2025-02-25 update: The tool has updated with a new look-and-feel and bug fixes.
2021-11-16: I saw a uservoice on this topic and the idea to allow users to set their own BitLocker PIN after Windows Autopilot, was born. Use it with Windows 10 or Windows 11!
Our goal:
- Use remediation to detect BitLocker KeyProtectorType and download our tool from an Azure storage account if remediation is needed.
- The tool is used to set the BitLocker startup PIN as soon as possible after a device has been provisioned. This allows our users to pick and set a BitLocker PIN of their choice (as long as it follows our policy).
About the tool
The tool is used to allow users to set the BitLocker startup PIN in a user friendly and secure way. It works perfectly along-side your BitLocker policies by querying the registry for minimum allowed PIN, and it checks if enhanced PIN (special characters) is required.
BitLocker Startup PIN – Prerequisites
The disk encryption policy should be configured to allow TPM and and startup PIN. If you want to use Enhanced PIN (allow characters and not only numbers) you will find that in the disk encryption policy as well. 
🛡️Let’s rock and roll!
- We will start off by downloading the content from my GitHub BitLocker-Startup-Pin (github.com). Download the two PowerShell scripts and the zip-file.
This is what your downloaded files should look like
- Optional: Extract the zip-file and replace logo.png to brand the tool with corporate logo (380x80px for best result).
Re-Zip with same file name when you are done. Note! Just zip the contents and not the folder – or the path will be broken going forward.
Optional: Here is the full file path to the executable (tool) if you need to manage ASR.
C:\Windows\Temp\Bitlocker-Startup-Pin-Tool\Bitlocker-Startup-Pin-Tool.exe - Now it is time to upload the zip-file to an Azure storage account and create the SAS URL.
- Check out this post to get started if you do not already have a storage account Create an Azure Storage Account
- Save: the SAS URL in notepad, we are going to need it soon.
- Open: Remediate-Bitlocker-Startup-Pin.ps1 with a PowerShell editor such as PowerShell ISE and paste the SAS URL at row 36.
- Save and close: the PowerShell editor.
- Now it is time create Proactive Remediation.
- Open the Intune portal
- Click: Devices -> Scripts and remediations
- Click: +Create script package
- Name: BitLocker Startup PIN (or by your preference).
- Click: Next
- Detection script file: Select Detect-Bitlocker-Startup-PIN.ps1
- Remediation script file: Select Remediate-Bitlocker-Startup-PIN.ps1
- Click: Next twice
- Assign: as per your need.
In this demo I will assign it to all Windows 10 and Windows 11-devices but will exclude all Cloud PC’s. I am going to schedule it to run on a daily basis but you might want to turn it down to run hourly while running initial tests.
- Click: Next
- Click: Create
Behind the scenes
Let’s have a look at the user experience and do a sneak peak behind the scenes at the same time.
- The detection script will check if a PIN has been set.
- The tool will query the registry for “minimumPIN” and “useEnhancedPIN” values – this reflects your BitLocker policy.
- Notice how the tool adapts to your policy/registry values.
- PIN must match! 😉
- Success! The Exit button is revealed and both text boxes are set to read-only ⭐
- Let’s run the detection script again to make sure the PIN has been successfully set:
Hi Niklas, I really like your work – Awesome! 🙂
I am trying to get the logo as big as you show in this article, but I am not able to get the height as you are showing. I believe the space available to use for the logo is limited in the Window. Do you don’t mind helping me out?
Thank you!
Hi Michael, thanks for reaching out!
You are correct – the logo is set to a fixed size.
The best way to get it to look as good as possible is to create a banner in 380x80px could you please try that?
Let me know if this does not solve the issue and we will dig deeper to make it fit your needs
//Nicklas
Hi Nicklas. I am trying to run this in Windows 11. The scripts run fine, I also see a windows open and close very quickly. Any idea what could be wrong?
Hi Chris,
Have you checked your antivirus log?
//Nicklas
Hey there Nicklas, just wondering if you have released the code for the set-bitlocker app anywhere at all? I like seeing how things work!
Hi,
The source code has not been released. Is there any specific part of the code you want to view?
//Nicklas
Hej Nicklas,
I don’t find any “Proactive remediations” in Intune: Reports -> Endpoint analytics -> ?
Hello Hedi!
Proactive remediations has been renamed and relocated. You will find it here: Intune portal -> Devices -> Remediations
Let me know how it goes!
//Nicklas
Hi Nicklas,
Is this multi-language solution? Is it possible to translate text inside the pop-up?
Hi, multi-language is not supported as for now but I will look into it!
Thanks for the feedback!
br
Nicklas
I am experience something I’d say that is a bug (at least under Win11 23h2).
Enhanced Pin Enabled + Minimum Pin = 8.
The user cannot enter more then 8 characters… but it should be at least 8 characters.
Hi Nico,
Thanks for the feedback. I am currently working on a new version and will include a fix for this bug.
Br,
Nicklas