Conditional access (CA) and compliance policy (CP) seems to be failing when enabling secure boot on an older hardware thats runs Windows 10 1607 or later with Embedded Security Trusted Module (TPM 1.2) Security Chip. The device in this test is enrolled with AutoPilot and Windows 10 1803.
Microsoft also writes that this is an know issue, quote:
The Require Secure Boot to be enabled on the device setting is supported on some TPM 1.2 and 2.0 devices. For devices that don’t support TPM 2.0 or later, the policy status in Intune shows as Not Compliant.
This means that if companies have older devices running TPM 1.2 with Windows 10 1607 or later and wants to use CA, to measure if secure boot is enabled before the device can be compliant with the companies IT security policy that ain’t possible.
Let’s take another thing that’s often use the TPM technology, Bitlocker. Bitlocker in this case also fails on older devices with TPM 1.2 chip when trying to be activated with an Intune device configuration policy (End Point protection). Because of Bitlocker not being activated, the compliance policy also report failure on not been able to mark the device compliant as well.
If Bitlocker gets activated on the older device manually or with Powershell, Intune reports back that the device now are in compliant regarding encryption with Bitlocker.
When trying to enable Bitlocker with device policy setting “Bitlocker non-compatible TPM module chip” enabled, Intune still can`t automatic activate Bitlocker and compliance failure still an issue.
So the conclusion and recommendation must be use devices with Windows 10 1809 with TPM 2.0 to get the device running with higher security level and in compliance with the company IT security policies regarding devices.