Unable to Enforce BitLocker Pre-Boot PIN via Intune on Windows 11 Pro (Azure AD Joined)

StackAble 0 Reputation points
2025-07-23T07:36:02.4433333+00:00

Hello,

I'm managing a fleet of Windows 11 Pro devices that are Azure AD joined and fully managed via Microsoft Intune under a Microsoft 365 Business Premium tenant. My goal is to enforce BitLocker encryption on the OS drive with TPM + pre-boot PIN authentication using Intune's Disk Encryption policy.

Here’s what I’ve done so far:

  • Devices are confirmed as Azure AD joined and show as compliant in Intune.
  • BitLocker policy is configured to require TPM + PIN with a minimum 8-character PIN.
  • No on-prem AD or local Group Policy is in use—Intune is the only policy source.
  • Despite correct policy settings, the devices do not prompt for a pre-boot PIN, and BitLocker either does not enable or enables without the required authentication method.

Questions:

  1. Does Windows 11 Pro support enforcing TPM + PIN via Intune alone, or is Windows 11 Enterprise required for this functionality?
  2. Is there an official Microsoft document that outlines this limitation?
  3. Are there any workarounds or best practices for enforcing pre-boot PIN on Pro devices via Intune?

Any guidance or documentation links would be greatly appreciated!

Thanks in advance.

Microsoft Security | Intune | Configuration
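An added diagnostic for the situation described in the question (this is example code, not something from the original post or from Microsoft). The BitLocker CSP and the `BitLocker` PowerShell module are available on Windows 11 Pro as well as Enterprise, so the first thing worth knowing on an affected device is which of three things went wrong: the policy never arrived, it arrived but was translated into FVE policy values that do not require a PIN, or it arrived correctly but encryption was enabled silently, which can only ever produce a TPM-only protector because a PIN has to be typed by a person. The script below reads all three and, optionally, converts a TPM-only OS drive to TPM+PIN interactively, removing the TPM-only protector and escrowing a recovery password first. The registry paths and value names are the ones I expect the MDM client to write and are assumptions; run it elevated on one device.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Registry paths and value
# names below are assumptions about where the BitLocker CSP lands.

$osDrive = $env:SystemDrive

function Get-OsDriveProtectorSummary {
    # What BitLocker actually applied to the OS drive right now.
    $vol = Get-BitLockerVolume -MountPoint $osDrive
    [pscustomobject]@{
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus   # On / Off
        EncryptionMethod = $vol.EncryptionMethod
        KeyProtectors    = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
    }
}

function Get-DeliveredBitLockerPolicy {
    # Node the MDM client writes for the BitLocker CSP (assumed path).
    $csp = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    if (-not (Test-Path $csp)) {
        return 'No BitLocker CSP node: the Intune policy never reached this device.'
    }
    Get-ItemProperty -Path $csp |
        Select-Object RequireDeviceEncryption, AllowStandardUserEncryption,
                      SystemDrivesRequireStartupAuthentication, SystemDrivesMinimumPINLength
}

function Get-EffectiveFvePolicy {
    # Legacy policy keys the BitLocker engine honours (assumed path).
    # UseAdvancedStartup = 1 means "Require additional authentication at startup" is on;
    # UseTPMPIN: 0 = do not allow, 1 = allow, 2 = require. Without these keys the
    # engine refuses a PIN protector as "not allowed by policy".
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) {
        return 'No FVE policy keys: TPM+PIN protectors will be refused by policy.'
    }
    Get-ItemProperty -Path $fve |
        Select-Object UseAdvancedStartup, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN, MinimumPIN
}

function Add-PreBootPinInteractively {
    # A PIN must be typed by a person; silent enablement cannot create one,
    # so a TPM+PIN policy plus silent encryption commonly ends in TPM-only.
    $summary = Get-OsDriveProtectorSummary
    if ($summary.KeyProtectors -contains 'TpmPin') { return 'TPM+PIN protector already present.' }
    if ($summary.KeyProtectors -notcontains 'Tpm') { return 'No TPM protector to convert; enable BitLocker first.' }

    # Escrow a recovery password to Entra ID before making boot depend on a PIN.
    $vol = Get-BitLockerVolume -MountPoint $osDrive
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) {
        $vol = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    }
    BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId | Out-Null

    $pin = Read-Host -Prompt 'Enter the new pre-boot PIN (min 8 characters)' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $pin | Out-Null

    # Drop the TPM-only protector, otherwise the PIN is never asked for at boot.
    (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Get-OsDriveProtectorSummary
}

Get-OsDriveProtectorSummary | Format-List
Get-DeliveredBitLockerPolicy | Format-List
Get-EffectiveFvePolicy | Format-List
# Uncomment to convert a TPM-only OS drive to TPM+PIN on this machine:
# Add-PreBootPinInteractively | Format-List
```

If `Get-DeliveredBitLockerPolicy` shows `SystemDrivesRequireStartupAuthentication` but `Get-EffectiveFvePolicy` shows `UseTPMPIN` at 0 or 1 rather than 2, the policy arrived but does not require a PIN; if the FVE keys are missing entirely, `Add-BitLockerKeyProtector -TpmAndPinProtector` will fail until a policy allowing a PIN is in place. The interactive function is the usual shape of an Intune-delivered script for this case, because the PIN entry step cannot be made silent.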