This post will show how you can use Intune to deploy a Device Configuration Profile to an MDM enrolled Windows 10 1703 machine to require a startup PIN for Bitlocker. It will also show the end user experience prompting the user to configure Bitlocker and set a PIN.
In the Intune portal in https://portal.azure.com , select Intune > Device Configuration > Profiles > Create profile
Select Windows 10 and later as the platform, select Endpoint protection for the profile type, then click on Configure.
Under Windows Experience, select Require next to Encrypt Devices.
Select Enable next to Configure encryption methods if you would like to configure the encryption methods.
Select Enable next to Additional authentication at start up.
Compatible TPM startup – Do not allow TPM
Compatible TPM startup PIN – Require startup PIN with TPM
Compatible TPM startup key – Do not allow startup key with TPM
Compatible TPM startup key and PIN – Do not allow startup key and PIN with TPM
You can read more about these startup policies in this GPO “Require additional authentication at startup” description:
If the Additional authentication at startup settings are configured incorrectly, then a user may see “The Group Policy settings for Bitlocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.”
Back to Intune – Configure the Assignments and select a group that will receive the Bitlocker policy
The Windows 10 1703 machine will get a notification saying that the machine needs Bitlocker configured.
The user is prompted to enter a PIN:
After Bitlocker has finished encrypting the drive and the machine is restarted, the user will be prompted to enter a PIN to unlock the drive at startup:
Is there a log to view errors related to intune policies being applied. I have tried this and my test machine is not getting the prompt. I’m not finding any log that might give me a clue as to why.
LikeLike
What version of Windows 10 is it? Is it Pro or Enterprise? you can view the event logs on the device here Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics > Admin
Also check in the Intune portal for the policies for any further info.
LikeLike
Thanks for the reply. That gives me something to go on. I’m working on a Win 10 Pro 1803 device.
LikeLike
Does it work on surface devices ? (book or pro ?) cause i can’t make it works on these devices. No matter what I do, I Always have this error “The Group Policy settings for Bitlocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.”
i have the same settings as you…
i also add the “OSEnablePrebootInputProtectorsOnSlates” with a PowerShell script to the registry…but no luck !
win10 pro 1809, managed by intune (standalone)
LikeLike
Hi Daniel. I haven’t tested it on a Surface. Try this more updated guide from Paul – https://sccmentor.com/2019/01/22/keep-it-simple-with-intune-3-disk-encryption/ . Also Intune recently released support for some Bitlocker settings on Windows 10 Pro. That could be your issue. Make sure that your settings are supported on Pro, the list is here with the supported Win 10 editions – https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10#windows-encryption
LikeLike
Has the workflow for this changed? I’m seeing the user get the prompt about third party encryption, but now when they click the Yes button, it brings up the Device Encryption section of the Modern Settings app instead of launching the bitlocker wizard.
LikeLike