Intune – Require BitLocker PIN for Windows 10 1703

This post shows how to use Intune to deploy a Device Configuration Profile to an MDM-enrolled Windows 10 1703 machine that requires a startup PIN for BitLocker, and what the end user sees when the policy prompts them to configure BitLocker and set a PIN. The point of the PIN is that with a TPM-only protector the TPM releases the volume key to any boot that passes its measurements, so whoever holds the device gets as far as the Windows sign-in screen; requiring a PIN adds something the user knows before the OS volume is unlocked at all.

In the Azure portal (https://portal.azure.com), select Intune > Device Configuration > Profiles > Create profile.


Select Windows 10 and later as the platform, select Endpoint protection for the profile type, then click on Configure.

Under Windows Experience, select Require next to Encrypt Devices.

Select Enable next to Configure encryption methods if you also want to pin the encryption algorithm for the operating system drive (for example XTS-AES 256) rather than leave the device default.

Select Enable next to Additional authentication at startup, then set the four TPM combinations as follows:
Compatible TPM startup – Do not allow TPM
Compatible TPM startup PIN – Require startup PIN with TPM
Compatible TPM startup key – Do not allow startup key with TPM
Compatible TPM startup key and PIN – Do not allow startup key and PIN with TPM

With these values the TPM-only protector is forbidden, so a device cannot end up protected by the TPM alone, and TPM + PIN is the only combination the BitLocker wizard is allowed to create.


These four settings map directly onto the options of the Group Policy setting “Require additional authentication at startup” (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives); its description explains each combination in more detail.

If the Additional authentication at startup settings are configured inconsistently (for example more than one combination set to Require, or every combination set to Do not allow, so that BitLocker has no permitted protector it can create), the user sees “The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.” Keyboard-less devices such as Surface tablets additionally need the slate setting (“Enable use of BitLocker authentication requiring preboot keyboard input on slates”, registry value OSEnablePrebootInputProtectorsOnSlates) before a PIN protector is permitted; see the comments below.

Back in Intune, configure the Assignments and select the group that will receive the BitLocker policy.

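Once the profile is assigned, the useful check is on the device itself: did the four startup-authentication values arrive, are they self-consistent (the “in conflict” case), and did the OS volume actually get a TPM+PIN protector? The following script is an added example, not part of the original post; function names are my own. It assumes that MDM-delivered BitLocker policy is surfaced in the same HKLM\SOFTWARE\Policies\Microsoft\FVE values that the equivalent GPO writes (0 = Do not allow, 1 = Require, 2 = Allow for the four protector settings), and that filtering the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log on “BitLocker” or “Fve” in the message is enough to surface the relevant delivery errors. Run it in an elevated PowerShell session on the enrolled machine.

```powershell
# Added example (not from the original post): verify the Intune BitLocker startup
# policy on a Windows 10 device and check the resulting key protectors.
# Assumption: MDM policy lands in the same FVE policy key that the GPO uses.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    $props = Get-ItemProperty -Path $FvePolicyPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Name) { return $null }   # absent = not configured
    return [int]$props.$Name
}

function Get-StartupAuthPolicy {
    # The four Intune "Compatible TPM ..." settings plus the switches around them.
    [pscustomobject]@{
        UseAdvancedStartup = Get-FvePolicyValue 'UseAdvancedStartup'   # 1 = policy enabled
        EnableBDEWithNoTPM = Get-FvePolicyValue 'EnableBDEWithNoTPM'   # 1 = allow BitLocker without a compatible TPM
        UseTPM             = Get-FvePolicyValue 'UseTPM'               # Compatible TPM startup
        UseTPMPIN          = Get-FvePolicyValue 'UseTPMPIN'            # Compatible TPM startup PIN
        UseTPMKey          = Get-FvePolicyValue 'UseTPMKey'            # Compatible TPM startup key
        UseTPMKeyPIN       = Get-FvePolicyValue 'UseTPMKeyPIN'         # Compatible TPM startup key and PIN
        # Required on keyboard-less devices (Surface and similar) before a PIN protector is allowed.
        OSEnablePrebootInputProtectorsOnSlates = Get-FvePolicyValue 'OSEnablePrebootInputProtectorsOnSlates'
    }
}

function Test-StartupAuthPolicy {
    # Returns a list of findings; an empty list means the policy matches the post's intent.
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.UseAdvancedStartup -ne 1) {
        $findings += 'Additional authentication at startup is not enabled; TPM-only unlock remains possible.'
    }
    $protectors = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
    $values = @{}
    foreach ($p in $protectors) { $values[$p] = $Policy.$p }
    $required = @($protectors | Where-Object { $values[$_] -eq 1 })
    $allowed  = @($protectors | Where-Object { $values[$_] -in 1, 2 })
    # BitLocker reports the settings as "in conflict" when it cannot settle on one permitted combination.
    if ($required.Count -gt 1) {
        $findings += "More than one combination is set to Require: $($required -join ', ')"
    }
    if ($Policy.UseAdvancedStartup -eq 1 -and $allowed.Count -eq 0) {
        $findings += 'Every TPM combination is set to Do not allow; no startup protector can be created.'
    }
    # The configuration the post targets: PIN required, the other three combinations disallowed.
    $pinOnly = ($values.UseTPMPIN -eq 1) -and ($values.UseTPM -eq 0) -and
               ($values.UseTPMKey -eq 0) -and ($values.UseTPMKeyPIN -eq 0)
    if (-not $pinOnly) {
        $findings += 'Policy does not match "Require startup PIN with TPM" with the other combinations set to Do not allow.'
    }
    foreach ($p in $protectors) {
        $v = $values[$p]
        $label = if ($null -eq $v) { 'not configured' } else { $Meaning[$v] }
        Write-Verbose "$p = $label"
    }
    return $findings
}

function Get-OsVolumeProtectorState {
    # What the BitLocker wizard actually produced on the system drive.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted, EncryptionInProgress
        ProtectionStatus = $vol.ProtectionStatus   # On / Off
        EncryptionMethod = $vol.EncryptionMethod
        ProtectorTypes   = @($vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
        HasTpmPin        = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
    }
}

function Get-RecentMdmBitLockerErrors {
    # The event log where Intune policy delivery errors are recorded on the device.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2   # Error
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'BitLocker|Fve' } |      # assumption: message text names the policy
        Select-Object TimeCreated, Id, Message
}

# --- run the checks ---
$policy = Get-StartupAuthPolicy
$policy | Format-List
$findings = Test-StartupAuthPolicy -Policy $policy -Verbose
if ($findings.Count -eq 0) { 'Policy matches the intended TPM+PIN configuration.' } else { $findings }
Get-OsVolumeProtectorState | Format-List
Get-RecentMdmBitLockerErrors | Format-Table -AutoSize
```

The protector check is the one that matters for the security claim: a volume can report ProtectionStatus On with only a Tpm protector, which is exactly the PIN-less state this policy is meant to rule out, so look for TpmPin in ProtectorTypes rather than just at the encryption status.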

Once the policy applies, the Windows 10 1703 machine shows a notification saying that the machine needs BitLocker configured, and the user is taken through the BitLocker setup.


The user is prompted to enter a PIN:


After BitLocker has finished encrypting the drive and the machine is restarted, the user is prompted for the PIN before Windows starts, and the drive stays locked until it is entered:



6 thoughts on “Intune – Require BitLocker PIN for Windows 10 1703”

  1. jasonabeckett

    Is there a log to view errors related to Intune policies being applied? I have tried this and my test machine is not getting the prompt. I’m not finding any log that might give me a clue as to why.

    1. nhogarth Post author

      What version of Windows 10 is it? Is it Pro or Enterprise? You can view the event logs on the device here: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics > Admin.

      Also check in the Intune portal for the policies for any further info.

  2. Daniel C (@DaninouC)

    Does it work on Surface devices (Book or Pro)? Because I can’t make it work on these devices. No matter what I do, I always have this error: “The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.”
    I have the same settings as you…
    I also added the “OSEnablePrebootInputProtectorsOnSlates” value to the registry with a PowerShell script… but no luck!
    Win10 Pro 1809, managed by Intune (standalone)

    1. nhogarth Post author

      Hi Daniel. I haven’t tested it on a Surface. Try this more up-to-date guide from Paul: https://sccmentor.com/2019/01/22/keep-it-simple-with-intune-3-disk-encryption/ . Also, Intune recently released support for some BitLocker settings on Windows 10 Pro; that could be your issue. Make sure that your settings are supported on Pro. The list with the supported Windows 10 editions is here: https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10#windows-encryption

  3. Tyler Reichelt

    Has the workflow for this changed? I’m seeing the user get the prompt about third-party encryption, but now when they click the Yes button, it brings up the Device Encryption section of the modern Settings app instead of launching the BitLocker wizard.

