BitLocker with TPM but no startup PIN concerns the users – what should I tell them

bitlockerwindows 7

My infrastructue uses BitLocker encrypted drives with TPM but no start up PIN. Recovery keys are stored in the AD. A few of my users are worried that no startup PIN is insecure as to the old WinMagic setup with a startup PIN before booting the OS.

In our design it is clearly stated that the most important thing is that the hard drive is encrypted in case the computer is stolen or lost.

What can I tell my concerned users, that will make them understand that the startup PIN does not really introduce any extra security.

Best Answer

Why not just explain to them the transparent mode operation of BitLocker in conjunction with TPM and that no startup PIN is required.

You could also implement TPM + PIN if it's that big an issue with the users.

Related Solutions

How to set the BitLocker PIN

Found the answer, assuming you have BitLocker up and running, make the changes:

To enable TPM & PIN at boot:

Using the Group Policy Editor (Start -> gpedit.msc and press Enter), go to :

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives

and open the key

"Require additional authentication at startup"

Then enable that Key and set "Configure TPM startup Pin:" to "Require startup PIN with TPM"

To set the actual PIN use in a CMD prompt

manage-bde -protectors -add c: -TPMAndPIN

This will prompt you for a PIN which it then requires you to enter at Boot.

Bitlocker in Windows 7: how to change from USB key to PIN

Well, apparently it's not possible.

Only four options are available:

TPM only TPM and PIN TPM and Startup Key USB only

Therefore, USB it is for me ;)

Best Answer

Related Solutions

How to set the BitLocker PIN

Bitlocker in Windows 7: how to change from USB key to PIN

Related Topic