Hey team,
I'm currently rolling out Windows Hello for Business in my organization, and while I'm excited about the benefits, I've hit a bit of a snag. Our laptops are encrypted with BitLocker, which requires a PIN at boot. Now, on top of that, users must also set a separate PIN for Windows Hello for Business. I have the option to enforce an Intune policy to ensure these PINs remain different, but I foresee users forgetting the WHfB PIN or writing them down somewhere unsafe. I understand that biometrics aren't foolproof; the system prompts for the PIN if biometric authentication fails.
After doing some research, it seems like Personal Data Encryption could be the right path. This would allow BitLocker to auto-unlock the drive, effectively removing the need for the first PIN, while still keeping user data encrypted until they authenticate with biometrics or the WHfB PIN. The catch? It requires an E3 license.
So, I'd love to hear how you all are handling this situation. Are you managing with both PINs, or have you found a better solution? Any third-party tools that allow for folder encryption without needing an E3 upgrade? Looking forward to your insights! Thanks!
1 Answer
You might want to consider ditching the boot PIN unless you have specific security standards that require it. The drive is already encrypted with a key you control, which is usually sufficient if you have good account management and processes like MFA in place.
That makes sense! Plus, with Intune now, you’ve got the ability to remotely wipe devices if they’re lost, which could support the case for dropping the boot PIN while still using TPM.
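As an added example (not posted by anyone in this thread), here is a read-only PowerShell audit of the kind an admin would run before acting on the answer above, i.e. before swapping a TPM+PIN protector for a TPM-only one. It only reports state; the function name and output fields are my own, and the requirement that a recovery password protector exist (so it can be escrowed in Intune) is my assumption, not something the answer states.

```powershell
# Added audit example, not code from the thread. Read-only: reports whether the OS
# volume currently uses a pre-boot PIN and whether the prerequisites for relying on
# the TPM alone (TPM present and ready, recovery password protector present) are met.
# Assumes the built-in BitLocker and TrustedPlatformModule modules; run elevated.
function Test-BootPinRemovalReadiness {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = Get-Tpm

    # Protector types that require user interaction before Windows boots.
    $preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    # Collect the protector types as plain strings for easy comparison.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $result = [pscustomobject]@{
        MountPoint          = $MountPoint
        VolumeStatus        = $vol.VolumeStatus
        ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
        TpmPresentAndReady  = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        HasPreBootPin       = [bool]($types | Where-Object { $preBootTypes -contains $_ })
        HasTpmOnlyProtector = ($types -contains 'Tpm')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        ProtectorTypes      = ($types -join ', ')
    }

    # Assumption (mine): dropping the boot PIN only makes sense when protection is on,
    # the TPM can take over, and a recovery password exists to escrow before the change.
    $ready = $result.ProtectionOn -and $result.TpmPresentAndReady -and $result.HasRecoveryPassword
    $result | Add-Member -NotePropertyName ReadyToDropBootPin -NotePropertyValue $ready

    return $result
}

# Usage: print the audit for the system drive.
Test-BootPinRemovalReadiness | Format-List
```

HasPreBootPin = True with ReadyToDropBootPin = False means the machine still needs a recovery password (or TPM remediation) before the PIN protector should be touched.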