Intune-managed CoreImage - How to resolve compliance failures in Company Portal


Introduction

An Intune-CoreImage device must pass a few checks before it is marked as compliant.

  1. The Trusted Platform Module (TPM) must be enabled and be version 2.0 or later.
  2. Secure Boot must be enabled.
  3. BitLocker encryption must be active and have encrypted the device's internal storage.
  4. The Windows firewall must be enabled.
  5. Antivirus software must be installed and enabled.
  6. The Windows operating system must be patched.

If one of these is not true, Company Portal will show a warning indicator and list the specific items that need resolution.  For example, in the following screenshot, you can see that the compliance check failed because the Windows operating system is not patched.

Intune-CoreImage devices will be in a "grace period" for up to 24 hours if anything other than the operating system patches check is not compliant.  If one of those other items' checks is still not compliant after 24 hours, the device will be marked as non-compliant and will* be blocked from Michigan Medicine resources.  If only the operating system patch check fails, then the device remains in a "grace period" for up to 7 days.  If the operating system isn't fully patched after those 7 days elapse, then the device will be marked as non-compliant.

*As of Summer 2023, HITS has not implemented any restrictions due to non-compliance.  This will change in the future.

Instructions

Update Windows

  • Make sure all patches are applied (Settings > Update & Security > Windows Update) and reboot the device.  This typically addresses any underlying issues (e.g., TPM, SecureBoot, Firewall, etc.) that may be preventing BitLocker from starting.

  • Proceed to checking BitLocker's status.

Check BitLocker's status

  1. Search for BitLocker in the start menu and open it.
     (Screenshots: Windows 10 / Windows 11)

  2. Note its status.
     (Screenshots: Windows 10 / Windows 11)

  3. If it is encrypting, be patient and wait for it to complete.  Then reboot.

  4. If it is off, submit a ticket for assistance.
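The six compliance items listed in the Introduction, and the BitLocker status the steps above have you read from the GUI, can all be checked locally from an elevated PowerShell prompt before you ask Company Portal to re-check. The script below is an added example and is not part of this article or of HITS' tooling; it uses built-in Windows cmdlets and the Windows Update Agent COM API, but the check names, pass/fail rules, the Security Center `productState` decoding (a common heuristic) and the advice strings are this script's own assumptions, not Intune's actual compliance policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the HITS article): local self-check of the six Intune
# compliance items plus the BitLocker state shown in the BitLocker control panel.
# Pass/fail rules and advice text are assumptions of this script, not Intune's policy.

function New-Result($Check, $Compliant, $Detail) {
    [pscustomobject]@{ Check = $Check; Compliant = [bool]$Compliant; Detail = $Detail }
}

function Test-TpmItem {
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if (-not $tpm -or -not $tpm.TpmPresent) { return New-Result 'TPM' $false 'No TPM present' }
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $wmi  = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
    $spec = [version]((($wmi.SpecVersion -split ',')[0]).Trim())
    New-Result 'TPM' ($tpm.TpmReady -and $spec -ge [version]'2.0') "Ready=$($tpm.TpmReady), spec version $spec"
}

function Test-SecureBootItem {
    try   { $on = Confirm-SecureBootUEFI }                       # throws on legacy BIOS firmware
    catch { return New-Result 'Secure Boot' $false 'Not a UEFI system or query failed' }
    New-Result 'Secure Boot' $on "Enabled=$on"
}

function Test-BitLockerItem {
    # Mirrors steps 2-4 above: fully encrypted = OK, encrypting = wait, off = ticket.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $ok  = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
    $advice = switch ($vol.VolumeStatus) {
        'FullyEncrypted'       { 'OK' }
        'EncryptionInProgress' { "encrypting ($($vol.EncryptionPercentage)%): wait for it to finish, then reboot" }
        default                { 'off: submit a ticket for assistance' }
    }
    New-Result 'BitLocker' $ok "$($vol.VolumeStatus), protection $($vol.ProtectionStatus); $advice"
}

function Test-FirewallItem {
    $off = Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -ne 'True' } |
           Select-Object -ExpandProperty Name
    $detail = if ($off) { "Disabled profiles: $($off -join ', ')" } else { 'All profiles enabled' }
    New-Result 'Firewall' (-not $off) $detail
}

function Test-AntivirusItem {
    # Security Center lists every registered AV product. productState is a bit field; reading
    # its second byte as 0x10/0x11 = "enabled" is a widely used heuristic, not a documented API.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if (-not $products) { return New-Result 'Antivirus' $false 'No AV product registered with Security Center' }
    $enabled = @($products | Where-Object { ('{0:X6}' -f $_.productState).Substring(2, 2) -in '10', '11' })
    $names   = @($enabled | ForEach-Object { $_.displayName }) -join ', '
    New-Result 'Antivirus' ($enabled.Count -gt 0) $(if ($enabled) { "Enabled: $names" } else { 'Registered but not enabled' })
}

function Test-WindowsUpdateItem {
    # Windows Update Agent COM API: online search for applicable, not-yet-installed updates.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    $reboot   = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $ok = ($pending.Count -eq 0) -and (-not $reboot)
    New-Result 'Windows Update' $ok "$($pending.Count) pending update(s); reboot required: $reboot"
}

$results = @(Test-TpmItem; Test-SecureBootItem; Test-BitLockerItem;
             Test-FirewallItem; Test-AntivirusItem; Test-WindowsUpdateItem)
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    "Non-compliant item(s): $(($failed | ForEach-Object { $_.Check }) -join ', '). Fix these, reboot, then run Check Access in Company Portal."
} else {
    'All local checks pass. Run Check Access in Company Portal so Intune records the new state.'
}
```

The Windows Update check contacts the update service and can take a minute; the other five complete immediately. A device that passes every local check can still show as non-compliant in Company Portal until it has checked in, which is what the "Check Access" steps below trigger.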


Once BitLocker is enabled and the Operating System is updated...

Have Company Portal check in with the Intune management system so it learns of the changes.

  1. Reboot and log in.

  2. Open Company Portal from the start menu.

  3. Click on the devices icon in the sidebar menu.


  4. Click THIS DEVICE.


  5. Click Check Access.


  6. The check will present the following message during the scan and communication with the Intune management system.


  7. Once the Intune management system reports that the device has cleared all checks, the red warning message will disappear, and the device status will say that it can access company resources.


  8. If the device remains in a non-compliant state, note the reason and submit a ticket for assistance.