Microsoft BitLocker Encryption from Intune on Windows 10 Pro 1903


Howdy Folks,

Good to go as the weekend arrives, so just giving you one more question to resolve, which again comes up from the customer's end:

If we have set up BitLocker encryption from the Intune end after doing the Azure AD domain join, and once we log in with the new profile it sets up MFA first and then a PIN, is it necessary to set MFA?

I have seen your article, @Oliver. Kindly address this if you can give some input on it.

This is your article: https://www.scconfigmgr.com/2018/10/23/enabling-bitlocker-on-non-hsti-devices-with-intune/

Solution

Hi @Mitul Sinha,

The MFA and PIN are not BitLocker related. The PIN is the required PIN for Windows Hello for Business. You have to set a PIN as the minimum alternative WHfB unlock; in addition you can also use biometrics like face or fingerprint. The PIN itself can only be set when you identify yourself with strong authentication details, and this means MFA in that case. So, the MFA prompt you see is for WHfB and the required PIN there.

If you have set the AAD configuration Azure Active Directory > Devices > Device settings > Require Multi-Factor Authentication to join devices, you will have to do MFA during AADJ and might already have strong authentication details in your token (if you did not wait too long; tokens time out after some time). If this is the case and your details are valid, you are not asked for MFA during WHfB PIN creation because you already did so during AADJ.

Best,
Oliver
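An added check that is not part of the thread or of Oliver's article: it reads the two states the question conflates from the device itself, the OS-drive BitLocker status that the Intune policy controls and the Windows Hello for Business enrollment that the MFA and PIN prompts belong to. It assumes an elevated PowerShell session on the Windows 10 device with the BitLocker module available; the helper and function names are my own.

```powershell
# Added example, not from the thread. Run elevated on the Azure AD joined device.

function Get-DsregValue {
    param([string[]]$Status, [string]$Name)
    # dsregcmd /status prints "Name : VALUE" lines; return the first matching value or $null
    foreach ($line in $Status) {
        if ($line -match "^\s*$Name\s*:\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

function Get-BitLockerSummary {
    # What the Intune endpoint protection / BitLocker policy actually changed on the OS drive
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    [PSCustomObject]@{
        Check      = 'BitLocker (Intune policy)'
        Volume     = $vol.MountPoint
        Status     = "$($vol.VolumeStatus) / $($vol.ProtectionStatus)"
        Percent    = $vol.EncryptionPercentage
        # Typical Intune result is Tpm + RecoveryPassword. A Hello PIN never shows up here:
        # only a TpmPin protector would mean a pre-boot BitLocker PIN.
        Protectors = $protectors
    }
}

function Get-HelloSummary {
    # What the first-logon MFA prompt and PIN setup belong to: Azure AD join + WHfB
    $status = dsregcmd /status
    [PSCustomObject]@{
        Check         = 'Windows Hello for Business'
        AzureAdJoined = Get-DsregValue -Status $status -Name 'AzureAdJoined'
        AzureAdPrt    = Get-DsregValue -Status $status -Name 'AzureAdPrt'   # YES = AAD sign-in token present
        NgcSet        = Get-DsregValue -Status $status -Name 'NgcSet'       # YES = Hello PIN/biometric key enrolled
    }
}

Get-BitLockerSummary | Format-List
Get-HelloSummary     | Format-List
```

If the first block shows ProtectionStatus On with Tpm and RecoveryPassword protectors and the second shows NgcSet YES, both mechanisms are in place independently, which is the separation Oliver describes.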
