Bitlocker TPMandPIN Scripting

  • Question

  • So, I am familiar with the three-step process to force a PIN requirement to access a BitLocker-encrypted hard drive, including:

    • Enabling Bitlocker through the control panel then
    • Turning on the GPO for requiring the TPMandPin and then
    • Using the manage-bde protectors command to hard-set the PIN number

    With that being said, is there a PowerShell or other script that completes those three things, leaving you with a prompt just to enter the PIN for the device?  I'm working on deploying a whole bunch of Win10 Pro devices and this would really simplify the process and save a ton of time.

    Everywhere I have searched (so far) has not led me to any automated process, so I've come here hoping for some expertise.

    Thanks!


    • Edited by OBXBoost Wednesday, January 22, 2020 5:59 PM Formatting
    Wednesday, January 22, 2020 5:56 PM

All replies

  • Look at this article: https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html in the section "Starting the encryption" there is a script that fits your needs. PINs are randomized, no user interaction needed apart from memorizing the PIN.
    Wednesday, January 22, 2020 7:28 PM
  • Only problem is that due to the organization, there is a policy in place for how the PINs are assigned to each mobile device so that it's easier for end users to remember their PIN and for us to know what it is, easily. Also, we aren't adding any more GPOs to this domain or unnecessary changes to AD as we inherited a pretty SNAFU one and are looking to migrate to another one in the next 1.5 years. 
    Thursday, January 23, 2020 1:05 PM
  • You may use a list with your predefined PINs and have the script set them. Create a text file \\server\share\pcs_pins.txt that looks like this:

    PC1 PIN1
    PC2 PIN2
    ...

    and make the script go

    # Look up this computer's predefined PIN: one "COMPUTERNAME PIN" pair per line.
    # Match the first column exactly, so that PC1 does not also match PC10.
    $line = Get-Content \\server\share\pcs_pins.txt |
        Where-Object { ($_ -split '\s+')[0] -eq $env:COMPUTERNAME } |
        Select-Object -First 1
    if (-not $line) { throw "No PIN found for $env:COMPUTERNAME in pcs_pins.txt" }
    $pin = ($line -split '\s+')[1]
    $SecureString = ConvertTo-SecureString "$pin" -AsPlainText -Force
    # Add the TPM+PIN protector first, then turn encryption on with a recovery password
    Add-BitLockerKeyProtector -MountPoint "C:" -Pin $SecureString -TPMandPinProtector
    msg /time:0 * "Your hard drive is being encrypted. To start your PC, you need your Bitlocker-PIN, which is $pin"
    manage-bde -on c: -s -used -rp -em XTS_AES256
    # Remove the scheduled task (named BL) that launched this script
    schtasks /delete /tn BL /f
    Thursday, January 23, 2020 5:26 PM
  • Hi, 

    The Microsoft documentation for Enable-BitLocker states that your first and second requirements could be achieved with the following command:

    $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

    For the third question, we could refer to the following thread:

    Change bitlocker PIN and define the new PIN

    As your issue is more related to PowerShell or scripting, you could contact the PowerShell forum or Script forum for more help. 

    If my information is useful for you, please mark it as answer.

    Bests, 


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 24, 2020 2:39 AM
    Moderator
  • I definitely *do* appreciate your time, but basically the format we are using for the PIN is XXXXYYYY, where XXXX is the 4-digit address of the building where the employee is located and YYYY is the 4-digit employee ID number assigned to the mobile device.  So that would be a little more difficult to align in a table.
    Friday, January 24, 2020 7:22 PM
  • This is kind of what I was looking for, but a way for it to prompt for the PIN and then automatically assign it as $SecureString
    Friday, January 24, 2020 7:23 PM
  • So, running the following:

    $PIN = Read-Host -Prompt 'Input your bitlocker PIN'
    $confirmation = Read-Host "Is the PIN you would like to use: $PIN [yes/no]"
    while($confirmation -ne "yes")
    {
        if ($confirmation -eq 'no') {exit}
        $confirmation = Read-Host "Is the PIN you would like to use: $PIN [yes/no]"
    }
    $SecureString = ConvertTo-SecureString $PIN -AsPlainText -Force
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

    yielded me this:

    Input your bitlocker PIN: ********
    Is the PIN you would like to use: ******** [yes/no]: yes
    Add-TpmAndPinProtectorInternal : Group Policy settings do not permit the use of a PIN at startup. Please choose a different 
    BitLocker startup option. (Exception from HRESULT: 0x80310060)
    At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2099 char:31
    + ...   $Result = Add-TpmAndPinProtectorInternal $BitLockerVolumeInternal.M ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
        + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmAndPinProtectorInternal

    So, there is still something missing from this to automate the process completely.

    Friday, January 24, 2020 7:26 PM
  • The error suggests that you haven't set the GPO that allows using a PIN, or that it was set but wasn't applied to this machine. Verify that using gpresult /h output.html at the client.  About the list: are you unable to create it? If you have a record of who uses what machine and in what building, that could be automated, but I cannot help without knowing how this data is maintained.

    I would strongly recommend using a random number and not that scheme. Attackers will love it; anyone knowing it may boot any machine.

    • Edited by Bagitman Saturday, January 25, 2020 12:16 PM
    Saturday, January 25, 2020 12:06 PM
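The reply above says to check that the PIN policy actually reached the client. The following is an added example, not code from the thread: a preflight check, run elevated on the client, that reports each reason the 0x80310060 "Group Policy settings do not permit the use of a PIN at startup" error would occur before any protector is added. It assumes the registry key and value names written by the "Require additional authentication at startup" policy (HKLM\SOFTWARE\Policies\Microsoft\FVE, UseAdvancedStartup, UseTPMPIN, MinimumPIN) and checks the C: volume only.

```powershell
# Added example (not from the thread): preflight check for a TPM+PIN protector on C:.
# Assumptions: run elevated; policy values live under the key below, which is where
# both a domain GPO and the local policy deposit the BitLocker settings.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue([string]$Name) {
    # $null means the value (or the whole key) is absent, i.e. the policy is "Not Configured"
    try { (Get-ItemProperty -Path $fve -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$problems = @()

# 1. A TPM must be present and ready, or no TPM-based protector can be created at all
$tpm = Get-Tpm
if (-not $tpm.TpmPresent)    { $problems += 'No TPM detected' }
elseif (-not $tpm.TpmReady)  { $problems += 'TPM present but not ready (not initialised/owned)' }

# 2. Policy must enable advanced startup and allow (2) or require (1) a TPM PIN.
#    With UseAdvancedStartup absent the defaults apply and a PIN is not permitted,
#    which is exactly the 0x80310060 case seen in the thread.
$adv    = Get-FvePolicyValue 'UseAdvancedStartup'
$tpmPin = Get-FvePolicyValue 'UseTPMPIN'
if ($adv -ne 1)           { $problems += "UseAdvancedStartup is '$adv' (policy not configured or disabled)" }
if ($tpmPin -notin 1, 2)  { $problems += "UseTPMPIN is '$tpmPin' (0 = do not allow, 1 = require, 2 = allow)" }

# 3. Minimum PIN length defaults to 6 digits when the policy is not configured
$minPin = Get-FvePolicyValue 'MinimumPIN'
if ($null -eq $minPin) { $minPin = 6 }

# 4. The volume must not already carry a TPM+PIN protector
$vol = Get-BitLockerVolume -MountPoint 'C:'
$existing = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
if ($existing) { $problems += "C: already has a TpmPin protector ($($existing.KeyProtectorId))" }

if ($problems) {
    Write-Warning 'A TPM+PIN protector cannot be added yet:'
    $problems | ForEach-Object { Write-Warning "  - $_" }
    # If the values are set in a GPO but missing here, the policy has not applied:
    # run "gpupdate /force" and inspect "gpresult /h output.html" as the reply suggests.
} else {
    Write-Host "Ready: TPM ok, policy allows a PIN (minimum length $minPin), C: is $($vol.VolumeStatus)"
}
```

Run it on a machine that throws 0x80310060 and the second check is the one that fires; on a domain-joined machine the same values can also be overwritten by a domain GPO at the next refresh, so a local setting that looks correct right after editing should be re-checked after gpupdate.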
  • I can already verify that the GPO has not been modified.  That's the one major component that I am trying to figure out how to automate and simplify the most.  I know how to do everything manually, but I am trying to get this deployment procedure simplified the most I can to remove all the extra steps possible for the people that will be tasked with the deployments when I am not around.  So if there is a series of scripts for them to run after the initial image is copied, that would make life very easy on them and I can make sure each machine is done the exact same.

    As far as the employee numbers, this is on a "need to deploy" basis. We have close to 30-some buildings in the area and when management of one of those locations requests a mobile device for the employee, we then call HR for their employee number and then the building number is looked up.  So it's not so much of a table issue.

    *EDIT*

    I may have found something to assist, but it adds PolicyFileEditor module that requires additional prompts to be answered.  I'm wondering if there is a way to make it automatically say "Y" to both prompts so the only thing the user needs to do is enter the number for the Bitlocker....

    Install-Module -Name PolicyFileEditor -RequiredVersion 3.0.0
    
    # Local user policy file that Set-PolicyFileEntry edits (the module's documented path)
    $UserDir = "$env:windir\system32\GroupPolicy\User\registry.pol"
    $RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $RegName = 'ScreenSaverIsSecure'
    $RegData = '1'
    $RegType = 'String'
    
    
    Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType
    
    $PIN = Read-Host -Prompt 'Input your bitlocker PIN'
    $confirmation = Read-Host "Is the PIN you would like to use: $PIN [yes/no]"
    while($confirmation -ne "yes")
    {
        if ($confirmation -eq 'no') {exit}
        $confirmation = Read-Host "Is the PIN you would like to use: $PIN [yes/no]"
    }
    $SecureString = ConvertTo-SecureString $PIN -AsPlainText -Force
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

    The next thing I have to do is figure out how to tie the values to: Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption/Operating System Drives/ and then modify "Require Additional Authentication at Startup"

    • Edited by OBXBoost Monday, January 27, 2020 2:54 PM
    Monday, January 27, 2020 1:28 PM
  • Install-Module -Name PolicyFileEditor -RequiredVersion 3.0.0 -Force
    # Edit the local machine policy file (not the registry path); gpupdate then
    # writes the setting into HKLM\SOFTWARE\Policies\Microsoft\FVE where BitLocker reads it
    $MachineDir = "$env:windir\system32\GroupPolicy\Machine\registry.pol"
    $RegPath = 'Software\Policies\Microsoft\FVE'
    # UseAdvancedStartup = 1 enables "Require additional authentication at startup";
    # UseTPMPIN = 2 allows (1 would require) a startup PIN with the TPM. Both are REG_DWORD.
    Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 'UseAdvancedStartup' -Data 1 -Type DWord
    Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName 'UseTPMPIN' -Data 2 -Type DWord
    gpupdate /target:computer /force
    
    # Read-Host -AsSecureString already returns a SecureString, so it must not be passed
    # through ConvertTo-SecureString again; that second conversion is what failed
    $SecureString = Read-Host -AsSecureString -Prompt 'Input your bitlocker PIN'
    # -match is case-insensitive, so Y, y, Yes and yes all confirm; N, n, No and no exit
    $confirmation = Read-Host "Use the PIN you just entered? [yes/no]"
    
    while ($confirmation -notmatch '^(y|yes)$')
    {
        if ($confirmation -match '^(n|no)$') {exit}
        $confirmation = Read-Host "Use the PIN you just entered? [yes/no]"
    }
    
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
    So, I got everything working here *EXCEPT* $PIN being read as $SecureString.  The only other part on this I was hoping to get working was it to accept "Y", "y", "Yes", "yes" or "N", "n", "No" and "no" (or is it not case sensitive?)
    Tuesday, January 28, 2020 1:40 PM
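The thread's three steps (permit a TPM PIN by policy, take the PIN from the technician, enable BitLocker with a TPM+PIN protector) put together as one added example; this is not the thread's own script. It substitutes direct writes to HKLM\SOFTWARE\Policies\Microsoft\FVE for the PolicyFileEditor module, which removes the module-install prompts, and it assumes that no domain GPO configures BitLocker (a domain GPO would overwrite these local values at the next refresh), that the machine runs this elevated, and that PINs are numeric (the "enhanced PIN" policy is not enabled). The prompt reads the PIN without echo, accepts y/yes/n/no in any case, and a recovery password is added and displayed so it can be recorded before the device leaves the bench.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): one-shot TPM+PIN BitLocker deployment for C:.
# Assumptions: run elevated; no domain GPO sets BitLocker policy; numeric PIN;
# registry values below are the ones the "Require additional authentication at
# startup" policy writes (1 = require, 2 = allow, 0 = do not allow).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-LocalTpmPinPolicy {
    # Equivalent of enabling the policy with "Allow startup PIN with TPM"
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPM             -Value 2 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 2 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 2 -Type DWord
}

function ConvertFrom-SecureStringPlain([securestring]$s) {
    # NetworkCredential is the supported way to read a SecureString back for validation
    [System.Net.NetworkCredential]::new('', $s).Password
}

function Read-StartupPin {
    # Prompt twice without echo and validate against the default policy limits:
    # digits only, at least 6 (MinimumPIN default) and at most 20 characters.
    while ($true) {
        $first  = Read-Host -AsSecureString -Prompt 'Enter the BitLocker startup PIN'
        $second = Read-Host -AsSecureString -Prompt 'Re-enter the PIN'
        $plain  = ConvertFrom-SecureStringPlain $first
        if ($plain -ne (ConvertFrom-SecureStringPlain $second)) { Write-Warning 'PINs do not match'; continue }
        if ($plain -notmatch '^\d{6,20}$') { Write-Warning 'PIN must be 6 to 20 digits'; continue }
        # -match is case-insensitive by default, so Y/y/Yes/yes and N/n/No/no are all accepted
        $answer = Read-Host 'Use this PIN? [Y/N]'
        if ($answer -match '^(y|yes)$') { return $first }
        if ($answer -match '^(n|no)$')  { throw 'Cancelled by operator' }
    }
}

# 1. Policy: without this Enable-BitLocker fails with 0x80310060
Set-LocalTpmPinPolicy

# 2. Checks a technician would otherwise hit as a TPM or status error mid-run
if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; initialise it before enabling BitLocker' }
$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.VolumeStatus -ne 'FullyDecrypted') { throw "C: is already $($vol.VolumeStatus)" }

# 3. PIN, TPM+PIN protector, recovery password
$pin = Read-StartupPin
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $pin -TPMandPinProtector
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# Show the recovery password so it is recorded before the machine leaves the bench
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password for $env:COMPUTERNAME : $($rp.RecoveryPassword)"
Write-Host 'Encryption started. Reboot once to confirm the PIN prompt appears before Windows loads.'
```

XtsAes256 is used instead of the thread's Aes256 because it is the current default for fixed drives on Windows 10; change it back if the images must stay readable by older tools. The recovery password is printed rather than escrowed because the thread rules out AD changes; if AD escrow becomes acceptable later, Backup-BitLockerKeyProtector against the RecoveryPassword protector's KeyProtectorId is the one extra line needed.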
  • Hi,

     I'm wondering if there is a way to make it automatically say "Y" to both prompts so the only thing the user needs to do is enter the number for the Bitlocker....

    If you have any confusion about the script, please contact the Script forum for help. 

    If any reply is useful for you, please mark it as answer.

    Bests,




    Monday, February 3, 2020 6:00 PM
    Moderator