How to set the compliance policy to require TPM and PIN for BitLocker?

Sage Mirror 220 Reputation points
2023-10-27T12:54:42.1433333+00:00

Hi,

I have configured a compliance policy to require "4" for the KeyProtectorType, because based on this doc ("GetKeyProtectorType" https://learn.microsoft.com/en-us/windows/win32/secprov/getkeyprotectortype-win32-encryptablevolume), a computer with the TPM and PIN should have this value.

My computer has the PIN set: when I use manage-bde -status, I get:

    Key Protectors:
        Numerical Password
        TPM And PIN

However, my computer is marked as not compliant with the value "3" on KeyProtectorType.

Two questions:

  • What is Numerical Password?
  • (if I need Numerical Password as well) How can I get Intune to see that I have both to make it compliant?
  • (if I don't need Numerical Password) How can I get Intune to see that I have the TPM and PIN enabled?

Thank you.


Accepted answer
    Nick Eckermann 591 Reputation points
    2023-10-27T20:27:13.1733333+00:00

    I think you are talking about a custom compliance policy you have built.

    https://learn.microsoft.com/en-us/mem/intune/protect/compliance-custom-script

    You can try something like this for checking for the PIN.

    CustomCompliance.ps1

    # Get-BitlockerTPMPinStatus Function
    function Get-BitlockerTPMPinStatus() {

        try {
            # Collect every key protector type on the OS volume once; a volume
            # can carry several protectors side by side (e.g. RecoveryPassword
            # and TpmPin), so test membership rather than a single value.
            $types = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.KeyProtectorType

            if ($types -contains 'TpmPin') {
                Write-Output -InputObject "TPMPINSET"
            }
            else {
                Write-Output -InputObject "TPMPINNOTSET"
            }
        }
        catch {
            # Get-BitLockerVolume itself failed (module missing, WMI error, ...):
            # report the error text instead of an unrelated $LASTEXITCODE.
            Write-Output -InputObject "ERROR: $($_.Exception.Message)"
        }

    }

    # Return Bitlocker TPM Pin status to Intune in JSON format
    $BitlockerPinStatus = Get-BitlockerTPMPinStatus
    $hash = @{BitlockerTPMPinStatus = $BitlockerPinStatus}
    return $hash | ConvertTo-Json -Compress


    CustomCompliance.json

    {
    "Rules":[ 
        { 
           "SettingName":"BitlockerTPMPinStatus",
           "Operator":"IsEquals",
           "DataType":"String",
           "Operand":"TPMPINSET",
           "MoreInfoUrl":"https://PlaceholderForKB.com",
           "RemediationStrings":[ 
              { 
                 "Language":"en_US",
                 "Title":"Bitlocker startup pin is required.",
                 "Description": "Bitlocker startup pin is required."
              }
           ]
        }
    ]
    }
    

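The following is an added example written for this page; it is not part of Nick Eckermann's answer or of Microsoft's sample scripts. It addresses the "3" in the question: a BitLocker volume can hold several key protectors at once, and the "Numerical Password" listed by manage-bde is the 48-digit recovery password, which the linked GetKeyProtectorType table encodes as 3 while "TPM And PIN" is 4. Anything that reports a single KeyProtectorType value can only return one of them (here the recovery password, which comes first), so the check has to look at the whole set. The script below walks every protector on the OS volume through the Win32_EncryptableVolume class that the question's link documents, then emits the JSON an Intune custom compliance discovery script must return. The numeric codes are copied from that doc; the setting names (BitlockerTpmPinPresent, RecoveryPasswordPresent, KeyProtectorTypes) are names chosen for this example, and the helper Get-OsVolumeKeyProtectorTypes is not a built-in cmdlet.

```powershell
# Added example: enumerate all BitLocker key protectors on the OS volume via
# Win32_EncryptableVolume and report them in Intune custom-compliance JSON.
# Setting names and the helper function below are this example's own.

# KeyProtectorType codes as documented for Win32_EncryptableVolume.GetKeyProtectorType.
$KeyProtectorNames = @{
    0  = 'Unknown'
    1  = 'TPM'
    2  = 'External key'
    3  = 'Numerical password (48-digit recovery password)'
    4  = 'TPM And PIN'
    5  = 'TPM And Startup Key'
    6  = 'TPM And PIN And Startup Key'
    7  = 'Public Key'
    8  = 'Passphrase'
    9  = 'TPM Certificate'
    10 = 'CryptoAPI Next Generation (CNG) protector'
}

function Get-OsVolumeKeyProtectorTypes {
    # Win32_EncryptableVolume lives in this namespace. Intune runs discovery
    # scripts as SYSTEM, which has the rights to query it.
    $volume = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                              -ClassName 'Win32_EncryptableVolume' |
              Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    if (-not $volume) {
        throw "No Win32_EncryptableVolume instance found for $env:SystemDrive"
    }

    # KeyProtectorType 0 asks for the IDs of all key protectors on the volume.
    $result = Invoke-CimMethod -InputObject $volume -MethodName 'GetKeyProtectors' `
                               -Arguments @{ KeyProtectorType = [uint32]0 }
    if ($result.ReturnValue -ne 0) {
        throw ("GetKeyProtectors failed with 0x{0:X8}" -f $result.ReturnValue)
    }

    # One GetKeyProtectorType call per protector ID: this is where a
    # single-valued check would stop after the first (recovery password, 3).
    foreach ($id in @($result.VolumeKeyProtectorID)) {
        $typeResult = Invoke-CimMethod -InputObject $volume -MethodName 'GetKeyProtectorType' `
                                       -Arguments @{ VolumeKeyProtectorID = $id }
        if ($typeResult.ReturnValue -ne 0) {
            throw ("GetKeyProtectorType failed for $id with 0x{0:X8}" -f $typeResult.ReturnValue)
        }
        [int]$typeResult.KeyProtectorType
    }
}

try {
    $types = @(Get-OsVolumeKeyProtectorTypes)
    $report = @{
        # True when a TPM+PIN (4) or TPM+PIN+startup key (6) protector exists,
        # regardless of where it sits in the list.
        BitlockerTpmPinPresent  = [bool]($types | Where-Object { $_ -in 4, 6 })
        # True when a recovery password (3) exists; useful if the policy should
        # also insist that a recovery path is escrowed.
        RecoveryPasswordPresent = [bool]($types | Where-Object { $_ -eq 3 })
        # Human-readable list of every protector, e.g. "Numerical password ...; TPM And PIN".
        KeyProtectorTypes       = ($types | Sort-Object | ForEach-Object { $KeyProtectorNames[$_] }) -join '; '
    }
}
catch {
    # Report failure explicitly; a missing value would otherwise read as "not compliant"
    # with no explanation in the Intune portal.
    $report = @{
        BitlockerTpmPinPresent  = $false
        RecoveryPasswordPresent = $false
        KeyProtectorTypes       = "ERROR: $($_.Exception.Message)"
    }
}

# The JSON object must be the script's only output.
$report | ConvertTo-Json -Compress

# Matching rule for the custom compliance JSON file (Boolean operand, unquoted):
# {"Rules":[{"SettingName":"BitlockerTpmPinPresent","Operator":"IsEquals",
#            "DataType":"Boolean","Operand":true,
#            "MoreInfoUrl":"https://PlaceholderForKB.com",
#            "RemediationStrings":[{"Language":"en_US",
#              "Title":"BitLocker TPM and PIN required.",
#              "Description":"Add a startup PIN to the OS drive."}]}]}
```

Pair the script with a rule on BitlockerTpmPinPresent using DataType Boolean and Operand true, as sketched in the trailing comment; add a second rule on RecoveryPasswordPresent only if the policy is meant to require the recovery password as well, since the PIN check itself does not depend on it.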