Change TPM PIN or Password for SystemDrive on Windows 10 and above devices.
  • 23 Jul 2024

Article summary

This PowerShell script helps IT admins change the TPM PIN or the password protector of the system drive on Windows 10 and above devices.

  1. Create a file on your desktop, for example ChangeTPMPinOrPasswordOnSystemDrive_v2.ps1, and open it in an editor such as Notepad++.

  2. Copy the script below into the file, or download the file from the article.

    1. In the following script, set the drive letter and the new PIN or password you want to apply.

    2. If you want to update the PIN of the D: drive, first unlock the D: drive (if it is locked) and then publish the script; BitLocker cannot change protectors on a locked volume.

    3. Test the script on one or two devices first, then deploy it to the rest of the devices.

      #==================================================================
      # User input parameters for BitLocker encryption
      #==================================================================

      $BitlockerSecureStr = "enter the new password"   # new PIN (digits only) or new password
      $SystemDrive        = "enter the drive name"     # drive letter with colon, for example "C:"

      #==================================================================

      try
      {
          # Read the minimum PIN length enforced by BitLocker group policy; fall back to the default of 8.
          Function GetPinPasswordMinLength()
          {
              $MinLength = 8

              try
              {
                  $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
                  $MinLength = Get-ItemProperty -LiteralPath $key -Name 'MinimumPIN' -ErrorAction Ignore |
                      Where-Object -FilterScript { $_ -ne $null } |
                      Select-Object -ExpandProperty 'MinimumPIN'

                  if ($MinLength -eq $null)
                  {
                      $MinLength = 8
                  }
              }
              catch
              {
                  $MinLength = 8
                  $Error.Clear()
              }

              return $MinLength
          }

          $MinPinAndPasswordLength = GetPinPasswordMinLength

          if ($BitlockerSecureStr.Length -ge $MinPinAndPasswordLength)
          {
              # Only a fully encrypted volume has key protectors that can be replaced.
              $BitLockerVolume = Get-BitLockerVolume -MountPoint $SystemDrive |
                  Where-Object -FilterScript { $_ -ne $null -and $_.VolumeStatus -eq 'FullyEncrypted' }

              if ($BitLockerVolume -eq $null)
              {
                  Write-Error "ERROR: No fully encrypted BitLocker volume (and so no key protectors) found on '$SystemDrive' drive."
                  return
              }

              $LockStatus = $BitLockerVolume | Select-Object -ExpandProperty LockStatus

              if ($LockStatus -eq 'Locked')
              {
                  Write-Error "ERROR: BitLocker cannot perform any operation on a locked drive; please unlock the '$SystemDrive' drive first and then try again."
                  return
              }

              # The old protector is removed before the new one is added, so a recovery password
              # protector is the safety net if Add-BitLockerKeyProtector fails half way through.
              $RecoveryProtectors = $BitLockerVolume.KeyProtector |
                  Where-Object -FilterScript { $_.KeyProtectorType -eq 'RecoveryPassword' }
              if (-not $RecoveryProtectors)
              {
                  Write-Warning "No RecoveryPassword protector found on '$SystemDrive'; back up a recovery key before replacing protectors."
              }

              $NewSecureStr = ConvertTo-SecureString $BitlockerSecureStr -AsPlainText -Force

              $BitLockerVolume | Select-Object -ExpandProperty 'KeyProtector' | ForEach-Object {

                  $KeyProtectorType = $_.KeyProtectorType
                  $KeyProtectorId   = $_.KeyProtectorId

                  switch -Exact ($KeyProtectorType)
                  {
                      "TpmPin" {
                          if ($BitlockerSecureStr -match '^\d+$')
                          {
                              # Remove the existing TPM+PIN protector by its id (equivalent to
                              # "manage-bde -protectors -delete <drive> -type TPMAndPIN"), then add one with the new PIN.
                              Remove-BitLockerKeyProtector -MountPoint $SystemDrive -KeyProtectorId $KeyProtectorId | Out-Null
                              Add-BitLockerKeyProtector -MountPoint $SystemDrive -Pin $NewSecureStr -TpmAndPinProtector | Out-Null
                              # The new PIN is deliberately not echoed: script output ends up in the MDM status report.
                              Write-Output "BitLocker PIN has been changed on '$SystemDrive' drive successfully."
                          }
                          else
                          {
                              Write-Error "ERROR: BitLocker PIN must be numeric; please correct the PIN and try again."
                          }
                          break
                      }
                      "Password" {
                          # Same replace-by-id approach for the password protector.
                          Remove-BitLockerKeyProtector -MountPoint $SystemDrive -KeyProtectorId $KeyProtectorId | Out-Null
                          Add-BitLockerKeyProtector -MountPoint $SystemDrive -Password $NewSecureStr -PasswordProtector | Out-Null
                          Write-Output "BitLocker password has been changed on '$SystemDrive' drive successfully."
                          break
                      }
                      default {
                          # Other protector types (Tpm, RecoveryPassword, ExternalKey, ...) are left untouched.
                          return
                      }
                  }
              }
          }
          else
          {
              Write-Error "ERROR: PIN/password does not meet the minimum length requirement of $MinPinAndPasswordLength characters."
          }
      }
      catch
      {
          $err = $($_ | Out-String)
          Write-Error "ERROR: Exception raised: $err"
      }


  3. Follow our guide to upload & publish the PowerShell script using Scalefusion Dashboard.

  4. Once the script has executed, you can see its status in the View Status report on the Scalefusion dashboard.
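The View Status report only tells you whether the script ran. To confirm on the device itself that the protector was actually replaced, the following read-only script is added here as an example; it is not part of the Scalefusion article or its script. It reports the volume state, the effective MinimumPIN policy and the protector types and ids on the drive, and flags the preconditions the change script depends on. The drive letter in `$SystemDrive` is an assumption; run it in an elevated PowerShell session before and after deployment.

```powershell
# Added verification script (not from the Scalefusion article). Read-only: it changes nothing.
# Assumption: the drive to inspect is the one in $SystemDrive.

$SystemDrive = "C:"   # assumed drive letter; adjust as needed

function Get-EffectiveMinimumPin {
    # Same policy value the change script honours; BitLocker's default is 8 when no policy is set.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $value = Get-ItemProperty -LiteralPath $key -Name 'MinimumPIN' -ErrorAction Ignore |
        Select-Object -ExpandProperty 'MinimumPIN' -ErrorAction Ignore
    if ($null -eq $value) { return 8 }
    return [int]$value
}

function Get-BitLockerProtectorReport {
    param([string]$MountPoint)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # One row per key protector; the id is a GUID that changes whenever a protector is replaced.
    $protectors = foreach ($kp in $volume.KeyProtector) {
        [pscustomobject]@{
            Type = $kp.KeyProtectorType
            Id   = $kp.KeyProtectorId
        }
    }

    $types = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint          = $volume.MountPoint
        VolumeStatus        = $volume.VolumeStatus
        ProtectionStatus    = $volume.ProtectionStatus
        LockStatus          = $volume.LockStatus
        EncryptionMethod    = $volume.EncryptionMethod
        MinimumPinPolicy    = Get-EffectiveMinimumPin
        HasTpmPin           = ($types -contains 'TpmPin')
        HasPassword         = ($types -contains 'Password')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        Protectors          = $protectors
    }
}

$report = Get-BitLockerProtectorReport -MountPoint $SystemDrive

$report |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, LockStatus, EncryptionMethod,
                  MinimumPinPolicy, HasTpmPin, HasPassword, HasRecoveryPassword |
    Format-List
$report.Protectors | Format-Table -AutoSize

# Preconditions of the change script, flagged up front so a failed deployment is explained.
if ($report.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning "'$SystemDrive' is not FullyEncrypted; the change script will find no volume to update."
}
if ($report.LockStatus -eq 'Locked') {
    Write-Warning "'$SystemDrive' is Locked; unlock it before publishing the change script."
}
if (-not $report.HasTpmPin -and -not $report.HasPassword) {
    Write-Warning "'$SystemDrive' has neither a TpmPin nor a Password protector; the change script has nothing to replace."
}
if (-not $report.HasRecoveryPassword) {
    Write-Warning "No RecoveryPassword protector on '$SystemDrive'; back up a recovery key before replacing protectors."
}
```

Capture the protector table before publishing the change script and again afterwards: because removing and re-adding a protector assigns it a new id, a TpmPin or Password row whose Id differs between the two runs is direct evidence that the replacement happened, independent of what the dashboard reports. The MinimumPinPolicy value also tells you in advance whether the PIN you chose will pass the length check.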

Please note that to use the PowerShell scripts, the Scalefusion MDM Agent Application must be installed on the device(s). Please follow our guide to publish and install the Scalefusion MDM Agent Application.

Note:

  1. The scripts and their contents are sourced from various albeit authenticated Microsoft sources and forums.

  2. Please validate the scripts on a test machine before deploying them on all your managed devices.

  3. Scalefusion has tested these scripts; however, Scalefusion will not be responsible for any loss of data or system malfunction that may arise from incorrect usage of these scripts.
