BitLocker Startup Pin – the Modern Way

Yaay, time for another post on BitLocker! I saw a UserVoice request on this topic, and the idea of letting users set their own PIN after Autopilot was born.

Inspired by Oliver Kieselbach's post on setting a startup PIN with a Win32 app, I was ready to give the proactive remediation approach a try.
By using proactive remediation we get a somewhat automated process, and a pretty good report on our hands as well.

A while back I wrote a blog series on how to move from a traditional to a modern BitLocker management.
Check it out 🙂 Move Bitlocker Management to Microsoft EndPoint Manager Part 1

Our goal here will be to:

  • Enable BitLocker during autopilot.
  • Use proactive remediation to detect BitLocker KeyProtectorType and download a tool from an Azure storage account if remediation is needed.
  • The tool is used to set the BitLocker startup pin.

About the tool

The tool allows the user to set the BitLocker startup PIN in a user-friendly and secure way. It works perfectly alongside your organizational BitLocker policies by querying the registry for the minimum allowed PIN length and for enhanced PIN (special characters).

So… here is the deal… I am one of those who enjoy high contrast and colorful stuff… But I am well aware that not everyone agrees with my crazy logos so I have made the tool customizable which allows us to brand it with our own logo. Create your own logo/banner with 380x80px and you will end up with a good looking tool! 😍😃

Good to know: The pin is never saved locally to the device.

… psst, it all works on both Windows 10 and Windows 11.

Pre-requisites

To make this work, the BitLocker policy must allow a TPM startup PIN. I recommend that you use “Allowed” and not “Required”.

If you want to use Enhanced PIN (allow characters and not only numbers) you will find that setting in the Settings Catalog:

Let’s rock enroll!

  1. We will start off by downloading the content from my GitHub BitLocker-Startup-Pin (github.com). Download the two PowerShell scripts and the zip-file.
    Have a look at the psf-file, if you are interested in the tool’s source code.

    This is what your downloaded files should look like
  2. Optional: Extract the zip-file and run the tool manually on a test device to try it out.
    Replace logo.png to brand the tool with corporate logo/banner (380x80px for best result).
    Re-zip with same file name when you are done. Note! Just zip the contents and not the folder itself – or the path will be broken going forward.

    Optional: Here is the full file path to the executable (tool) if you need to manage ASR.
    C:\Windows\Temp\Bitlocker-Startup-Pin-Tool\Bitlocker-Startup-Pin-Tool.exe
  3. Now it is time to upload the zip-file to an Azure storage account and create the SAS URL.
  4. Check out this post to get started if you do not already have a storage account: Create an Azure Storage Account
  5. Save: the SAS URL in notepad, we are going to need it soon.
  6. Open: Remediate-Bitlocker-Startup-Pin.ps1 with a PowerShell editor such as PowerShell ISE and paste the SAS URL at row 34.
  7. Save and close: the PowerShell editor.
  8. Now it is time to create the Proactive Remediation.
  9. Open MEM: https://endpoint.microsoft.com/
  10. Click: Reports -> Endpoint analytics -> Proactive remediations.
  11. Click: + Create script package
  12. Name: BitLocker Startup Pin (or by your preference).
  13. Click: Next
  14. Detection script file: Select Detect-Bitlocker-Startup-Pin.ps1
  15. Remediation script file: Select Remediate-Bitlocker-Startup-Pin.ps1
  16. Click: Next twice
  17. Assign: as per your need.
    In this demo I will assign it to all Windows 10 and Windows 11 devices but will exclude all Cloud PCs. I am going to schedule it to run on a daily basis, but you might want to turn it down to run hourly while running initial tests.
  18. Click: Next
  19. Click: Create
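For reference, here is what the detection half of that script package needs to do. This is an added example written for this post, not the Detect-Bitlocker-Startup-Pin.ps1 from the GitHub repo: it reads the OS volume with Get-BitLockerVolume and returns exit code 1 (remediation needed) only when the drive is BitLocker-protected but has no TPM+PIN key protector. The cmdlet and the KeyProtectorType names are the real ones; the decision to stay silent (exit 0) on devices where BitLocker state cannot be read is a design choice so the tool is not launched where a PIN cannot be added yet.

```powershell
# Detect-Bitlocker-Startup-Pin.ps1 - illustrative detection script (added example,
# not the author's script). Proactive Remediation convention:
#   exit 0 = compliant, nothing to do
#   exit 1 = issue found, run the remediation script
# Everything written with Write-Output shows up in the Proactive remediations report.

$osDrive = $env:SystemDrive

try {
    $volume = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop
}
catch {
    # No BitLocker cmdlets or no volume information: report it, but do not trigger
    # remediation, since the tool cannot add a PIN on such a device anyway.
    Write-Output "Could not read BitLocker state for $($osDrive): $($_.Exception.Message)"
    exit 0
}

# A startup PIN can only be added to a volume that BitLocker is protecting.
if ($volume.VolumeStatus -eq 'FullyDecrypted') {
    Write-Output "$($osDrive) is not BitLocker-encrypted (status $($volume.VolumeStatus)); skipping."
    exit 0
}

# A startup PIN is represented by a TpmPin (or TpmPinStartupKey) key protector.
$pinProtector = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -in @('TpmPin', 'TpmPinStartupKey') }

if ($pinProtector) {
    Write-Output "Startup PIN already configured on $($osDrive) ($($pinProtector.KeyProtectorType -join ', '))."
    exit 0
}

# List the protectors that are present so the report explains why remediation fired.
$types = ($volume.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
Write-Output "No startup PIN on $($osDrive) (protectors: $types); remediation needed."
exit 1
```

Run it once by hand on a test device before uploading it: a device with only a Tpm and RecoveryPassword protector should print the "remediation needed" line and return 1, and the same device returns 0 after the PIN has been set through the tool.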

Behind the scenes

Let’s have a look at the user experience and take a sneak peek behind the scenes at the same time.

  • This is what the tool looks like at startup.
  • The tool will query the registry for “minimumPin” and “useEnhancedPin” values – this reflects your BitLocker policy.

  • Notice how the tool updates based on policy/registry values.
  • The user is asked to only use 0-9 if “useEnhancedPin” is not enabled.

  • Pin must match! 😉
  • Success! The Exit button is revealed and both textboxes are set to read-only ⭐
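The policy lookup and the input rules described above can be reproduced in a few lines of PowerShell. The following is an added example, not the tool's own source code: it reads MinimumPIN and UseEnhancedPin from the BitLocker policy key, validates a candidate PIN the same way the tool's form does (matching confirmation, length, digits-only unless enhanced PIN is enabled), and shows how the protector is added once validation passes. The registry key and value names are the ones BitLocker policy writes; the fallback values used when a policy value is absent (minimum 6, enhanced PIN off) and the Set-StartupPin function as the way the tool applies the PIN are assumptions.

```powershell
# Added example, not the tool's source. Requires the BitLocker PowerShell module for Set-StartupPin only.

function Get-StartupPinPolicy {
    # BitLocker policy (Intune settings catalog / GPO) lands under this key.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $minimumPin = 6        # assumed fallback when "minimum PIN length" is not configured
    $enhanced   = $false   # assumed fallback when "enhanced PIN" is not configured

    if (Test-Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        if ($null -ne $props.MinimumPIN)     { $minimumPin = [int]$props.MinimumPIN }
        if ($null -ne $props.UseEnhancedPin) { $enhanced   = ([int]$props.UseEnhancedPin -eq 1) }
    }

    [pscustomobject]@{
        MinimumPin     = $minimumPin
        UseEnhancedPin = $enhanced
        MaximumPin     = 20    # BitLocker's upper bound for a startup PIN
    }
}

function Test-StartupPin {
    # Returns an empty list when the PIN is acceptable, otherwise one reason per problem.
    param(
        [Parameter(Mandatory)][string]$Pin,
        [Parameter(Mandatory)][string]$Confirm,
        [Parameter(Mandatory)]$Policy
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    if ($Pin -cne $Confirm) { $problems.Add('PIN and confirmation do not match.') }
    if ($Pin.Length -lt $Policy.MinimumPin) {
        $problems.Add("PIN must be at least $($Policy.MinimumPin) characters (policy).")
    }
    if ($Pin.Length -gt $Policy.MaximumPin) {
        $problems.Add("PIN must be at most $($Policy.MaximumPin) characters.")
    }
    if (-not $Policy.UseEnhancedPin -and $Pin -notmatch '^[0-9]*$') {
        $problems.Add('Enhanced PIN is not enabled by policy: use digits 0-9 only.')
    }
    return $problems
}

function Set-StartupPin {
    # Needs elevation and an encrypted OS volume. The PIN only lives in memory here;
    # nothing is written to disk, matching the "never saved locally" note above.
    param([Parameter(Mandatory)][string]$Pin)
    $secure = ConvertTo-SecureString -String $Pin -AsPlainText -Force
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -Pin $secure -TpmAndPinProtector | Out-Null
}

# Demo with a constructed PIN; validation only, Set-StartupPin is not called here.
$policy = Get-StartupPinPolicy
Write-Output "Policy: minimum length $($policy.MinimumPin), enhanced PIN = $($policy.UseEnhancedPin)"
$issues = Test-StartupPin -Pin '123456' -Confirm '123456' -Policy $policy
if ($issues.Count -eq 0) { Write-Output 'Constructed PIN is accepted by policy.' }
else { $issues | ForEach-Object { Write-Output "Rejected: $_" } }
```

With enhanced PIN disabled, a PIN such as "abc123" is rejected with the digits-only message, which is exactly the hint the tool shows in its form; with the policy enabled it passes, provided it meets the minimum length.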

4 thoughts on “BitLocker Startup Pin – the Modern Way”

  1. Hi Niklas, I really like your work – Awesome! 🙂
    I am trying to get the logo as big as you show in this article, but I am not able to get the height as you are showing. I believe the space available to use for the logo is limited in the window. Would you mind helping me out?
    Thank you!

    1. Hi Michael, thanks for reaching out!
      You are correct – the logo is set to a fixed size.
      The best way to get it to look as good as possible is to create a banner in 380x80px. Could you please try that?

      Let me know if this does not solve the issue and we will dig deeper to make it fit your needs

      //Nicklas

  2. Hi Nicklas. I am trying to run this in Windows 11. The scripts run fine, I also see a window open and close very quickly. Any idea what could be wrong?
