I'm wondering whether I should require a PIN or another form of authentication to boot my computers, especially since I'm currently using BitLocker to encrypt all my devices and enforce a PIN on mobile devices. I'm considering adding a TPM + PIN setup for desktops as well. What are your thoughts on this? How do you manage shared workstations in this scenario?
5 Answers
When it comes to shared workstations, we just avoid using them altogether. Each user has dedicated equipment, which simplifies things. But if you do need to plan for shared machines, thoughtful security can prevent unauthorized access without complicating usage too much. Just make sure users know they can manage their own PINs, and IT can provide recovery keys if needed.
From my experience, requiring a startup PIN can really complicate things, and upper management may push back on it. It might just create more headaches than it’s worth, especially since a lot of people will just end up taping the PIN to their computer! As long as you have a TPM and use Local Admin Password Solution (LAPS), a preboot PIN can often be skipped. Just be cautious if you need to reboot remotely; you don't want to lock yourself out!
True, I can see how that could become a mess, especially with rebooting issues. Using scripts to control reboots seems like a smarter choice.
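To make the two points above concrete (the TPM + PIN rollout for desktops from the question and the "scripted reboot" approach in this reply), here is an added PowerShell example; it is not code from anyone in this thread. It assumes an elevated session on a domain-joined Windows machine with the BitLocker and TrustedPlatformModule cmdlets, the OS volume on C:, Group Policy already permitting TPM + PIN at startup, and WinRM for the remote step; the host name is a placeholder.

```powershell
# Added example (not from the thread): helpers for a TPM+PIN rollout and for
# reboots that do not strand a machine at the preboot PIN prompt.
# Assumes: elevated session, OS volume on C:, GPO allows "TPM + PIN" at startup,
# AD DS for recovery-key escrow, WinRM reachable. Host names are placeholders.

#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Test-TpmPinReady {
    # Preflight check: usable TPM, volume already encrypted, which protectors exist.
    param([string]$MountPoint = 'C:')
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        TpmReady        = [bool]$tpm.TpmReady
        VolumeStatus    = $vol.VolumeStatus            # e.g. FullyEncrypted
        ProtectionOn    = ($vol.ProtectionStatus -eq 'On')
        HasTpmPin       = ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin')
        HasRecoveryPass = ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')
    }
}

function Enable-TpmPinProtector {
    # Move a TPM-only volume to TPM+PIN. Order matters: a recovery password must
    # exist and be escrowed before the TPM protector is touched, so a failed
    # change cannot lock the user out with no way for IT to recover the volume.
    param(
        [Parameter(Mandatory)][securestring]$Pin,
        [string]$MountPoint = 'C:'
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    # Escrow to Active Directory (BackupToAAD-BitLockerKeyProtector is the Entra ID equivalent).
    foreach ($r in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $r.KeyProtectorId | Out-Null
    }

    # A volume carries one TPM-based protector, so remove the TPM-only one first.
    $tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    foreach ($t in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $t.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # Return the protector types now on the volume so the caller can verify TpmPin is present.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
}

function Restart-BitLockerHost {
    # Scripted remote reboot of a TPM+PIN machine: suspend protection for exactly
    # one reboot so the PIN prompt is skipped once and protection re-arms on its
    # own at the next boot. Without this the host sits at the preboot screen.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$MountPoint = 'C:'
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $MountPoint -ScriptBlock {
        param($mp)
        Suspend-BitLocker -MountPoint $mp -RebootCount 1 | Out-Null
        (Get-BitLockerVolume -MountPoint $mp).ProtectionStatus    # 'Off' until the next boot
    }
    Restart-Computer -ComputerName $ComputerName -Force
}

# Example run on a desktop (placeholder host name):
# Test-TpmPinReady
# $pin = Read-Host -Prompt 'New startup PIN' -AsSecureString
# Enable-TpmPinProtector -Pin $pin
# Restart-BitLockerHost -ComputerName 'DESKTOP-PLACEHOLDER'
```

The `-RebootCount 1` form is the part that addresses the remote-reboot lockout concern: protection is off for a single boot cycle and comes back without a second trip to the machine. Escrowing the recovery password before changing protectors is what lets IT hand out a recovery key if a user forgets a PIN, and users can rotate their own PIN afterwards with `manage-bde -changepin C:`.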
Honestly, the benefits of a boot PIN feel minimal to me. You might be better off with just data-at-rest encryption without that extra layer. And make sure critical data isn’t stored on user devices—keep it on the network where it’s safer.
In our setup, we enforce BitLocker with a PIN for laptops but go without it for desktops. For stationary machines, I’d suggest looking into solutions like network unlock, which can give you decent security without the hassle of a boot PIN for every user.
Agreed, network unlock is a cool option, but be cautious; I think it has some limitations for certain devices.
We require a boot PIN purely for compliance reasons—especially in sectors like finance. However, I find that it tends to create more frustration during setup. Just a heads up, it’s something to keep in mind!
Exactly! Users managing their own PINs reduces IT hassle while keeping everything secure.