Forum Discussion
Ben Curran
Mar 16, 2020 - Brass Contributor
Intune Local GPO Change for BitLocker Pre-boot Keyboard Bypass
Hi, I have been testing BitLocker on my Surface Pro and ran into a small problem. I have configured it to boot with a PIN but it won't enable due to no pre-boot keyboard being available. BitLo...
Jun 03, 2020
Hey Ben Curran,
You have to assign your BitLocker policy to a device AAD group, and ESP must be turned on; otherwise you are too late and BitLocker automatic encryption during AADJ will kick in to encrypt your device with default settings like 128-bit used space etc.
See all the detailed references here:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/bitlocker
https://oofhours.com/2019/08/26/bitlocker-esp-and-windows-autopilot-working-in-harmony/
best,
Oliver
Ben123Digitally
Mar 19, 2021 - Copper Contributor
Hi,
I am re-surfacing this issue as I have the same problem again. I have a BitLocker policy, using the Endpoint security Disk encryption settings. My problem is the same as before: I can set the policy to encrypt to 256 XTS, but no PIN can be set as the system doesn't see the keyboard of the Surface Pro. I have exhausted all options; the only way I can get it to work is to set the encryption, then manually trigger the PIN settings from the BitLocker portal in Control Panel, once the GPO has been manually changed on the local machine.
My question is, what is the process for enabling PIN protected Bitlocker on machines that do not have a fixed keyboard?
Regards
Ben
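Added example, not part of the thread or of any Microsoft tooling: a PowerShell check that tells whether a device ended up with the automatic-encryption defaults Oliver describes or with the 256 XTS plus PIN configuration Ben is aiming for. The function name `Test-BitLockerPolicyDrift` and the sample object are constructed for illustration; the property names follow the output of `Get-BitLockerVolume`.

```powershell
# Classify a BitLocker OS volume against the intended policy
# (XTS-AES 256 with a TPM+PIN protector, protection on).
function Test-BitLockerPolicyDrift {
    param(
        # Object shaped like Get-BitLockerVolume output
        [Parameter(Mandatory)] $Volume,
        # Assumption: the target named in the thread (256 XTS)
        [string] $ExpectedMethod = 'XtsAes256'
    )
    $findings = @()

    $method = [string]$Volume.EncryptionMethod
    if ($method -ne $ExpectedMethod) {
        $findings += "EncryptionMethod is $method, expected $ExpectedMethod"
    }

    # Collect protector types; a TPM-only volume has no pre-boot PIN
    $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ($types -notcontains 'TpmPin') {
        $findings += "No TpmPin protector (found: $($types -join ', '))"
    }

    if ([string]$Volume.ProtectionStatus -ne 'On') {
        $findings += "ProtectionStatus is $($Volume.ProtectionStatus)"
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Constructed sample: a device that was encrypted with default settings
$sample = [pscustomobject]@{
    MountPoint       = 'C:'
    EncryptionMethod = 'XtsAes128'
    ProtectionStatus = 'On'
    KeyProtector     = @(
        [pscustomobject]@{ KeyProtectorType = 'Tpm' },
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
    )
}
Test-BitLockerPolicyDrift -Volume $sample | Format-List

# On a real device, from an elevated session:
# Test-BitLockerPolicyDrift -Volume (Get-BitLockerVolume -MountPoint $env:SystemDrive)
```

For the constructed sample the result is `Compliant = False` with two findings: the XtsAes128 method and the missing TpmPin protector.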