How to set the compliance policy to require TPM and PIN for BitLocker?

Sage Mirror 220 Reputation points
2023-10-27T12:54:42.1433333+00:00

Hi,

I have configured a compliance policy to require "4" for the KeyProtectorType, because based on this doc ("GetKeyProtectorType" https://video2.skills-academy.com/en-us/windows/win32/secprov/getkeyprotectortype-win32-encryptablevolume), a computer with the TPM and PIN should have this value.

My computer has the PIN set: when I use manage-bde -status, I get:

    Key Protectors:
        Numerical Password
        TPM And PIN

However, my computer is marked as not compliant with the value "3" on KeyProtectorType.

Two questions:

  • What is Numerical Password?
  • (if I need Numerical Password as well) How can I get Intune to see that I have both to make it compliant?
  • (if I don't need Numerical Password) How can I get Intune to see that I have the TPM and PIN enabled?

Thank you.

Microsoft Intune Compliance
Microsoft Intune Compliance
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Compliance: Adhering to rules, standards, policies, and laws.
143 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,646 questions
0 comments
Accepted answer
  1. Nick Eckermann 466 Reputation points
    2023-10-27T20:27:13.1733333+00:00

    I think you are talking about a custom compliance policy you have built.

    https://video2.skills-academy.com/en-us/mem/intune/protect/compliance-custom-script

    You can try something like this for checking for pin.

    CustomCompliance.ps1

    # Get-BitlockerTPMPinStatus Function
function Get-BitlockerTPMPinStatus() {

    if ($(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.KeyProtectorType -contains 'TpmPin' -eq $true) {
        Write-Output -InputObject "TPMPINSET"
    }
    elseif(($(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.KeyProtectorType -contains 'TpmPin' -eq $false)) {
        Write-Output -InputObject "TPMPINNOTSET"
    }else {
        Write-Output -InputObject $LASTEXITCODE
    }

}

# Return Bitlocker TPM Pin status to Intune in JSON format
$BitlockerPinStatus = Get-BitlockerTPMPinStatus
$hash = @{BitlockerTPMPinStatus = $BitlockerPinStatus}
return $hash | ConvertTo-Json -Compress

    CustomCompliance.json

    {
"Rules":[ 
    { 
       "SettingName":"BitlockerTPMPinStatus",
       "Operator":"IsEquals",
       "DataType":"String",
       "Operand":"TPMPINSET",
       "MoreInfoUrl":"https://PlaceholderForKB.com",
       "RemediationStrings":[ 
          { 
             "Language":"en_US",
             "Title":"Bitlocker startup pin is required.",
             "Description": "Bitlocker startup pin is required."
          }
       ]
    }
]
}

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest