How to configure/setup "Enable 'Require additional authentication at startup'" on Windows devices via Intune?

Question

How to configure/setup "Enable 'Require additional authentication at startup'" on Windows devices via Intune?

Vinod Survase 4,801

See below screenshots.

User's image

Answer accepted by question author

2 additional answers

Your answer

Answer 1

Crystal-MSFT 54,191 Microsoft External Staff

@Vinod Sur, Thanks for posting in Q&A. For the setting "Require additional authentication at startup'". Based on my researching, it will set

"Configure TPM startup"

"Configure TPM startup PIN"

"Configure TPM startup key"

"Configure TPM startup key and PIN"

User's image

https://www.prajwaldesai.com/enable-bitlocker-encryption-windows-10/

Note: Non-Microsoft link, just for the reference.

For such setting, in Intune, we can configure a similar setting named "Startup authentication required" under Endpoint security disk encryption policy or endpoint protection policy:

User's image

https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#tpm-startup-pin-or-key

Hope the above information can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Vinod Survase 4,801 Reputation points

2023-06-13T11:45:22.8033333+00:00

Thanks @Crystal-MSFT

I will check these links and work on this.
Crystal-MSFT 54,191 Reputation points Microsoft External Staff

2023-06-14T02:11:52.81+00:00

@Vinod Sur, Thanks for the reply. If anything else we can help, feel free to let us know.
Vinod Survase 4,801 Reputation points

2023-06-20T11:48:27.8333333+00:00

Thanks for reply. @Crystal-MSFT

Wanted to know do we need to configure below options as well or not required or keep them as default?
Pavel yannara Mirochnitchenko 13,426 Reputation points MVP

2023-06-20T13:31:09.1833333+00:00

For compatibility, set those to Allowed
Crystal-MSFT 54,191 Reputation points Microsoft External Staff

2023-06-21T02:13:26.23+00:00
@Vinod Survase, Thanks for your reply. These are all settings related to configuring BitLocker to use the Trusted Platform Module (TPM) chip for additional security. Whether you need to set these settings or not depends on your organization's security requirements.

If you want to enable the use of TPM as an additional authentication factor in BitLocker, you need to configure these settings.

Here's what each setting does:

"Configure TPM startup": Allows or requires the use of the TPM chip for startup authentication.

"Configure TPM startup PIN": Allows, requires, or blocks the use of a startup PIN in addition to the TPM chip for authentication.

"Configure TPM startup key": Allows, requires, or blocks the use of a startup key in addition to the TPM chip for authentication.

"Configure TPM startup key and PIN": Allows, requires, or blocks the use of both a startup key and a startup PIN in addition to the TPM chip for authentication.

Please note that these settings are mutually exclusive. If one is required, the others are blocked. If you want them, you can consider set them as allow.
Vinod Survase 4,801 Reputation points

2023-06-22T12:32:57.9566667+00:00

Thanks @Crystal-MSFT I will make this settings.

Answer 2

Pavel yannara Mirochnitchenko 13,426 MVP

You should find these settings under Endpoint Security \ Disk Encryption. If you will not manage this yourself, I could drop you a screenshot tomorrow of my Bitlocker settings which do cover this requirement.

Vinod Survase 4,801 Reputation points

2023-06-13T11:47:07.38+00:00

Thanks @Pavel yannara Mirochnitchenko

Please share the screenshot
Pavel yannara Mirochnitchenko 13,426 Reputation points MVP

2023-06-13T11:53:24.8966667+00:00

@Vinod Survase
Vinod Survase 4,801 Reputation points

2023-06-19T13:39:55.4333333+00:00

Thanks @Pavel yannara Mirochnitchenko
Vinod Survase 4,801 Reputation points

2023-06-23T14:32:48.06+00:00

Hi @Pavel yannara Mirochnitchenko

I have configured same as yours but I am getting this error message. When I don't select any option in last this option it gets saved

And when selected it does not get save and throwing this below error.
Pavel yannara Mirochnitchenko 13,426 Reputation points MVP

2023-06-23T17:52:46.95+00:00

Try to save it in parts, configure smaller amount of settings at once.
Vinod Survase 4,801 Reputation points

2023-06-26T09:59:48.7033333+00:00

Hi @Pavel yannara Mirochnitchenko

I made these settings and saved it but its not working at all. Do I need to restart shutdown the device and this setting should kick in? or when this settings takes place?
Pavel yannara Mirochnitchenko 13,426 Reputation points MVP

2023-06-26T10:15:25.4233333+00:00

You need to go through Bitlocker-API node in Event Viewer, those logs will show you what is really happening. Also it is not bad idea to create new Bitlocker policies from scratch. Editing policies might break things.
Vinod Survase 4,801 Reputation points

2023-06-28T11:19:15.2733333+00:00

Hi @Pavel yannara Mirochnitchenko

I have created brand new policy from Endpoint security but it was giving me above error and it did not pick or work yet.

Can you suggest me more on this? How to resolve or make it to work as expected.

Answer 3

Pavel yannara Mirochnitchenko 13,426 MVP

Bitlocker-API is the key element here for troubleshoting (in Event Viewer). I suggest you open new thread because you already accepted the answer here. You can tag me in there then.

Vinod Survase 4,801 Reputation points

2023-06-30T10:32:31.68+00:00

Hi @Pavel yannara Mirochnitchenko

Sure I will create new question and add you there.

Share via

How to configure/setup "Enable 'Require additional authentication at startup'" on Windows devices via Intune?

2 additional answers

Your answer