Why doesn’t Intune support forcing BitLocker PIN after deployment like MBAM did?
Belan Marek
Hello,
We used MBAM for years because it had a unique feature: it could enforce TPM+PIN after a certain time or immediately after deployment. This was critical for our security policy.
Now that MBAM is deprecated and we are moving to Intune/ConfigMgr BitLocker Management, we noticed that Intune cannot force users to set a BitLocker PIN interactively after OS installation. The only options are:
- Require TPM+PIN from the start (static policy).
- No built-in mechanism to prompt the user later or enforce PIN rotation.
Questions:
- Why doesn’t Intune have this functionality? Is there a roadmap for adding it?
- What is the recommended way to achieve similar behavior now?
- GPO can require TPM+PIN, but it doesn’t prompt the user.
- We can script it with Add-BitLockerKeyProtector -TpmAndPinProtector, but that feels like a workaround.
Has anyone implemented a clean solution for this in an Intune-managed environment? Any official guidance from Microsoft on replacing MBAM’s PIN enforcement feature?
Thanks!
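The scripted route the question mentions, written out as an added example (this is not the poster's code and not Microsoft guidance). It assumes an elevated, interactive session on the device so the PIN can be collected with Read-Host; in an Intune deployment the same two functions would be split into a detection script and a remediation script, with the PIN prompt shown in the user's context. The recovery-key escrow step uses the built-in BackupToAAD-BitLockerKeyProtector cmdlet and assumes a Microsoft Entra-joined device; if the cmdlet is unavailable that step is skipped.

```powershell
# Added example: enforce TPM+PIN on the OS volume after deployment with the
# built-in BitLocker cmdlets. Assumes an elevated, interactive session.

$OsVolume = $env:SystemDrive

function Test-TpmPinProtector {
    # Detection: $true when the OS volume already carries a TpmPin protector.
    $vol = Get-BitLockerVolume -MountPoint $OsVolume
    return [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
}

function Set-TpmPinProtector {
    param([Parameter(Mandatory)][securestring]$Pin)

    $vol = Get-BitLockerVolume -MountPoint $OsVolume

    # Never touch the TPM protector on a volume that is not encrypted or that has
    # no recovery password: a failed protector change without a recovery key
    # can leave the disk unrecoverable.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        throw "BitLocker is not enabled on $OsVolume"
    }
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        throw "No RecoveryPassword protector on $OsVolume; create and escrow one first"
    }

    # Escrow the recovery password before changing protectors.
    # Assumption: device is Entra-joined; the cmdlet exists on Windows 10 1511 and later.
    if (Get-Command BackupToAAD-BitLockerKeyProtector -ErrorAction SilentlyContinue) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $OsVolume `
            -KeyProtectorId $recovery[0].KeyProtectorId | Out-Null
    }

    # The step the original post refers to: add the TPM+PIN protector.
    # The PIN must satisfy the minimum-length policy in force on the device.
    Add-BitLockerKeyProtector -MountPoint $OsVolume -TpmAndPinProtector -Pin $Pin | Out-Null

    # Defensive check: a leftover TPM-only protector would still let the disk
    # unlock unattended, which defeats the point of requiring a PIN. Remove any
    # that remain rather than assuming Windows replaced it.
    Get-BitLockerVolume -MountPoint $OsVolume |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    if (-not (Test-TpmPinProtector)) {
        throw "TpmPin protector was not added to $OsVolume"
    }
}

# Usage: prompt only when no PIN protector exists yet.
if (-not (Test-TpmPinProtector)) {
    $pin = Read-Host -AsSecureString -Prompt 'Enter a new BitLocker startup PIN'
    Set-TpmPinProtector -Pin $pin
}
```

Two things to verify on the target before relying on this: the minimum startup PIN length and whether enhanced (non-numeric) PINs are allowed are both governed by BitLocker policy, and Add-BitLockerKeyProtector fails if the supplied PIN does not meet them; and because the cmdlets require administrator rights while the prompt must reach the logged-on user, an Intune rollout needs a way to show UI from the elevated context rather than a single script run as SYSTEM.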
Microsoft Security | Intune | Configuration