My BitLocker is Missing Parts of the Set-up Process?


  1. Posts : 4,187
    Windows 11 Pro, 22H2
       #11

    If I understand that correctly, I think that the key is in the first line when it says "PIN-only". However, in your case, you want to ADD a PIN in addition to the security already provided by the TPM.

    I'm not trying to discourage you from adding a PIN, but I'm simply curious as to the reasoning. If you don't mind sharing, may I ask why you want to add a PIN? I just want to be sure that you are not misunderstanding what that will provide you. If you prefer not to say, that's fine.

    Also, be aware that you would lose some functionality such as the ability to reboot your system remotely via Remote Desktop because you would need to be in front of the system to provide the PIN.

    I need to test this so that I can give you a step-by-step. I'll need to set up a VM with TPM and then add a PIN to it. I'm currently juggling multiple issues at once so please be patient with me. It looks to be very simple, but I just need time to set up the test.


  2. Posts : 88
    Windows 10 Home
    Thread Starter
       #12

    hsehestedt said:
    If I understand that correctly, I think that the key is in the first line when it says "PIN-only". However, in your case, you want to ADD a PIN in addition to the security already provided by the TPM.

    I'm not trying to discourage you from adding a PIN, but I'm simply curious as to the reasoning. If you don't mind sharing, may I ask why you want to add a PIN? I just want to be sure that you are not misunderstanding what that will provide you. If you prefer not to say, that's fine.

    Also, be aware that you would lose some functionality such as the ability to reboot your system remotely via Remote Desktop because you would need to be in front of the system to provide the PIN.

    I need to test this so that I can give you a step-by-step. I'll need to set up a VM with TPM and then add a PIN to it. I'm currently juggling multiple issues at once so please be patient with me. It looks to be very simple, but I just need time to set up the test.
    Okay, yeah no rush. Thanks so much.

    So I would have to change it to Allow TPM then to have both a TPM and PIN, but when I did that it created a conflict and won't allow me to enable a PIN. I will try some more digging around.

    I have sensitive data, I wanted to use the maximum level of security. I don't want to get into what the data is or what I do, and whether it's over the top or not, it matches my needs and I would like to utilize the full features that BitLocker offers.


  3. Posts : 4,187
    Windows 11 Pro, 22H2
       #13

    Okay, looks like this is a lot easier than I expected.

    NOTE: This worked perfectly for me, but I would suggest making sure you have a good backup just in case something goes completely wrong. Also, I don't want you yelling at me if it doesn't work.

    I didn't have to change policy at all. Here is all I did:

    Open a command prompt as administrator.

    Run the command below: Note: I assume your OS drive is C:. If not, change the C: to the correct drive letter.

    Code:
    manage-bde -protectors -add C: -TPMandPIN
    It should ask you for the PIN that you want to use (twice).

    NOTE: I have no idea if this changes the Recovery Key for BitLocker. In File Explorer, I would suggest selecting Manage BitLocker and then backing up the Recovery Key again, just to be sure you have the current key in case this changes it.

    If you do end up comparing your old key vs the new one, I would just be interested in knowing if it changed so I can try to remember this for future reference.


  4. Posts : 88
    Windows 10 Home
    Thread Starter
       #14

    I will compare recovery keys afterwards and let you know.

    But I'm still stuck on some earlier steps. See below. So what should I have it set on? I followed several tutorials but it still is creating a conflict:

    In the right pane, double-click "Require additional authentication at startup" and a popup box will open.
    Make sure the "Enabled" option is chosen so that all other options below will be active.
    Uncheck the box for "Allow BitLocker without a compatible TPM."
    For the choice of "Configure TPM startup:", choose "Allow TPM."
    For the choice of "Configure TPM startup PIN:", choose "Require startup PIN with TPM."
    For the choice of "Configure TPM startup key:", choose "Allow startup key with TPM."
    For the choice of "Configure TPM startup key and PIN:", choose "Allow startup key and PIN with TPM."
    Click the "Apply" button and then the "OK" button to save the changes in the Local Group Policy Editor.


    [Screenshot attached: error.jpg]


  5. Posts : 2,800
    Windows 7 Pro
       #15


  6. Posts : 4,187
    Windows 11 Pro, 22H2
       #16

    Don't change it. As I noted, you don't need to set a policy. Simply leave it as "Not configured".


  7. Posts : 88
    Windows 10 Home
    Thread Starter
       #17

    hsehestedt said:
    Don't change it. As I noted, you don't need to set a policy. Simply leave it as "Not configured".
    You left yours as Not configured and CMD accepted the command successfully?
    I can try leaving it Not configured, but all the tutorials and others are saying you have to Enable that first, the "Require additional authentication at startup" in Local Group Policy Editor. Then do the CMD thing. Strange.

    Also, when you do enable the correct settings in the Local Group Policy Editor, a PIN option is added to the BitLocker wizard. See screenshot. What is the purpose of this PIN option in the BitLocker Wizard, how is that different than the CMD method?

    I'm so confused. Not doubting your instructions, just trying to understand the meaning of all this and the differences.

    [Screenshot attached: asdfa.jpg]

    - - - Updated - - -


    MaloK said:

    No, I had not, I just read through it several times, I'm very confused.

    I followed the tutorial you linked to and it matches the same settings, I used the elevated Group Policy and BitLocker window. But I get the Conflict error still when matching those settings. Also your instructions indicate to enable the Group Policy Editor settings, but hsehestedt up above is stating to leave it as not configured.

    [Screenshot attached: dsg.jpg]




    I also don't understand what is the difference between the CMD process of adding a PIN and the BitLocker Wizard option seen in this screenshot. This PIN option in the screenshot ONLY shows up when I enable the correct order of settings in Group Policy Editor (Allow vs. Require). I want Require, but that creates a conflict error.
    [Screenshot attached: asdfa.jpg]
    Last edited by jerry76; 18 Jan 2022 at 20:49.


  8. Posts : 2,800
    Windows 7 Pro
       #18

    I think this was part of the solution.

    Require additional authentication at startup
    Enable use of BitLocker authentication requiring preboot keyboard input on slates
    Allow enhanced PINs for startup.


  9. Posts : 4,187
    Windows 11 Pro, 22H2
       #19

    In my case, I did not enable the policy. I left it alone.

    In your case, because you altered the policy, I guess that exposed a PIN option in the UI. Since I had no such option in the UI, I had to do it via the command line.

    Remember, there is more than one way to do many things in Windows. Often, you will get more functionality from the command line.

    In fact, Microsoft is specifically going the route of purposely exposing fewer items in the GUI, especially in Server. Many of the GUI elements are now just front ends for PowerShell commands as an example.

    Bottom line - I was simply showing what I did that worked for me. It was easy and straightforward, so that was the route I took.


  10. Posts : 88
    Windows 10 Home
    Thread Starter
       #20

    hsehestedt said:
    In my case, I did not enable the policy. I left it alone.

    In your case, because you altered the policy, I guess that exposed a PIN option in the UI. Since I had no such option in the UI, I had to do it via the command line.

    Remember, there is more than one way to do many things in Windows. Often, you will get more functionality from the command line.

    In fact, Microsoft is specifically going the route of purposely exposing fewer items in the GUI, especially in Server. Many of the GUI elements are now just front ends for PowerShell commands as an example.

    Bottom line - I was simply showing what I did that worked for me. It was easy and straightforward, so that was the route I took.
    Okay, so I tried first what worked for you, with the Group Policy Editor settings as NOT CONFIGURED. It failed. CMD gave me this message:
    [Screenshot attached: errot.jpg]

    Once I enabled the "Require additional authentication at startup", the PIN via CMD function worked.
    [Screenshot attached: succfe.jpg]

    So it appears you have to enable it first in the Group Policy Editor, or at least for me, then the additional PIN option that shows up in the BitLocker Wizard is just an alternative way of adding the PIN. It's not a different type of PIN, just another method of doing it. Much less crude than CMD.


    Also, to answer your question, no, the recovery keys did not change. They are the same.

    Now the one thing I don't know still is, about 50% of the tutorials (including MaloK up above) said you also have to enable this setting: "Enable use of BitLocker authentication requiring preboot keyboard input on slates", which would make sense. But the other 50% did not mention it. So why is it there if you don't need to enable it? I will test tomorrow and see if it's needed.
    [Screenshot attached: dvcds.jpg]
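Putting together post #13 (adding the TPM+PIN protector from the command line) and post #20 (the add only succeeds once "Require additional authentication at startup" is enabled), here is an added PowerShell script that is not from either poster: it checks the policy first, lists the current protectors, adds a TPM+PIN protector only when the policy allows one, and confirms afterwards that the recovery password protector is still there. The registry path and value names (UseAdvancedStartup, UseTPMPIN) are my assumptions about where the Local Group Policy setting is stored; the BitLocker cmdlets are the standard ones.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# machine being protected. Assumes the OS volume is C:.
$MountPoint = 'C:'
# Assumption: this is where the "Require additional authentication at startup"
# policy lands when it is Enabled; the key is absent when Not configured.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Read the policy. UseTPMPIN: 0 = do not allow PIN, 1 = require PIN, 2 = allow PIN.
# A missing value reads as $null, which [int] turns into 0 (treated as "not enabled").
$policy          = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$advancedStartup = [int]$policy.UseAdvancedStartup
$useTpmPin       = [int]$policy.UseTPMPIN

if ($advancedStartup -ne 1 -or $useTpmPin -eq 0) {
    Write-Warning "'Require additional authentication at startup' is not enabled or does not allow a TPM PIN."
    Write-Warning "Enable it under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, then re-run."
    return   # stop before touching the volume, the same point where manage-bde failed in post #20
}

# Show what protects the volume today; a default setup has Tpm + RecoveryPassword.
$before = Get-BitLockerVolume -MountPoint $MountPoint
$before.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

if ($before.KeyProtector.KeyProtectorType -contains 'TpmPin') {
    Write-Host "A TPM+PIN protector is already present; nothing to add."
    return
}

# Prompt for the PIN as a SecureString so it does not land in the console history.
$pin = Read-Host -Prompt 'Enter the new startup PIN' -AsSecureString

# Equivalent of: manage-bde -protectors -add C: -TPMandPIN
# Adding a TPM-based protector replaces the existing TPM-only protector on the OS volume.
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# Verify: TpmPin should now be listed instead of Tpm, and the recovery password protector
# (same ID as before, matching what the thread starter observed) should be untouched.
$after = Get-BitLockerVolume -MountPoint $MountPoint
$after.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

$recovery = $after.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if ($recovery) {
    Write-Host "Recovery password protector $($recovery.KeyProtectorId) is still present."
    Write-Host "Back it up again (Manage BitLocker > Back up your recovery key) if you have any doubt."
} else {
    Write-Warning "No recovery password protector found; add one before rebooting."
}
```

After the script runs, a reboot will prompt for the PIN before Windows loads, which is also why post #11 notes that unattended remote reboots stop working.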

