Yaay, time for another post on BitLocker! I saw a uservoice on this topic and the idea to allow users to set their own pin after autopilot, was born.
Inspired by Oliver Kieselbachs post on setting startup pin by using a win32app I was ready to give the proactive remediation approach a try.
By utilizing proactive remediation we are able to get a somewhat automated process and we will get a pretty good report on our hands as well.
A while back I wrote a blog series on how to move from a traditional to a modern BitLocker management.
Check it out 🙂 Move Bitlocker Management to Microsoft EndPoint Manager Part 1
Our goal here will be to:
- Enable BitLocker during autopilot.
- Use proactive remediation to detect BitLocker KeyProtectorType and download a tool from an Azure storage account if remediation is needed.
- The tool is used to set the BitLocker startup pin.
About the tool
The tool is used to allow the user to set the BitLocker startup pin in a user friendly and secure way. It works perfectly along-side your organizational BitLocker policies by querying the registry for minimum allowed pin and enhanced pin (special characters).
So… here is the deal… I am one of those who enjoy high contrast and colorful stuff… But I am well aware that not everyone agrees with my crazy logos so I have made the tool customizable which allows us to brand it with our own logo. Create your own logo/banner with 380x80px and you will end up with a good looking tool! 😍😃
Good to know: The pin is never saved locally to the device.
… psst, it all works on both Windows 10 and Windows 11.
Pre-requisites
The disk encryption policy should be configured to allow TPM and and startup PIN. If you want to use Enhanced PIN (allow characters and not only numbers) you will find that in the disk encryption policy as well.
See configuration example below:
Let’s rock enroll!
- We will start off by downloading the content from my GitHub BitLocker-Startup-Pin (github.com). Download the two PowerShell scripts and the zip-file.
Have a look at the psf-file, if you are interested in the tool’s source code.
This is what your downloaded files should look like
- Optional: Extract the zip-file and run the tool manually on a test device to try it out.
Replace logo.png to brand the tool with corporate logo/banner (380x80px for best result).
Re-zip with same file name when you are done. Note! Just zip the contents and not the folder itself – or the path will be broken going forward.
Optional: Here is the full file path to the executable (tool) if you need to manage ASR.
C:\Windows\Temp\Bitlocker-Startup-Pin-Tool\Bitlocker-Startup-Pin-Tool.exe - Now it is time to upload the zip-file to an Azure storage account and create the SAS URL.
- Check out this post to get started if you do not already have a storage account Create an Azure Storage Account
- Save: the SAS URL in notepad, we are going to need it soon.
- Open: Remediate-Bitlocker-Startup-Pin.ps1 with a PowerShell editor such as PowerShell ISE and paste the SAS URL at row 34.
- Save and close: the PowerShell editor.
- Now it is time create Proactive Remediation.
- Open MEM: https://endpoint.microsoft.com/
- Click: Reports -> Endpoint analytics -> Proactive remediations.
- Click: +Create script package
- Name: BitLocker Startup Pin (or by your preference).
- Click: Next
- Detection script file: Select Detect-Bitlocker-Startup-Pin.ps1
- Remediation script file: Select Remediate-Bitlocker-Startup-Pin.ps1
- Click: Next twice
- Assign: as per your need.
In this demo I will assign it to all Windows 10 and Windows 11-devices but will exclude all Cloud PC’s. I am going to schedule it to run on a daily basis but you might want to turn it down to run hourly while running initial tests.
- Click: Next
- Click: Create
Behind the scenes
Let’s have a look at the user experience and do a sneak peak behind the scenes at the same time.
- This is what the tool looks like at startup.
- The tool will query the registry for “minimumPin” and “useEnhancedPin” values – this reflects your BitLocker policy.
- Notice how the tool updates based on policy/registry values.
- The user is asked to only use 0-9 if “useEnhancedPin” is not enabled
- PIN must match! 😉
- Success! The Exit button is revealed and both textboxes are set to read-only ⭐
12 thoughts on “BitLocker Startup PIN – the Modern Way”
Hi Niklas, I really like your work – Awesome! 🙂
I am trying to get the logo as big as you show in this article, but I am not able to get the height as you are showing. I believe the space available to use for the logo is limited in the Window. Do you don’t mind helping me out?
Thank you!
Hi Michael, thanks for reaching out!
You are correct – the logo is set to a fixed size.
The best way to get it to look as good as possible is to create a banner in 380x80px could you please try that?
Let me know if this does not solve the issue and we will dig deeper to make it fit your needs
//Nicklas
Hi Nicklas. I am trying to run this in Windows 11. The scripts run fine, I also see a windows open and close very quickly. Any idea what could be wrong?
Hi Chris,
Have you checked your antivirus log?
//Nicklas
Hey there Nicklas, just wondering if you have released the code for the set-bitlocker app anywhere at all? I like seeing how things work!
Hi,
The source code has not been released. Is there any specific part of the code you want to view?
//Nicklas
Hej Nicklas,
I don’t find any “Proactive remediations” in Intune: Reports -> Endpoint analytics -> ?
Hello Hedi!
Proactive remediations has been renamed and relocated. You will find it here: Intune portal -> Devices -> Remediations
Let me know how it goes!
//Nicklas
Hi Nicklas,
Is this multi-language solution? Is it possible to translate text inside the pop-up?
Hi, multi-language is not supported as for now but I will look into it!
Thanks for the feedback!
br
Nicklas
I am experience something I’d say that is a bug (at least under Win11 23h2).
Enhanced Pin Enabled + Minimum Pin = 8.
The user cannot enter more then 8 characters… but it should be at least 8 characters.
Hi Nico,
Thanks for the feedback. I am currently working on a new version and will include a fix for this bug.
Br,
Nicklas