question

BojanZivkovic-7448 asked LucaBugeja-9844 commented

Intune - "force" user to enter PIN for Bitlocker after autopilot

Hi, since encrypting the drive with BL and a PIN as additional protection during Autopilot (Hybrid Azure AD join) is a hassle and not officially doable without custom scripting, can I encrypt the OS drive with BL during Autopilot and somehow force users to enter a PIN as an additional protection measure after they receive the new machine? I am not sure if a GPO applied later with settings regarding the PIN can force users to do something about it (enter a PIN with at least 8 characters), so I would like to do that with Intune if possible. At the moment we deal with this using MECM and an OSD TS (the OS drive is encrypted with the PIN set to the same default value and users later change it), but the plan is to scrap that approach and use Windows Autopilot instead as the Windows 10 deployment technology.

mem-autopilot

Hi @BojanZivkovic-7448 - seeing this, and our organisation has come across the same situation as the one you mentioned - have you been able to find a workaround by any chance?

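The question asks how to verify and enforce that users actually have a TPM+PIN protector with a minimum PIN length after the Autopilot deployment. Below is an added example (not code from the thread or from Microsoft) of an Intune detection script in the Proactive Remediations style: it checks whether the OS drive is BitLocker-protected, whether a TPM+PIN key protector exists, and whether the local BitLocker policy requires a PIN of at least 8 characters, exiting non-zero when any of these is missing so the device shows as needing remediation. It assumes the device has the BitLocker PowerShell module, that the script runs as SYSTEM as Proactive Remediations does, and that the policy value names UseTPMPIN and MinimumPIN under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones the BitLocker CSP and GPO write (those names are my assumption, not stated on the page).

```powershell
# Added example, not from the thread: Intune Proactive Remediations style detection
# script reporting whether the OS drive is BitLocker-encrypted with a TPM+PIN protector
# and whether policy requires a startup PIN of at least $RequiredPinLength characters.
# Assumptions: BitLocker PowerShell module present, runs as SYSTEM, and the policy
# value names below are the ones BitLocker reads (assumed, not taken from the page).

$RequiredPinLength = 8
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-OsDriveBitLockerState {
    $osDrive = $env:SystemDrive   # typically 'C:'
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop
    # A TPM+PIN protector shows up with KeyProtectorType 'TpmPin'
    $tpmPin = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' }
    [pscustomobject]@{
        MountPoint       = $osDrive
        ProtectionStatus = [string]$vol.ProtectionStatus   # 'On' or 'Off'
        VolumeStatus     = [string]$vol.VolumeStatus
        HasTpmPin        = [bool]$tpmPin
    }
}

function Get-PinPolicyState {
    # Missing key or values read as $null, which is treated as non-compliant below
    $props = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseTPMPIN  = $props.UseTPMPIN    # assumed: 1 = startup PIN required with TPM
        MinimumPIN = $props.MinimumPIN   # assumed: minimum PIN length enforced by policy
    }
}

$state  = Get-OsDriveBitLockerState
$policy = Get-PinPolicyState

$issues = @()
if ($state.ProtectionStatus -ne 'On') {
    $issues += "BitLocker protection is '$($state.ProtectionStatus)' on $($state.MountPoint)"
}
if (-not $state.HasTpmPin) {
    $issues += 'No TPM+PIN key protector on the OS drive'
}
if ($policy.UseTPMPIN -ne 1) {
    $issues += 'Policy does not require a TPM startup PIN'
}
if (-not $policy.MinimumPIN -or $policy.MinimumPIN -lt $RequiredPinLength) {
    $issues += "MinimumPIN policy is missing or below $RequiredPinLength"
}

if ($issues.Count -eq 0) {
    Write-Output "Compliant: $($state.MountPoint) protected with TPM+PIN, minimum PIN length $($policy.MinimumPIN)"
    exit 0   # Proactive Remediations: compliant
} else {
    Write-Output ('Non-compliant: ' + ($issues -join '; '))
    exit 1   # Proactive Remediations: run the remediation / flag the device
}
```

Detection is the part that can be fully automated; adding the TpmPin protector itself still needs the user to choose the PIN, which is why the thread notes that the blog's approach requires end-user interaction. A paired remediation script can only prompt the user for that PIN, so the value of this check is in continuously reporting which devices have not yet completed that step.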
LuDaiMSFT-0289 answered

@BojanZivkovic-7448 Thanks for posting in our Q&A.

For this issue, I have done some research. I found that this blog describes a method that enables a PIN for BitLocker with Intune.
https://oliverkieselbach.com/2019/08/02/how-to-enable-pre-boot-bitlocker-startup-pin-on-windows-with-intune/
Note: Non-Microsoft link, just for the reference.
However, it requires interaction from the end user and is not complete in Autopilot.

Given this situation, it is suggested to vote and post our detailed request in Intune UserVoice. This is a place to collect customers' requirements and problems. With your efforts, we are committed to improving our products.
https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/39574585-enable-esp-see-policy-for-bitlocker-tpm-pin-and-in

Also, I will try my best to provide feedback.

Thanks for understanding.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


BojanZivkovic-7448 answered LuDaiMSFT-0289 commented

Since it is not an official MS "workaround", we cannot implement this in production when the time comes, unfortunately, so if this cannot be done "inside Autopilot" I need some "official" way of doing so post-Autopilot. Currently the policy is that all encrypted devices must have a PIN as well.


@BojanZivkovic-7448 Thanks for your reply.

I didn't find any information in our official articles about entering a PIN for BitLocker after Autopilot. Given this situation, it is better to create an online support ticket to double-check whether there is any MS workaround. It is free. Here is the online support link.
https://docs.microsoft.com/en-us/mem/intune/fundamentals/get-support

Hope we will get more effective help.

BojanZivkovic-7448 answered

It does not have to be immediately after Autopilot (if not doable) - if entering a PIN by the end user can be enforced at any time, that would suffice.
