System Center, Automation, Powershell and other Thoughts

Tag Archives

Bitlocker Pin Tool on Codeplex


as written in the post “Change Bitlocker PIN without administrative rights using SCCM” we builed a little gui for non administrative users to change the bitlocker pin.

We where really astounded about the feedback and the questions on how to get the tool or the source code. So we decided to bring it up on Codeplex.

And here it is:

Project Description
Deploying Bitlocker with Windows 7 in enterprise environments works pretty nice with the new features which have beend implemented by microsoft. There’s still one big problem to solve. Users can’t change their PBA Bitlocker PIN without administrative priviledges.

Feel free to give away this link and grab the tool on codeplex.

Change Bitlocker PIN without administrative rights using SCCM

While everyone is talking about Bitlocker, there are still some tasks to be done if your going to deploy it in an enterprise.
One of these tasks is, that non administrative users are not allowed to change the Bitlocker PIN (if you decide to use TPM and PIN as protector for the system drive).

At our own environment we decided to use the SCCM to accomplish this task.

  1. We built a nice little app ( that uses the Bitlocker WMI interface to get the new PIN from the user.
  2. We built a little program that executes an advertisement using the command line. This is done using the UIResource.UIResourceMgr-Class.
  3. We made an package in SCCM with a program called “Set-Pin”. This package has “Persist content in client cache” enabled so execution works also in notebooks without access to the SCCM. Also it was set to execute “Only when a user is logged on” and “Run with administrative rights” and “Allow users to interact with this program”.
    This package is advertised to each client without an mandatory assignment, so it can be executed by each client as often it is started.

Now every client has a link in the start menu that executes the SCCM package (PackageID) and the program “SetPin” with administrative rights (as the SCCM-agent has administrative rights on the client).

Bitlocker PIN tool


As a nice little addition, our little tool was built with a “force” method. So we can force people to set the PIN (for example, on every new system or when a system changes his owner).


I have to say a big thanks to “the god of programming” for his support on building the little apps!