Windows 10: Bitlocker TPM and PIN Intune

Discuss and support Bitlocker TPM and PIN Intune in AntiVirus, Firewalls and System Security to solve the problem; Hi All, I've tried setting up TPM and PIN in SCCM via MBAM and it all works fine and is really good! However for Tamper protection for Defender... Discussion in 'AntiVirus, Firewalls and System Security' started by FirstVoid, Mar 8, 2020.

  1. FirstVoid Win User

    Bitlocker TPM and PIN Intune


    Hi All,


    I've tried setting up TPM and PIN in SCCM via MBAM and it all works fine and is really good! However, for Tamper Protection for Defender Antivirus you need to use Intune. This means you can switch the workload, all well and good; however, it seems in Intune there is no support at all for PIN complexity or for a standard user to enter the PIN. On a small scale this is fine, but once you run into 1000s of systems or more it is no longer practical to manage.


    How are you handling TPM and PIN in Intune? All I can find is a blog from a Microsoft Partner where they have written an effective workaround.

    :)
     
    FirstVoid, Mar 8, 2020
    #1

  2. FingerPrint With TPM and Bitlocker

    I want to use fingerprint as the BitLocker/TPM password/PIN. Please guide me step by step.

    [Moved from: Windows / Windows 10 / Windows settings]
     
    ManjeetDhariwal, Mar 8, 2020
    #2
  3. lx07 Win User
    Bitlocker...TPM + PIN vs Password?


    Using TPM is undoubtedly more secure. Some advantages are (compared to using USB and PIN):

    You can't copy it - the TPM key is unique.
    Like you say you can configure timeout.
    Can check boot files for tampering.

    Trusted Platform Module Technology Overview (Windows 10)

    Using a PIN as a logon to your account (nothing to do with bitlocker PIN) can also be more secure than using a password incidentally. Why a PIN is better than a password (Windows 10)


    No, it doesn't. It asks you if you want to. In fact, it asks you if you want to print it, save it (to another disk), save it to your MS account, or your AD. Depending on what your group policy allows, you can do some, all or none of these. BitLocker Group Policy settings (Windows 10)
     
    lx07, Mar 8, 2020
    #3
  4. Bitlocker TPM and PIN Intune

    Bitlocker with TPM


    TAMO,
    you are NOT wrong in what you want to do. TPM is SUPPOSED to protect this stuff. BUT, I have a Samsung TabPro S (Windows), and have even written to the Samsung PRESIDENT in S. Korea, and no reply. They institute this stuff, and then never have details about it.

    You ARE correct that RELYING solely on the TPM is problematic. BUT, you COULD edit the group policy for Bitlocker and allow a PIN; you then get protection of "TPM plus PIN", which requires that PIN for ANY Windows boot-up, including hibernation (I have my notebooks set up for TPM plus PIN). You THEN could leave the actual Windows user as not requiring a password (first, test to verify).

    HOWEVER (and again, I may post a more detailed thread on this question), your machine may have an actual BIOS ADMINISTRATOR PASSWORD. From my understanding from SOME threads (although still not clear), this BIOS ADMINISTRATOR PASSWORD is controlled by TPM also.

    In my scenario (I am not totally comfortable with it yet), I start the tablet (the Samsung), and the on-screen keyboard comes up, and I can enter the BIOS ADMINISTRATOR PASSWORD. If this is NOT entered correctly, it shuts down. IF it IS entered correctly, then boot-up continues, Bitlocker unlocks (its key is stored with the TPM), and it boots up to my username/password for Windows.
    I DID WANT to have "Bitlocker PLUS PIN", but the problem with the Samsung is that the on-screen keyboard does NOT work for Bitlocker; it only works for the BIOS ADMINISTRATOR PASSWORD. REPEATED requests to Samsung have been fruitless for an answer about the on-screen keyboard.

    In the above scenario, if someone STOLE the computer, let's assume they can't break the BIOS ADMINISTRATOR PASSWORD. If they got to the BIOS, and somehow CLEARED the TPM, then the Bitlocker key gets wiped out, and Bitlocker would need entry of the 48-character actual recovery key.

    Anyway, for your situation, explore the BIOS ADMINISTRATOR PASSWORD, and the GPEDIT.msc (group policy) to allow Bitlocker to have a PIN.

    hope this helps
     
    astormyday, Mar 8, 2020
    #4
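An added audit check, written for this thread and not taken from any of the posters: it reads what posts #1 and #4 are both concerned with, namely whether each BitLocker volume on a machine really carries a TPM+PIN protector (plus a recovery password so key escrow can work), and what the local BitLocker policy key that gpedit.msc writes says about minimum PIN length and standard users changing the PIN. The registry value names follow the BitLocker ADMX; the minimum length of 8 is this example's own assumption, and whether an MDM-delivered setting lands in the same key is not verified by the script.

```powershell
# Added example (not from this thread): audit TPM+PIN state on a Windows 10 machine.
# Run in an elevated PowerShell with the BitLocker module available.
$PolicyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'  # key written by the BitLocker group policy
$AssumedMinPin = 8                                         # assumption: the length you want enforced

function Get-BitLockerPinPolicy {
    # Returns the PIN-related policy values; a missing key or value comes back as $null.
    $p = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseAdvancedStartup           = $p.UseAdvancedStartup            # 1 = "Require additional authentication at startup" enabled
        UseTPMPIN                    = $p.UseTPMPIN                     # 0 = do not allow, 1 = require, 2 = allow TPM+PIN
        MinimumPIN                   = $p.MinimumPIN                    # "Configure minimum PIN length for startup"
        UseEnhancedPin               = $p.UseEnhancedPin                # 1 = enhanced (alphanumeric) PINs allowed
        DisallowStandardUserPINReset = $p.DisallowStandardUserPINReset  # 1 = standard users may NOT change the PIN
    }
}

function Test-TpmPinCompliance {
    # One row per BitLocker volume with the findings a defender would act on.
    $policy = Get-BitLockerPinPolicy
    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = New-Object System.Collections.Generic.List[string]
        if ($vol.VolumeType -eq 'OperatingSystem') {
            if ($types -notcontains 'TpmPin')           { $findings.Add('OS volume is not protected by TPM+PIN') }
            if ($types -notcontains 'RecoveryPassword') { $findings.Add('no recovery password protector (nothing to escrow)') }
            if ($policy.UseAdvancedStartup -ne 1)       { $findings.Add('startup authentication policy not enabled') }
            if (-not $policy.MinimumPIN -or $policy.MinimumPIN -lt $AssumedMinPin) {
                $findings.Add("MinimumPIN not set or below $AssumedMinPin")
            }
            if ($policy.DisallowStandardUserPINReset -eq 1) { $findings.Add('standard users cannot change their PIN') }
        }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            Findings         = ($findings -join '; ')
        }
    }
}

Test-TpmPinCompliance | Format-Table -AutoSize
```

At the fleet scale post #1 describes, the same function can be pushed as a detection script so that a non-empty Findings column surfaces centrally instead of being checked machine by machine.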