How to set the BitLocker PIN

bitlocker

I am running Windows 7 RTM and have both physical drives BitLockered. Because my machine has a TPM it will boot all very nicely when I turn it on. But my employers would prefer if I was challenged for a password at boot time.

I have found this article: http://4sysops.com/archives/review-windows-7-bitlocker/ that tells me which group policy flags to set to get BitLocker to challenge for a PIN at startup.

What I can't find is how to set this PIN given the system is already encrypted?

I have also come across http://technet.microsoft.com/en-us/library/dd875532%28WS.10%29.aspx and am curious to know which of these recommendations it is safe to apply to an already encrypted system?

Best Answer

Found the answer, assuming you have BitLocker up and running, make the changes:

To enable TPM & PIN at boot:

Using the Group Policy Editor (Start -> gpedit.msc and press Enter), go to :

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

and open the key

"Require additional authentication at startup"

Then enable that key and set "Configure TPM startup PIN:" to "Require startup PIN with TPM".

To set the actual PIN, run in a CMD prompt:

manage-bde -protectors -add c: -TPMAndPIN

This will prompt you for a PIN, which it then requires you to enter at boot.
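The two steps in the answer above (policy, then protector), as an added PowerShell example that is not part of the original answer. It writes the local-policy values directly to the registry instead of clicking through gpedit.msc; the value names under HKLM\SOFTWARE\Policies\Microsoft\FVE and their meanings (0 = Do not allow, 1 = Require, 2 = Allow) are my reading of the policy template and should be checked against gpedit.msc on your machine. It assumes an elevated prompt on Windows 7, C: as the OS drive, and no domain policy overriding local policy. It also lists the existing protectors first, so you can confirm a recovery password protector exists before changing startup authentication on an already-encrypted drive.

```powershell
# Added example (not from the original page): switch an already-encrypted
# Windows 7 OS drive from TPM-only to TPM+PIN startup authentication.
# Assumptions: elevated PowerShell, C: is the OS drive, local policy is not
# overridden by a domain GPO, and the FVE registry value names below match
# the "Require additional authentication at startup" policy template.

$OsDrive = 'C:'
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Local policy equivalent of enabling "Require additional authentication at
#    startup" with "Configure TPM startup PIN" = "Require startup PIN with TPM".
if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
$policyValues = @{
    UseAdvancedStartup = 1   # policy Enabled
    EnableBDEWithNoTPM = 0   # still require a TPM
    UseTPM             = 0   # TPM alone: Do not allow
    UseTPMPIN          = 1   # TPM + PIN: Require
    UseTPMKey          = 0   # TPM + startup key: Do not allow
    UseTPMKeyPIN       = 0   # TPM + key + PIN: Do not allow
}
foreach ($name in $policyValues.Keys) {
    Set-ItemProperty -Path $FvePolicy -Name $name -Value $policyValues[$name] -Type DWord
}

# 2. Look before you change anything: make sure a "Numerical Password"
#    (recovery) protector is listed, and note the existing TPM protector.
Write-Host "Protectors before the change:"
manage-bde -protectors -get $OsDrive

# 3. Add the TPM+PIN protector. manage-bde prompts for the PIN (twice).
manage-bde -protectors -add $OsDrive -TPMAndPIN
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde returned exit code $LASTEXITCODE; the protector was not added."
}

# 4. Verify that the new protector is present before rebooting.
$after = manage-bde -protectors -get $OsDrive
if ($after -match 'TPM And PIN') {
    Write-Host "TPM+PIN protector present. Reboot to confirm the PIN prompt appears."
} else {
    Write-Warning "No 'TPM And PIN' protector found; review the manage-bde output above."
}
```

If the protector add fails, nothing about the existing encryption has changed, so the machine still boots with the TPM-only protector; check the policy values with gpedit.msc and re-run step 3. Keep the recovery password from step 2 somewhere safe before the first reboot, since a mistyped PIN at the boot prompt is recovered with it.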
