AMA: Enrolling modern devices with Windows Autopilot
Thursday, Jul 21, 2022, 08:00 AM PDT
Interested in the simplified Autopilot device enrollment flows? Do you have questions about pre-provisioned devices? Curious about advanced app and policy configuration during Windows Autopilot enro...
Heather_Poulsen
Updated Dec 27, 2024
MarcoDS395
Jul 21, 2022, Brass Contributor
Hello to all. Thank you for this session. Would it be possible to ask 2 questions, please?
- Are there any future plans to allow BitLocker PIN options to be applied during the Autopilot setup, to set a PIN?
- Are there any further plans, when requesting device event logs, to pull down the entire event logs or specific event logs? I.e., I need to apply Controlled folder manager and this is being blocked; instead of me remoting into a device, I could request the logs.
- Jessie S, Jul 21, 2022, Brass Contributor
Marco, this would be great if the PIN was fully supported. At the moment, through searching the interwebs, we came across a blog where you can prompt the user to enter the PIN using serviceUI and some PowerShell scripts; we also made sure that it has a level of security. We then took that and took it a step further. We made it so that when the system gets encrypted via Intune during or after Autopilot, it prompts the user for a PIN and then the user is able to set the PIN. If the user doesn't and closes the window, it prompts the user every 1 hour until the PIN is set. It works flawlessly for our use and also satisfies our security department's needs.
- MarcoDS395, Jul 21, 2022, Brass Contributor
Hi Jessie. Thank you for your response. This has been mentioned to me as well when I logged a call with MS support, that the PIN feature is not fully supported. Unfortunately, our org has requested for this option to be enabled. I have trawled the net and have come across a few sites whose steps I've tried to replicate, and there are issues one way or another. So I have had to come up with my own little plan idea. If you have the opportunity to share the steps that you have taken, I would be more than happy to replicate this on my end as well. This will be really appreciated as well.
- Jason_Sandys, Jul 21, 2022, Microsoft
Hi Marcos,
For the BitLocker PIN, it's an item of interest for the Windows team as the limitation isn't really specific to Intune. Also, the PIN, as it exists today, has other limitations that present challenges to many orgs. With that in mind, there is a solution being designed to address the actual business case here (adding an additional protector to mitigate hardware-based attacks on the TPM).
For collecting additional logs, we consider adding items regularly. Which log specifically are you looking for? I'll pass this feedback on to the feature PM responsible. Keep in mind, though, that there is a balance of what we can and should collect, as we don't want to collect everything because there is a resource impact and cost associated with this activity.
- MarcoDS395, Jul 21, 2022, Brass Contributor
Hi Jason. Thank you for your response and for taking the time to look into this. During the call it was mentioned that we should set up and configure Windows Hello. Our current environment is a hybrid; we did attempt to set up Windows Hello but it caused other issues, so we have disabled this. Our company Sec team requests that the device does have a BitLocker PIN. I have been able to create a "workaround" but was hoping that this would be something MS could possibly implement.
Logs - I agree that the need to collect every log is unnecessary. Fully agree. The logs that I'm more specifically looking for are:
Logname - Microsoft-Windows-Windows Defender/Operational
Source - Windows Defender
When controlled folder access is configured to audit, all the audit logs are located in the above location. This log file basically logs ASR attempts. It would be really useful, if at all possible, to include this in the system diagnostics download. Orgs that want to enable Controlled folder access need to run the audit first. Thank you for your assistance.
- Jason_Sandys, Jul 22, 2022, Microsoft
> Our current environment is a hybrid; we did attempt to set up Windows Hello but it caused other issues, so we have disabled this.

You should pursue this further with a support case, consultant, or further internal effort, as Windows Hello for Business is the gateway to many current and future security improvements, including getting rid of the biggest vulnerability in IT: user passwords. As for requiring a BitLocker PIN, as noted, we are looking at ways to address the core challenge, which is mitigating hardware-based attacks. This is most likely aligned with your security team's requirement as well.
- Rachelle_Blanchard, Jul 21, 2022, Microsoft
Admin response: This question was answered live. Please refer to the recording for more details.