

Allow standard users to change PIN of bitlocker

Question

Tuesday, September 25, 2018 6:47 AM

Because MBAM is going down next year, I started to investigate whether it is possible to change the PIN code with user rights. Many years ago this was the hottest topic around MBAM. I found this GPO in a link, turned it on as Disabled, and it has no effect - the standard user is still prompted with UAC and the PIN code cannot be changed. I'm running 1803 with the latest CU.

https://www.tenforums.com/tutorials/96939-enable-disable-standard-users-changing-bitlocker-pin-password.html

MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

All replies (4)

Wednesday, September 26, 2018 9:58 AM ✅Answered

Solved it. A test machine I was using had an MBAM history, GPO and policies. I installed a new computer and isolated it totally from MBAM; there I can see the Change PIN function without UAC. So, Windows 10 is capable of doing it.

MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.


Tuesday, September 25, 2018 11:07 AM

1st question: why ever change? Unless it leaked to certain unwanted persons (or they watched while you entered it), there's no real reason to do so. Brute-forcing a PIN is almost impossible because of the TPM lockout which occurs very soon.

--

That said: we do it this way:

1. People write the new PIN (or enhanced PIN) to a file C:\BLpin\pin.txt

2. A scheduled task, running as the system account, checks for a new file every five minutes and sets the PIN with:

manage-bde -protectors c: -delete -type TPMAndPIN
timeout 2
for /f %%a in ('type C:\BLpin\pin.txt') do powershell \\server\share\change_bl_pin.ps1 --%% %%a

The content of \\server\share\change_bl_pin.ps1 is the following:

# Invoked from the batch line above as: change_bl_pin.ps1 --% <new PIN>
# The "--%" token occupies $args[0], so the PIN is $args[1].
$newpw = ConvertTo-SecureString $args[1] -AsPlainText -Force
# The old TPMAndPIN protector was already deleted by manage-bde; add the new one.
Add-BitLockerKeyProtector c: -pin $newpw -TpmAndPinProtector

# Helper that turns a SecureString back into plain text. It is defined here
# but is not called by the two lines above.
function Decrypt-SecureString {
param(
    [Parameter(ValueFromPipeline=$true,Mandatory=$true,Position=0)]
    [System.Security.SecureString]
    $sstr
)

$marshal = [System.Runtime.InteropServices.Marshal]
$ptr = $marshal::SecureStringToBSTR( $sstr )
$str = $marshal::PtrToStringBSTR( $ptr )
$marshal::ZeroFreeBSTR( $ptr )   # release the unmanaged copy after reading it
$str
}

That works. Make sure to understand that in order for this to be secure, the change_bl_pin.ps1 has to be on a read-only share, or, if placed locally, somewhere where only admins have write access.

Try it, you'll see that it works.
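The drop-file approach described in this reply, as an added single-file example that is mine and not the poster's batch file or script. It runs as SYSTEM from a scheduled task (install the task once with -Register from an elevated prompt) and adds three things the reply leaves to the reader: the PIN is read inside the script instead of being passed on a child process command line, so it does not end up in 4688 or Sysmon event 1 records; the volume is checked for a recovery password before the TpmPin protector is removed, since remove-then-add briefly leaves only the recovery password as a protector; and the plaintext file is overwritten and deleted whatever happens. The paths C:\BLpin\pin.txt and C:\BLpin\Set-BitLockerPinFromFile.ps1, the OS volume C:, the log file location and the minimum PIN length of 6 are assumptions; align the length and the enhanced-PIN flag with the policies actually deployed, and keep the script where only admins can write, as the reply says.

```powershell
# Added example (not from the thread): replace the TpmPin protector of the OS
# volume with a PIN a user dropped into a file, running as SYSTEM from a task.
# Assumed: drop file C:\BLpin\pin.txt, volume C:, script path below, min length 6.
param([switch]$Register)   # -Register installs the task; otherwise do one run

$PinFile      = 'C:\BLpin\pin.txt'
$Volume       = 'C:'
$LogFile      = "$env:ProgramData\BLpin.log"
$MinLength    = 6        # assumed; match "Configure minimum PIN length for startup"
$MaxLength    = 20       # BitLocker's upper limit for a startup PIN
$EnhancedPins = $false   # $true only if "Allow enhanced PINs for startup" is enabled

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

function Test-PinCandidate([string]$Candidate) {
    if ($Candidate.Length -lt $MinLength -or $Candidate.Length -gt $MaxLength) { return $false }
    # Without enhanced PINs the pre-boot environment accepts digits only.
    if (-not $EnhancedPins -and $Candidate -notmatch '^[0-9]+$') { return $false }
    return $true
}

function Register-PinChangeTask {
    # Assumed script location; it must be writable by administrators only.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\BLpin\Set-BitLockerPinFromFile.ps1'
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'BitLocker PIN change' -Action $action -Trigger $trigger `
                           -Principal $principal -Force | Out-Null
}

if ($Register) { Register-PinChangeTask; return }
if (-not (Test-Path $PinFile)) { return }   # nothing dropped since the last run

# Read the PIN here rather than handing it to a child process on its command
# line, so it never appears in process-creation logging.
$candidate = (Get-Content -Path $PinFile -Raw).Trim()
try {
    if (-not (Test-PinCandidate $candidate)) {
        throw "PIN in $PinFile does not meet the length/character policy"
    }
    $vol = Get-BitLockerVolume -MountPoint $Volume
    # Refuse to proceed without a recovery password: after the TpmPin protector
    # is removed it is the only protector left if Add-BitLockerKeyProtector fails.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "${Volume} has no RecoveryPassword protector"
    }
    $old = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin' | Select-Object -First 1
    if (-not $old) { throw "${Volume} has no TpmPin protector to replace" }

    # A volume holds at most one TPM-based protector, hence remove-then-add.
    Remove-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $old.KeyProtectorId | Out-Null
    $secure = ConvertTo-SecureString -String $candidate -AsPlainText -Force
    Add-BitLockerKeyProtector -MountPoint $Volume -Pin $secure -TpmAndPinProtector | Out-Null
    Write-Log "PIN changed on ${Volume}"
}
catch {
    Write-Log "PIN change FAILED on ${Volume}: $_"
}
finally {
    # Never leave the plaintext PIN on disk, whatever happened above.
    if (Test-Path $PinFile) {
        Set-Content -Path $PinFile -Value ('0' * 64) -NoNewline
        Remove-Item -Path $PinFile -Force
    }
    $candidate = $null
}
```

The drop folder needs an ACL that lets the intended users create the file; on a shared machine another local user could read the file during the up-to-five-minute window, so treat this as a single-user-per-device mechanism or shorten the interval.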


Tuesday, September 25, 2018 12:02 PM

1. Because there is such a need. Computers will be shipped with a generic PIN code, and it must be unique.

2. Your suggestion is too complex in real life.

I'm more interested in why there is such a GPO which doesn't work. And is it really so that today a user has no rights to change the PIN code himself?

MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.


Tuesday, September 25, 2018 12:14 PM

If they are shipped, I assume an admin will start it once before it is passed on to the user?

Nevermind, let's look at the GPO:

Disallow standard users from changing the PIN or password
Setting Path: Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives
Supported On: At least Windows Server 2012 or Windows 8
Explanation: This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first.
**This policy setting is applied when you turn on BitLocker.**
If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.
If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.

Not sure if MS is serious about what I formatted bold, but it seems so, so my suggestion is what you'll need to use. If you could only make it understandable how real life at your company differs from ours... why would users at your side be unable to memorize that whenever they want to change the PIN, they simply need to enter the PIN into c:\BLpin\pin.txt?
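A read-only diagnostic for the situation discussed in this thread, added here as an example of mine rather than anything the posters ran. It reports the registry value behind the GPO quoted above, whether MBAM policy or the MBAM client is still present on the machine (the accepted answer traces the UAC prompt to leftover MBAM history), and which key protectors the OS volume carries. The value name DisallowStandardUserPINReset under HKLM\SOFTWARE\Policies\Microsoft\FVE, the MDOPBitLockerManagement subkey and the MBAMAgent service name are my assumptions about how the ADMX files map; confirm them against the templates in your own environment before relying on the verdict.

```powershell
# Added example (not from the thread): show the policy and MBAM state that
# decides whether a standard user gets the "Change PIN" action without UAC.
# Run elevated; Get-BitLockerVolume needs administrator rights.
function Get-BitLockerPinPolicyState {
    param([string]$MountPoint = 'C:')

    $fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $mbam = Join-Path $fve 'MDOPBitLockerManagement'   # assumed MBAM policy subkey

    $disallow = $null
    if (Test-Path $fve) {
        # Assumed value name for "Disallow standard users from changing the PIN or password".
        $disallow = (Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue).DisallowStandardUserPINReset
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint              = $MountPoint
        ProtectionStatus        = $vol.ProtectionStatus
        # $null = not configured, 0 = disabled, 1 = enabled (standard users blocked)
        DisallowStandardUserPIN = $disallow
        MbamPolicyPresent       = Test-Path $mbam
        MbamAgentPresent        = [bool](Get-Service -Name MBAMAgent -ErrorAction SilentlyContinue)
        HasTpmPinProtector      = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
        HasRecoveryPassword     = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

$state = Get-BitLockerPinPolicyState
$state | Format-List

# Verdict following the policy text quoted above: only an explicit 1 blocks
# standard users. The accepted answer shows a machine with stale MBAM history
# still prompting for UAC, so the MBAM fields are the next thing to look at.
switch ($state.DisallowStandardUserPIN) {
    1       { 'Policy ENABLED: standard users cannot change the PIN.' }
    default { 'Policy not enabled; if UAC still appears, check the MBAM leftovers listed above.' }
}
```

One caveat that follows from the bold sentence in the quoted policy text: this reads the registry as it is now, while the policy is applied when BitLocker is turned on, so a value that was changed after encryption may not be what the volume is actually running with.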