Forcing PIN change

  • Question

  • Hi Guys,

    MBAM Version : 2.5.1

    Can anyone tell me if there is a way to force users to change their MBAM PIN regularly and more often than default?

    All I see in GPOs is an option to allow users to change it

    If there is no standard method has anyone tried to find a creative solution with scripts or something?

    thanks for any help

    Monday, October 14, 2019 9:51 AM

Answers

  • Sure.

    First, make perfectly sure that you have the recovery key backed up somewhere.

    Then use an immediate scheduled task that runs as the SYSTEM account and deletes the PIN like this:

    manage-bde -protectors -delete c: -type TPMAndPIN

    Then, use my PowerShell script from my article to set a new random PIN:

    # draw a 6-digit PIN; -Maximum is exclusive, so 1000000 makes 999999 reachable
    $pin=(Get-Random -Minimum 0 -Maximum 1000000).ToString('000000')
    # append the new PIN to a per-computer file on the share (written in cleartext)
    echo "$pin" | out-file \\server\pins\$env:computername.txt -Append
    $SecureString = ConvertTo-SecureString "$pin" -AsPlainText -Force
    # add the new TPM+PIN protector (the old one was deleted by manage-bde above)
    Add-BitLockerKeyProtector -MountPoint "C:" -Pin $SecureString -TpmAndPinProtector
    # tell the logged-on user the new PIN
    msg * /time:0 Your Bitlocker PIN has been changed to $pin
    # remove the one-shot scheduled task (named BL) that ran this script
    schtasks /delete /tn BL /f


    • Edited by Ronald Schilf Tuesday, October 15, 2019 3:41 PM
    • Marked as answer by fujitsuuk Tuesday, October 15, 2019 4:16 PM
    Tuesday, October 15, 2019 3:40 PM
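Added example, not Ronald's script or anything posted in the thread: the same rotation with the recovery-key check done up front, a CSPRNG-generated PIN instead of Get-Random, and a verification step before the PIN is reported. It assumes Windows PowerShell 5.1 with the BitLocker module in an elevated (e.g. SYSTEM scheduled task) context; the names New-RandomPin, Reset-BitLockerPin and the -EscrowToAD switch are made up for this example.

```powershell
# Added example (not from the thread): rotate the TPM+PIN protector with a CSPRNG PIN,
# refusing to proceed unless a recovery password protector exists. Assumes Windows
# PowerShell 5.1, an elevated/SYSTEM context and the BitLocker module; function and
# switch names (New-RandomPin, Reset-BitLockerPin, -EscrowToAD) are made up here.
function New-RandomPin {
    param([int]$Digits = 6)   # BitLocker's default minimum PIN length
    $max   = [long][math]::Pow(10, $Digits)
    # rejection sampling: discard draws above the largest multiple of $max, so no modulo bias
    $limit = [long][uint32]::MaxValue - ([long][uint32]::MaxValue % $max)
    $rng   = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
    $buf   = New-Object byte[] 4
    try {
        do {
            $rng.GetBytes($buf)
            $value = [long][BitConverter]::ToUInt32($buf, 0)
        } while ($value -ge $limit)
    } finally { $rng.Dispose() }
    return ($value % $max).ToString().PadLeft($Digits, '0')
}

function Reset-BitLockerPin {
    param([string]$MountPoint = 'C:', [switch]$EscrowToAD)
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        throw "No recovery password protector on $MountPoint; not touching the PIN."
    }
    if ($EscrowToAD) {
        # escrow to AD DS (needs the matching BitLocker GPO); with MBAM the agent escrows instead
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery[0].KeyProtectorId | Out-Null
    }
    $pin    = New-RandomPin
    $secure = ConvertTo-SecureString $pin -AsPlainText -Force
    # only one TPM-based protector may exist, so remove the current TPM+PIN one first
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $secure | Out-Null
    # verify the new protector really exists before telling anyone the PIN
    $after = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
             Where-Object KeyProtectorType -eq 'TpmPin'
    if (-not $after) { throw "TPM+PIN protector missing after rotation; use the recovery password." }
    return $pin   # caller decides how to hand this to the user
}
```

Call Reset-BitLockerPin from the scheduled task in place of the manage-bde/Get-Random pair; if the recovery password protector is absent the function throws before any protector is removed.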

All replies

  • First note that MBAM doesn't have any PINs, BitLocker does though. This is a very important distinction.

    There's nothing built-in, no, as this could easily lead to data loss: PINs aren't escrowed anywhere, and thus there is no recovery process if the user can't remember the one specific to the system that they are on. What's your goal for changing them? What's your requirement for using them in the first place?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, October 14, 2019 12:27 PM
  • You cannot force PIN changes by means of something that is built-in.

    All you can do is script it. Before I tell you how, I would like to make you aware of certain aspects:

    - PINs cannot be brute-forced since you have only 32 tries (until TPM lockout), thus changing them is normally never needed

    - PINs don't allow you to decrypt the drive. All they do is allow you to boot the machine to the logon screen

    So the question is, why do you see a need to change them?

    Another question: why would you allow the user to set it? Users will use their birthday and such, which can be found out by an attacker. It's better to set a randomized PIN and hand it to the user.

    Monday, October 14, 2019 1:18 PM
  • Hi Ronald,

    Thanks for your reply

    This is more of a bungle rectification :-)

    When the customer W10 build was done, they stupidly set the PIN to be the same for every machine and the customer would now like to force their users to change it. This would be a one-off change rather than a regular one. Can you help with a script?

    Tuesday, October 15, 2019 2:42 PM
  • Thanks Ronald, I'll do some testing with this :-)

    cheers

    Tuesday, October 15, 2019 4:16 PM