This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 94%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
I am looking for information on the recommended method of deploying Bitlocker TPM and PIN (the pin is the focus here), to workstations, using MEM, and prompting a user to enter a pin.
I have read through the entire internet twice now, and can't seem to find any information about how to do this (besides using some script some guy wrote a few years ago).
Does Microsoft have a official response on how to deploy Bitlocker in TPM and Pin Mode using MEM/Intune?
@jaybird283 Thanks for posting in our Q&A.
Honestly, I have done a lot of research and I didn't find that there is any official article.
The following link may describe more details, but it still needs scripts.
https://oliverkieselbach.com/2019/08/02/how-to-enable-pre-boot-bitlocker-startup-pin-on-windows-with-intune/
Note: Non-Microsoft link, just for the reference.
If you want to have a Microsoft official article about it, it is suggested to post in intune feedback portal. It is a place to collect customers' requirements and problems. Here is the link:
https://feedbackportal.microsoft.com/feedback/forum/ef1d6d38-fd1b-ec11-b6e7-0022481f8472
Thanks for your understanding.
@Lu Dai-MSFT Thank you for your response. Its unfortunate that Microsoft doesn't publish any publicly available information for customers that require a pin. I do appreciate your honesty and that you took the time to respond here though.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
The startup PIN is for protection, it should not be guessable. If you allow users to set it, it will be set to their date of birth, which is guessable.
So instead, use my script to set a randomized PIN.
https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
There is no official way to do this, if you follow the Microsoft documentation then it requires a user to set the PIN themselves, and they require local admin to do it. Best way is to use Oliver's link posted above or https://www.nicklasahlberg.se/2021/11/16/bitlocker-startup-pin-the-modern-way/ , so you can prompt a GUI for the user to set it themselves.
To deploy BitLocker use the article below. Ensure that your device has TPM 2.0 and is attestation ready. I personally ran into some devices that were TPM 1.2 and I was able to an upgrade that virtualized the upgrade (the chip was not TPM 2.0 but was virtually upgrade from 1.2>2.0).
Setup BitLocker
https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices
Setup PIN Enforcement
https://learn.microsoft.com/en-us/mem/intune/protect/identity-protection-configure
@DillonS-2060 The first link you sent is helpful for people trying to deploy bitlocker without a pin. But that article specifically mentions this "A device must not require use of a startup PIN or startup key." So that's not really helpful in my situation. I am looking for a Microsoft recommended solution to enable a pin using MEM/Intune.
Also, the Second link appears to have nothing to do with bitlocker. i think that may be a link about "Windows Hello".