Windows 10: Is my computer safe without a Bitlocker password?

  1.    02 Jan 2018 #1

    Is my computer safe without a Bitlocker password?


    I encrypted my entire drive, and everything went fine. I notice there is no preboot password though, it just uses my normal login screen password. My other older computers have Veracrypt on them. You can't do a thing with those until you enter the password first. This does not seem safe to me. If my pc is stolen, can't they just bypass the simple screen login and still get into my computer just as they could with no encryption?

  2.    02 Jan 2018 #2

    You can enable pre-boot authentication (referred to as the PIN) through group policy. Even without the startup PIN you are protected from someone getting access to your data after removing the drive or booting to a different OS. And as long as you have a strong Windows login password there's no way they can bypass the Windows login while the drive is unlocked.

    I don't know why MS doesn't expose this option in the normal Bitlocker UI. Maybe they didn't want people to easily enable the PIN, forget it, and have no way to recover the system without another computer.

    Look at Turn On or Off BitLocker for Operating System Drive in Windows 10 Security System Tutorials to enable the startup PIN.

  3.    02 Jan 2018 #3

    PolarNettles said:
    You can enable pre-boot authentication (referred to as the PIN) through group policy. Even without the startup PIN you are protected from someone getting access to your data after removing the drive or booting to a different OS. And as long as you have a strong Windows login password there's no way they can bypass the Windows login while the drive is unlocked.

    I don't know why MS doesn't expose this option in the normal Bitlocker UI. Maybe they didn't want people to easily enable the PIN, forget it, and have no way to recover the system without another computer.

    Look at Turn On or Off BitLocker for Operating System Drive in Windows 10 Security System Tutorials to enable the startup PIN.
    Thanks for the link. So then, does my TPM chip have to OK the Windows login password to allow the drive to unlock and be read? If so, then I really don't need to set a PIN?

  4.    02 Jan 2018 #4

    No, the TPM does not validate your Windows password. That's still managed internally by Windows (since Windows has to work even without a TPM) after the drive is unlocked. But BitLocker does use the TPM to validate "early boot components and boot configuration data" to make sure there's no malware injected into your boot files.

    So if there happens to be some hack that can expose your Windows password while you're sitting at the login screen then your data would be exposed. Of course, that's not specifically a BitLocker issue.

    If you want to protect against such a possibility then a PIN would be needed.

  5.    03 Jan 2018 #5

    PolarNettles said:
    No, the TPM does not validate your Windows password. That's still managed internally by Windows (since Windows has to work even without a TPM) after the drive is unlocked. But BitLocker does use the TPM to validate "early boot components and boot configuration data" to make sure there's no malware injected into your boot files.

    So if there happens to be some hack that can expose your Windows password while you're sitting at the login screen then your data would be exposed. Of course, that's not specifically a BitLocker issue.

    If you want to protect against such a possibility then a PIN would be needed.
    Thank you for helping me out. I decrypted my computer and set up an advanced PIN, now I can use my easy to remember but hard to crack password that I use with Veracrypt. I will now encrypt it that way. But with that said....

    I'm still unsure of this BitLocker screen lock password. With my PC decrypted now, and my screen lock disabled, I was able to set up BitLocker for whole drive encryption without the screen lock enabled. It was all ready to encrypt the drive. I wonder, if I had done that, if the computer would just simply boot right up without having to enter any pass/PIN. Strange encryption, I sure hope Veracrypt comes out with a solution for the newer computers, but it's not looking good.

  6.    03 Jan 2018 #6

    Yes, you can set up BitLocker with no password at all. I don't know why Microsoft allows this but you are correct that it means if someone stole your entire system then they could just boot into Windows. You would still be protected if they just ripped out the hard drive though.
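    Added example (not posted by anyone in this thread): a PowerShell check, run from an elevated prompt, that reports whether the OS volume is TPM-only or has pre-boot authentication, and what the startup PIN group policy currently allows. It assumes the built-in BitLocker PowerShell module and the policy registry key HKLM:\SOFTWARE\Policies\Microsoft\FVE.

```powershell
#Requires -RunAsAdministrator
# Added example: report how the BitLocker OS volume unlocks at boot.

$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

# Protectors that make the user supply something before Windows starts.
$interactive = 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password'
$hasPreBoot  = @($types | Where-Object { $_ -in $interactive }).Count -gt 0

$assessment = if ($vol.ProtectionStatus -ne 'On') {
    'Protection is off or suspended: the volume key is not protected.'
} elseif ($hasPreBoot) {
    'Pre-boot authentication is configured.'
} elseif ($types -contains 'Tpm') {
    'TPM-only: the drive unlocks by itself and boots to the Windows sign-in screen.'
} else {
    'No TPM or pre-boot protector found; review the protector list.'
}

# Group Policy "Require additional authentication at startup" is stored here.
# UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$pinPolicy = 'not configured'
if ($null -ne $fve -and $null -ne $fve.UseTPMPIN) {
    $pinPolicy = @{ 0 = 'not allowed'; 1 = 'required'; 2 = 'allowed' }[[int]$fve.UseTPMPIN]
}

[pscustomobject]@{
    Volume           = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    Protectors       = $types -join ', '
    StartupPinPolicy = $pinPolicy
    Assessment       = $assessment
} | Format-List

# Once the policy allows it, a startup PIN can be added with:
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector `
#       -Pin (Read-Host -AsSecureString 'Startup PIN')
```

    A RecoveryPassword protector in the list is the recovery key, not pre-boot authentication, so it does not change the assessment.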

  7.    03 Jan 2018 #7

    PolarNettles said:
    Yes, you can set up BitLocker with no password at all. I don't know why Microsoft allows this but you are correct that it means if someone stole your entire system then they could just boot into Windows. You would still be protected if they just ripped out the hard drive though.
    I just thought of something else. My other desktop (no TPM) has two drives, one cloned, and both have been encrypted with Veracrypt. They both boot and run just fine in the same computer. So, I just cloned the drive in my new one, can I encrypt both in the new machine which has the TPM, and will they both boot to that TPM, or will there be a problem with the key produced with the TPM for each drive?

  8.    03 Jan 2018 #8

    I'm not quite clear on what you're asking. Are you trying to clone a BitLocker-encrypted drive and booting to the clone?

    I believe this should be possible if you do a sector-by-sector clone. The partition table, bootloader, boot manager settings, and OS boot files need to be identical.

  9.    03 Jan 2018 #9

    PolarNettles said:
    I'm not quite clear on what you're asking. Are you trying to clone a BitLocker-encrypted drive and booting to the clone?

    I believe this should be possible if you do a sector-by-sector clone. The partition table, bootloader, boot manager settings, and OS boot files need to be identical.
    I did a sector by sector clone. But when I install the cloned disk into my computer and encrypt it, it will generate a new key from the TPM to OS, will the TPM still recognize the other drive since the encryption keys will be different?

  10.    03 Jan 2018 #10

    Oh, so both drives are unencrypted and you want to boot to each one individually and encrypt them? In that case the keys would be different and you wouldn't be able to boot.

    I was thinking that you were cloning a drive that was already encrypted by Bitlocker.


 
