in Microsoft Intune admin center policy reporting.
  • What specific protectors are being used? There are several combinations of protectors. Knowing which protector is used on a device will help you understand if the policy has been applied correctly.

In the following example, the device is not encrypted:

Example screenshot of a device not encrypted with BitLocker.

BitLocker registry locations

This is the first place in the registry to look when you want to decipher the policy settings picked up by Intune:

  • Location: Right-click on Start > Run and then enter regedit to open the Registry Editor.
  • Default file system location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker

The MDM agent registry key will help you identify the Globally Unique Identifier (GUID) in the PolicyManager that contains the actual BitLocker policy settings.

BitLocker registry location in the Registry Editor.

The GUID is highlighted in the above example. You can include the GUID (it will be different for each tenant) in the following registry subkey to troubleshoot BitLocker policy settings:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\<GUID>\default\Device\BitLocker

Screenshot of the Registry Editor displaying the BitLocker policy settings configured by the MDM agent

This registry view shows the BitLocker policy settings that have been picked up by the MDM agent (OMADM client). These are the same settings that you will see in the MDM Diagnostic report, so this is an alternative way of identifying the settings the client has received.

Example of EncryptionMethodByDriveType registry key:

Example of SystemDrivesRecoveryOptions registry key:

BitLocker registry key

The settings in the policy provider registry key will be duplicated into the main BitLocker registry key. You can compare the settings to ensure they match what appears in the policy settings in the user interface (UI), MDM log, MDM diagnostics and the policy registry key.

  • Registry key location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

This is an example of the FVE registry key:

Screenshot of the BitLocker registry keys found in the Registry Editor.

  • A: The encryption method values decode as follows: 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
  • B: UseTPM, UseTPMKey, UseTPMKeyPIN and UseTPMPIN are all set to 2, which means they are all set to allow.
  • C: Notice that most of the keys are divided into groups of settings for the operating system drive (OS), fixed drive (FDV) and removable drive (FDVR).
  • D: OSActiveDirectoryBackup has a value of 1 and is enabled.
  • E: OSHideRecoveryPage is equal to 0 and is not enabled.

Use the BitLocker CSP documentation to decode all of the setting names in the registry.
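The following script is an added example, not code from the original article: it decodes the encryption method that the Intune policy wrote to the FVE registry key (using the value table above) and compares it with the method manage-bde reports for the OS drive, so a policy/device mismatch is visible before it appears as an error in Intune reporting. It assumes the FVE values are named EncryptionMethodWithXtsOs, EncryptionMethodWithXtsFdv and EncryptionMethodWithXtsRdv (the names BitLocker policy uses; the text above does not list them) and that it runs from an elevated PowerShell prompt.

```powershell
# Added example, not from the original page: compare the policy's encryption
# method (FVE registry key) with what manage-bde reports for the OS drive.
# Assumption: the FVE values are named EncryptionMethodWithXtsOs/Fdv/Rdv
# (the names BitLocker policy writes; not listed in the text above).
# Run from an elevated PowerShell prompt.

# Value-to-method table from the registry section above
$MethodNames = @{ 3 = 'AES-CBC 128'; 4 = 'AES-CBC 256'; 6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }

function Get-FvePolicyMethod {
    param([ValidateSet('Os', 'Fdv', 'Rdv')][string]$DriveType = 'Os')
    $fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $name = "EncryptionMethodWithXts$DriveType"
    $item = Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }            # policy never reached the device
    $code = [int]$item.$name
    if ($MethodNames.ContainsKey($code)) { $MethodNames[$code] } else { "Unknown ($code)" }
}

function Get-ManageBdeMethod {
    param([string]$Drive = $env:SystemDrive)
    # manage-bde -status prints a line like "    Encryption Method:    XTS-AES 256"
    # ("None" when the drive is not encrypted)
    $line = (& manage-bde -status $Drive 2>&1) |
            Where-Object { $_ -match 'Encryption Method:' } | Select-Object -First 1
    if (-not $line) { return $null }                 # manage-bde failed or drive not found
    ("$line" -split 'Encryption Method:', 2)[1].Trim()
}

$policy = Get-FvePolicyMethod -DriveType Os
$actual = Get-ManageBdeMethod

if ($null -eq $policy) {
    'No encryption method under HKLM\SOFTWARE\Policies\Microsoft\FVE: the policy has not been picked up. Check targeting and the MDM diagnostic report.'
} elseif ($null -eq $actual) {
    'manage-bde returned no status; run this from an elevated prompt.'
} elseif ($actual -eq 'None') {
    "Policy requires $policy but the OS drive is not encrypted: check the BitLocker-API log for an unmet prerequisite (TPM, WinRE, UEFI)."
} elseif ($actual -ne $policy) {
    "Mismatch: policy requires $policy, the drive is encrypted with $actual. Intune policy reporting will show an error until this is resolved."
} else {
    "OK: OS drive encrypted with $actual, matching the policy."
}
```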

REAgentC.exe command-line tool

REAgentC.exe is a command-line executable tool that you can use to configure the Windows Recovery Environment (Windows RE). WinRE is a prerequisite for enabling BitLocker in certain scenarios such as silent or automatic encryption.

  • Location: Right-click on Start > Run and enter cmd. Then right-click cmd, select Run as administrator, and enter reagentc /info.
  • File system location: C:\Windows\System32\ReAgentC.exe.

If you see error messages in the BitLocker-API log about WinRE not being enabled, run the reagentc /info command on the device to determine the WinRE status.

Output of the ReAgentC.exe command in Command Prompt.

If the WinRE status is disabled, run the reagentc /enable command as an administrator to enable it manually:

Example screenshot of enabling WinRE in Command Prompt with the command reagentc /enable.

When BitLocker fails to enable on a Windows 10 device using an Intune policy, in most cases, the hardware or software prerequisites are not in place. Examining the BitLocker-API log will help you identify which prerequisite is not satisfied. The most common issues are:

  • TPM is not present
  • WinRE is not enabled
  • UEFI BIOS is not enabled for TPM 2.0 devices
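The following script is an added example, not code from the original article: it checks the three prerequisites listed above (TPM state as reported by Get-Tpm, WinRE status from reagentc /info, and UEFI firmware) and names the fix the text gives for each. It assumes the TrustedPlatformModule module, reagentc and the firmware_type environment variable are available, and that it runs from an elevated PowerShell prompt.

```powershell
# Added example, not from the original page: check the BitLocker prerequisites
# the text lists (TPM, WinRE, UEFI). Assumes Get-Tpm, reagentc and the
# firmware_type environment variable are available; run as administrator.

function Test-BitLockerPrerequisites {
    $result = [ordered]@{}

    # 1. TPM: BitLocker needs it present, ready, enabled, activated and owned
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $result.TpmOk = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady -and
                           $tpm.TpmEnabled -and $tpm.TpmActivated -and $tpm.TpmOwned)

    # 2. WinRE: reagentc /info prints "Windows RE status:    Enabled" when on
    $reInfo = & reagentc /info 2>&1
    $result.WinReOk = [bool]($reInfo | Where-Object { $_ -match 'Windows RE status:\s*Enabled' })

    # 3. Firmware: Windows sets firmware_type to UEFI or Legacy at boot
    $result.UefiOk = ($env:firmware_type -eq 'UEFI')

    [pscustomobject]$result
}

$check = Test-BitLockerPrerequisites
$check | Format-List

if (-not $check.TpmOk)   { 'TPM not usable: compare the Get-Tpm values with the BitLocker-API event log.' }
if (-not $check.WinReOk) { 'WinRE disabled: run "reagentc /enable" from an elevated prompt, then retry.' }
if (-not $check.UefiOk)  { 'Legacy BIOS boot: TPM 2.0 devices must boot in UEFI mode before BitLocker can enable.' }
```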

Policy misconfiguration can also cause encryption failures. Not all Windows devices can encrypt silently, so think about the users and devices that you're targeting.

Configuring a startup key or PIN for a policy intended for silent encryption will not work because of the user interaction required when enabling BitLocker. Keep this in mind when configuring the BitLocker policy in Intune.

Verify whether the policy settings have been picked up by the device to determine whether the targeting has been successful.

It is possible to identify the policy settings using MDM diagnostics, registry keys, and the device management enterprise event log to verify if settings were successfully applied. The BitLocker CSP documentation can help you decipher these settings to understand whether they match what has been configured in the policy.
