Goal
The goal of this blog post is simple: I want to walk you through the process of deploying BitLocker Drive Encryption with a startup PIN using PowerShell in Microsoft Intune. By the time you finish reading, you’ll have a clear roadmap to beef up your organization’s data security, ensuring that even if a device falls into the wrong hands, your sensitive information stays locked down tight.
The Intune Conundrum
Now, here’s where things get a bit tricky. Microsoft Intune is fantastic for managing devices, but when it comes to setting up BitLocker with a startup PIN, it falls short. You can’t do it natively through the Intune interface. Frustrating? You bet. But don’t worry – this is where we roll up our sleeves and get creative with PowerShell. I also wanted a polished UI that looks more appealing on corporate devices.
If all goes well, users will get a fancy UI prompt, with an option to add your company logo. The splash screen below is fullscreen.

PowerShell to the Rescue: Script Overview
I’ve put together a PowerShell script that automates the whole process of setting up BitLocker with a startup PIN. Here’s what it does:
- Creates a Home: Sets up a folder for logs and files.
- Keeps a Diary: Logs everything it does, which is a lifesaver for troubleshooting.
- Plays Bouncer: Checks that the PIN is complex enough to keep the bad guys out.
- User-Friendly Interface: Prompts users to enter their PIN with a simple GUI.
- Sets Up the Fort: Configures BitLocker with the PIN and backs up the recovery key to Azure AD.
The full script is in the GitHub repo: https://github.com/nivikolatte/PowerShell/blob/main/Set-BitlockerStartupPIN
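As an added example (written for this post, not the script from the repo), the core steps the script performs in plain PowerShell: PIN complexity validation, recovery-key escrow to Azure AD, and swapping the TPM-only protector for a TPM+PIN protector. The function names, the 8-character minimum and the registry check for the enhanced-PIN policy are assumptions; the tag file path is the one the post's uninstall command deletes.

```powershell
# Added example, not the author's script. Names marked as assumptions in the lead-in are mine.
function Test-StartupPinComplexity {
    param([string]$Pin, [int]$MinLength = 8)
    # BitLocker accepts 6 to 20 characters; the 8-character minimum is a stricter local choice.
    if ($Pin.Length -lt $MinLength -or $Pin.Length -gt 20) { return $false }
    # Non-digit characters only work when the "enhanced PINs for startup" policy is on.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($fve.UseEnhancedPin -ne 1 -and $Pin -notmatch '^\d+$') { return $false }
    # Reject a single repeated character and ascending/descending digit runs.
    if ($Pin -match '^(.)\1+$') { return $false }
    if ('01234567890123456789'.Contains($Pin) -or '98765432109876543210'.Contains($Pin)) { return $false }
    return $true
}

function Set-BitLockerStartupPin {
    param([Parameter(Mandatory)][string]$Pin, [string]$MountPoint = 'C:')
    if (-not (Test-StartupPinComplexity -Pin $Pin)) { throw 'PIN does not meet the complexity rules.' }
    if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; cannot add a TPM+PIN protector.' }

    # Escrow a recovery password to Azure AD before touching the TPM protector, so the
    # device stays recoverable even if the protector swap fails part-way.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) {
        $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    }
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # A volume cannot hold both a TPM-only and a TPM+PIN protector, so remove the TPM-only one first.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    $securePin = ConvertTo-SecureString $Pin -AsPlainText -Force
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Not yet encrypted: enable BitLocker directly with the TPM+PIN protector.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $securePin -SkipHardwareTest | Out-Null
    } else {
        # Already encrypted (e.g. TPM-only from Autopilot): just add the TPM+PIN protector.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $securePin | Out-Null
    }

    # Write the completion tag that the post's uninstall command deletes; use it as the Win32 app detection rule.
    $tagDir = Join-Path $env:ProgramData 'Company'
    New-Item -ItemType Directory -Path $tagDir -Force | Out-Null
    New-Item -ItemType File -Path (Join-Path $tagDir 'BitlockerSetupComplete.tag') -Force | Out-Null
}
```

Run it from the system context after the user has entered the PIN in the GUI; the next reboot will prompt for the PIN before Windows loads.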
Deploying the Script from Intune
Deploy this script as a Win32 app through Microsoft Intune with a requirement rule so that it does not break Autopilot. Make sure the app is deployed under the system context with the requirement rule below, which returns True only when WWAHost is not running.
$ProcessActive = Get-Process "WWAHost" -ErrorAction silentlycontinue
$CheckNull = $ProcessActive -eq $null
$CheckNull
By implementing this requirement rule, you can control the timing of your BitLocker deployment, ensuring it occurs under the right conditions and does not interfere with other critical processes.
ServiceUI for Intune app deployment
To bring the UI into the user context we need to use ServiceUI. Here is a write-up on how to obtain it and the details: https://www.anoopcnair.com/intune-to-user-interaction-using-serviceui/
Once you have downloaded it, package it together with the script and an install.bat that calls the script through ServiceUI.
The batch file below is saved as install.bat:
%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Executionpolicy bypass -file .\Scriptname.ps1
In the Intune app install command, use the below:
ServiceUI.exe -process:explorer.exe Install.bat
In the Intune app uninstall command, use the below (it deletes the completion tag):
cmd.exe /c del %ProgramData%\Company\BitlockerSetupComplete.tag
Bitlocker configuration
To make all of this work, make sure you have the setting below enabled in your Intune BitLocker policy.