SCAPaoT

System Center, Automation, Powershell and other Thoughts

Change Bitlocker PIN without administrative rights using SCCM

While everyone is talking about Bitlocker, there are still some tasks to be done if you're going to deploy it in an enterprise.
One of these tasks: non-administrative users are not allowed to change the Bitlocker PIN (if you decide to use TPM and PIN as the protector for the system drive).

In our own environment we decided to use SCCM to accomplish this task.

  1. We built a nice little app (VB.net) that uses the Bitlocker WMI interface to get the new PIN from the user.
  2. We built a little program that executes an advertisement from the command line. This is done using the UIResource.UIResourceMgr class.
  3. We made a package in SCCM with a program called “Set-Pin”. This package has “Persist content in client cache” enabled, so execution also works on notebooks without access to the SCCM server. The program was also set to execute “Only when a user is logged on”, with “Run with administrative rights” and “Allow users to interact with this program”.
    This package is advertised to each client without a mandatory assignment, so it can be executed on each client as often as it is started.
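The three steps above, as an added PowerShell example (not the VB.net tools from the post, which were never published here): part 1 is what the start-menu link does in the logged-on user's own, non-administrative context, and part 2 is what the “Set-Pin” program does once the SCCM agent runs it with administrative rights. It assumes a placeholder package ID, the program name “Set-Pin” from step 3, and that C: is the system drive protected by TPM and PIN; the COM class UIResource.UIResourceMgr and the WMI method Win32_EncryptableVolume.ChangePIN are the ones the post's tools would use.

```powershell
# Added example (PowerShell), not the post's VB.net tools.
# Assumptions: the package ID is a placeholder; the program name "Set-Pin" is the
# one from the post; C: is the Bitlocker system drive with a TPM+PIN protector.

# ---- Part 1: the start-menu link, run in the logged-on user's (non-admin) context ----
# Asks the local SCCM agent to run the advertised program. The agent itself runs
# it with the rights configured on the program ("Run with administrative rights").
function Start-SetPinAdvertisement {
    param(
        [string]$PackageID   = 'ABC00042',   # placeholder, replace with the real PackageID
        [string]$ProgramName = 'Set-Pin'
    )
    $ui = New-Object -ComObject 'UIResource.UIResourceMgr'
    # ExecuteProgram(ProgramID, PackageID, UseAdvertisementFlag)
    $ui.ExecuteProgram($ProgramName, $PackageID, $true)
}

# ---- Part 2: the "Set-Pin" program itself, run elevated by the SCCM agent ----
# Equivalent of the post's VB.net app: take the new PIN from the user and set it
# through the Bitlocker WMI interface (Win32_EncryptableVolume.ChangePIN).

function ConvertFrom-SecurePin {
    # Turn the SecureString from Read-Host into plain text for the WMI call,
    # and zero the unmanaged copy immediately afterwards.
    param([securestring]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Set-BitlockerTpmPin {
    param(
        [string]$DriveLetter = 'C:',
        [switch]$Force   # like the post's "force" mode: the user cannot cancel
    )
    $ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No Bitlocker volume found for $DriveLetter" }

    # KeyProtectorType 4 = "TPM And PIN"; ChangePIN needs that protector's ID.
    $kp = $vol.GetKeyProtectors(4)
    if ($kp.ReturnValue -ne 0 -or -not $kp.VolumeKeyProtectorID) {
        throw ("{0} has no TPM+PIN protector (return 0x{1:X8})" -f $DriveLetter, $kp.ReturnValue)
    }
    $protectorId = $kp.VolumeKeyProtectorID[0]

    while ($true) {
        $new      = Read-Host -Prompt 'New Bitlocker PIN (4-20 digits)' -AsSecureString
        $again    = Read-Host -Prompt 'Repeat the new PIN'              -AsSecureString
        $pin      = ConvertFrom-SecurePin $new
        $pinAgain = ConvertFrom-SecurePin $again

        if ($pin -eq '' -and -not $Force) { Write-Host 'Cancelled.';        return $false }
        if ($pin -ne $pinAgain)           { Write-Host 'PINs do not match.'; continue }
        # Numeric, 4 to 20 characters is the Bitlocker default; group policy may demand more.
        if ($pin -notmatch '^\d{4,20}$')  { Write-Host 'PIN must be 4 to 20 digits.'; continue }

        $r = $vol.ChangePIN($protectorId, $pin)
        $pin = $pinAgain = $null
        if ($r.ReturnValue -eq 0) { Write-Host 'PIN changed.'; return $true }
        # Non-zero is an HRESULT, e.g. a PIN rejected by policy; let the user try again.
        Write-Host ('ChangePIN failed: 0x{0:X8}' -f $r.ReturnValue)
    }
}

# Usage: the start-menu link runs Start-SetPinAdvertisement; the package program
# "Set-Pin" runs Set-BitlockerTpmPin (with -Force on new or re-assigned systems).
```

Note that ChangePIN never asks for the current PIN; it only requires administrative rights on the volume. Those rights come entirely from the SCCM program settings in step 3, so whoever can start the advertised program on a machine can set its PIN. That is the intended behaviour for the logged-on user of that machine, which is why the program is limited to “Only when a user is logged on” and why the tool is the only elevated path a user has to this method.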

Now every client has a link in the start menu that executes the SCCM package (by PackageID) and the program “SetPin” with administrative rights (as the SCCM agent has administrative rights on the client).

[Screenshot: Bitlocker PIN tool]

As a nice little addition, our little tool was built with a “force” mode, so we can force people to set the PIN (for example, on every new system or when a system changes its owner).

I have to say a big thanks to “the god of programming” for his support on building the little apps!


7 Comments

  1. Sebastien

    June 11th, 2010 02:22 PM

    Wow, this looks like exactly what we are trying to do in our organisation.

    Any chance you publish the little tool you use to reset the PIN?

  2. Jonathan

    June 16th, 2010 06:46 PM

    You don't have a copy of the GUI in English, do you?

  3. balthaus

    June 29th, 2010 02:38 PM

    Thank you for your interest.

    We are currently checking if we can make this tool free to download.

    The language can be changed easily, as it only shows a few buttons and popups.

  4. IT-Admin

    July 12th, 2010 02:59 PM

    I can hardly wait!
    This seems to be the solution for my sleepless nights. :)

  5. [...] written in the post “Change Bitlocker PIN without administrative rights using SCCM” we built a little GUI for non-administrative users to change the Bitlocker [...]

  6. Form Generator

    August 24th, 2010 08:06 AM

    You made some good points there. I did a search on the topic and hardly found any specific details on other sites, but then great to be here, seriously, thanks…

    - Josh

  7. Holger

    November 16th, 2011 10:04 AM

    Subject: Change Bitlocker PIN without administrative rights using SCCM

    Hi,

    I'm working on a similar project.

    On June 29th, 2010 you wrote:
    We are currently checking, if we can make this tool for free to download.

    Did you finish the checking? I'm very interested in the tool, especially the VB sources.

    If you share, please give me a hint where to get it.

    Thx,

    Holger
