BitLocker Startup Pin – the Modern Way

Yaay, time for another post on BitLocker! I saw a UserVoice request on this topic, and the idea of letting users set their own PIN after Autopilot was born.

Inspired by Oliver Kieselbach's post on setting a startup PIN using a Win32 app, I was ready to give the proactive remediation approach a try.
By using proactive remediation we get a somewhat automated process, and we get a pretty good report in our hands as well.

A while back I wrote a blog series on how to move from a traditional to a modern BitLocker management.
Check it out 🙂 Move Bitlocker Management to Microsoft EndPoint Manager Part 1 (nicklasahlberg.se)

Our goal here will be to:

  • Enable BitLocker during Autopilot.
  • Use proactive remediation to detect the BitLocker KeyProtectorType and download a tool from an Azure storage account if remediation is needed.
  • The tool is used to set the BitLocker startup PIN.
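The detection half of that design, written out as an added example (this is not the Detect-Bitlocker-Startup-Pin.ps1 from the author's GitHub repo): a proactive remediation detection script signals "compliant" with exit code 0 and "remediation needed" with a non-zero exit code, and whatever it writes to standard output shows up in the Endpoint analytics report. The script below looks at the key protectors on the OS drive and only reports compliant when a PIN-based protector is present. Get-BitLockerVolume needs elevation, so this assumes the script package runs in the default SYSTEM context.

```powershell
# Added example (not the author's detection script): proactive remediation detection.
# Exit 0 = compliant (no remediation), exit 1 = remediation needed.
$osDrive = $env:SystemDrive

try {
    $volume = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop
}
catch {
    # No BitLocker cmdlets, no TPM, or the volume is not managed by BitLocker at all
    Write-Output "Cannot query BitLocker on $osDrive : $($_.Exception.Message)"
    exit 1
}

# Summarise the protector types so they are visible in the Proactive remediations report
$protectorTypes = ($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

if ($volume.ProtectionStatus -ne 'On') {
    Write-Output "Protection is $($volume.ProtectionStatus) on $osDrive; protectors: $protectorTypes"
    exit 1
}

# Any protector that includes a PIN satisfies the requirement
$pinProtector = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -in 'TpmPin', 'TpmPinStartupKey' }

if ($pinProtector) {
    Write-Output "Startup PIN already configured on $osDrive; protectors: $protectorTypes"
    exit 0
}

Write-Output "No startup PIN on $osDrive; protectors: $protectorTypes"
exit 1
```

Reporting the full protector list rather than just "yes/no" is deliberate: a device that shows only RecoveryPassword, or nothing at all, has a different problem from one that simply lacks the PIN, and the report lets you tell them apart without touching the device.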

About the tool

The tool allows the user to set the BitLocker startup PIN in a user-friendly and secure way. It works perfectly alongside your organizational BitLocker policies by querying the registry for the minimum allowed PIN length and the enhanced PIN setting (special characters).

So… here is the deal… I am one of those who enjoy high contrast and colorful stuff… But I am well aware that not everyone agrees with my crazy logos, so I have made the tool customizable, which allows you to brand it with your own logo. Create your own logo/banner at 380x80px and you will end up with a good-looking tool! 😍😃

Good to know: the PIN is never saved locally on the device.

… psst, it all works on both Windows 10 and Windows 11.

Pre-requisites

To make this work it is important that policy allows a TPM startup PIN. I recommend that you use “Allowed” and not “Required”: with “Required”, BitLocker cannot be enabled silently during Autopilot, because no user is present to set a PIN.

Let’s rock enroll!

  1. We will start off by downloading the content from my GitHub repo BitLocker-Startup-Pin (github.com). Download the two PowerShell scripts and the zip file.
    Have a look at the .psf file if you are interested in the tool's source code.

    This is what your downloaded files should look like.
  2. Optional: Extract the zip file and run the tool manually on a test device to try it out.
    Replace logo.png to brand the tool with your corporate logo/banner (380x80px for best results).
    Re-zip with the same file name when you are done. Note! Zip only the contents, not the folder itself, or the path will be broken going forward.


    This is what it should look like after you have re-zipped the content.
  3. Optional: Here is the full path to the executable (tool) in case you need to manage ASR (attack surface reduction) exclusions.
    C:\Windows\Temp\Bitlocker-Startup-Pin-Tool\Bitlocker-Startup-Pin-Tool.exe
  4. Now it is time to upload the zip file to an Azure storage account and create the SAS URL.
  5. If you do not already have a storage account, check out this post to get started: Create an Azure Storage Account
  6. Save the SAS URL in Notepad; we are going to need it soon.
  7. Open Remediate-Bitlocker-Startup-Pin.ps1 in a PowerShell editor such as PowerShell ISE and paste the SAS URL on line 34.
  8. Save and close the PowerShell editor.
  9. Now it is time to create the Proactive Remediation.
  10. Open MEM: https://endpoint.microsoft.com/
  11. Click Reports -> Endpoint analytics -> Proactive remediations.
  12. Click + Create script package.
  13. Name: BitLocker Startup Pin (or by your preference).
  14. Click Next.
  15. Detection script file: Select Detect-Bitlocker-Startup-Pin.ps1
  16. Remediation script file: Select Remediate-Bitlocker-Startup-Pin.ps1
  17. Click Next twice.
  18. Assign as per your needs.
    In this demo I will assign it to all Windows 10 and Windows 11 devices but exclude all Cloud PCs. I am going to schedule it to run daily, but you might want to run it hourly while doing initial tests.
  19. Click Next.
  20. Click Create.
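To show what the remediation side of the procedure above has to do, here is an added example of a remediation script (it is not the author's Remediate-Bitlocker-Startup-Pin.ps1, and the SAS URL and hash values are placeholders you would replace). It downloads the zip from the storage account, optionally checks its SHA256 against the hash of the file you uploaded, unpacks it to the C:\Windows\Temp path given in step 3, and launches the tool. The check for the exe after extraction catches the "zipped the folder instead of its contents" mistake from step 2 before anything runs.

```powershell
# Added example (not the author's remediation script). Placeholders: <storageaccount>,
# <container>, <sas-token> and <sha256-of-your-zip> must be replaced before use.
$sasUrl  = 'https://<storageaccount>.blob.core.windows.net/<container>/Bitlocker-Startup-Pin-Tool.zip?<sas-token>'
$zipPath = Join-Path $env:windir 'Temp\Bitlocker-Startup-Pin-Tool.zip'
$workDir = Join-Path $env:windir 'Temp\Bitlocker-Startup-Pin-Tool'
$toolExe = Join-Path $workDir 'Bitlocker-Startup-Pin-Tool.exe'

# Optional integrity check: SHA256 of the zip you uploaded (leave the placeholder to skip)
$expectedSha256 = '<sha256-of-your-zip>'

# Older Windows 10 builds may not negotiate TLS 1.2 by default for Invoke-WebRequest
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

try {
    Invoke-WebRequest -Uri $sasUrl -OutFile $zipPath -UseBasicParsing -ErrorAction Stop

    if ($expectedSha256 -notmatch '^<') {
        $actual = (Get-FileHash -Path $zipPath -Algorithm SHA256).Hash
        if ($actual -ne $expectedSha256.ToUpperInvariant()) {
            throw "Downloaded zip hash $actual does not match expected $expectedSha256"
        }
    }

    # Start from a clean folder so a stale logo.png or exe from an earlier run cannot linger
    if (Test-Path $workDir) { Remove-Item -Path $workDir -Recurse -Force }
    Expand-Archive -Path $zipPath -DestinationPath $workDir -Force

    if (-not (Test-Path $toolExe)) {
        throw "Tool not found at $toolExe (was the zip created from the folder contents, not the folder?)"
    }

    $proc = Start-Process -FilePath $toolExe -Wait -PassThru
    Write-Output "Tool exited with code $($proc.ExitCode)"
    exit $proc.ExitCode
}
catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
finally {
    Remove-Item -Path $zipPath -Force -ErrorAction SilentlyContinue
}
```

Two things worth keeping in mind about the SAS URL you paste into this script: give it read-only permission on that one blob with an expiry date, because every device that receives the script package can read the token, and treat write access to the container as equivalent to code execution on every assigned device, since whatever zip sits at that URL is what the fleet downloads and runs.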

Behind the scenes

Let’s have a look at the user experience and take a sneak peek behind the scenes at the same time.

  • This is what the tool looks like at startup.
  • The tool queries the registry for the “minimumPin” and “useEnhancedPin” values; these reflect your BitLocker policy.

  • Notice how the tool updates based on the policy/registry values.
  • The user is asked to use only 0-9 if “useEnhancedPin” is not enabled.

  • The PINs must match! 😉
  • Success! The Exit button is revealed and both textboxes are set to read-only ⭐
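The policy-aware checks the tool performs (minimum length, digits-only unless enhanced PINs are enabled, the two entries matching) and the final protector change are shown below as an added console example; it is not the tool's source code from the .psf file. It reads the same BitLocker policy values the tool uses from HKLM\SOFTWARE\Policies\Microsoft\FVE (MinimumPIN and UseEnhancedPin), keeps the PIN only in memory as the text states, and then adds a TPM+PIN protector with Add-BitLockerKeyProtector. It assumes it runs elevated on a device where BitLocker is already on with a TPM-only protector, which is the state Autopilot leaves the device in.

```powershell
# Added example (not the author's tool): policy-aware PIN validation, then set the protector.
$fvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BitLockerPinPolicy {
    # Defaults when the policy values are absent: Windows requires 6 digits, enhanced PINs off
    $policy = @{ MinimumPin = 6; UseEnhancedPin = $false }
    if (Test-Path -Path $fvePolicyKey) {
        $values = Get-ItemProperty -Path $fvePolicyKey
        if ($null -ne $values.MinimumPIN)     { $policy.MinimumPin     = [int]$values.MinimumPIN }
        if ($null -ne $values.UseEnhancedPin) { $policy.UseEnhancedPin = ([int]$values.UseEnhancedPin -eq 1) }
    }
    return $policy
}

function Test-BitLockerPin {
    # Returns $null when the PIN is acceptable, otherwise a message for the user
    param([string]$Pin, [string]$Confirm, [hashtable]$Policy)

    if ($Pin -ne $Confirm)                  { return 'The PINs do not match' }
    if ($Pin.Length -lt $Policy.MinimumPin) { return "The PIN must be at least $($Policy.MinimumPin) characters" }
    if ($Pin.Length -gt 20)                 { return 'The PIN must be at most 20 characters' }
    if (-not $Policy.UseEnhancedPin -and $Pin -notmatch '^[0-9]+$') {
        return 'Policy allows only the digits 0-9 (enhanced PINs are not enabled)'
    }
    return $null
}

$policy        = Get-BitLockerPinPolicy
$securePin     = Read-Host -Prompt 'Enter startup PIN' -AsSecureString
$secureConfirm = Read-Host -Prompt 'Confirm startup PIN' -AsSecureString

# The plain-text values exist only transiently inside this process and are never written out
$problem = Test-BitLockerPin `
    -Pin     ([System.Net.NetworkCredential]::new('', $securePin).Password) `
    -Confirm ([System.Net.NetworkCredential]::new('', $secureConfirm).Password) `
    -Policy  $policy

if ($problem) {
    Write-Output $problem
    exit 1
}

$osDrive = $env:SystemDrive
Add-BitLockerKeyProtector -MountPoint $osDrive -Pin $securePin -TpmAndPinProtector | Out-Null

# Only one TPM-based protector can exist; make sure no PIN-less TPM protector is left behind
$leftover = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'Tpm'
foreach ($p in $leftover) {
    Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
}

Write-Output "Startup PIN set on $osDrive; protectors: $(((Get-BitLockerVolume -MountPoint $osDrive).KeyProtector.KeyProtectorType) -join ',')"
exit 0
```

Reading the limits from the FVE policy key instead of hard-coding them is what makes the tool "work alongside your BitLocker policies": when you later raise the minimum PIN length or switch enhanced PINs on in Intune, the checks follow without a new build of the tool.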
