BitLocker PIN


To strengthen endpoint security and reduce the attack surface, some organizations configure BitLocker with a pre-boot PIN. In a TPM-only configuration the TPM releases the volume key and the operating system boots without any user interaction; with a TPM-and-PIN protector the volume stays locked until the user authenticates at the pre-boot screen. Configuring a BitLocker PIN, however, requires administrative privileges, which standard users usually do not have.

To address this, an application that prompts for a BitLocker PIN while running with the necessary elevated privileges is available in the Public Repository (the app is called 'BitLocker PIN Setup Prompt'). It prompts the user to set a PIN only if one has not already been configured.

Detection Logic

The application exits with a success code (used for detection purposes, so the deployment tool treats the device as compliant) if any of the following conditions is met:

  • A BitLocker TPM-and-PIN key protector is already set on the operating system volume.
  • The device is currently in OOBE (Out-Of-Box Experience).
  • A BitLocker PIN prompt is already running.
  • No interactive user session is present.
  • The system is not configured to require a BitLocker PIN, as determined by the following registry values (written by the 'Require additional authentication at startup' policy, where 0 = do not allow, 1 = require and 2 = allow):
    • HKLM:\SOFTWARE\Policies\Microsoft\FVE
      • UseTPMPIN
      • UseTPM

If the system is configured to allow Enhanced PINs, the prompt adapts accordingly: it accepts alphanumeric input and enforces the configured PIN length policy.
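The following PowerShell script is an added, illustrative re-implementation of the detection conditions listed above and of the Enhanced PIN policy check. It is not the 'BitLocker PIN Setup Prompt' application's own code: the app's internal methods for OOBE detection, session detection and the duplicate-prompt guard are not published, so the techniques used for those three checks (the kernel32 OOBEComplete API, Win32_ComputerSystem.UserName, and a named mutex with a hypothetical name) are assumptions, as are the UseEnhancedPin and MinimumPIN policy values, which the page does not name. It assumes the BitLocker PowerShell module and an elevated session.

```powershell
# Added example: re-implements the documented detection logic so an admin can
# test each condition independently. Not the application's own code.
# Assumptions are marked inline. Run elevated; requires the BitLocker module.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    (Get-ItemProperty -Path $FvePolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-PinRequiredByPolicy {
    # UseTPMPIN / UseTPM: 0 = do not allow, 1 = require, 2 = allow.
    # Assumption: the prompt only has work to do when TPM+PIN is required
    # and TPM-only is not.
    $useTpmPin = Get-FvePolicyValue -Name 'UseTPMPIN'
    $useTpm    = Get-FvePolicyValue -Name 'UseTPM'
    return ($useTpmPin -eq 1 -and $useTpm -ne 1)
}

function Test-TpmPinProtectorPresent {
    # TpmPin and TpmPinStartupKey protectors both require a pre-boot PIN.
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $pinTypes = @('TpmPin', 'TpmPinStartupKey')
    return [bool]($osVolume.KeyProtector | Where-Object { $_.KeyProtectorType -in $pinTypes })
}

function Test-OobeInProgress {
    # Assumption: uses the documented kernel32 OOBEComplete API.
    if (-not ('Oobe' -as [type])) {
        Add-Type -TypeDefinition @'
using System.Runtime.InteropServices;
public static class Oobe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern int OOBEComplete(ref int isComplete);
}
'@
    }
    $complete = 0
    [void][Oobe]::OOBEComplete([ref]$complete)
    return ($complete -eq 0)
}

function Test-InteractiveUserPresent {
    # Assumption: Win32_ComputerSystem.UserName is the console user, $null if none.
    return [bool](Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

function Test-PromptAlreadyRunning {
    # Assumption: the prompt holds a named mutex; this mutex name is hypothetical.
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting('Global\BitLockerPinSetupPrompt', [ref]$m)) {
        $m.Dispose()
        return $true
    }
    return $false
}

function Test-PinMeetsPolicy {
    param([Parameter(Mandatory)][string]$Pin)
    # Assumption: UseEnhancedPin = 1 allows letters and symbols, otherwise
    # digits only; MinimumPIN (4-20) is the configured minimum, default 6.
    $enhanced = (Get-FvePolicyValue -Name 'UseEnhancedPin') -eq 1
    $minLen   = Get-FvePolicyValue -Name 'MinimumPIN'
    if (-not $minLen) { $minLen = 6 }
    if ($Pin.Length -lt $minLen -or $Pin.Length -gt 20) { return $false }
    if (-not $enhanced -and $Pin -notmatch '^[0-9]+$') { return $false }
    return $true
}

function Test-DetectionSuccess {
    # Any documented condition true => the app would exit with success.
    return (-not (Test-PinRequiredByPolicy)) -or
           (Test-TpmPinProtectorPresent) -or
           (Test-OobeInProgress) -or
           (-not (Test-InteractiveUserPresent)) -or
           (Test-PromptAlreadyRunning)
}

if (Test-DetectionSuccess) {
    Write-Host 'Detection succeeded: no PIN prompt needed.'
    exit 0
}
Write-Host 'No condition met: the PIN setup prompt would run now.'
```

Run it from an elevated PowerShell session on a device with the policy applied; a zero exit code means the documented conditions would suppress the prompt. Because the `Test-TpmPinProtectorPresent` check is the only one that inspects the actual protector list, it is the most useful function to run on its own when validating that a PIN really was set after the prompt completed.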

Deployment Script Parameters

The application supports two optional script parameters that modify the prompt's behavior:

  • PromptCancelClosingWindow
    • When enabled, the user is prevented from closing the BitLocker PIN prompt window. This helps enforce PIN setup and ensures the security policy is applied without user circumvention.
  • PromptUseCustomPSADTBanner
    • If enabled, the custom PowerShell App Deployment Toolkit (PSADT) banner will be displayed in the prompt, provided one has been deployed to the endpoint. This allows for a consistent user experience in environments using customized branding.