Hi, since encrypting the drive with BL and a PIN as additional protection during Autopilot (Hybrid Azure AD join) is a hassle and not officially doable without custom scripting, can I encrypt the OS drive with BL during Autopilot and somehow force users to enter a PIN as an additional protection measure after they receive a new machine? I am not sure if a GPO applied later with settings regarding the PIN can force users to do something about it (enter a PIN with at least 8 characters), so I would like to do that with Intune if possible. At the moment we deal with this using MECM and an OSD TS (the OS drive is encrypted with the PIN set to the same default value and users later change it), but the plan is to scrap that approach and use Windows Autopilot instead as the Windows 10 deployment technology.