How can we set and enforce a common BitLocker PIN for users and distribute the PIN to them for login? Prefer group policy.

  • Question

  • As most of the users are working from home due to COVID-19, the IT team prefers to set a common PIN and distribute it to users. The problem we have is that BitLocker is not enabled at all on all laptops, and we are not sure whether all laptops have TPM enabled. To minimize complexity, I am thinking of having a GPO to enable BitLocker PIN without TPM for all laptops and enforce it.

    However, the question I have is: can we set and enforce a common PIN for users and distribute the PIN to them for login?

    We are using 2016 AD and Windows 10 PRO V1909.

    Appreciate your advice on this.

    Thanks

    Wednesday, April 15, 2020 11:55 PM

All replies

  • Hello,

    Thanks for posting in our TechNet forum.

    Based on your description, we can edit a GPO to enable BitLocker PIN without TPM for all laptops and enforce it.
    The following steps are for your reference:
    1. Open the group policy editor (gpedit.msc) as admin.
    2. Then open "Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives".
    3. Open the "Require additional authentication at startup" entry (right sub-window).
    4. Set it to "Enabled" and check "Allow BitLocker without a compatible TPM".


    Here is the link, we could kindly have a check for reference.
    https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10

    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.

    Hope the information is helpful. For any question, please feel free to contact us.

    Best Regards,
    Snowy Guan

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, April 16, 2020 5:54 AM
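
An added example, not part of the thread or of any reply: a read-only PowerShell check that reports, per laptop, whether a TPM is usable and whether the policy from the steps above has reached the client. The function name `Get-BitLockerReadiness` is hypothetical; `UseAdvancedStartup` and `EnableBDEWithNoTPM` are the registry values this policy writes under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Read-only: it changes nothing on the machine.

function Get-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # Registry location where the BitLocker group policy settings land on the client.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $policyOn   = [bool]($fve -and $fve.UseAdvancedStartup -eq 1)  # "Require additional authentication at startup"
    $allowNoTpm = [bool]($fve -and $fve.EnableBDEWithNoTPM -eq 1)  # "Allow BitLocker without a compatible TPM"

    # Either cmdlet can fail (no TPM driver, BitLocker module missing); treat that as unknown.
    $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }
    $vol = try { Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop } catch { $null }

    $tpmReady   = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
    $protectors = @()
    if ($vol) { $protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }) }

    # One-line verdict so the results from many laptops can be sorted and counted.
    $finding = if (-not $vol) { 'BitLocker cmdlets unavailable or volume not found' }
        elseif ("$($vol.ProtectionStatus)" -eq 'On') { 'Already protected' }
        elseif ($tpmReady) { 'TPM ready: a TPM-based protector can be used' }
        elseif ($policyOn -and $allowNoTpm) { 'No usable TPM, policy applied: password or startup key only' }
        else { 'No usable TPM and policy not applied: OS drive cannot be encrypted yet' }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        TpmReady            = $tpmReady
        PolicyEnabled       = $policyOn
        AllowWithoutTpm     = $allowNoTpm
        VolumeStatus        = if ($vol) { [string]$vol.VolumeStatus } else { 'Unknown' }
        ProtectionStatus    = if ($vol) { [string]$vol.ProtectionStatus } else { 'Unknown' }
        KeyProtectors       = $protectors -join ','
        HasRecoveryPassword = $protectors -contains 'RecoveryPassword'
        Finding             = $finding
    }
}

Get-BitLockerReadiness | Format-List
```
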
  • To enable encryption without being local admin is not possible, so you need to use GPOs to deploy scripts that do it for you, since you don't seem to have access to MBAM (which is an enterprise deployment and management tool for BitLocker, but only available to volume license customers).

    See my article for such a script: https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html

    Without a TPM, you will need to skip all lines but 6 and 7.

    Please note that the script is intended to save the key to AD, so it should only be used when users have permanent network access, using a VPN that starts before logon.

    Thursday, April 16, 2020 7:59 AM
  • Hello,

    We would like to hear your feedback about whether our issue has been solved. If the issue has been solved, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If no, please reply and tell us the current situation in order to provide further help.

    Best regards,
    Snowy Guan


    Monday, April 20, 2020 5:50 AM
  • Hello,

    Has this question had any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?

    Thank you so much for your time and support.

    Best regards,
    Snowy Guan



    Thursday, April 23, 2020 5:29 AM
  • Hello,

    Haven't received your message for a few days. Was your issue resolved?

    I am proposing previous helpful replies as "Answered". Please feel free to check it and let me know the result. If the reply is helpful, please remember to mark it as answer, which can help other community members who have the same questions find the helpful reply quickly.

    Best Regards,
    Snowy Guan



    Wednesday, April 29, 2020 3:32 AM