
Microsoft Intune configuration profile settings producing a constant status state conflict code 0x87d101f8

Luca Brunner 0 Reputation points
2026-06-11T11:04:02.17+00:00

I am managing a pool of enterprise laptops via Intune configuration baselines. The monitoring dashboard indicates that a specific BitLocker encryption policy setting is throwing a status conflict code 0x87d101f8 against an identical endpoint security policy assigned to the same computer group.

How do I resolve it? Any ideas?

Windows for business | Windows 365 Enterprise

2 answers

  1. VPHAN 35,285 Reputation points Independent Advisor
    2026-06-11T11:40:22.9266667+00:00

    Hi Luca Brunner,

    Error 0x87d101f8 is a policy conflict caused by two different Intune profiles attempting to set the same BitLocker configuration, which forces the MDM agent to reject both instructions. To resolve this, you must identify the overlapping policies in the Intune Admin Center and set the redundant one to Not Configured. This clears the contradiction from the local device registry and allows the agent to synchronize the correct, singular policy successfully.

    VPHAN


  2. AI answer

    2026-06-11T11:04:34.0966667+00:00

    The conflict occurs because the same BitLocker setting is configured with different values in two configuration policy types (a security baseline and an endpoint security policy) that target the same devices. Intune treats these as equal-precedence configuration policies, so the setting can’t be resolved automatically and is marked as Conflict with code 0x87d101f8.

    To resolve it:

    1. Identify the exact setting and all source profiles
      1. In Intune, open the Device configuration report for an affected device (Devices > All devices > select device > Device configuration).
      2. Locate the BitLocker setting that shows Conflict or Error.
      3. Select that setting to open Settings details and review:
        • Setting – the BitLocker option name.
        • State – shows Conflict.
        • Source Profiles – lists each baseline/profile (including the endpoint security policy) that configures this setting with a different value.
    2. Drill into each conflicting profile
      1. From Source Profiles, select each profile to open its Overview.
      2. Go to Properties and review the BitLocker configuration in that profile.
      3. Note which profile is intended to be the authoritative source for that BitLocker setting.
    3. Decide which policy type should own the BitLocker setting
      • Best practice is to avoid configuring the same setting in both a security baseline and an endpoint security policy.
      • Choose either:
        • The security baseline as the primary source for that BitLocker setting, or
        • The endpoint security BitLocker policy as the primary source.
    4. Remove or align the duplicate configuration
      Option A – Remove the duplicate setting:
      1. In the profile that should not manage this BitLocker setting (for example, the baseline):
        • Set the conflicting BitLocker setting to Not configured, or
        • Remove that profile assignment from the affected device group if it’s not needed.
      Option B – Align values:
      1. If both policies must remain, edit the conflicting setting in each profile so they use the same value.
      2. Save and re-deploy so Intune no longer sees a value mismatch.
    5. Verify resolution via per-setting status
      1. In Intune, go to Endpoint security > Security baselines > select the baseline > Profiles > select the profile.
      2. Under Monitor, open Per-setting status and confirm the BitLocker setting now shows Succeeded instead of Conflict.
      3. Alternatively, from Devices > All devices > select device > Device configuration, confirm the BitLocker setting status is Succeeded.
    6. Use MDM diagnostics on a device if needed
      If the conflict persists:
      1. On the Windows device, go to Settings > Accounts > Access work or school.
      2. Select the account > Info > Advanced Diagnostic Report > Create report.
      3. Export and open the report, then look for the BitLocker setting in sections like Enrolled configuration sources and target resources to see which policy is winning or causing the conflict.

    Going forward, plan policy architecture so BitLocker is configured by a single policy type per device group (either baseline or endpoint security), and avoid overlapping configurations to prevent recurring 0x87d101f8 conflicts.



    AI-generated content may be incorrect. Read our transparency notes for more information.
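
Added example, not part of either answer above and not Microsoft tooling: the overlap check that steps 1 to 4 of the second answer perform by hand, run over a constructed export of profile settings. The record layout, the profile and group names, and the `conflict`/`duplicate` labels are assumptions of this example; `conflict` follows that answer's description of one setting carrying different values in two profiles.

```python
from collections import defaultdict

# Constructed sample export. Field names, profile names and group names are
# assumptions for this example, not an Intune or Graph schema.
PROFILES = [
    {"profile": "Win11 Security Baseline", "type": "securityBaseline",
     "groups": ["Laptops-EU"],
     "settings": {"RequireDeviceEncryption": "Enabled",
                  "OSDriveEncryptionMethod": "XTS-AES 128"}},
    {"profile": "BitLocker Endpoint Security", "type": "endpointSecurity",
     "groups": ["Laptops-EU", "Laptops-US"],
     "settings": {"RequireDeviceEncryption": "Enabled",
                  "OSDriveEncryptionMethod": "XTS-AES 256"}},
    {"profile": "Kiosk Baseline", "type": "securityBaseline",
     "groups": ["Kiosks"],
     "settings": {"RequireDeviceEncryption": "Enabled"}},
]


def find_overlaps(profiles):
    """List settings that more than one profile delivers to the same group.

    state is "conflict" when the source profiles disagree on the value and
    "duplicate" when they agree (still an overlap worth consolidating).
    """
    sources = defaultdict(list)  # (group, setting) -> [(profile name, value)]
    for p in profiles:
        for group in p["groups"]:
            for setting, value in p["settings"].items():
                sources[(group, setting)].append((p["profile"], value))

    findings = []
    for (group, setting), srcs in sorted(sources.items()):
        if len(srcs) < 2:
            continue  # only one profile owns this setting for this group
        values = sorted({value for _, value in srcs})
        findings.append({
            "group": group,
            "setting": setting,
            "state": "conflict" if len(values) > 1 else "duplicate",
            "source_profiles": sorted(name for name, _ in srcs),
            "values": values,
        })
    return findings


if __name__ == "__main__":
    for f in find_overlaps(PROFILES):
        print(f["state"], f["group"], f["setting"], f["source_profiles"], f["values"])
```

Devices that belong to several groups are not modelled here; the check is per assigned group only.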
