There is no official way to do this; if you follow the Microsoft documentation, it requires a user to set the PIN themselves, and they require local admin to do it. The best way is to use Oliver's link posted above or https://www.nicklasahlberg.se/2021/11/16/bitlocker-startup-pin-the-modern-way/ , so you can prompt a GUI for the user to set it themselves.
Deploy BitLocker with MEM and Prompt User to Enter a Startup PIN
I am looking for information on the recommended method of deploying BitLocker with TPM and PIN (the PIN is the focus here) to workstations using MEM, and prompting a user to enter a PIN.
I have read through the entire internet twice now and can't seem to find any information about how to do this (besides using some script some guy wrote a few years ago).
Does Microsoft have an official response on how to deploy BitLocker in TPM and PIN mode using MEM/Intune?
Dillon Silzer
2022-07-01T03:25:34.82+00:00
To deploy BitLocker, use the article below. Ensure that your device has TPM 2.0 and is attestation ready. I personally ran into some devices that were TPM 1.2, and I was able to do an upgrade that virtualized the upgrade (the chip was not TPM 2.0 but was virtually upgraded from 1.2 to 2.0).
Set up BitLocker
https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices
Set up PIN enforcement
https://learn.microsoft.com/en-us/mem/intune/protect/identity-protection-configure
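Whichever method ends up setting the PIN, you still want Intune to tell you which devices actually ended up in the state the thread is asking for: TPM 2.0, protection on, and a TPM+PIN protector on the OS drive. The following is an added example (not from this thread, from Microsoft's docs, or from the linked blog) of a Proactive Remediation-style detection script; it assumes it runs as SYSTEM in 64-bit PowerShell on a device with the BitLocker and TrustedPlatformModule modules, and uses Intune's exit-code contract (0 = compliant, 1 = non-compliant).

```powershell
# Added example: detection script for "TPM 2.0 + startup PIN" compliance.
# Assumes SYSTEM context; Get-Tpm and Get-BitLockerVolume need elevation.

function Test-TpmPinCompliance {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. TPM must be present and ready (attestation-ready devices pass both).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if (-not $tpm -or -not $tpm.TpmPresent) { $findings.Add('No TPM detected') }
    elseif (-not $tpm.TpmReady)             { $findings.Add('TPM present but not ready') }

    # 2. Spec version must be 2.0; Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38".
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specMajor = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { $null }
    if ($specMajor -ne '2.0') { $findings.Add("TPM spec version is '$specMajor', expected 2.0") }

    # 3. OS volume must be protected by a TpmPin protector and have a recovery
    #    password (the protector Intune escrows) alongside it.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if (-not $vol) { $findings.Add("Cannot query BitLocker volume $MountPoint") }
    else {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        if ($vol.ProtectionStatus -ne 'On') { $findings.Add("Protection is $($vol.ProtectionStatus)") }
        if ($types -notcontains 'TpmPin')   { $findings.Add("No TpmPin protector (found: $($types -join ', '))") }
        if ($types -notcontains 'RecoveryPassword') { $findings.Add('No RecoveryPassword protector') }
        # A TPM-only protector would unlock the drive at boot without the PIN, so flag it.
        if ($types -contains 'Tpm') { $findings.Add('TPM-only protector present; PIN is not enforced') }
    }
    return $findings
}

$result = Test-TpmPinCompliance
if ($result.Count -eq 0) {
    Write-Output 'Compliant: TPM 2.0 with TpmPin protector on the OS drive'
    exit 0
}
Write-Output ('Non-compliant: ' + ($result -join '; '))
exit 1
```

The Write-Output line is what shows up in the Proactive Remediation report, so the joined findings give you the reason per device without opening a remote session.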