Require additional authentication at startup

Question

Hello Everyone,

I am using Windows Autopilot to enroll devices and have configured a disk encryption policy. Additionally, I have enabled the setting for "Require additional authentication at startup." While the policy deploys successfully, the option to configure a startup PIN during the setup process does not appear.

Could you please assist in identifying why the PIN configuration prompt is not triggered and provide guidance on any additional steps or settings required to enable this functionality?

Thank you in advance for your support.

Answer 1

Hi Ritesh, we'd love to help you! Could you clarify the following so we can better assist you?

• Are you trying to configure Silent Encryption or would like to use PIN or Startup Key?
• Is the device actually getting encrypted? If so, what algorithm is it encrpted with? 
• If the device meets either Modern Standy or HSTI security requirement, it will encrypt automatically. However, this will be encrypted with the default algorithm: XTS-AES 128-bit. For more details around this, refer: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/ and https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption
• You can validate this by running the following command: manage-bde -status and prevent Automatic Encryption by following the steps recommended here: https://techcommunity.microsoft.com/discussions/microsoft-entra/how-to-disable-automatic-bitlocker-implementation-when-using-autopilot-oobe-expe/4179775
• If you're trying to do a Silent Encryption, refer this article for the settings you'd need to configure: https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices

Keep us posted if you need any further help!

Answer 2

@Crystal-MSFT It's not working.

Answer 3

@Ritesh Chaudhary, Thanks for posting in Q&A. For your issue, could you confirm if we configure the settings which silently enable BitLocker. Based as I know, if you're using silent encryption, it will bypass the startup PIN configuration and won't prompt the user to configure the PIN.

https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#required-settings-to-silently-enable-bitlocker

To set the PIN, you can try the script mentioned in Oliver's blog

https://oliverkieselbach.com/2019/08/02/how-to-enable-pre-boot-bitlocker-startup-pin-on-windows-with-intune/

https://oliverkieselbach.com/2022/10/14/post-esp-intune-win32-apps-installations/

Note: Non-Microsoft link, just for the reference.

Hope the above information can help.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.