Using InTune for BitLocker enabling TPM+PIN+USB

The_Honkler

2/12/23, 2:43 PM

I am tasked with enabling BitLocker via InTune and I am struggling to understand why the following settings are not taking effect on the endpoint.

In the OS drive settings

Compatible TPM Startup - Blocked
Compatible TPM startup PIN - Blocked
Compatible TPM startup key - Blocked
Compatible TPM startup key and PIN - Required

I have had the solution working for TPM and PIN, but the people I work for want TPM, Key and PIN. When I go to turn on BitLocker in "Manager BitLocker", I am greeted with the dreaded "This PC requires a startup option that isn't supported by BitLocker setup."

Trying to research this error led me to 4sysops.com which says:-

"If you see this one, it is usually caused by having more than one required option for additional authentication for an OS Drive at startup.

You can’t require more than one startup type."

Unless my (il)logic is flawed, then with the settings I set above, this condition should be satisfied.

Anyone have any ideas?

215

0 + 0

bitlocker

microsoft-intune

Score:1

Server

Swisstone

2/12/23, 4:21 PM

This is not supported, take a look at the documentation:

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bitlocker-key-protectors

PIN A user-entered numeric key protector that can only be used in addition to the TPM.

Additionally, the supported authentication methods are listed too:

TPM only
TPM + PIN
TPM + Network key
TPM + startup key
Startup key only

0 + 0

The_Honkler

2/14/23, 10:52 AM

This had crossed my mind, but it begs the question why Microsoft had included it as an option in InTune. I personally think Microsoft need to revise the way BitLocker is configured in InTune. Nonetheless, thanks for your input. :)

Score:0

Server

Greg Askew

2/12/23, 4:25 PM

TPMandPINandStartupKey needs to be configured using the command line. The wizard isn't compatible with that setting.

0 + 0

The_Honkler

2/14/23, 10:47 AM

As it goes, whereas this would be the solution and I had seen this in Group Policy, what my bosses were looking at would not be achievable anyway due to our current usb "tokens" being recognised as smart cards which cannot be currently used in the pre-boot environment. Thanks for your input!

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Using InTune for BitLocker enabling TPM+PIN+USB

TH: การใช้ InTune สำหรับ BitLocker เปิดใช้งาน TPM+PIN+USB

RO: Folosind InTune pentru BitLocker, activând TPM+PIN+USB

RU: Использование InTune для BitLocker с включением TPM+PIN+USB

VI: Sử dụng InTune cho BitLocker bật TPM+PIN+USB

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.