Report if Bitlocker startup pin is set on workstations

Question

Report if Bitlocker startup pin is set on workstations

jaybird283 621

I am looking for a way to report which workstations do/don't have a bitlocker startup pin set. i would like to be able to pull this information either with configruation manager or intune.

Rahul Jindal [MVP] 10,911 Reputation points MVP

2023-05-07T05:18:20.74+00:00

Should be possible through custom reporting in ConfigMgr, custom compliance in Intune and\or Graph
jaybird283 621 Reputation points

2023-05-07T05:23:39.6+00:00

@Rahul Jindal [MVP] Do you have any info on how this might be accomplished?
Lu Dai-MSFT 28,496 Reputation points

2023-05-08T02:10:55.3+00:00

@jaybird283 Thanks for posting in our Q&A.

For this issue, the encryption report will view details about a device's encryption status.

https://learn.microsoft.com/en-us/mem/intune/protect/encryption-monitor

Hope you can find what you want in this report.
jaybird283 621 Reputation points

2023-05-08T22:13:44.2266667+00:00

@Lu Dai-MSFT I was able to pull an encryption report using the Devices/Monitor/Encryption report. But it doesn't look like it has any information regarding protectors that are enabled. (It won't tell me if a pin is set).

Am i looking at the correct report?
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2023-05-09T05:40:33.0666667+00:00

@jaybird283, For the Encrption report, it only includes the Encrption status and TPM version and etc. It dose not include BitLocker startup PIN. setting

https://learn.microsoft.com/en-us/mem/intune/protect/encryption-monitor

And currently, Intune report does not have the built in report can get the information.

For your request, I have a thought. You can confirm with windows support to see if there's any registry key or PowerShell script can be used to identity if BitLocker start up PIN. If yes, then we can consider use custom compliance policy to mark these devices as non-compliant

https://learn.microsoft.com/en-us/mem/intune/protect/compliance-use-custom-settings

1 answer

Your answer

Rahul Jindal [MVP] 10,911 Reputation points MVP

2023-05-07T05:18:20.74+00:00

Should be possible through custom reporting in ConfigMgr, custom compliance in Intune and\or Graph
jaybird283 621 Reputation points

2023-05-07T05:23:39.6+00:00

@Rahul Jindal [MVP] Do you have any info on how this might be accomplished?
Lu Dai-MSFT 28,496 Reputation points

2023-05-08T02:10:55.3+00:00

@jaybird283 Thanks for posting in our Q&A.

For this issue, the encryption report will view details about a device's encryption status.

https://learn.microsoft.com/en-us/mem/intune/protect/encryption-monitor

Hope you can find what you want in this report.
jaybird283 621 Reputation points

2023-05-08T22:13:44.2266667+00:00

@Lu Dai-MSFT I was able to pull an encryption report using the Devices/Monitor/Encryption report. But it doesn't look like it has any information regarding protectors that are enabled. (It won't tell me if a pin is set).

Am i looking at the correct report?
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2023-05-09T05:40:33.0666667+00:00

@jaybird283, For the Encrption report, it only includes the Encrption status and TPM version and etc. It dose not include BitLocker startup PIN. setting

https://learn.microsoft.com/en-us/mem/intune/protect/encryption-monitor

And currently, Intune report does not have the built in report can get the information.

For your request, I have a thought. You can confirm with windows support to see if there's any registry key or PowerShell script can be used to identity if BitLocker start up PIN. If yes, then we can consider use custom compliance policy to mark these devices as non-compliant

https://learn.microsoft.com/en-us/mem/intune/protect/compliance-use-custom-settings

Answer 1

I ended up using Intune Remedition (formerly proactive remediation) for this. it's actually pretty nice, and lets you filter based on status, and export the report.

I only created a detection script (no remediation script).

Here is the detection script i used.

Credit to this website for the script, (although i didn't end up doing everything on that page).

https://endpointcave.com/enforce-bitlocker-startup-pin-on-windows-with-intune/

$pin = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector  | Where { $_.KeyProtectorType -eq 'TpmPin' }

if (((Get-BitLockerVolume -MountPoint $env:SystemDrive).VolumeStatus) -ne "FullyDecrypted")
    {
    Write-Output "Encryption enabled"
    if ($pin -ne $null)
        {
            Write-Output "TPM Pin set"
            Exit 0
        }
    else
        {
            Write-Output "TPM Pin is not set"
            Exit 1
        }

    }
else
    {
        Write-Output "Encryption not yet started"
        Exit 0
    }

Share via

Report if Bitlocker startup pin is set on workstations

1 answer

Your answer