In this article by Katy Nicholson, the author explores a solution to enable BitLocker with a required PIN during the Autopilot device deployment process. By default, Microsoft's disk encryption system, BitLocker, only supports silent configuration with a TPM (Trusted Platform Module) protector alone. However, the author wanted to enable BitLocker with a PIN required at startup without user intervention. To achieve this, the author proposes a PowerShell script that enables encryption using the device serial number as the initial startup PIN, allowing users to change the PIN later.
The solution requires the creation of two configuration profiles in Microsoft Intune. The first profile, an Endpoint Protection profile, configures BitLocker settings such as requiring a startup PIN and disabling the use of TPM alone. The second profile, a Settings Catalog profile, enables enhanced PINs, allowing the use of letters in the PIN. Additionally, the article mentions the need to ensure that the device has Secure Boot and a BIOS password enabled for protection.
The provided PowerShell script queries the BitLocker status of the operating system volume, and if it is fully decrypted, retrieves the device serial number and uses it as the PIN to enable BitLocker. The script also creates a recovery password key protector and backs up the recovery password to Azure AD. The script needs to be uploaded to the Intune portal as a script file and assigned to the target devices.
After running the script silently during Autopilot, the device will require the uppercase serial number as the unlock PIN. Users can change the PIN themselves through the File Explorer. In case of a forgotten PIN, recovery keys can be accessed in Intune to regain access to the device.
The article concludes by suggesting manual execution of the script in PowerShell if any issues arise and advises checking for conflicts with BitLocker policy settings (GPO or CSP) if problems persist.
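The script described above, together with the policy-conflict check suggested for troubleshooting, as an added illustration written for this summary (it is not Katy Nicholson's script and is not copied from the article). It assumes the OS volume is `C:`, that it runs as SYSTEM in a 64-bit PowerShell host, that the Intune Settings Catalog profile has already allowed enhanced PINs (serial numbers usually contain letters), and that the device is Azure AD joined so the recovery password can be escrowed. The function names and the 6-20 character PIN length guard are this example's own choices:

```powershell
# Added example, not the article's own script. Enables BitLocker on the OS
# volume with a TPM+PIN protector, using the device serial number as the
# initial startup PIN, then escrows a recovery password to Azure AD.
# Assumptions: OS volume is C:, 64-bit PowerShell host running as SYSTEM,
# enhanced PINs already permitted by policy.

$MountPoint = 'C:'

function Get-SerialPin {
    # Serial number from the SMBIOS table. Strip whitespace and upper-case it so
    # it matches what the user will type at the pre-boot prompt (L4 in summary).
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $pin = ($serial -replace '\s', '').ToUpperInvariant()
    # 6 is BitLocker's default minimum PIN length and 20 the maximum. Fail loudly
    # instead of leaving the drive silently unencrypted on an odd serial.
    if ($pin.Length -lt 6 -or $pin.Length -gt 20) {
        throw "Serial number '$pin' is not a valid PIN length (6-20 characters)."
    }
    return $pin
}

function Enable-SerialPinBitLocker {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Output "Volume $MountPoint is '$($vol.VolumeStatus)'; nothing to do."
        return
    }
    $securePin = ConvertTo-SecureString -String (Get-SerialPin) -AsPlainText -Force

    # TPM+PIN protector. -SkipHardwareTest avoids the reboot-and-verify cycle,
    # which would otherwise stall an unattended Autopilot run.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmAndPinProtector -Pin $securePin -SkipHardwareTest | Out-Null

    # Add a recovery password protector and back it up to Azure AD so it shows
    # up under the device in Intune if the user forgets the PIN.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($kp in $recovery) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}

function Show-BitLockerPolicy {
    # GPO and BitLocker CSP settings both land under this key. A value here that
    # contradicts the Intune Endpoint Protection profile (for example UseTPMPIN
    # set to 'not allowed') is the usual cause of Enable-BitLocker refusing a
    # TPM+PIN protector, so dump the relevant values when troubleshooting.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $path)) {
        Write-Output 'No BitLocker policy values present under FVE.'
        return
    }
    Get-ItemProperty -Path $path |
        Select-Object UseAdvancedStartup, UseTPM, UseTPMPIN, UseEnhancedPin, MinimumPIN |
        Format-List
}

Enable-SerialPinBitLocker
Show-BitLockerPolicy
```

When uploading this as an Intune PowerShell script, select "Run script in 64 bit PowerShell Host"; the default 32-bit host cannot load the BitLocker module, which surfaces as "cmdlet not recognized" errors in the IntuneManagementExtension log rather than a BitLocker error. The status check at the top also makes the script safe to re-run manually, as the article suggests, because it exits early once the volume is no longer fully decrypted.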
Read the full article by Katy Nicholson here.