Intune Script to Enforce the Enhanced PIN Policy for BitLocker

2 min. read, last update: 09.22.2024

These two scripts are designed to work together in Intune for detecting and remediating the configuration of the Enhanced PIN feature for BitLocker:

  • The Detection script checks whether the Enhanced PIN policy is enabled by looking at the system’s registry settings.
  • The Remediation script enforces the policy if it is not already enabled, ensuring that the Enhanced PIN feature is properly configured for BitLocker and improving system security.

By automating this process through Intune, administrators can ensure that devices across the organization are configured correctly without manual intervention.

1. Detection Script: Allow-enhancedPIN-Detection.ps1

  • Purpose: The script checks if the Enhanced PIN (UseEnhancedPin) policy is enabled for BitLocker.
  • How It Works:
    • The script looks for the registry key located at HKLM:\Software\Policies\Microsoft\FVE and checks if the UseEnhancedPin property is set to a value of 1, which indicates that the enhanced PIN feature is enabled for BitLocker.
    • If the value is not equal to 1, the script exits with code 1, indicating that the policy is not properly set.
    • If the value is set correctly, it exits with code 0, meaning the policy is enabled as expected.

2. Remediation Script: Allow-enhancedPIN-Remediation.ps1

  • Purpose: This script enforces the Enhanced PIN (UseEnhancedPin) policy for BitLocker by updating the relevant registry setting.
  • How It Works:
    • The script directly modifies the registry key at HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE, setting the UseEnhancedPin value to 1 using the reg add command.
    • If the change is successful, the script exits with code 0, indicating success.
    • If an error occurs during the process, the script catches the error, logs the exception, and exits with code 1.

Here are the scripts:

Detection:

# Registry location written by the BitLocker "Allow enhanced PINs for startup" policy
$Path     = "HKLM:\Software\Policies\Microsoft\FVE"
$Property = "UseEnhancedPin"
$Value    = 1   # REG_DWORD 1 = enhanced PINs allowed

try {
    # -ErrorAction SilentlyContinue: a missing key or value yields $null instead of an error
    $Item = Get-ItemProperty -Path $Path -Name $Property -ErrorAction SilentlyContinue
    if ($null -eq $Item -or $Item.$Property -ne $Value) {
        Write-Output "$Property is not set to $Value"   # shown in the Intune remediation report
        exit 1   # non-compliant: Intune runs the remediation script
    } else {
        Write-Output "$Property is set to $Value"
        exit 0   # compliant
    }
} catch {
    Write-Error $_.Exception.Message
    exit 1
}

Remediation:

try {
    # reg add is an external command: it does not throw, so its exit code must be checked
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE /v UseEnhancedPin /t REG_DWORD /d 1 /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg add failed with exit code $LASTEXITCODE"
    }
    Write-Output "UseEnhancedPin set to 1"
    exit 0
} catch {
    Write-Error $_.Exception.Message
    exit 1
}
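To validate the pair before uploading it to Intune, the following harness, added here and not part of the original article, runs the two scripts the way an Intune remediation does: detection first, remediation only when detection exits 1, then detection again to confirm the fix. The script paths are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example: locally simulate the Intune detect -> remediate -> re-detect cycle.
# Script paths are assumptions; adjust to wherever the two .ps1 files are saved.
$Detection   = "C:\Scripts\Allow-enhancedPIN-Detection.ps1"
$Remediation = "C:\Scripts\Allow-enhancedPIN-Remediation.ps1"

function Invoke-IntuneStyleScript {
    param([Parameter(Mandatory)][string]$Path)
    # Intune launches each script in its own powershell.exe process (as SYSTEM by default);
    # running it as a separate process here turns the script's exit statement into a process exit code.
    $proc = Start-Process -FilePath "powershell.exe" `
        -ArgumentList "-NoProfile", "-NonInteractive", "-ExecutionPolicy", "Bypass", "-File", "`"$Path`"" `
        -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

$first = Invoke-IntuneStyleScript -Path $Detection
Write-Host "Detection run 1 exit code: $first"   # 0 = compliant, 1 = needs remediation

if ($first -eq 1) {
    $fix = Invoke-IntuneStyleScript -Path $Remediation
    Write-Host "Remediation exit code: $fix"
    $second = Invoke-IntuneStyleScript -Path $Detection
    Write-Host "Detection run 2 exit code: $second"
    if ($second -ne 0) { Write-Warning "Remediation did not bring the device into compliance." }
}
elseif ($first -eq 0) {
    Write-Host "Already compliant; remediation skipped, as Intune would do."
}
else {
    Write-Warning "Unexpected detection exit code $first; the detection script should only return 0 or 1."
}

# Show the value the detection script reads, for cross-checking against the report above.
Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\FVE" -Name UseEnhancedPin -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty UseEnhancedPin
```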
