SCCM 2012, BitLocker and force changing PIN

  • General discussion

  • I deploy Windows 7 using SCCM 2012 and enable BitLocker with a PIN of 1234.

    Will it be possible to enforce a PIN change on first use? And how?

    Thursday, March 28, 2013 3:36 PM

All replies

  • Hi,


    For SCCM related issue, I suggest you post it via Configuration Manager 2012 - Operating System Deployment forum to get more help.


    Thanks,


    Vincent Wang
    TechNet Community Support

    Friday, March 29, 2013 2:57 AM
    Moderator
  • You need to use a VBScript and call the changePIN UI screen which a user generally uses to change the PIN from Control Panel.

    Users require admin rights to change the PIN.

    Suggestion:

    Use MBAM as a product, which allows a standard user to change the PIN.

    MBAM stands for Microsoft BitLocker Administration & Monitoring which is part of MDOP Suite.

    Note:

    In Win8 a standard user can change the PIN or password of a volume.


    Manoj Sehgal

    Monday, April 1, 2013 12:57 AM
  • You need to use a VBScript and call the changePIN UI screen which a user generally uses to change the PIN from Control Panel.

    I would love to see this solution. How this can be called?
    Monday, April 8, 2013 2:51 PM
  • http://fbinotto.blogspot.nl/2012/06/powershell-set-bitlocker-pin-only-if.html#!/2012/06/powershell-set-bitlocker-pin-only-if.html

    If you enable BitLocker during your Task Sequence you know that a PIN can be set, but what you really want is for the users to set their own PINs.

    After the Task Sequence is completed the user can't set the PIN as well because it requires admin rights. So how do you set it?
    What you can do is set a generic PIN and then deploy a script prompting the user to set their PIN.
    Christjan Schumann wrote this script to let the users reset their pins.

    $DriveLetter = "C:"
    # Get the WMI object of the drive $DriveLetter if it's encrypted (ProtectionStatus=1)
    $EncryptableVolume = Get-WmiObject -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption" -Class Win32_EncryptableVolume -Filter "ProtectionStatus=1 AND DriveLetter='$DriveLetter'"
    if ($EncryptableVolume)
    {
        # Handle 64-bit file system redirection on a 32-bit SCCM client
        # (assumes the script runs in a 32-bit host process; "sysnative" does not exist for 64-bit processes)
        $OS = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture
        if ($OS.OSArchitecture -like "64*")
        {
            $sysfldr = "sysnative"
        } else {
            $sysfldr = "system32"
        }
        # Launch the elevated PIN-change wizard for this volume; the call operator passes
        # the DeviceID (\\?\Volume{...}\) as one argument instead of re-parsing a built string
        & "$ENV:windir\$sysfldr\bitlockerwizardelev.exe" $EncryptableVolume.DeviceID "U"
    }
    But there is one problem with the script: it only resets a PIN, so if there is no PIN set you won't be able to reset it.

    So the additional step you have to take is to set the PIN during the Task Sequence or in the beginning of the script above.

    This has to be added.

    # Filter to the one volume, otherwise $bit is an array and the method call fails on multi-volume machines
    $bit = Get-WmiObject -Namespace root\cimv2\security\microsoftvolumeencryption -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
    # ProtectKeyWithTPMAndPIN(FriendlyName, PlatformValidationProfile, PIN): empty name, default profile, generic PIN
    $bit.ProtectKeyWithTPMAndPIN("", "", "123456")
    It will set a generic PIN of 123456 and afterwards the user will be able to reset it.
    Tuesday, April 9, 2013 8:22 AM
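    As an added example (not code from the linked blog post or from anyone in this thread), the two snippets above folded into one script: it adds the generic PIN only when the volume has no TPM+PIN protector yet, so the wizard has something to change, and then launches the wizard. The names $DriveLetter and $GenericPin, the placeholder PIN value, and the use of $null for the default platform validation profile are assumptions.

    ```powershell
    # Added example, not the blog's script. Constructed placeholder values:
    $DriveLetter = "C:"
    $GenericPin  = "123456"
    $ns = "Root\CIMV2\Security\MicrosoftVolumeEncryption"

    # Only act on an encrypted volume (ProtectionStatus=1) with the wanted drive letter
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
           -Filter "ProtectionStatus=1 AND DriveLetter='$DriveLetter'"
    if (-not $vol) { Write-Warning "$DriveLetter is not BitLocker-protected"; return }

    # KeyProtectorType 4 = "TPM And PIN". bitlockerwizardelev.exe can only change a
    # PIN that already exists, so add one when the volume has no such protector.
    $tpmPin = $vol.GetKeyProtectors(4)
    if ($tpmPin.ReturnValue -ne 0) {
        throw ("GetKeyProtectors failed: 0x{0:X8}" -f $tpmPin.ReturnValue)
    }
    if (-not $tpmPin.VolumeKeyProtectorID) {
        # FriendlyName "", $null = default platform validation profile (assumption), generic PIN
        $r = $vol.ProtectKeyWithTPMAndPIN("", $null, $GenericPin)
        if ($r.ReturnValue -ne 0) {
            throw ("ProtectKeyWithTPMAndPIN failed: 0x{0:X8}" -f $r.ReturnValue)
        }
    }

    # PROCESSOR_ARCHITEW6432 is only set inside a WOW64 (32-bit on 64-bit) process,
    # which is exactly when System32 is redirected and "sysnative" is needed.
    $sysfldr = if ($env:PROCESSOR_ARCHITEW6432) { "sysnative" } else { "system32" }
    $wizard  = Join-Path $env:windir "$sysfldr\bitlockerwizardelev.exe"

    # Call operator passes the \\?\Volume{...}\ DeviceID as one argument; no string
    # building and no Invoke-Expression re-parse of the path.
    & $wizard $vol.DeviceID "U"
    ```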
  • Suggestion:

    Use MBAM as a product, which allows a standard user to change the PIN.

    MBAM stands for Microsoft BitLocker Administration & Monitoring which is part of MDOP Suite.


    MBAM requires SQL Enterprise because of securing the database. Enterprise SQL costs a lot and is not worth purchasing only because of BitLocker management. This is a very usual scenario in smaller countries, where there are a lot of organizations with less than 1 thousand computers.

    I would personally not suggest using a PIN at all because of the lack of decent management support. Use a PIN only if you have SQL Enterprise already.
    Sunday, April 14, 2013 11:20 AM
  • Hi Yannara

    Last week Microsoft released MBAM 2.0, where SQL Standard is working! Cool enhancements in Version 2.0...

    Kind regards
    Chris

    Thursday, April 18, 2013 7:24 PM
  • Hi Yannara

    Last week Microsoft released MBAM 2.0, where SQL Standard is working! Cool enhancements in Version 2.0...

    Kind regards
    Chris

    I've watched this video, where it is said that Enterprise or Datacenter edition is still required.

    http://technet.microsoft.com/en-us/windows/jj822163.aspx

    But here, Standard seems to be supported: http://technet.microsoft.com/en-us/library/dn145074.aspx

    Friday, April 19, 2013 1:50 PM
  • MBAM 2.0 Beta did not support SQL Standard Edition.

    MBAM 2 RTM allows SQL Standard edition.

    Microsoft best practice is to use SQL TDE to protect SQL DB.


    Manoj Sehgal

    Saturday, April 20, 2013 11:20 AM
  • Just thinking, if I have MDOP 2013 media with MBAM 2.0, could I use only the MBAM 2.0 client to provide the change PIN code? I don't need to install a separate server for the entire MBAM infrastructure?

    The problem with the script above is that it enables the user to print the recovery key; via SCCM deployment, BitLocker group policies have no effect.

    Tuesday, April 23, 2013 8:15 AM
  • Please, explain me where is the file bitlockerwizardelev.exe ?

    Thank you!

    Tuesday, March 19, 2019 10:07 AM
  • Please, explain me where is the file bitlockerwizardelev.exe ?

    Thank you!


    Are you kidding me? :D … raise 6 year old thread about a side issue :D

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Thursday, March 21, 2019 1:25 PM