While everyone is talking about Bitlocker, there are still some tasks to be done if your going to deploy it in an enterprise.
One of these tasks is, that non administrative users are not allowed to change the Bitlocker PIN (if you decide to use TPM and PIN as protector for the system drive).
At our own environment we decided to use the SCCM to accomplish this task.
- We built a nice little app (VB.net) that uses the Bitlocker WMI interface to get the new PIN from the user.
- We built a little program that executes an advertisement using the command line. This is done using the UIResource.UIResourceMgr-Class.
- We made an package in SCCM with a program called “Set-Pin”. This package has “Persist content in client cache” enabled so execution works also in notebooks without access to the SCCM. Also it was set to execute “Only when a user is logged on” and “Run with administrative rights” and “Allow users to interact with this program”.
This package is advertised to each client without an mandatory assignment, so it can be executed by each client as often it is started.
Now every client has a link in the start menu that executes the SCCM package (PackageID) and the program “SetPin” with administrative rights (as the SCCM-agent has administrative rights on the client).
As a nice little addition, our little tool was built with a “force” method. So we can force people to set the PIN (for example, on every new system or when a system changes his owner).
I have to say a big thanks to “the god of programming” for his support on building the little apps!