Is my computer safe without a Bitlocker password?


  1. Posts : 289
    Windows 10 Pro 21H2
       #1



    I encrypted my entire drive, and everything went fine. I notice there is no preboot password though, it just uses my normal login screen password. My other older computers have Veracrypt on them. You can't do a thing with those until you enter the password first. This does not seem safe to me. If my pc is stolen, can't they just bypass the simple screen login and still get into my computer just as they could with no encryption?


  2. Posts : 809
    Win10
       #2

    You can enable pre-boot authentication (referred to as the PIN) through group policy. Even without the startup PIN you are protected from someone getting access to your data after removing the drive or booting to a different OS. And as long as you have a strong Windows login password there's no way they can bypass the Windows login while the drive is unlocked.

    I don't know why MS doesn't expose this option in the normal Bitlocker UI. Maybe they didn't want people to easily enable the PIN, forget it, and have no way to recover the system without another computer.

    Look at Turn On or Off BitLocker for Operating System Drive in Windows 10 Security System Tutorials to enable the startup PIN.
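The pre-boot PIN this post describes can be turned on from an elevated PowerShell session instead of the Group Policy editor. The script below is an added example, not code from the thread or from Microsoft; it assumes a TPM-equipped machine on which C: is the BitLocker-protected OS drive currently holding a TPM-only protector, and it writes the registry values that back the "Require additional authentication at startup", "Allow enhanced PINs for startup" and "Configure minimum PIN length for startup" policies before adding the TPM+PIN protector. The minimum PIN length of 8 is an assumption to adjust.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumes: elevated PowerShell, a TPM-equipped
# machine, and C: as the BitLocker-protected OS drive with a TPM-only protector.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

# Registry backing of "Require additional authentication at startup" (Operating
# System Drives) set to require TPM + PIN, plus the enhanced-PIN and minimum-PIN
# policies. Without this policy Add-BitLockerKeyProtector -TpmAndPinProtector is
# refused, which is why the normal BitLocker UI never offers the PIN.
$settings = @{
    UseAdvancedStartup = 1  # policy enabled
    EnableBDEWithNoTPM = 0  # no BitLocker without a compatible TPM
    UseTPM             = 0  # TPM-only: do not allow
    UseTPMPIN          = 1  # TPM + PIN: require
    UseTPMKey          = 0  # TPM + startup key: do not allow
    UseTPMKeyPIN       = 0  # TPM + startup key + PIN: do not allow
    UseEnhancedPin     = 1  # allow letters and symbols in the PIN, not just digits
    MinimumPIN         = 8  # assumption: choose the length your threat model needs
}
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $policy -Name $name -PropertyType DWord `
        -Value $settings[$name] -Force | Out-Null
}

# Make sure a recovery password exists before touching TPM protectors; a
# forgotten PIN is otherwise unrecoverable, which is the concern raised above.
$vol = Get-BitLockerVolume -MountPoint 'C:'
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    $vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
    Write-Warning 'New recovery password created; print it or save it with Backup-BitLockerKeyProtector now.'
}

# Add the TPM+PIN protector. A volume holds only one TPM-based protector, so this
# supersedes the TPM-only one; the check below confirms none is left behind.
$pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin | Out-Null

# Defensive check: a surviving TPM-only protector would unlock the drive without
# the PIN and silently defeat the whole exercise.
foreach ($kp in (Get-BitLockerVolume -MountPoint 'C:').KeyProtector) {
    if ($kp.KeyProtectorType -eq 'Tpm') {
        Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}
$types = @((Get-BitLockerVolume -MountPoint 'C:').KeyProtector.KeyProtectorType)
if ('TpmPin' -in $types -and 'Tpm' -notin $types) {
    "C: now requires TPM + PIN before Windows boots (protectors: $($types -join ', '))"
} else {
    Write-Warning "Unexpected protector set on C: $($types -join ', ')"
}
```

Reboot once to confirm the PIN prompt appears before the Windows logo; if the TPM measurements change later (firmware update, boot order change) BitLocker will ask for the recovery password instead, which is why the script insists on one being present first.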


  3. Posts : 289
    Windows 10 Pro 21H2
    Thread Starter
       #3

    PolarNettles said:
    You can enable pre-boot authentication (referred to as the PIN) through group policy. Even without the startup PIN you are protected from someone getting access to your data after removing the drive or booting to a different OS. And as long as you have a strong Windows login password there's no way they can bypass the Windows login while the drive is unlocked.

    I don't know why MS doesn't expose this option in the normal Bitlocker UI. Maybe they didn't want people to easily enable the PIN, forget it, and have no way to recover the system without another computer.

    Look at Turn On or Off BitLocker for Operating System Drive in Windows 10 Security System Tutorials to enable the startup PIN.

    Thanks for the link. So then, does my TPM chip have to OK the Windows login password to allow the drive to unlock and be read? If so, then I really don't need to set a PIN?


  4. Posts : 809
    Win10
       #4

    No, the TPM does not validate your Windows password. That's still managed internally by Windows (since Windows has to work even without a TPM) after the drive is unlocked. But BitLocker does use the TPM to validate "early boot components and boot configuration data" to make sure there's no malware injected into your boot files.

    So if there happens to be some hack that can expose your Windows password while you're sitting at the login screen then your data would be exposed. Of course, that's not specifically a BitLocker issue.

    If you want to protect against such a possibility then a PIN would be needed.


  5. Posts : 289
    Windows 10 Pro 21H2
    Thread Starter
       #5

    PolarNettles said:
    No, the TPM does not validate your Windows password. That's still managed internally by Windows (since Windows has to work even without a TPM) after the drive is unlocked. But BitLocker does use the TPM to validate "early boot components and boot configuration data" to make sure there's no malware injected into your boot files.

    So if there happens to be some hack that can expose your Windows password while you're sitting at the login screen then your data would be exposed. Of course, that's not specifically a BitLocker issue.

    If you want to protect against such a possibility then a PIN would be needed.

    Thank you for helping me out. I decrypted my computer and set up an advanced PIN, so now I can use my easy-to-remember but hard-to-crack password that I use with Veracrypt. I will now encrypt it that way. But with that said....

    I'm still unsure of this BitLocker screen lock password. With my PC decrypted now, and my screen lock disabled, I was able to set up BitLocker for whole-drive encryption without the screen lock enabled. It was all ready to encrypt the drive. I wonder, if I had done that, whether the computer would just simply boot right up without having to enter any password/PIN. Strange encryption; I sure hope Veracrypt comes out with a solution for the newer computers, but it's not looking good.


  6. Posts : 809
    Win10
       #6

    Yes, you can setup BitLocker with no password at all. I don't know why Microsoft allows this but you are correct that it means if someone stole your entire system then they could just boot into Windows. You would still be protected if they just ripped out the hard drive though.
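The situation this post describes (a machine that boots straight to the logon screen because the OS drive has only a TPM protector) is easy to detect. The function below is an added example, not code from the thread or from Microsoft; it assumes an elevated session and reports, for every BitLocker volume, which key protectors are present and what a thief holding the whole machine would face. The exposure labels are this example's own wording.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Classifies each BitLocker volume by what a
# thief with the entire machine would have to get past. Assumes an elevated session.

function Get-BitLockerBootExposure {
    [CmdletBinding()]
    param()

    # TpmPresent / TpmReady tell us whether a TPM-based protector is even possible.
    $tpm = Get-Tpm

    foreach ($vol in Get-BitLockerVolume) {
        $types       = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasRecovery = 'RecoveryPassword' -in $types

        if ($vol.ProtectionStatus -ne 'On') {
            # Decrypted, still encrypting, or suspended: the key is on disk in the clear.
            $exposure = 'NONE: protection is off or suspended; the disk is readable without any key'
        } elseif ($vol.VolumeType -eq 'OperatingSystem') {
            if ('TpmPin' -in $types -or 'TpmPinStartupKey' -in $types) {
                $exposure = 'PRE-BOOT AUTH: PIN required before Windows starts'
            } elseif ('TpmStartupKey' -in $types) {
                $exposure = 'STARTUP KEY: USB key required before Windows starts'
            } elseif ('Tpm' -in $types) {
                # The case discussed in the thread: the TPM releases the key on a clean
                # boot, so only the Windows logon stands between the thief and the data.
                $exposure = 'TPM-ONLY: whole machine boots to the logon screen without any PIN'
            } elseif ('Password' -in $types) {
                $exposure = 'PASSWORD: OS drive password required at boot (no TPM binding)'
            } else {
                $exposure = "UNKNOWN: protectors $($types -join ', ')"
            }
        } else {
            # Data volumes: an ExternalKey protector is how auto-unlock is implemented.
            $exposure = if ('ExternalKey' -in $types) {
                'DATA VOLUME: auto-unlocks once the OS drive is unlocked'
            } else {
                'DATA VOLUME: unlocked by its own password or recovery key'
            }
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = [string]$vol.VolumeType
            EncryptionMethod = [string]$vol.EncryptionMethod
            ProtectionStatus = [string]$vol.ProtectionStatus
            Protectors       = $types -join ', '
            HasRecoveryKey   = $hasRecovery
            TpmReady         = [bool]$tpm.TpmReady
            Exposure         = $exposure
        }
    }
}

Get-BitLockerBootExposure | Format-Table -AutoSize -Wrap
```

A row showing `Tpm` alone under Protectors with ProtectionStatus On is exactly the "no password at all" configuration: the data is safe if the drive is pulled out, but not if the whole computer walks away and the Windows logon can be bypassed.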


  7. Posts : 289
    Windows 10 Pro 21H2
    Thread Starter
       #7

    PolarNettles said:
    Yes, you can setup BitLocker with no password at all. I don't know why Microsoft allows this but you are correct that it means if someone stole your entire system then they could just boot into Windows. You would still be protected if they just ripped out the hard drive though.

    I just thought of something else. My other desktop (no TPM) has two drives, one cloned, and both have been encrypted with Veracrypt. They both boot and run just fine in the same computer. So, I just cloned the drive in my new one; can I encrypt both in the new machine, which has the TPM, and will they both boot to that TPM, or will there be a problem with the key produced with the TPM for each drive?


  8. Posts : 809
    Win10
       #8

    I'm not quite clear on what you're asking. Are you trying to clone a BitLocker-encrypted drive and booting to the clone?

    I believe this should be possible if you do a sector-by-sector clone. The partition table, bootloader, boot manager settings, and OS boot files need to be identical.


  9. Posts : 289
    Windows 10 Pro 21H2
    Thread Starter
       #9

    PolarNettles said:
    I'm not quite clear on what you're asking. Are you trying to clone a BitLocker-encrypted drive and booting to the clone?

    I believe this should be possible if you do a sector-by-sector clone. The partition table, bootloader, boot manager settings, and OS boot files need to be identical.

    I did a sector-by-sector clone. But when I install the cloned disk into my computer and encrypt it, it will generate a new key from the TPM to the OS; will the TPM still recognize the other drive since the encryption keys will be different?


  10. Posts : 809
    Win10
       #10

    Oh, so both drives are unencrypted and you want to boot to each one individually and encrypt them? In that case the keys would be different and you wouldn't be able to boot.

    I was thinking that you were cloning a drive that was already encrypted by Bitlocker.


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd