Force MBAM PIN Change
Is there a method to force users to change their PIN? Currently, MBAM is not prompting for a PIN after we move it to the production OU (to apply the GPO after the MDT staging OU) and the end user is not the first person to see the MBAMClientUI when it is executed to prompt for PIN (workaround to enable end user to enter PIN). In addition, I would prefer to enforce periodic changes when desired by policy. Is this possible?
Michael
June 22nd, 2012 7:19pm

Hi, There seems to be no group policy setting that can achieve the goal. But we may try using a script. I am doing research and will update you once I find such a script. Thanks, Spencer
June 26th, 2012 7:08am

Great! I look forward to hearing from you.
Michael
June 26th, 2012 8:20am

Hi, I did research but cannot find that script. I sent an e-mail to the engineer who mentioned that script before, but the engineer is OOF now. Once he replies to me, I will update you here. :) Thanks, Spencer
June 27th, 2012 5:09am

I too am wondering: if I push the BitLocker software client to the machine via GPO and the settings are also configured through GPO, is there a way to force the users to change the PIN? I have TPM + PIN enabled. I understand that if the user is not connected to the domain they will not get the policy, but once they connect is there a way to force the PIN change?
August 1st, 2012 4:51pm

Look for the Compliance reporting of the machine on the MBAM Console to check the protector type for the encryption. It should reflect as TPM+PIN. Make sure that the GPO has been applied correctly by running the command "gpresult /scope computer /v". If the GPO was not applied, make sure to update the GPO by running the command "gpupdate /force". I would rather suggest restarting the client machine. Then start the encryption. I have faced the same problem and this is how I troubleshot the issue. Let me know if it has resolved the issue. Else we will try to figure it out in some other way. Quick question: Are you all trying to change the PIN for an already encrypted drive or is it an unencrypted drive? Thanks
Gaurav Ranjan
November 23rd, 2012 2:06am
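The protector check described in the reply above can also be run on the client itself. The script below is an added example, not code from any poster in this thread; it assumes the BitLocker PowerShell module (`Get-BitLockerVolume`, Windows 8 / Server 2012 or later) and an elevated session, and the function name `Test-TpmPinProtector` is hypothetical. On older clients, `manage-bde -protectors -get C:` lists the same protectors.

```powershell
#Requires -RunAsAdministrator
# Added example: report whether a volume is protected by TPM+PIN.
# Assumption: the BitLocker module (Get-BitLockerVolume) is installed.

function Test-TpmPinProtector {
    param(
        # Mount point to check; defaults to the OS drive.
        [string]$MountPoint = $env:SystemDrive
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types  = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # A TPM-only protector means the PIN requirement from the GPO
    # never took effect on this volume.
    $finding = if ($types -match '^TpmPin') {
        'TPM+PIN protector present'
    } elseif ($types -contains 'Tpm') {
        'TPM-only protector: PIN policy not applied to this volume'
    } elseif ($types.Count -eq 0) {
        'No key protectors: volume is not protected yet'
    } else {
        'No TPM-based protector found'
    }

    [pscustomobject]@{
        MountPoint       = $volume.MountPoint
        VolumeStatus     = $volume.VolumeStatus
        ProtectionStatus = $volume.ProtectionStatus
        Protectors       = $types -join ', '
        Finding          = $finding
    }
}

# Refresh computer policy first, as the reply suggests, then inspect the volume.
gpupdate /target:computer /force | Out-Null
Test-TpmPinProtector | Format-List
```

This only reports the current protector state; it does not prompt for or force a PIN change.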

This topic is archived. No further replies will be accepted.
