This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 63%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
Hi,
I have already set up bitlocker via Task Sequence setting up default PIN. My requirement is to prompt user to change the PIN via PS Script ( preferably want to use Intune).
Also I have script as below which is prompting for the PIN Change.
$Drive = "C:"
$EncryptableVolume = Get-WmiObject -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption" -class Win32_EncryptableVolume -Filter "ProtectionStatus=1 AND DriveLetter='$Drive'"
if ($EncryptableVolume)
{$OS = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture
$cmd = @("$ENV:windir\system32\bitlockerwizardelev.exe",'$($EncryptableVolume.DeviceID)',"U") -join " "
Invoke-Expression -Command $cmd
}
But, In case User cancels that prompt than what? how can I check if user have changed password or not?
Regards,
Kanika
Never tried it but you can deploy a compliance setting to query the encryption wmi class to check for default pin and then prompt the user to set the pin using the script you posted.
Although, in my honest opinion, setting pin is an overkill and pointless.
Hi, Thanks for the response.
I just looked into it, Class is Win32_EncryptableVolume an what would be the possible method which stores the PIN.
Are you managing devices using ConfigMgr or Intune or under Co-management?
Co-management..
Then you should be able to reset by pushing a script. The link below is literally the first hit on Google.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 33%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECW%3C/text%3E%3C/svg%3E)
@Kanika Asht I have done tests in my environment but it seems Intune doesn’t have the ability to check if user has changed PIN or not. From Intune side, we can only see if the script has been deployed successfully, or if the devices has Bitlocker enabled. See the following two screenshots.
Hi, which script did you push for PIN prompt.. the one I mentioned above or if it is yours could you please share?
Thank You
@CiciWuMSFT-9520
I tested and use your provided script above.
PIN code for Bitlocker was valuable for Windows 7 and Bios legacy format. With Windows 10 and UEFI you don't really need it, it doesn't bring big additional value, because the boot loader is already protected with UEFI.