How to enable/configure BitLocker authentication


  1. Posts : 58
    Windows 10 Pro
       #1

    How to enable/configure BitLocker authentication


    I have a laptop with TPM running Windows 10 Pro Version 20H2 (OS Build 19042.1415) and followed these instructions to set up BitLocker:

    How to Set Up BitLocker Encryption on Windows

    Step 2 is titled "Choose an Unlock Method" and says:

    The first screen you’ll see in the “BitLocker Drive Encryption” wizard lets you choose how to unlock your drive. You can select several different ways of unlocking the drive.
    and

    If your computer does have a TPM, you’ll see additional options for unlocking your system drive. For example, you can configure automatic unlocking at startup (where your computer grabs the encryption keys from the TPM and automatically decrypts the drive). You could also use a PIN instead of a password, or even choose biometric options like a fingerprint.
    When I went through the BitLocker setup process I was never presented with any of these choices. When I boot up my computer the only required authentication is my Windows password, which was true before I set up BitLocker.

    When I open Windows explorer my C: drive icon has a little lock icon on top of it and if I right click the drive and click "Manage BitLocker" a window pops up that says "OS (C:) BitLocker on".

    Why was I never given any of the authentication options mentioned in the link above during the BitLocker setup process? How do I change this?


  2. Posts : 42,735
    Win 10 Pro (22H2) (2nd PC is 22H2)
       #2

    Hi, does your PC configuration and TPM meet these requirements?
    https://docs.microsoft.com/en-us/win...quirements-faq

    Note: this is linked from the tenforums tutorial
    Turn On or Off BitLocker for Operating System Drive in Windows 10

    One of a series of tutorials on bitlocker in the very extensive Tutorials section - link at the top.

    tenforums tutorials have a list of related tutorials linked following the main text.


  3. Posts : 58
    Windows 10 Pro
    Thread Starter
       #3

    Thanks for posting that tutorial. My PC has TPM 2.0. I'm reading through the tutorial and the options shown in step 4e seem kind of confusing to me.

    Why would a choice be given between "allowing" a security method or "requiring" it? If I enabled BitLocker and one or more security measure(s), wouldn't I always want to "require" it/them? What would be the point of enabling a security measure that could be ignored?

    Similarly, I don't understand why "Configure TPM startup PIN", "Configure TPM startup key" and "Configure TPM startup key and PIN" need to be 3 separate options. The third option seems redundant. It seems like all of the possible values of the third option are already covered by the possible value combinations of the first two. What am I missing here?

    Finally why is there an option to "Do not allow TPM"? Don't all of the other options listed depend on the TPM being enabled, i.e. they all say "with TPM"?


  4. Posts : 1,052
    windows 10
       #4

    In a professional environment, requiring and allowing makes more sense...

    It is not possible to configure "Configure TPM startup PIN" and "Configure TPM startup key" at the same time in the BitLocker menu (in step 10 of the tutorial), so Microsoft has put "Configure TPM startup key and PIN".

    "Do not allow TPM" is not to disable the TPM, but not to use the TPM to unlock the HDD/SSD automatically.


  5. Posts : 58
    Windows 10 Pro
    Thread Starter
       #5

    itsme1 said:
    In a professional environment, requiring and allowing makes more sense...
    I'm not sure I follow what you mean by this. The menu gives the option of either requiring OR allowing. I'm just asking why someone would implement a security measure but then make it optional (i.e. "allowing" instead of "requiring").

    itsme1 said:
    It is not possible to configure "Configure TPM startup PIN" and "Configure TPM startup key" at the same time in the BitLocker menu (in step 10 of the tutorial), so Microsoft has put "Configure TPM startup key and PIN".
    I see that the menu in step 10 doesn't allow you to specify both a key and a PIN, but that still doesn't explain why "Configure TPM startup PIN", "Configure TPM startup key" and "Configure TPM startup key and PIN" need to be 3 separate options in the menu shown in step 4. The third option seems redundant. It seems like all of the possible values of the third option are already covered by the possible value combinations of the first two.

    itsme1 said:
    "Do not allow TPM" is not to disable the TPM, but not to use the TPM to unlock the HDD/SSD automatically.
    But if I set the first menu, "Configure TPM startup", to "Require TPM", shouldn't that invalidate all of the other 3 menus, as I've now specified that the TPM alone will be used to unlock the HDD/SSD? These menus are very confusing.


  6. Posts : 1,052
    windows 10
       #6

    Citizen Snips said:
    I'm not sure I follow what you mean by this. The menu gives the option of either requiring OR allowing. I'm just asking why someone would implement a security measure but then make it optional (i.e. "allowing" instead of "requiring").
    For example, in a company, the IT project manager configures "allowing" for 2 options instead of "requiring" to leave the choice of authentication at startup to employees.

    Citizen Snips said:
    I see that the menu in step 10 doesn't allow you to specify both a key and a PIN, but that still doesn't explain why "Configure TPM startup PIN", "Configure TPM startup key" and "Configure TPM startup key and PIN" need to be 3 separate options in the menu shown in step 4. The third option seems redundant. It seems like all of the possible values of the third option are already covered by the possible value combinations of the first two.
    In the menu shown in step 4 it is only possible to require one option. Still, in business, if IT wants to require only key and PIN together, it needs this third option, "Configure TPM startup key and PIN". And also, as I said in my previous comment and explained otherwise, if IT allows "Configure TPM startup PIN" and "Configure TPM startup key" in the Local Group Policy Editor, employees could not configure both at the same time for startup in step 10 of the tutorial in the "BitLocker Drive Encryption" wizard. And the BitLocker Drive Encryption wizard must not allow this possibility, because the employees could configure something that IT would not.

    Citizen Snips said:
    But if I set the first menu, "Configure TPM startup", to "Require TPM", shouldn't that invalidate all of the other 3 menus, as I've now specified that the TPM alone will be used to unlock the HDD/SSD? These menus are very confusing.
    Yes, the setting "Configure TPM startup" on "Require TPM" invalidates the other 3 menus. Menus are confusing because they are designed for businesses. To configure BitLocker startup authentication you should go through the BitLocker Drive Encryption wizard and leave the Local Group Policy Editor menus on allow.

    Note: in the BitLocker Drive Encryption wizard there is no "key and PIN" option; you have to configure it in the command line.
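    An added example, not from the thread or the tenforums tutorial: a PowerShell script that decodes the four "Require additional authentication at startup" drop-downs discussed above from the local policy registry key, lists which key protectors the OS drive actually has (a lone TPM protector is why the original poster sees no prompt at boot), and shows the command-line route post #6 mentions for the "key and PIN" combination the wizard does not offer. It assumes the built-in BitLocker module, the standard FVE policy value names, and uses E:\ as a placeholder for the startup-key USB stick.

```powershell
# Added example, not from the thread: decode the four "Require additional authentication at
# startup" drop-downs from the local policy key and compare them with the key protectors the
# OS drive really holds. Run elevated; E:\ is a placeholder for the startup-key USB stick.
function Get-BitLockerStartupPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
    # registry value name -> the Group Policy drop-down it backs
    $dropdowns = [ordered]@{
        UseTPM       = 'Configure TPM startup'
        UseTPMPIN    = 'Configure TPM startup PIN'
        UseTPMKey    = 'Configure TPM startup key'
        UseTPMKeyPIN = 'Configure TPM startup key and PIN'
    }
    $pol = if (Test-Path $fve) { Get-ItemProperty -Path $fve } else { $null }
    foreach ($name in $dropdowns.Keys) {
        $v = if ($pol) { $pol.$name } else { $null }
        [pscustomobject]@{
            Setting = $dropdowns[$name]
            Value   = if ($null -eq $v) { 'Not configured' } else { $meaning[[int]$v] }
        }
    }
}

function Show-OsDriveProtectors {
    # A lone "Tpm" protector means automatic unlock: no PIN or key prompt at boot,
    # which is exactly what the original poster observed.
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    'Protection {0}, {1}% encrypted' -f $vol.ProtectionStatus, $vol.EncryptionPercentage
    $vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
}
function Set-TpmPinAndStartupKeyProtector {
    # The wizard has no "key and PIN" choice (post #6), so add it here. Insist on a recovery
    # password first: once the PIN and USB key are required, losing either means recovery.
    param([string]$StartupKeyPath = 'E:\')
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw 'Add and back up a RecoveryPassword protector before changing startup auth.'
    }
    $pin = Read-Host -AsSecureString 'Startup PIN'
    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinAndStartupKeyProtector `
        -StartupKeyPath $StartupKeyPath -Pin $pin | Out-Null
    # Drop a leftover TPM-only protector, otherwise the drive still unlocks without PIN and key.
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $_.KeyProtectorId
        }
}
Get-BitLockerStartupPolicy | Format-Table -AutoSize
Show-OsDriveProtectors
```

    The equivalent of the add step with the older tool is `manage-bde -protectors -add C: -tpmandpinandstartupkey E:\`, which prompts for the PIN interactively; call `Set-TpmPinAndStartupKeyProtector` only after the policy table shows the "key and PIN" drop-down is allowed or required, or BitLocker rejects the protector.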

