Intune Bitlocker policy "Successful" in Intune but not applied on the device

B3655 20 Reputation points
2025-01-17T18:10:25.81+00:00

My environment has a few devices which are protected by BitLocker requiring a TPM. I am looking to increase the security posture on these devices by requiring a TPM and a PIN. In my device configurations on Intune, I have made the following configurations under Administrative Templates:

  • Require additional authentication at startup: True
    • Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM
    • Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive): False
    • Configure TPM startup: Do not allow TPM
    • Configure TPM startup PIN: Require startup PIN with TPM
    • Configure TPM startup key: Do not allow startup key with TPM

Furthermore, I have triple checked that the devices do not have any conflicting policies, and all policies are listed as "Successful" on the target devices. However, when I force a group policy update and reboot the machine, I am not asked to set up a PIN, and the BitLocker status still only lists "Key Protectors" as "TPM", notably leaving off the "PIN" part.

Notes:

  • The device does have a TPM Module
  • Intune displays no conflicting policies
  • Local group policy does not display any conflicting policies
  • The issue is replicable on multiple new machines of different makes and models

Accepted answer
  Crystal-MSFT 51,551 Reputation points Microsoft Vendor
    2025-01-20T02:16:42.15+00:00

    @B3655, Thanks for posting in Q&A. From your description, I know we have deployed the policy "Configure TPM startup PIN: Require startup PIN with TPM" to the device; it shows as successful, but the PIN is not prompted.

    Here, please manually run the following command to see if it can work.

    manage-bde.exe -protectors -add c: -TPMAndPIN

    https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-protectors

    Meanwhile, we can check the Event log under Applications and Services Logs > Microsoft > Windows > BitLocker-API to see if any related error exists.

    Please try the above suggestion and if there's any update, feel free to let us know.


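The following PowerShell script is an added, read-only diagnostic for the situation in the question and the checks suggested in the accepted answer; it is not code from the original thread or from Microsoft. It assumes an elevated PowerShell session on the affected device and uses the standard registry value names that the "Require additional authentication at startup" policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (the expected values mirror the settings listed in the question). It reports (1) whether the policy values actually arrived on the device, (2) which key protectors the OS volume currently has, and (3) any recent errors or warnings in the BitLocker-API Management event log. A TPM-only volume that already finished encrypting will keep its existing protectors even after the policy lands, which is why step 2 points at adding the TpmPin protector explicitly, as the answer suggests with manage-bde.

```powershell
# Added example (not part of the original question or answer): read-only
# BitLocker TPM+PIN diagnostic. Run in an elevated PowerShell session.
$OsDrive = $env:SystemDrive   # normally "C:"

# --- 1. Policy values as delivered by Intune / Group Policy ---------------
# Value names are the standard BitLocker policy registry values; expected
# values mirror the Administrative Template settings listed in the question.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = [ordered]@{
    UseAdvancedStartup = 1   # Require additional authentication at startup: Enabled
    EnableBDEWithNoTPM = 0   # Allow BitLocker without a compatible TPM: False
    UseTPM             = 0   # Configure TPM startup: Do not allow TPM
    UseTPMPIN          = 1   # Configure TPM startup PIN: Require startup PIN with TPM
    UseTPMKey          = 0   # Configure TPM startup key: Do not allow
    UseTPMKeyPIN       = 0   # Configure TPM startup key and PIN: Do not allow
}
Write-Host "== Policy values under $fve =="
if (Test-Path $fve) {
    $actual = Get-ItemProperty -Path $fve
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        $state = if ($null -eq $value) { 'MISSING' }
                 elseif ($value -eq $expected[$name]) { 'ok' }
                 else { 'MISMATCH' }
        $shown = if ($null -eq $value) { '<none>' } else { $value }
        '{0,-20} expected={1} actual={2} [{3}]' -f $name, $expected[$name], $shown, $state
    }
} else {
    Write-Warning 'No BitLocker policy key found: the policy has not reached this device yet.'
}

# --- 2. Key protectors currently on the OS volume -----------------------
Write-Host "`n== Key protectors on $OsDrive =="
$vol = Get-BitLockerVolume -MountPoint $OsDrive
'Protection: {0}  Encryption: {1}% ({2})' -f $vol.ProtectionStatus, $vol.EncryptionPercentage, $vol.VolumeStatus
$vol.KeyProtector | ForEach-Object { '  {0,-18} {1}' -f $_.KeyProtectorType, $_.KeyProtectorId }

# The startup policy only governs which protectors are permitted/required; it
# does not replace the protectors on a volume that is already encrypted.
if ($vol.KeyProtector.KeyProtectorType -notcontains 'TpmPin') {
    Write-Warning 'No TpmPin protector present. Add it explicitly, e.g.:'
    Write-Warning "  manage-bde -protectors -add $OsDrive -TPMAndPIN"
    Write-Warning "  (or Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin <SecureString>)"
}

# --- 3. Recent BitLocker-API errors / warnings --------------------------
# Same log the answer refers to: Applications and Services Logs > Microsoft >
# Windows > BitLocker-API > Management.
Write-Host "`n== BitLocker-API errors/warnings in the last 24 hours =="
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Level     = 2, 3                      # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize
} else {
    'No errors or warnings logged in the last 24 hours.'
}
```

Reading the three sections together usually locates the gap: MISSING or MISMATCH values in section 1 mean the policy never reached the device (an Intune reporting or targeting problem); all values "ok" but only a Tpm protector in section 2 means the device is already encrypted and still needs the TpmPin protector added, after which the next reboot prompts for the PIN; section 3 surfaces the BitLocker-API errors the answer asks about without opening Event Viewer.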