Event details
Hi, are there other options than network unlock to prevent users from having to enter their bitlocker pin?
thks
- Joe_Lurie Dec 11, 2024
Microsoft
Hey Stefane lalanc01 good to see you here! Network Unlock is handy when devices are being updated and rebooted overnight, so the device is ready for the end user when they come in in the morning, instead of stuck at the PIN screen. You really have two choices here:
- Use Network Unlock
- Remove the PIN requirement
Fortunately, we added hotpatching to Windows 11 Enterprise, version 24H2. Make sure you join that AMA as well, as it will allow the updates to install and be active even without a reboot. AMA: Hotpatching Windows - client and server - December 11, 2024 - Microsoft Event
- lalanc01 Dec 11, 2024 Iron Contributor
Thks Joe, yes hotpatch is good, but since bitlocker is suspended during patching with Autopatch it's less of a concern.
It's more of when we need to reboot devices for whatever reason or when there's power outages and the user is working remotely from home and IT just power on the machine.
- Jason_Sandys Dec 11, 2024
Microsoft
This is not correct to the best of my knowledge. Disabling BitLocker offers an attack vector to any bad actor regardless of when or how it is done and Autopatch does not automatically do this. I believe feature updates do this (regardless of how they are deployed) but quality updates do not.
- Jason_Sandys Dec 11, 2024
Microsoft
Hi Lalanc01. No. The options are extremely limited -- mostly by design and the limitations of the platform at the time it was designed. For this reason, this is one of the reasons many recommend not using a PIN at all. This is not a universal recommendation, but is something to consider when choosing whether or not to enforce a PIN. If your organization feels that they need a PIN, I'd first suggest revisiting this as there's a lot of unfounded and outdated FUD floating around out there on this. If you still come to the conclusion that you need to enforce a PIN, then you should look at Personal Device Encryption (PDE) instead or on top of BitLocker (without a PIN) as PDE implements a layer of file system encryption that is gated by Windows Hello for Business thus actually being more secure and easier to use for end-users.
- lalanc01 Dec 11, 2024 Iron Contributor
Yes PDE will surely help once we move to 24h2 since it supports a broader scope of documents/places.
Could you elaborate a bit more on 'lot of unfounded and outdated FUD floating around'? This could help in our discussions with our security team for a need for the PIN.
Thks
- Jason_Sandys Dec 11, 2024
Microsoft
In general, most of the info you'll find on the web involves some level of attack on the hardware and specifically the bus between the TPM and the CPU. This can involve specialized knowledge and skills, but some attacks don't require an excessive amount of this, just someone willing to dedicate a small amount of time and money. Eliminating this attack, though, is as simple as eliminating the ability to physically access the bus, which nearly all (maybe even all) devices sold within the last few years do by using integrated TPMs instead of separate TPMs that required a bus physically exposed and accessible. The Pluton architecture does this as do other modern motherboard and CPU architectures.
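As an added, defender-side example (not code from the thread or from Microsoft): a PowerShell check that reports which key protectors the OS volume actually uses (TPM only, TPM+PIN, Network Unlock, recovery password) and what the TPM reports about itself, so the PIN decision discussed above can be made from the device's own data. The mapping of manufacturer IDs to firmware/integrated TPMs is an assumption used as a heuristic, not an authoritative test.

```powershell
# Added audit example: run in an elevated PowerShell session on Windows
# with the BitLocker module available (not code from this thread).

$osVolume = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $osVolume) { throw "No BitLocker operating system volume found." }

# Key protector types are reported as an enum (Tpm, TpmPin, TpmNetworkKey, ...).
$types = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

$report = [ordered]@{
    MountPoint       = $osVolume.MountPoint
    ProtectionStatus = $osVolume.ProtectionStatus
    Protectors       = ($types -join ', ')
    # A PIN is only enforced if a TpmPin or TpmPinStartupKey protector exists.
    PinRequired      = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
    # Network Unlock shows up as the TpmNetworkKey protector.
    NetworkUnlock    = ($types -contains 'TpmNetworkKey')
    RecoveryPassword = ($types -contains 'RecoveryPassword')
}

$tpm = Get-Tpm
$report.TpmPresent      = $tpm.TpmPresent
$report.TpmReady        = $tpm.TpmReady
$report.TpmManufacturer = $tpm.ManufacturerIdTxt

# Assumption / heuristic: these manufacturer IDs correspond to firmware or
# integrated TPMs (Intel PTT, AMD fTPM, Microsoft Pluton). Any other ID is
# flagged for manual review rather than treated as a discrete part.
$integratedIds = @('INTC', 'AMD', 'MSFT')
$report.LikelyIntegratedTpm = $integratedIds -contains ($tpm.ManufacturerIdTxt.Trim())

[pscustomobject]$report | Format-List
```

Devices that report PinRequired = False and NetworkUnlock = False are the ones that would reboot unattended today, which is the exact population the thread's two options (Network Unlock or dropping the PIN) are meant to address.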