Why BitLocker Encryption Status Differs Between Cloud Capsule and Your RMM
Learn why BitLocker shows as encrypted in your RMM but non-compliant in Cloud Capsule, including protection suspension, key escrow, cipher mismatch, and CSP failures.
If you notice that a device shows as encrypted in your RMM but reports as non-compliant or unprotected in Cloud Capsule, the two tools are measuring different things. This article explains how Cloud Capsule reads BitLocker status, why discrepancies occur, and what each scenario means for your endpoints.
How Cloud Capsule and RMMs Read Encryption Status
Cloud Capsule retrieves device encryption data from Microsoft Intune, which evaluates BitLocker status through the BitLocker CSP and measures policy conformance. RMM tools typically read the raw volume state directly from WMI (Win32_EncryptableVolume), which reports whether a drive is physically encrypted regardless of how it was configured or managed.
This means both sources can be technically correct while reporting different outcomes. A drive can be fully encrypted at the disk level while still failing Intune's compliance evaluation.
Common Causes of Discrepancies
Protection suspended, not off
A drive can be 100% encrypted (the RMM's conversion status reads "encrypted") while BitLocker protection is temporarily suspended, for example pending a TPM or firmware update or a staged reboot. Intune evaluates whether Protection Status is On; while protection is suspended it reads Off, so Intune reports the device as not protected even though the disk is fully converted.
Recovery key not escrowed to Entra ID
If BitLocker was enabled manually, by the RMM, or by the OEM and the recovery key was never stored in Entra ID, Intune flags the device as not Intune-managed. If your compliance policy requires key escrow, the device will be marked non-compliant even though the volume is genuinely encrypted.
Cipher or scope mismatch with the disk encryption profile
If your BitLocker configuration profile requires XTS-AES 256 and full-disk encryption, but the drive was encrypted with XTS-AES 128 or in used-space-only mode, Intune sees a policy mismatch. The RMM reports a boolean "encrypted = true" while Intune reports "does not match configured policy." The same applies if the profile evaluates fixed data drives and one of those drives is unencrypted.
Reporting lag or CSP failure
Intune encryption status only updates on MDM check-in. The BitLocker CSP or WMI provider can return errors, particularly when a conflicting BitLocker Group Policy Object is still in place or FixedDrivesRecoveryOptions is managed via GPO. In these cases, Intune may show a device as unknown or not encrypted while the local RMM agent reads it correctly in real time.
Summary of Scenarios
| Scenario | RMM Reports | Intune / Cloud Capsule Reports |
|---|---|---|
| Protection suspended | Encrypted | Not protected |
| Key not escrowed to Entra ID | Encrypted | Non-compliant (not Intune-managed) |
| Cipher or scope mismatch | Encrypted | Non-compliant (policy mismatch) |
| CSP failure or GPO conflict | Encrypted | Unknown or not encrypted |
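As an added example (not Cloud Capsule's, Intune's or any RMM's own code), the following PowerShell script reads the same Win32_EncryptableVolume data an RMM reads and flags, per volume, which of the scenarios above could explain an Intune mismatch. The required cipher and full-disk setting are assumed values you set to match your profile, and the used-space-only bit in EncryptionFlags is an assumption taken from the provider documentation.

```powershell
# Added example: reads raw Win32_EncryptableVolume data (the RMM's view) and flags the
# scenarios this article describes. Run in an elevated PowerShell session on the endpoint.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Value maps from the BitLocker WMI provider documentation.
$ConversionName = @{0='FullyDecrypted';1='FullyEncrypted';2='EncryptionInProgress';
                    3='DecryptionInProgress';4='EncryptionPaused';5='DecryptionPaused'}
$CipherName     = @{0='None';1='AES128+Diffuser';2='AES256+Diffuser';3='AES128';4='AES256';
                    5='Hardware';6='XTS-AES128';7='XTS-AES256'}
$VolumeTypeName = @{0='OperatingSystem';1='FixedData';2='Removable'}
$ProtectorName  = @{0='Unknown';1='TPM';2='ExternalKey';3='RecoveryPassword';4='TPM+PIN';
                    5='TPM+StartupKey';6='TPM+PIN+StartupKey';7='PublicKey';8='Passphrase';
                    9='TPMCertificate';10='NGC'}

# Assumed policy expectations: set these to what your Intune disk encryption profile requires.
$RequiredCipher  = 7      # XTS-AES 256
$RequireFullDisk = $true  # $false if the profile allows used-space-only encryption

foreach ($vol in Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume) {
    $conv = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
    $ids  = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                -Arguments @{KeyProtectorType=0}).VolumeKeyProtectorID   # 0 = all protector types
    $protectors = foreach ($id in $ids) {
        $t = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                -Arguments @{VolumeKeyProtectorID=$id}
        $ProtectorName[[int]$t.KeyProtectorType]
    }
    # Assumption: bit 0 of EncryptionFlags marks used-space-only (data-only) encryption.
    $usedSpaceOnly  = ($conv.EncryptionFlags -band 1) -ne 0
    $fullyEncrypted = $conv.ConversionStatus -eq 1
    $protectionOn   = $vol.ProtectionStatus -eq 1

    $issues = @()
    if ($fullyEncrypted -and -not $protectionOn) { $issues += 'Protection suspended or off (Intune: not protected)' }
    if ($fullyEncrypted -and $protectors -notcontains 'RecoveryPassword') {
        $issues += 'No recovery password protector exists, so nothing could have been escrowed to Entra ID' }
    if ($fullyEncrypted -and [int]$vol.EncryptionMethod -ne $RequiredCipher) {
        $issues += "Cipher $($CipherName[[int]$vol.EncryptionMethod]) differs from required $($CipherName[$RequiredCipher])" }
    if ($fullyEncrypted -and $RequireFullDisk -and $usedSpaceOnly) { $issues += 'Used-space-only (profile requires full disk)' }
    if ($vol.VolumeType -eq 1 -and -not $fullyEncrypted) { $issues += 'Fixed data drive not fully encrypted' }

    [pscustomobject]@{
        Drive             = $vol.DriveLetter
        VolumeType        = $VolumeTypeName[[int]$vol.VolumeType]
        RmmView           = "$($ConversionName[[int]$conv.ConversionStatus]) ($($conv.EncryptionPercentage)%)"
        Protection        = if ($protectionOn) { 'On' } else { 'Off/Suspended' }
        Cipher            = $CipherName[[int]$vol.EncryptionMethod]
        Protectors        = $protectors -join ','
        LikelyIntuneIssue = $issues -join '; '
    }
}
```

A RecoveryPassword protector being present only shows a key exists locally; whether it was actually escrowed is visible only in Intune or Entra ID. The reporting-lag scenario cannot be detected from the endpoint alone: force an MDM sync and re-check the Intune status after the next check-in.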
When to Contact Support
If you have reviewed the scenarios above and are still unable to explain the discrepancy for a specific device or tenant, please contact support with the following:
- The name of the affected tenant
- The device name and Intune device ID if available
- What your RMM is reporting versus what Cloud Capsule is showing
- Whether a BitLocker configuration profile or compliance policy is assigned to the device in Intune
Email: support@cloudcapsule.io
In-app: Navigate to Support and open a new ticket.