
Unable to Enforce BitLocker Pre-Boot PIN via Intune on Windows 11 Pro (Azure AD Joined)

StackAble 0 Reputation points
2025-07-23T07:36:02.4433333+00:00

Hello,

I'm managing a fleet of Windows 11 Pro devices that are Azure AD joined and fully managed via Microsoft Intune under a Microsoft 365 Business Premium tenant. My goal is to enforce BitLocker encryption on the OS drive with TPM + pre-boot PIN authentication using Intune's Disk Encryption policy.

Here’s what I’ve done so far:

  • Devices are confirmed as Azure AD joined and show as compliant in Intune.
  • BitLocker policy is configured to require TPM + PIN with a minimum 8-character PIN.
  • No on-prem AD or local Group Policy is in use—Intune is the only policy source.
  • Despite correct policy settings, the devices do not prompt for a pre-boot PIN, and BitLocker either does not enable or enables without the required authentication method.

Questions:

  1. Does Windows 11 Pro support enforcing TPM + PIN via Intune alone, or is Windows 11 Enterprise required for this functionality?
  2. Is there an official Microsoft document that outlines this limitation?
  3. Are there any workarounds or best practices for enforcing pre-boot PIN on Pro devices via Intune?

Any guidance or documentation links would be greatly appreciated!

Thanks in advance.

Microsoft Security | Intune | Configuration

1 answer

  1. Prathista Ilango 830 Reputation points Microsoft Employee
    2026-02-26T10:29:05.58+00:00

    Hello @StackAble ,

    Sorry that you ran into this issue. Checking to see if you are still facing this. If yes, check the device encryption status or the encryption status on the device itself to figure out what is happening. Also, a point to note, if you are trying silent encryption, TPM+PIN should not be set.

    For troubleshooting, refer to: https://learn.microsoft.com/en-us/intune/intune-service/protect/encryption-monitor

    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-protection/troubleshoot-bitlocker-policies

    For more details on silent encryption, refer to: https://learn.microsoft.com/en-us/intune/intune-service/protect/encrypt-devices#tpm-startup-authentication-for-silent-encryption

    Hope this helps!

    If you found the information above helpful, please Click Yes. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.

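One way to do the device-side check the answer recommends, as an added example that is not part of the question or the answer: it reads the BitLocker policy values the device actually received, confirms the TPM is usable, and lists which key protectors exist on the OS volume, so you can tell "policy never arrived" apart from "TPM-only protector was created instead of TPM+PIN". The registry path is the standard BitLocker policy location that MDM- and GPO-backed settings are written to; reading it and the meaning given to each value are assumptions noted in the comments.

```powershell
# Added example (not from the original post): compare delivered BitLocker policy with
# the real state of the OS volume. Run in an elevated PowerShell on the affected device.
#Requires -RunAsAdministrator

# 1. Policy as delivered to the device. This is the standard BitLocker policy key that
#    MDM-/GPO-backed settings land in; value meanings below follow the usual
#    "Require additional authentication at startup" semantics (assumption, verify locally).
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = if (Test-Path $fve) { Get-ItemProperty -Path $fve } else { $null }
[pscustomobject]@{
    PolicyKeyPresent   = [bool]$policy
    UseAdvancedStartup = $policy.UseAdvancedStartup   # 1 = additional startup auth configured
    UseTPMPIN          = $policy.UseTPMPIN            # 1 = TPM+PIN required, 2 = allowed, 0 = not allowed
    UseTPM             = $policy.UseTPM               # 1 = TPM-only required (would defeat a PIN requirement)
    MinimumPIN         = $policy.MinimumPIN
} | Format-List

# 2. A TPM+PIN protector needs a present and ready TPM.
Get-Tpm | Select-Object TpmPresent, TpmReady | Format-List

# 3. Volume state and the protectors that actually exist.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$os | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage | Format-List
$types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
"Key protectors on $($os.MountPoint): $($types -join ', ')"

if ($types -contains 'TpmPin') {
    'OK: TPM+PIN protector present; the pre-boot PIN prompt is expected.'
} elseif ($types -contains 'Tpm') {
    'TPM-only protector: the PIN requirement was not applied. Silent encryption and TPM+PIN conflict; a PIN must be set interactively.'
} else {
    'No TPM-based protector: policy-driven encryption did not run, or it is still pending.'
}

# 4. Recent BitLocker management events record why enforcement failed on the device.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
```

If the policy key is missing or UseTPMPIN is not 1, the problem is delivery (enrollment, targeting, conflicting settings) rather than the edition; if the policy is present but only a Tpm protector exists, the device encrypted silently before a PIN could be set.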
