Best Approach for Adding a User-Created PIN in Intune BitLocker Settings?

Asked By TechWizard42 On

I'm looking to enhance security on our laptops by transitioning from just encrypting drives in Intune to requiring users to create a PIN for system boot. Currently, our configuration policy handles automatic encryption and saves recovery keys to Active Directory and Entra. However, we need to replace an old Dell HDD boot password with a system that requires a user-defined PIN. This means our team will need elevated access to remove the Dell password as well as set the BitLocker PIN. Should I adjust our existing policy to implement 'Require TPM + PIN' and also set it to 'Do not allow TPM'? Or would it be better to create a new policy and migrate laptops over to it?

2 Answers

Answered By UserNinja88 On

The best approach is to create a new policy for this. This way, you can run some test groups to ensure everything works smoothly before rolling it out to all laptops. It allows for easier troubleshooting without affecting the current configuration immediately.
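
A read-only check for laptops in such a test group, added here as an example and not written by anyone in this thread: it reports whether the OS volume actually carries a TPM+PIN protector and a recovery password once the new policy has applied. The function name `Test-PilotBitLockerPin` is hypothetical, and it assumes the Intune startup-authentication settings appear under the `HKLM:\SOFTWARE\Policies\Microsoft\FVE` policy key as they do for Group Policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): run on a pilot laptop after the new policy syncs.

function Test-PilotBitLockerPin {
    param([string]$MountPoint = $env:SystemDrive)

    # Protector types currently on the OS volume (e.g. Tpm, TpmPin, RecoveryPassword)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Assumption: the MDM policy is mirrored to the same key Group Policy uses.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $meaning  = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
    $describe = {
        param($value)
        if ($null -eq $value) { 'Not configured' } else { $meaning[[int]$value] }
    }

    $hasPin      = $types -contains 'TpmPin'
    $hasRecovery = $types -contains 'RecoveryPassword'
    $protected   = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        ProtectorTypes   = $types -join ', '
        PolicyTpmOnly    = & $describe $fve.UseTPM      # 'Do not allow TPM' in the question
        PolicyTpmPin     = & $describe $fve.UseTPMPIN   # 'Require TPM + PIN' in the question
        HasTpmPin        = $hasPin
        # Local check only: this does not prove the key was escrowed to AD or Entra.
        HasRecoveryKey   = $hasRecovery
        ReadyForRollout  = $protected -and $hasPin -and $hasRecovery
    }
}

Test-PilotBitLockerPin | Format-List
```

A device where `PolicyTpmPin` reads `Require` but `HasTpmPin` is still `False` has received the policy without a PIN having been set yet.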

Answered By CyberSecGenius On

What’s the reason for adding a BitLocker PIN? Some believe it's a solid way to ensure no one can access the laptop without the PIN first, which adds an extra layer of security. Though, just be aware that while TPM protects the drive if someone tries to use a recovery USB tool, it might still pose risks if that tool isn’t well-secured. Just something to keep in mind!
