After the Task Sequence has completed, the user can't set the PIN either, because doing so requires admin rights. So how do you set it?
What you can do is set a generic PIN and then deploy a script prompting the user to set their PIN.
Christjan Schumann wrote this script to let the users reset their pins.
$DriveLetter = "C:"
# Get the WMI object for drive $DriveLetter, but only if it is already protected (ProtectionStatus=1)
$EncryptableVolume = Get-WmiObject -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption" -Class Win32_EncryptableVolume -Filter "ProtectionStatus=1 AND DriveLetter='$DriveLetter'"
if ($EncryptableVolume)
{
    # Handle 64-bit file system redirection: a 32-bit process (e.g. the 32-bit SCCM client)
    # on a 64-bit OS has to go through "sysnative" to reach the real 64-bit system32.
    # A 64-bit process has no "sysnative" alias, so it must use system32 directly.
    $OS = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture
    if ($OS.OSArchitecture -like "64*" -and [IntPtr]::Size -eq 4)
    {
        $sysfldr = "sysnative"
    } else {
        $sysfldr = "system32"
    }
    # Launch the elevated BitLocker wizard for this volume with the call operator,
    # passing the volume's DeviceID (\\?\Volume{...}\) and the "U" mode as separate arguments
    $wizard = "$ENV:windir\$sysfldr\bitlockerwizardelev.exe"
    & $wizard $EncryptableVolume.DeviceID "U"
}
But there is one problem with the script: it only resets a PIN, so if no PIN has been set yet you won't be able to reset it. The additional step you have to take is to set the PIN during the Task Sequence or at the beginning of the script above. This has to be added:
# Select only the OS volume; without the -Filter this returns every volume and the method call fails on an array
$bit = Get-WmiObject -Namespace root\cimv2\security\microsoftvolumeencryption -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
# Arguments: FriendlyName, PlatformValidationProfile ("" = default), PIN. ReturnValue 0 means success.
$result = $bit.ProtectKeyWithTPMAndPin("","","123456")
if ($result.ReturnValue -ne 0) { Write-Error ("ProtectKeyWithTPMAndPin failed: 0x{0:X8}" -f $result.ReturnValue) }
It will set a generic PIN of 123456, after which the user will be able to reset it.
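The generic-PIN step above is the one that usually bites in practice: it runs unconditionally, assumes the TPM is ready, and nobody records which machines are still sitting on the well-known initial PIN. The script below is an added example (not the script from the post or from Christjan Schumann) of that same step done idempotently with the same Win32_EncryptableVolume WMI class. It assumes the OS volume is C:, that "123456" is a placeholder initial PIN you will replace, that it runs with admin rights (Task Sequence step or SYSTEM-context SCCM deployment), and that the event source name "BitLockerPinSetup" and event id 1000 are arbitrary choices for your own logging.

```powershell
# Added example, not the post's script. Assumptions: OS volume is C:, "123456" is a
# placeholder initial PIN, the script runs elevated, and the event source/id below are
# arbitrary values chosen for this example.
$DriveLetter   = "C:"
$GenericPin    = "123456"   # placeholder initial PIN; the user changes it afterwards
$TpmAndPinType = 4          # Win32_EncryptableVolume key protector type "TPM And PIN"
$Namespace     = "Root\CIMV2\Security\MicrosoftVolumeEncryption"

$vol = Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume `
                     -Filter "DriveLetter='$DriveLetter'"
if (-not $vol) {
    Write-Error "No Win32_EncryptableVolume instance for $DriveLetter"
    exit 1
}

# 1. Refuse to add a TPM+PIN protector unless the TPM is actually usable.
$tpm = Get-WmiObject -Namespace "Root\CIMV2\Security\MicrosoftTpm" -Class Win32_Tpm
if (-not $tpm -or $tpm.IsEnabled().IsEnabled -ne $true -or $tpm.IsActivated().IsActivated -ne $true) {
    Write-Error "TPM is missing, disabled or not activated; cannot add a TPM+PIN protector"
    exit 1
}

# 2. Make the step idempotent: only add the generic PIN if no TPM+PIN protector exists yet.
$existing = $vol.GetKeyProtectors($TpmAndPinType)
$ids = @($existing.VolumeKeyProtectorID | Where-Object { $_ })   # $null-safe count
if ($existing.ReturnValue -eq 0 -and $ids.Count -gt 0) {
    Write-Output "TPM+PIN protector already present on $DriveLetter; nothing to do"
    exit 0
}

# 3. Add the protector. Arguments: FriendlyName, PlatformValidationProfile
#    ($null = use the default PCR profile), PIN. ReturnValue 0 means success; anything
#    else is an HRESULT that should be surfaced, not silently ignored.
$result = $vol.ProtectKeyWithTPMAndPIN("", $null, $GenericPin)
if ($result.ReturnValue -ne 0) {
    Write-Error ("ProtectKeyWithTPMAndPIN failed with 0x{0:X8}" -f $result.ReturnValue)
    exit 1
}

# 4. Record that this machine now carries the well-known initial PIN, so it can be
#    followed up until the user has run the PIN-change wizard.
$msg = "TPM+PIN protector $($result.VolumeKeyProtectorID) added to $DriveLetter with the initial generic PIN"
if (-not [System.Diagnostics.EventLog]::SourceExists("BitLockerPinSetup")) {
    New-EventLog -LogName Application -Source "BitLockerPinSetup"
}
Write-EventLog -LogName Application -Source "BitLockerPinSetup" -EventId 1000 `
               -EntryType Information -Message $msg
Write-Output $msg
```

Until the user has replaced it, a generic PIN that every technician knows adds nothing over TPM-only protection, which is why the script logs the event: treat those entries as an open item to chase rather than as "done". On Windows 8 / Server 2012 and later the same protector can be added with the built-in BitLocker module, `Add-BitLockerKeyProtector -MountPoint "C:" -TpmAndPinProtector -Pin (ConvertTo-SecureString "123456" -AsPlainText -Force)`, but the WMI method is what works on the Windows 7 clients the original script targets.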
Thanks