Support Bitlocker PIN
customer-preston: Gong snippet: https://us-65885.app.gong.io/call?id=4300040648007396243&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A336%2C%22to%22%3A470%7D%5D
Here's your request formatted for submission, from the perspective of an IT admin or security engineer:
- @noahtalerman: User requested this because they need support for BitLocker PIN and Enhanced PIN in Fleet to protect Windows devices with an additional layer of pre-boot authentication. Today, a malicious actor needs username+password to get into a workstation. If this new mode, which requires a BitLocker PIN, is enabled, then the malicious actor also needs the PIN.
- @noahtalerman: In the interim the user can run a PowerShell script like Enable-BitLocker -TPMandPinProtector to enable PIN protection and set the PIN manually.
- @noahtalerman: Eventually they would like to configure, escrow, and audit BitLocker PINs centrally from Fleet, with added protections like preventing host expiry if a PIN is set, ensuring devices remain recoverable and compliant.
- @allenhouchins: From the Microsoft docs:
- For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation. The PIN can consist of 4 to 20 digits as specified by the Configure minimum PIN length for startup policy setting and is stored internally as a 256-bit hash of the entered Unicode characters. This value is never displayed to the user. The PIN is used to provide another factor of authentication in conjunction with TPM authentication.
User stories
- Air guitar
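The interim workaround named in the description (Enable-BitLocker with a TPM+PIN protector) and the "which hosts have no PIN set" audit that the later comments describe, worked through as an added PowerShell example. This is not Fleet's code, nor the customer's script, nor anything from the Microsoft docs quoted above. It assumes an elevated PowerShell session on a Windows 10/11 host with a TPM, that the PIN is typed in interactively (in a real deployment it would come from the user at the keyboard, never from a script), and that the encryption method is chosen at first enablement; the 128- versus 256-bit choice discussed further down the thread is the -EncryptionMethod parameter here. The function names are the example's own.

```powershell
# Added example (not Fleet's code): enable BitLocker on the OS drive with a TPM+PIN
# protector, keep the device recoverable, and report whether a PIN protector exists.
# Assumes: run as Administrator, TPM present, Windows 10/11 Pro/Enterprise.
param(
    [string]$MountPoint = $env:SystemDrive,
    # XtsAes256 is the stronger default; XtsAes128 is the other common choice. The method
    # only applies on fresh enablement; an already-encrypted volume keeps its cipher.
    [ValidateSet('XtsAes128', 'XtsAes256')]
    [string]$EncryptionMethod = 'XtsAes256'
)

function Test-TpmPinPolicy {
    # Enable-BitLocker -TpmAndPinProtector is refused unless the "Require additional
    # authentication at startup" policy allows or requires a startup PIN. That policy is
    # written under HKLM\SOFTWARE\Policies\Microsoft\FVE; UseTPMPIN 1 = require, 2 = allow
    # (value meanings assumed from the Group Policy dropdown order).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    return ($null -ne $fve -and $fve.UseAdvancedStartup -eq 1 -and $fve.UseTPMPIN -in 1, 2)
}

function Enable-BitLockerWithPin {
    param(
        [string]$MountPoint,
        [string]$EncryptionMethod,
        [securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType)

    if ($types -contains 'TpmPin') {
        return $vol   # already protected with TPM+PIN, nothing to do
    }

    # Always keep a recovery password so the host stays recoverable once the PIN is
    # required; the MDM (Fleet) is where this key should be escrowed, not the PIN itself.
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Fresh enablement: the cipher is chosen here and only here.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $EncryptionMethod `
            -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }
    else {
        # Already encrypted (typically TPM-only): a volume carries only one TPM-based
        # protector, so remove the TPM-only protector first, then add TPM+PIN. Removing it
        # first is safe because the recovery password above is still present.
        $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    }

    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Get-BitLockerPinStatus {
    # One row per OS volume: the "does this host have a PIN set" view a compliance
    # check or an osquery-style collector would want.
    Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | ForEach-Object {
        $types = @($_.KeyProtector.KeyProtectorType)
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            HasTpmPin        = [bool]($types -contains 'TpmPin')
            HasRecoveryPwd   = [bool]($types -contains 'RecoveryPassword')
        }
    }
}

if (-not (Test-TpmPinPolicy)) {
    throw 'Startup PIN is not permitted by policy; set "Require additional authentication at startup" (UseAdvancedStartup=1, UseTPMPIN=1 or 2) first.'
}

# The PIN must be a SecureString; prompting keeps it out of script files and logs.
$pin = Read-Host -Prompt 'Enter the BitLocker startup PIN' -AsSecureString
Enable-BitLockerWithPin -MountPoint $MountPoint -EncryptionMethod $EncryptionMethod -Pin $pin | Out-Null
Get-BitLockerPinStatus | Format-Table -AutoSize
```

Two points worth keeping in mind when adapting this: the policy check exists because the cmdlet fails with an opaque error when the FVE policy does not allow a startup PIN, and the recovery password is added before the TPM-only protector is removed so there is never a moment where the encrypted volume has no usable protector. Enhanced PINs (letters and symbols) additionally need the "Allow enhanced PINs for startup" policy; without it Windows accepts digits only.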
@nonpunctual based on your research, can you confirm that this PIN cannot be set by FleetDM ?
@martinpannier Have not tested if the feature doesn't work as this issue was only created yesterday. It may. I will post results here when I get a chance to try it.
Hey @noahtalerman - I spoke with customer-preston today and I have a new Gong snippet that I will add once it is processed. Additional context --> The main focus here is supporting the activation of Bitlocker with PIN in general, not escrowing the PIN.
Hey @noahtalerman - Here is the new Gong snippet: https://us-65885.app.gong.io/call?id=5942354336901751458&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A179%2C%22to%22%3A298%7D%5D
Thanks @pintomi1989! I updated the issue description to reflect this.
FYI @rachaelshaw @ddribeiro ^
Updated with customer-deebradel's snippet, as well as a Slack link @noahtalerman
FYI @rachaelshaw
@pintomi1989 #21833 (Require BitLocker PIN) was shipped in 4.73. We think that adding the option to require a PIN, and adding a way to see which hosts do not have one set, fulfills customer-deebradel and customer-preston's request to support BitLocker PIN.
Absolutely & great news
@pintomi1989 up to you as Customer Success Manager (CSM) to close this issue or leave it open if you think Fleet is missing something: https://fleetdm.com/handbook/customer-success#communicate-feedback-on-prioritized-customer-requests
Just a reminder to bring the improvements to customer-deebradel for feedback.
Hey @noahtalerman - This is in the agenda for my next session with them, which will be next week. I'll close it if they also approve
Update: We will need to review this next week, as the individual who submitted it is OOO this week
Going to discuss async - Removing my tag and will close afterwards if we're good to go
@pintomi1989 any update?
Hey @noahtalerman - Update is that we use 256-bit encryption by default. Usually when enabling BitLocker with PIN, users can select between that type or 128-bit encryption. customer-deebradel would like the option to choose between those two encryption types.
@pintomi1989 I think we can call this^ a separate request.
This request (#27354) is about enforcing a PIN. deebradel is now asking for disk encryption on Windows to use a different encryption algorithm (128).
I think we file a separate request for that and close this request out. What do you think?
Also, it sounds like deebradel shared some reasoning (the why) behind the ask: https://us-65885.app.gong.io/call?id=7695965668863687953&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A621%2C%22to%22%3A670%7D%5D
Can you please help us track that^ down? I think we want to put that in the new request.
@pintomi1989 FYI - we shipped another story related to this in 4.76.0 based on feedback from dogfooding the issue: https://github.com/fleetdm/fleet/issues/33726