Jul 26 2019 02:14 AM
Howdy Folks,
Good to go as the weekend arrives, so just giving you one more question to resolve, which again comes up from the customer's end:
If we have set up BitLocker encryption from the Intune end after doing the Azure AD domain join, and once we log in with the new profile it sets up MFA first and then a PIN, is it necessary to set up MFA?
I have seen your article, @Oliver. Kindly address this if you can give some input.
This is your article: https://www.scconfigmgr.com/2018/10/23/enabling-bitlocker-on-non-hsti-devices-with-intune/
Jul 29 2019 05:15 AM
Hi @Mitul Sinha,
the MFA and PIN are not BitLocker related. The PIN is the required PIN for Windows Hello for Business. You have to set a PIN as the minimum alternative WHfB unlock; in addition you can also use biometrics like face or fingerprint. The PIN itself can only be set when you identify yourself with strong authentication details, and this means MFA in that case. So, the MFA prompt you see is for WHfB and the PIN required there.
If you have set the AAD configuration Azure Active Directory > devices > device settings > require MFA to join devices to AAD, you will have to do MFA during AADJ and might already have strong authentication details in your token (if you did not wait too long; tokens time out after some time). If this is the case and your details are valid, you are not asked for MFA during WHfB PIN creation because you already did it during AADJ.
best,
Oliver
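To see on the device that the two states Oliver separates really are independent, here is an added check script (not part of this thread, and not from the linked article) that reports the BitLocker state of the OS drive and the Azure AD join / WHfB provisioning state side by side. It assumes an elevated PowerShell session on the Azure AD joined device and relies on `Get-BitLockerVolume` and the `dsregcmd /status` output fields `AzureAdJoined`, `AzureAdPrt` and `NgcSet`.

```powershell
# Added example: report BitLocker and WHfB (NGC) state separately.
# BitLocker protection comes from the Intune policy; the MFA/PIN prompt
# comes from Windows Hello for Business provisioning, not from BitLocker.
# Assumes an elevated session on an Azure AD joined Windows 10 device.

# 1. BitLocker state of the OS drive (this is what the Intune policy controls)
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$bitlocker = [pscustomobject]@{
    Check         = 'BitLocker OS drive'
    Protection    = $os.ProtectionStatus      # On / Off
    Volume        = $os.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
    Method        = $os.EncryptionMethod      # e.g. XtsAes128
    KeyProtectors = ($os.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
}

# 2. Join and WHfB state as reported by dsregcmd /status
$dsreg = dsregcmd /status
function Get-DsregValue {
    param([string]$Name)
    # Lines look like "   AzureAdJoined : YES"; return the value or N/A if absent.
    $line = $dsreg | Where-Object { $_ -match "^\s*$Name\s*:" } | Select-Object -First 1
    if ($line -and $line -match "^\s*$Name\s*:\s*(.+)$") { $Matches[1].Trim() } else { 'N/A' }
}
$identity = [pscustomobject]@{
    Check         = 'Azure AD / WHfB'
    AzureAdJoined = Get-DsregValue 'AzureAdJoined'   # device is AADJ
    AzureAdPrt    = Get-DsregValue 'AzureAdPrt'      # user has a Primary Refresh Token
    NgcSet        = Get-DsregValue 'NgcSet'          # WHfB PIN/key provisioned for this user
}

$bitlocker | Format-List
$identity  | Format-List

# Interpretation: BitLocker can show Protection = On with NgcSet = NO (PIN not yet
# created), or NgcSet = YES with Protection = Off (policy not applied yet). The
# MFA prompt at first sign-in belongs to the NgcSet transition, not to BitLocker.
if ($identity.NgcSet -ne 'YES') {
    Write-Host 'WHfB PIN not provisioned yet for this user; expect the MFA + PIN setup prompt.'
}
if ($bitlocker.Protection -ne 'On') {
    Write-Host 'BitLocker protection is not On; check the Intune endpoint protection policy.'
}
```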