Hey sysadmins! I just started at a new startup, and we're trying to figure out the best way to manage BitLocker PINs for our users. We're debating whether to set the same PIN for all devices, different ones for batches of laptops, or unique PINs for each device. The challenge with unique or batch PINs is keeping track of them; it gets messy and complicates our password database. We currently back up our recovery keys on an external drive since we don't have shared drives set up yet. We're also in the process of transitioning from Google Workspace to Microsoft 365 and don't have Entra ID or on-premises AD yet. I'd love to hear how you manage BitLocker setups in your companies. Thanks in advance!
3 Answers
We usually have a default BitLocker startup PIN that new employees change upon their first login. It’s documented along with their initial password. We also back up the recovery password using Entra ID, so everything’s easy to manage. If you don't have AD or Entra, consider setting up a free Azure account to help keep things organized in the future.
Honestly, if you're managing BitLocker without Entra ID or an AD setup, you're on the wrong track. Prioritize getting that sorted out ASAP. Any sizable business should have these systems in place to manage everything efficiently.
I completely agree! Get your devices managed by Intune; it will save you so much headache. Using Intune will allow you to back up those BitLocker keys securely and keep everything centralized. Don't try to do it manually without proper management tools.
That’s smart! Using PowerShell to export and securely store the recovery keys is a great workaround if you don't have those tools. Just make sure backups are easily accessible as needed.
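One way to script the PowerShell export the last answer mentions, as an added example that is not code from the thread. It assumes the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector) and an export path of your choosing; the resulting CSV holds plaintext recovery passwords, so write it only to the encrypted external drive or password database, never to a plain share.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory this machine's BitLocker recovery passwords and export them
# for offline safekeeping when no AD DS / Entra ID backup target exists yet.
$ExportPath = "E:\BitLockerKeys\$env:COMPUTERNAME.csv"   # assumed location (encrypted external drive)

$records = foreach ($vol in Get-BitLockerVolume) {
    # Every protected volume should carry a numerical recovery password protector;
    # without one there is nothing to fall back on if the TPM or PIN check fails.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp -and $vol.ProtectionStatus -eq 'On') {
        $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        # One row per protector: the KeyProtectorId is what the recovery screen shows,
        # so it is the lookup key when a user calls in with a locked machine.
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            KeyProtectorId   = $p.KeyProtectorId
            RecoveryPassword = $p.RecoveryPassword
            Exported         = (Get-Date).ToString('s')
        }
    }
}

New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
$records | Export-Csv -Path $ExportPath -NoTypeInformation

# Optional: ensure the OS volume uses TPM+PIN. The PIN entered here is the initial
# startup PIN the user is expected to change at first login (manage-bde -changepin C:).
$osVol = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
if (-not ($osVol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
    $Pin = Read-Host -AsSecureString -Prompt 'Initial startup PIN for this device'
    Add-BitLockerKeyProtector -MountPoint $osVol.MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
}
```

Once Entra ID is in place, the same loop can call BackupToAAD-BitLockerKeyProtector per protector instead of writing a CSV.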