Tag Archives: windows 10

Intune – Require Bitlocker PIN for Windows 10 1703

This post will show how you can use Intune to deploy a Device Configuration Profile to an MDM enrolled Windows 10 1703 machine to require a startup PIN for Bitlocker. It will also show the end user experience prompting the user to configure Bitlocker and set a PIN.

In the Intune portal in https://portal.azure.com , select Intune > Device Configuration > Profiles > Create profile


Select Windows 10 and later as the platform, select Endpoint protection for the profile type, then click on Configure.

Under Windows Experience, select Require next to Encrypt Devices.

Select Enable next to Configure encryption methods if you would like to configure the encryption methods.

Select Enable next to Additional authentication at start up.
Compatible TPM startup – Do not allow TPM
Compatible TPM startup PIN – Require startup PIN with TPM
Compatible TPM startup key – Do not allow startup key with TPM
Compatible TPM startup key and PIN – Do not allow startup key and PIN with TPM


You can read more about these startup policies in this GPO “Require additional authentication at startup” description:


If the Additional authentication at startup settings are configured incorrectly, then a user may see “The Group Policy settings for Bitlocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.”


Back to Intune – Configure the Assignments and select a group that will receive the Bitlocker policy


The Windows 10 1703 machine will get a notification saying that the machine needs Bitlocker configured.





The user is prompted to enter a PIN:




After Bitlocker has finished encrypting the drive and the machine is restarted, the user will be prompted to enter a PIN to unlock the drive at startup:



Intune – Windows 10 Device Configuration

This post will show how you can set device configurations for MDM enrolled Windows 10 machines in the Intune preview in the Azure portal. This is using Intune standalone and not Intune hybrid. The device configurations I will deploy includes setting a wallpaper on a Windows 10 1703 Enterprise machine, and setting password restrictions. After configuring the Device configuration policy in Intune, it will also show the user experience in Windows 10.

In the Intune blade, select Device Configuration


Select Profiles, then select Create Profile


Type in a Name for the profile, for the Platform select Windows 10 and later, and for Profile type, select Device Restrictions


For this post, I will create password restrictions. I have selected Password as the category and configured some settings on the right hand side.


I will also set the desktop background picture in the Personalization category, by pasting in a URL to where I have uploaded the wallpaper. Note this CSP was only added in Windows 1703, and supported on Enterprise. See https://msdn.microsoft.com/en-gb/windows/hardware/commercialize/customize/mdm/personalization-csp


Now I will click on Assignments to assign the device configuration policy to my Intune group I created in Azure AD.


Select the group and click Save.


Now on my Windows 10 Enterprise 1703 machine I am prompted to change my password


And the custom wallpaper has been set