
I am running Windows 7 RTM and have both physical drives BitLockered. Because my machine has a TPM it will boot all very nicely when I turn it on. But my employers would prefer if I was challenged for a password at boot time.

I have found this article: http://4sysops.com/archives/review-windows-7-bitlocker/ that tells me which group policy flags to set to get it BitLocker to challenge for a PIN at startup.

What I can't find is how to set this PIN given the system is already encrypted?

I have also come across http://technet.microsoft.com/en-us/library/dd875532%28WS.10%29.aspx and am curious to know which of these recommendations it is safe to apply to an already encrypted system?

Colin Desmond

3 Answers


Found the answer. Assuming you have BitLocker up and running, make the following changes.

To enable TPM & PIN at boot:

Using the Group Policy Editor (Start -> gpedit.msc and press Enter), go to:

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

and open the key

"Require additional authentication at startup"

Then enable that key and set "Configure TPM startup PIN:" to "Require startup PIN with TPM".

To set the actual PIN, run in a CMD prompt:

manage-bde -protectors -add c: -TPMAndPIN

This will prompt you for a PIN, which it then requires you to enter at boot.

Sam
    I think it's "cscript manage-bde.wsf -protectors -add c: -TPMAndPIN" - right? Also, I think that changing the group policy isn't necessary unless you want to force the use of TPM+PIN on subsequently encrypted volumes. In this case, just adding the PIN (via the "manage-bde" cmd) is what is desired. Anyway, +1 for all the detail! – Garrett Aug 18 '09 at 13:25
  • Thanks, we've been looking for this answer for the last 2 weeks. – Richard Clayton May 06 '11 at 15:36
  • On Windows 8.1, you have to modify Group Policy and enable the aforementioned key (no need to change it to 'require' though; the default 'allow' is fine). If you don't, the latter command will fail and tell you to modify Group Policy. – Sam Jan 22 '14 at 09:01
  • On Windows 8.1, after activating that group policy, you are actually able to set the PIN via the BitLocker config GUI. A new option appears: "Change how drive is unlocked at startup", where you can comfortably set a PIN. Blog post with screenshots for the whole process: http://www.windows-infrastructure.de/enable-bitlocker-tpm-and-pin/ – Anton Kaiser Dec 10 '14 at 09:07
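An added example, not from any of the answers above, that audits the two things the accepted answer and the comments say must line up before the PIN can be added: the "Require additional authentication at startup" policy and the startup protector currently on C:. It assumes Windows 8 or later (the BitLocker PowerShell module and the FVE policy registry values named in the comments are not part of the answers; on Windows 7 RTM read the output of manage-bde -protectors -get C: instead) and an elevated prompt.

```powershell
# Added example (not from the original answers). Assumes Windows 8+ with the
# BitLocker PowerShell module, run from an elevated PowerShell prompt.
# Registry values written by the "Require additional authentication at startup"
# policy (assumed from the policy's ADMX, not stated on the page):
#   HKLM\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup = 1  (policy Enabled)
#   HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow
function Test-TpmPinPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if (-not $p -or $p.UseAdvancedStartup -ne 1) {
        return [pscustomobject]@{ Configured = $false; Mode = 'not configured (TPM-only default)' }
    }
    $mode = switch ($p.UseTPMPIN) { 0 { 'do not allow' } 1 { 'require' } 2 { 'allow' } default { 'unknown' } }
    [pscustomobject]@{ Configured = $true; Mode = $mode }
}

function Get-StartupProtector {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # A volume carries at most one TPM-family protector; TpmPin is the one
    # that "manage-bde -protectors -add c: -TPMAndPIN" installs.
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' } |
        Select-Object -ExpandProperty KeyProtectorType
}

$policy  = Test-TpmPinPolicy
$current = Get-StartupProtector -MountPoint 'C:'
"Policy: {0}; current startup protector: {1}" -f $policy.Mode, ($current -join ',')

if ($current -notcontains 'TpmPin') {
    if (-not $policy.Configured -or $policy.Mode -eq 'do not allow') {
        # Matches the Windows 8.1 comment above: the add fails until the policy allows a PIN.
        Write-Warning 'Enable "Require additional authentication at startup" (allow or require) before adding a PIN.'
    } else {
        # PowerShell equivalent of: manage-bde -protectors -add c: -TPMAndPIN
        $pin = Read-Host -AsSecureString -Prompt 'Enter the startup PIN'
        Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
    }
}
```

Re-run the script afterwards: the startup protector should now read TpmPin, which is the state the employer's policy in the question asks for.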

Windows 7: type 'cmd' in the search box (Start), right-click on the program found above ('cmd') and select 'Run as administrator', then use manage-bde -protectors -add c: -TPMAndPIN as stated above.


http://technet.microsoft.com/en-us/library/dd875513(WS.10).aspx#BKMK_protectors

Run as admin to delete the associated protectors: cscript manage-bde.wsf -protectors -delete

Then add just the TPM only: cscript manage-bde.wsf -protectors -add -tpm

To check which protectors are being used by your system, run cscript manage-bde.wsf -status

If you are using Win 7, change manage-bde.wsf to manage-bde.exe and you are good to go.