During the last few weeks I have been involved with a customer that needed a tool to control the boot-PIN for BitLocker as their security policy states that all hard drives must be encrypted, protected by PIN and they may not be administrators on their machines. The boot PIN cannot be set without administrative rights (local administrator) on the system, but at the same time something you need your users to know and to be in-control of. To mitigate issue/feature there is a tool floating around the net that’s called the BitLocker PIN Tool. This tool uses as DOS-console to get the user to enter a PIN. While this works great with people who has moderate-high computer knowledge some users struggle with using the tool (since it’s command line). So I decided to take some spare time to develop a tool for this. I call this the BitLocker PIN Service and have thrown some central-administration-support into the tool also.
The application consists of two parts. A administration service that runs in the context of the local system, and then a client to run in user-mode to give the user a GUI. The client and server is completely separated and does not live within the same dll or files in any way. All authentication, authorization and dirty-work is done within the service part of the application to ensure maximum security. The service will allow any user that is permitted (regardless if they are local admin or not) to change the boot-PIN. To get authorized you need to 1) be a member of a local group called BLPinAdmins or 2) be a member of a domain group in your default domain called BLPinAdmins_<machine name>. This ensures that you can either use local groups or domain based as you prefer. This is how the GUI looks like:
Pretty simple huh? Under protectors you can see what protectors there is. This tool only works with Demanding, and if it is not present the protector will be created. When you have hit the Change PIN >> button you will most hopefully get this dialog:
The application then terminates without any further dialogs. The application should be started from the Desktop or Start menu link if you need to change the boot PIN code. There is however some more advanced options available via group-policy (local or domain based) to ensure even better security and foremost more control of the PIN-code and enforcing how often it should be changed. First lets look at the settings:
Options are as follows:
- Local BLPin Administrators group name = if you “need” to change the group name of the BLPin users on the local computer you can set a new name here.
- Allow all users= let all users who have the logon-local privilege to set the code (shared computers perhaps?)
- Start client on logon = Start the client on each logon. This should be used in conjunction with the Force PIN-change interval. Client will quit if it is not time to set a new PIN.
- Force PIN-change interval= If the client is started and this amount of days have passed since last new PIN was set then remove the “Exit” and Control Box and then display the GUI. “Forcing” the user to change PIN.
- Domain BLPin Administrators group name = If you “need” to change the group name of the BLPin users in Active-directory you can set a new name here.
If you think this sounds like a nice tool: I’m offering this tool free to anyone who needs it without warranties or support (except for this post).
If you like the tool, please, send me a email! If you find a bug, please, send me email!
If you need source code or need a supported version that also possible for a small fee.
When bugs are found, updates are avaliable or other important information I will send it by mail to all registered users.