Change BitLocker PIN with Complexity

BitLocker Enabled for OS Drives? Check!
Using PIN authentication? Check!
Enforcing PIN Complexity? …

True, we get a lot of options with BitLocker in Windows. One thing we struggled with is the inability to require any kind of complexity for the PIN. Through Group Policy we can set a minimum length, which helps, but what if I need to enforce other complexity rules? Say, require one uppercase letter, one lowercase letter, and one number?

Well, I’ve done that work for you, so sharpen your copy/paste skills and let’s have at it!

Before this will work completely, make sure that you’ve enabled the Group Policy setting “Allow Enhanced PINs for Startup”.

We’ve used this code since our first step into Windows 7, and VBScript was the winner. To add a GUI, we dropped the VBScript into an HTA and had a functional utility. Then the loveable storm I call PowerShell came along, and naturally a rewrite was inevitable. Integrating a Windows Form was an obvious “plus” as well. These were tested on Windows 7 through Windows 8.1 (including Windows To Go; yeah, it’s a bit different for portable OSes).

Both utilities break the logic apart into functions/subs that are easy to call. In the full scripts (linked at the bottom) I’ve also added some nice messages that the user will see to help them meet the complexity requirements. Hopefully, if you don’t need the functionality of the utilities, you can use the code snippets for other projects.

Check Length:

PowerShell:

function CheckStringLength([int]$lowerInt, [int]$upperInt, [string]$stringValue)
{
    If ($stringValue.Length -lt $lowerInt)
    { return -1 }
    ElseIf ($stringValue.Length -gt $upperInt)
    { return 1 }
    else
    { return 0 }
}

VBScript:

Function CheckStringLength(lowerInt, upperInt, stringValue)
    If Len(stringValue) < lowerInt Then
        CheckStringLength = -1
        Exit Function
    ElseIf Len(stringValue) > upperInt Then
        CheckStringLength = 1
        Exit Function
    Else
        CheckStringLength = 0
    End If

End Function

Require Uppercase:

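PowerShell:

# CompareTo returns 0 when the string equals its own lowercase form, meaning it has no uppercase letter.
If (-Not ($stringValue.CompareTo($stringValue.ToLower())))
{ return $false }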

VBScript:

Function ContainsUpperCase(stringValue)
    If stringValue <> LCase(stringValue) Then
        ' Upper Case passed
        ContainsUpperCase = True
        Exit Function
    End If

    ContainsUpperCase = False

End Function

Require Lowercase:

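PowerShell:

# CompareTo returns 0 when the string equals its own uppercase form, meaning it has no lowercase letter.
If (-Not ($stringValue.CompareTo($stringValue.ToUpper())))
{ return $false }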

VBScript:

Function ContainsLowerCase(stringValue)
    If stringValue <> UCase(stringValue) Then
        ' Lower case Passed
        ContainsLowerCase = True
        Exit Function
    End If	

    ContainsLowerCase = False

End Function

 

Require Number:

PowerShell:

function ContainsNumber([string]$stringValue)
{
    foreach ($c in $stringValue.ToCharArray())
    {
        If ($c -match "[0-9]")
        {
            return $true
        }
    }

    return $false
}

VBScript:

Function ContainsNumber(stringValue)

    Dim iNum

    For iNum = 1 To Len(stringValue)
        If IsNumeric(Mid(stringValue, iNum, 1)) Then
            ContainsNumber = True
            Exit Function
        End If
    Next

    ContainsNumber = False

End Function

 

Prevent Special Characters:

PowerShell:

function ContainsSpecialCharacter([string]$stringValue)
{
    # Convert each character to its numeric code so it can be range-checked
    $charArray = [int[]][char[]]$stringValue

    foreach ($c in $charArray)
    {
        if (($c -lt 32) -or ($c -gt 128))
        {
            return $true
        }
    }

    return $false
}

VBScript:

Function ContainsSpecialCharacter(stringValue)

    Dim iChar, cChar

    For iChar = 1 To Len(stringValue)
        cChar = Mid(stringValue, iChar, 1)

        ' Check if Character is in range
        If Asc(cChar) < 32 Or Asc(cChar) > 128 Then
            ContainsSpecialCharacter = True
            Exit Function
        End If
    Next

    ContainsSpecialCharacter = False

End Function
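
The individual checks above can be combined into a single validator that reports every rule a PIN fails. This is an added example, not code from the linked scripts; the function name Test-PinComplexity and the default lengths of 6 and 20 are assumptions to adjust to your own Group Policy settings.

```powershell
# Added example: every name below is hypothetical, not taken from the author's linked scripts.
function Test-PinComplexity
{
    param(
        [Parameter(Mandatory=$true)][AllowEmptyString()][string]$Pin,
        [int]$MinLength = 6,    # assumption: set this to your Group Policy minimum
        [int]$MaxLength = 20    # assumption: upper bound to enforce on the PIN
    )

    $failures = @()

    if ($Pin.Length -lt $MinLength) { $failures += "Shorter than $MinLength characters" }
    if ($Pin.Length -gt $MaxLength) { $failures += "Longer than $MaxLength characters" }

    # -cnotmatch is case-sensitive; plain -notmatch would let 'a' satisfy [A-Z].
    if ($Pin -cnotmatch '[A-Z]') { $failures += 'No uppercase letter' }
    if ($Pin -cnotmatch '[a-z]') { $failures += 'No lowercase letter' }
    if ($Pin -notmatch '[0-9]')  { $failures += 'No number' }

    # Same range as ContainsSpecialCharacter above: codes below 32 or above 128 are rejected.
    foreach ($code in [int[]][char[]]$Pin)
    {
        if (($code -lt 32) -or ($code -gt 128))
        {
            $failures += 'Contains a character outside the allowed range'
            break
        }
    }

    # Return the failed rules only, never the PIN itself.
    return ,$failures
}

# Constructed sample PINs, for illustration only.
foreach ($sample in 'Abc123', 'abc123', 'ABCDEF1', 'Ab1', 'Päss1234')
{
    $result = Test-PinComplexity -Pin $sample
    if ($result.Count -eq 0) { "{0,-10} OK" -f $sample }
    else { "{0,-10} FAIL: {1}" -f $sample, ($result -join '; ') }
}
```

Because the function returns only the names of the failed rules, its result can be shown to the user or written to a log without exposing the PIN.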

 

Complete scripts:

VBScript/HTA: https://skydrive.live.com/redir?resid=3D90B836AD7F51CF%21786
PowerShell: https://skydrive.live.com/redir?resid=3D90B836AD7F51CF%21785


2 thoughts on “Change BitLocker PIN with Complexity”

  1. Hi, exactly what I need, but I wonder if the PS script ever worked 🙂 WMI class does not have a method GetProtectorType. Is this a typo, and should it be GetKeyProtectorType instead?
