cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Intune Local GPO Change for Bitlocker Pre-boot Kyeboard Bypass

Ben Curran
Brass Contributor

‎Mar 16 2020 09:24 AM - edited ‎Mar 16 2020 09:25 AM

‎Mar 16 2020 09:24 AM - edited ‎Mar 16 2020 09:25 AM

Intune Local GPO Change for Bitlocker Pre-boot Kyeboard Bypass

Hi,

 

I have been testing Bitlocker on my Surface Pro and ran into a small problem. I have configured to to boot with a PIN but it wont enable due to no pre-boot keyboard being avaialble.

 

BitLocker Group Policy Settings("Enable use of BitLocker authentication requiring preboot keyboard input on slates")


I have tested the GPO below which does allow me to decrypt the drive and encrypt again. Is there a way I can push the GPO to the machine automatically from Intune as part of the pre-build?

 

Also the Bitlocker encryption is not encrypting to the correct settings, it is defaulting to 128bit and only active files, rather than the 256 and full drive encryption I have set. Is this due to it not being able to full configure using the Intune settings so it falls back to the default?

 

Regards

Ben

3,506 Views
0 Likes
5 Replies
Reply
5 Replies
Moe_Kinani

‎Mar 17 2020 05:38 PM

‎Mar 17 2020 05:38 PM

Re: Intune Local GPO Change for Bitlocker Pre-boot Kyeboard Bypass

Hi Ben,

Have you checked Endpoint Protection Config Profile->Windows Encryption or Security Baseline ->Bitlocker in Intune? It should have all the setting you looking for.

0 Likes
Reply
Ben Curran

‎Mar 18 2020 02:35 AM

‎Mar 18 2020 02:35 AM

Re: Intune Local GPO Change for Bitlocker Pre-boot Kyeboard Bypass

@Moe_KinaniHi, yes I have checked all Bitlocker settings in Intune but unfortunately am unable to find this GPO.

 

If its not avaialble in Bitlocker, or Administrative Templates, is there a way to deploy a custom Intune policy which targets the local GPO?

0 Likes
Reply
Per Oddvar Skåre

‎Jun 02 2020 05:46 AM - edited ‎Jun 02 2020 05:48 AM

‎Jun 02 2020 05:46 AM - edited ‎Jun 02 2020 05:48 AM

Re: Intune Local GPO Change for Bitlocker Pre-boot Kyeboard Bypass

I'm having the same issue with a new MS Surface Laptop 3.

I've configured require TPM and PIN through Intune policy and profile.

The error states clearly that PIN is not possible because the Surface device has no boot-keyboard. I swear that this device has a none detatchable keyboard! :\

The same policy and profile works fine on multiple Lenovo devices. @Moe_Kinani 

0 Likes
Reply
Oliver Kieselbach

‎Jun 03 2020 02:29 AM

‎Jun 03 2020 02:29 AM

Re: Intune Local GPO Change for Bitlocker Pre-boot Kyeboard Bypass

Hey @Ben Curran,

 

you have to assign your BitLocker Policy to a devices AAD group and ESP must be turned on otherwise you are too late and BitLocker Automatic encryption during AADJ will kick in to encrypt your device with default settings like 128-bit used space etc.

 

See all the detailed references here:

 

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/bitlocker

https://oofhours.com/2019/08/26/bitlocker-esp-and-windows-autopilot-working-in-harmony/

https://techcommunity.microsoft.com/t5/intune-customer-success/setting-256-bit-encryption-for-bitloc...

 

best,
Oliver

0 Likes
Reply
Ben123Digitally

‎Mar 19 2021 12:48 AM

‎Mar 19 2021 12:48 AM

Re: Intune Local GPO Change for Bitlocker Pre-boot Kyeboard Bypass

Hi,

I am re-surfacing this issue as i have the same problem again. I have a Bitlocker policy, using the Endpoint security Disk encryption settings. My problem is the same as before, where I can set the policy to encrypt to 256 XTS, no PIN can be set as the system doesn't see the keyboard of the Suface Pro. I have exhausted all options, the only way I can get it to work is to set the encryption, then manually trigger the PIN settings from the Bilocker portal in Control Panel, once the GPO has been manually changed on the local machine.

My question is, what is the process for enabling PIN protected Bitlocker on machines that do not have a fixed keyboard?

Regards
Ben
0 Likes
Reply