
Why BitLocker is often used without a PIN.

SinAyy
Member
204
11-05-2023, 03:18 AM
#1
I find it hard to grasp the main advantage of using BitLocker with TPM without a PIN. Most users I know do this, and both Microsoft 365 and Intune promote it. The only clear benefit seems to be a small one: if someone steals the device and tries to bypass the built-in admin account by opening it, removing the drive, and reading it elsewhere, they wouldn’t be able to access the data. However, in reality, such an attack is unlikely because most people would know how to activate the admin account.

Any opinions much appreciated.

ComboHax
Member
184
11-05-2023, 07:17 AM
#2
My view:
Microsoft chose this as the standard setting. It's also a configuration that reduces the chance of losing access quickly because of a forgotten BitLocker PIN. The business might update the default admin password immediately, weakening its importance. Overall, though, BitLocker without a PIN offers protection only at the SSD/HDD level. If you can restart and log in, tools like Cellebrite should likely bypass the login screen.
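For anyone who wants to see which of their volumes are in the TPM-only configuration discussed in this thread, here is an added example (not part of either post above) that classifies volumes by key protector type. The function name `Get-PreBootAuthStatus`, its output fields and the sample objects are assumptions made for illustration; the property names match what `Get-BitLockerVolume` returns.

```powershell
# Classify BitLocker volumes by whether unlocking needs something beyond the TPM.
# Get-PreBootAuthStatus and its output fields are hypothetical names for this example.
function Get-PreBootAuthStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Volume
    )
    begin {
        # Protector types that require a PIN or startup key before the TPM releases the key.
        $preBoot = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    }
    process {
        $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $finding = if ([string]$Volume.ProtectionStatus -ne 'On') { 'NotProtected' }
                   elseif ($types | Where-Object { $_ -in $preBoot }) { 'PreBootAuth' }
                   elseif ($types -contains 'Tpm') { 'TpmOnly' }
                   else { 'NoTpmProtector' }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Protectors = $types -join ','
            Finding    = $finding
        }
    }
}

# Constructed sample objects shaped like Get-BitLockerVolume output, so this runs offline.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'; KeyProtector = @(
        [pscustomobject]@{ KeyProtectorType = 'Tpm' },
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'On'; KeyProtector = @(
        [pscustomobject]@{ KeyProtectorType = 'TpmPin' },
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'E:'; ProtectionStatus = 'Off'; KeyProtector = @() }
)
$sample | Get-PreBootAuthStatus | Format-Table -AutoSize

# On a real machine, from an elevated session:
# Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Get-PreBootAuthStatus
```

A `TpmOnly` finding means the volume key is released at boot with no user input, which is the configuration the thread is asking about.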