I am tasked with enabling BitLocker via InTune and I am struggling to understand why the following settings are not taking effect on the endpoint.

In the OS drive settings

Compatible TPM Startup - Blocked
Compatible TPM startup PIN - Blocked
Compatible TPM startup key - Blocked
Compatible TPM startup key and PIN - Required

I have had the solution working for TPM and PIN, but the people I work for want TPM, Key and PIN. When I go to turn on BitLocker in "Manage BitLocker", I am greeted with the dreaded "This PC requires a startup option that isn't supported by BitLocker setup."

Trying to research this error led me to 4sysops.com which says:

"If you see this one, it is usually caused by having more than one required option for additional authentication for an OS Drive at startup.

You can’t require more than one startup type."

Unless my (il)logic is flawed, then with the settings I set above, this condition should be satisfied.

Anyone have any ideas?

Swisstone

2 Answers


This is not supported, take a look at the documentation:

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bitlocker-key-protectors

PIN A user-entered numeric key protector that can only be used in addition to the TPM.

Additionally, the supported authentication methods are listed too:

TPM only
TPM + PIN
TPM + Network key
TPM + startup key
Startup key only
Swisstone
  • This had crossed my mind, but it begs the question why Microsoft had included it as an option in InTune. I personally think Microsoft need to revise the way BitLocker is configured in InTune. Nonetheless, thanks for your input. :) – The_Honkler Oct 14 '21 at 10:52

TPMandPINandStartupKey needs to be configured using the command line. The wizard isn't compatible with that setting.

Greg Askew
  • As it goes, whereas this would be the solution and I had seen this in Group Policy, what my bosses were looking at would not be achievable anyway due to our current USB "tokens" being recognised as smart cards which cannot be currently used in the pre-boot environment. Thanks for your input! – The_Honkler Oct 14 '21 at 10:47
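The command-line route the answer above refers to, as an added example that is not part of the answer or of Microsoft's documentation: it uses the BitLocker PowerShell module to apply the TPM + PIN + startup key protector that the "Manage BitLocker" wizard refuses, and assumes an elevated session, `C:` as the OS volume and a removable drive mounted at `E:\` for the startup key.

```powershell
# Added example (not from the answer). Assumptions: elevated session, OS volume is C:,
# the startup key is written to a removable drive mounted as E:\.
$OsDrive        = 'C:'
$StartupKeyPath = 'E:\'

# Only one startup authentication type can be required on an OS drive, so stop if a
# TPM-based protector already exists rather than producing the wizard's error by hand.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$startupTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
$existing = $vol.KeyProtector | Where-Object { $startupTypes -contains $_.KeyProtectorType }
if ($existing) {
    throw "Volume $OsDrive already has a startup protector ($($existing.KeyProtectorType -join ', ')); remove it first."
}
if (-not (Test-Path $StartupKeyPath)) {
    throw "Startup key drive $StartupKeyPath is not present."
}

# The PIN is read as a SecureString so it never sits in the transcript or history as plain text.
$pin = Read-Host -Prompt 'Enter the pre-boot PIN' -AsSecureString

# Turn on BitLocker with the combined TPM + PIN + startup key protector.
# manage-bde equivalent for the protector step:  manage-bde -protectors -add C: -TPMAndPINAndStartupKey E:\
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmAndPinAndStartupKeyProtector -Pin $pin -StartupKeyPath $StartupKeyPath

# Add a recovery password so the drive is never protected solely by a key that lives on
# a removable USB drive, then escrow it in Azure AD for the Intune-managed device.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
BackupToAAD-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId

# Show the resulting protector set for verification.
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

After a reboot the machine prompts for the PIN and requires the startup-key drive to be attached; keep the escrowed recovery password in hand before testing, because a mistyped PIN or a missing key drive falls straight through to recovery.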