Yaay, time for another post on BitLocker! I saw a UserVoice request on this topic, and the idea to allow users to set their own PIN after Autopilot was born.
Inspired by Oliver Kieselbach's post on setting the startup PIN with a Win32 app, I was ready to give the proactive remediation approach a try.
By utilizing proactive remediation we get a somewhat automated process, and we get a pretty good report on our hands as well.
A while back I wrote a blog series on how to move from a traditional to a modern BitLocker management.
Check it out 🙂 Move Bitlocker Management to Microsoft EndPoint Manager Part 1
Our goal here will be to:
- Enable BitLocker during autopilot.
- Use proactive remediation to detect the BitLocker KeyProtectorType and, if remediation is needed, download a tool from an Azure storage account.
- The tool is used to set the BitLocker startup PIN.
About the tool
The tool is used to allow the user to set the BitLocker startup PIN in a user friendly and secure way. It works perfectly alongside your organizational BitLocker policies by querying the registry for the minimum allowed PIN length and enhanced PIN (special characters).
So… here is the deal… I am one of those who enjoy high contrast and colorful stuff. But I am well aware that not everyone agrees with my crazy logos, so I have made the tool customizable, which allows us to brand it with our own logo. Create your own logo/banner at 380x80px and you will end up with a good looking tool! 😍😃
Good to know: the PIN is never saved locally on the device.
… psst, it all works on both Windows 10 and Windows 11.
To make this work it is important that your policy allows a TPM startup PIN. I recommend that you use “Allowed” and not “Required”.
If you want to use Enhanced PIN (allow characters and not only numbers) you will find that setting in the Settings Catalog:
Let’s rock enroll!
- We will start off by downloading the content from my GitHub: BitLocker-Startup-Pin (github.com). Download the two PowerShell scripts and the zip-file.
Have a look at the psf-file if you are interested in the tool’s source code.
This is what your downloaded files should look like:
- Optional: Extract the zip-file and run the tool manually on a test device to try it out.
Replace logo.png to brand the tool with your corporate logo/banner (380x80px for best result).
Re-zip with the same file name when you are done. Note! Zip just the contents, not the folder itself, or the path will be broken going forward.
Optional: Here is the full file path to the executable (tool) if you need to manage ASR.
- Now it is time to upload the zip-file to an Azure storage account and create the SAS URL.
- Check out this post to get started if you do not already have a storage account: Create an Azure Storage Account
- Save: the SAS URL in Notepad; we are going to need it soon.
- Open: Remediate-Bitlocker-Startup-Pin.ps1 with a PowerShell editor such as PowerShell ISE and paste the SAS URL on row 34.
- Save and close: the PowerShell editor.
- Now it is time to create the Proactive Remediation.
- Open MEM: https://endpoint.microsoft.com/
- Click: Reports -> Endpoint analytics -> Proactive remediations.
- Click: +Create script package
- Name: BitLocker Startup Pin (or by your preference).
- Click: Next
- Detection script file: Select Detect-Bitlocker-Startup-Pin.ps1
- Remediation script file: Select Remediate-Bitlocker-Startup-Pin.ps1
- Click: Next twice
- Assign: as per your need.
In this demo I will assign it to all Windows 10 and Windows 11 devices but exclude all Cloud PCs. I am going to schedule it to run daily, but you might want to change it to run hourly while running initial tests.
- Click: Next
- Click: Create
Behind the scenes
Let’s have a look at the user experience and take a sneak peek behind the scenes at the same time.
- This is what the tool looks like at startup.
- The tool will query the registry for the “minimumPin” and “useEnhancedPin” values; these reflect your BitLocker policy.
- Notice how the tool updates based on the policy/registry values.
- The user is asked to only use 0-9 if “useEnhancedPin” is not enabled.
- Pin must match! 😉
- Success! The Exit button is revealed and both textboxes are set to read-only ⭐
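To tie the detection step (KeyProtectorType) and the policy lookup the tool performs together, here is an added example of what a detection script for this proactive remediation can look like. It is not the Detect-Bitlocker-Startup-Pin.ps1 from the GitHub repo; it exits 1 (remediation needed) only when the OS volume is protected but has no TpmPin protector and policy actually allows a startup PIN. The registry names under HKLM:\SOFTWARE\Policies\Microsoft\FVE are the BitLocker policy values (MinimumPIN, UseEnhancedPin, UseTPMPIN); the UseTPMPIN pre-check is my addition.

```powershell
# Added example detection script (not the author's). Exit 0 = compliant, exit 1 = run remediation.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    # Read one BitLocker policy value; fall back to $Default when the policy is not set.
    param([string]$Name, $Default)
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

try {
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
} catch {
    Write-Output "Unable to query BitLocker on $($env:SystemDrive): $_"
    exit 0   # nothing to remediate if BitLocker cannot be queried
}

# Only act on volumes that are already protected (Autopilot enables BitLocker with a TPM protector).
if ($osVolume.ProtectionStatus -ne 'On') {
    Write-Output "BitLocker protection is not On (status: $($osVolume.ProtectionStatus)); skipping."
    exit 0
}

# A startup PIN shows up as a separate 'TpmPin' key protector on the OS volume.
$protectorTypes = $osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ($protectorTypes -contains 'TpmPin') {
    Write-Output 'Compliant: TpmPin protector present.'
    exit 0
}

# UseTPMPIN: 0 = Do not allow, 1 = Required, 2 = Allowed.
# The tool can only add a PIN when policy allows it, so do not trigger remediation otherwise.
$useTpmPin   = Get-FvePolicyValue -Name 'UseTPMPIN'      -Default 0
$minimumPin  = Get-FvePolicyValue -Name 'MinimumPIN'     -Default 6   # 6 is the Windows default
$enhancedPin = Get-FvePolicyValue -Name 'UseEnhancedPin' -Default 0

if ($useTpmPin -notin 1, 2) {
    Write-Output "No TpmPin protector, but policy does not allow a TPM startup PIN (UseTPMPIN=$useTpmPin); skipping."
    exit 0
}

# The output line lands in the proactive remediation report, so include the policy values the tool will enforce.
Write-Output "Remediation needed: no TpmPin protector. Policy: MinimumPIN=$minimumPin, UseEnhancedPin=$enhancedPin."
exit 1
```

Because the script exits 0 when policy forbids a TPM PIN, the report will not show endless failed remediations on devices where the tool could never succeed.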