BitLocker: Prompt User to Change PIN via PS Script

Asked by KanikaAsht-4281

Hi,

I have already set up BitLocker via a Task Sequence that configures a default PIN. My requirement is to prompt the user to change the PIN via a PowerShell script (preferably deployed through Intune).
I also have the script below, which prompts for the PIN change.

$Drive = "C:"

# Look up the volume only if BitLocker protection is on (ProtectionStatus=1).
$EncryptableVolume = Get-CimInstance -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption" -ClassName Win32_EncryptableVolume -Filter "ProtectionStatus=1 AND DriveLetter='$Drive'"
if ($EncryptableVolume)
{
    # Launch the built-in BitLocker wizard in change-PIN mode for this volume.
    # The DeviceID is passed as its own argument instead of being spliced into a
    # string for Invoke-Expression, and -Wait blocks until the user finishes or
    # cancels the wizard, so anything after this line runs once the wizard is gone.
    $wizard = "$ENV:windir\system32\bitlockerwizardelev.exe"
    Start-Process -FilePath $wizard -ArgumentList "$($EncryptableVolume.DeviceID)", "U" -Wait
}

But in case the user cancels that prompt, then what? How can I check whether the user has changed the password or not?

Regards,
Kanika

mem-intune-general

RahulJindal-2267 answered:

Never tried it, but you can deploy a compliance setting that queries the encryption WMI class to check for the default PIN and then prompts the user to set the PIN using the script you posted.

Although, in my honest opinion, setting a PIN is overkill and pointless.


Hi, thanks for the response.
I just looked into it; the class is Win32_EncryptableVolume. What would be the possible method that stores the PIN?


Are you managing devices using ConfigMgr or Intune or under Co-management?


Co-management.

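The posted script and the compliance-check idea above both hinge on what the Win32_EncryptableVolume class can actually tell you. The following is an added example, not code from the original post or from Microsoft, that puts the two together: it finds the protected volume, confirms a TPM+PIN key protector exists (GetKeyProtectors with KeyProtectorType 4), launches the same BitLockerWizardElev.exe wizard with proper argument passing and -Wait, then re-reads the protector state. It assumes the script runs in the signed-in user's session (in Intune, "Run this script using the logged on credentials" set to Yes) and that the task sequence created the TPM+PIN protector. The exit codes are chosen so that Intune marks the device as failed when no TPM+PIN protector is present. The important caveat, which the example's comments spell out, is that neither WMI nor manage-bde exposes the PIN value or a "last changed" timestamp, so a script can verify that a TPM+PIN protector is present and that the wizard was run to completion, but not that the PIN no longer equals the default.

```powershell
# Added example (not from the original post). Assumes it runs in the signed-in
# user's session (Intune: "Run this script using the logged on credentials" = Yes)
# and that the TPM+PIN protector was created by the task sequence.
$Drive = "C:"
$Namespace = "Root\CIMV2\Security\MicrosoftVolumeEncryption"

function Get-TpmPinProtectorIds {
    param([Parameter(Mandatory)] $Volume)
    # GetKeyProtectors(4) lists only TPM+PIN protectors (KeyProtectorType 4).
    $result = Invoke-CimMethod -InputObject $Volume -MethodName GetKeyProtectors `
        -Arguments @{ KeyProtectorType = [uint32]4 }
    if ($result.ReturnValue -ne 0) {
        throw ("GetKeyProtectors failed: 0x{0:X8}" -f $result.ReturnValue)
    }
    return @($result.VolumeKeyProtectorID)
}

function Get-BitLockerWizardPath {
    # Intune starts PowerShell as a 32-bit process unless told otherwise, and a
    # 32-bit process sees SysWOW64 when it asks for System32; Sysnative bypasses
    # that redirection and reaches the real 64-bit executable.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        return "$env:windir\Sysnative\BitLockerWizardElev.exe"
    }
    return "$env:windir\System32\BitLockerWizardElev.exe"
}

$Volume = Get-CimInstance -Namespace $Namespace -ClassName Win32_EncryptableVolume `
    -Filter "ProtectionStatus=1 AND DriveLetter='$Drive'"
if (-not $Volume) {
    Write-Output "$Drive is not a protected BitLocker volume; nothing to do."
    exit 0
}

$before = Get-TpmPinProtectorIds -Volume $Volume
if ($before.Count -eq 0) {
    Write-Output "$Drive has no TPM+PIN protector; the change-PIN wizard has nothing to change."
    exit 1
}

# Same invocation as the posted script, but the DeviceID travels as its own
# argument and -Wait makes the script continue only after the user has
# finished or cancelled the wizard.
Start-Process -FilePath (Get-BitLockerWizardPath) -ArgumentList @($Volume.DeviceID, "U") -Wait

# Re-read protector state after the wizard closes. The PIN itself and any
# "last changed" time are not exposed by WMI, so the only verifiable facts are
# that a TPM+PIN protector is still present and that the wizard was run. The
# before/after protector IDs are reported for diagnosis only and are not
# treated as proof that the PIN differs from the default.
$after = Get-TpmPinProtectorIds -Volume $Volume
$status = [pscustomobject]@{
    Drive                  = $Drive
    TpmPinProtectorsBefore = $before
    TpmPinProtectorsAfter  = $after
    ProtectorIdsDiffer     = [bool](Compare-Object $before $after)
}
$status | Format-List

if ($after.Count -eq 0) { exit 1 } else { exit 0 }
```

Because the wizard runs elevated in the user's own session and the script cannot see the PIN, the practical way to drive a PIN change to completion is to keep re-deploying the prompt (for example as a remediation script that reruns on a schedule) until the organisation is satisfied, rather than to expect a script to prove the new PIN is different.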
CiciWu2-MSFT answered:

@KanikaAsht-4281 I have done tests in my environment, but it seems Intune doesn't have the ability to check if the user has changed the PIN or not. From the Intune side, we can only see if the script has been deployed successfully, or if the device has BitLocker enabled. See the following two screenshots.

(Two screenshots attached: 040801.png, 040802.png)

Hi, which script did you push for the PIN prompt, the one I mentioned above? Or, if it is yours, could you please share it?

Thank you


I tested and used the script you provided above.


@CiciWuMSFT-9520
yannara answered:

A PIN for BitLocker was valuable for Windows 7 and legacy BIOS. With Windows 10 and UEFI you don't really need it; it doesn't bring much additional value, because the boot loader is already protected by UEFI.
