Weird bitlocker settings


  1. Posts : 44
    Windows 10 Pro 64 Bit Build 1803
       #1

    Weird bitlocker settings


    So at my work and home I have been setting up BitLocker. Today at work I was setting up BitLocker on a PC and we could not get a password as an option to unlock the device. The only option we get is to either use a USB or a PIN. As per the compliance officer we have to require an encryption passphrase upon boot and I am not big on PINs. How do I get my passphrase ability back? Thanks.


  2. Posts : 5,478
    2004
       #2

    Do you have TPM? You can check with the Get-Tpm PowerShell command, from an elevated command prompt:
    Code:
    Microsoft Windows [Version 10.0.10586]
    (c) 2015 Microsoft Corporation. All rights reserved.
    
    C:\WINDOWS\system32>powershell
    Windows PowerShell
    Copyright (C) 2015 Microsoft Corporation. All rights reserved.
    
    PS C:\WINDOWS\system32> get-tpm
    
    
    TpmPresent          : False
    TpmReady            : False
    ManufacturerId      : 0
    ManufacturerVersion :
    ManagedAuthLevel    : Full
    OwnerAuth           :
    OwnerClearDisabled  : True
    AutoProvisioning    : NotDefined
    LockedOut           : False
    LockoutCount        :
    LockoutMax          :
    SelfTest            :
    
    
    
    PS C:\WINDOWS\system32>
    If so, the TPM enters the password for you and your system is protected by your Windows password. Only if you don't have a TPM can you enter a password.

    In addition you can enter a PIN and/or use a USB key. A pin is recommended and can be alphanumeric.

    What is the best practice for using BitLocker on an operating system drive?

    The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or 2.0 and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.

    Can PIN length and complexity be managed with Group Policy?

    Yes and No. You can configure the minimum personal identification number (PIN) length by using the Configure minimum PIN length for startup Group Policy setting and allow the use of alphanumeric PINs by enabling the Allow enhanced PINs for startup Group Policy setting. However, you cannot require PIN complexity by Group Policy.
    Source

    You might like to read this thread - it has some discussion / explanations when someone had a similar question. Installed Bitlocker does not ask for password on computer start-up! - Windows 10 Forums


  3. Posts : 44
    Windows 10 Pro 64 Bit Build 1803
    Thread Starter
       #3

    All of our laptops have the TPM chip but this is the first one that asks for a PIN or USB. I know how the TPM works, and also you cannot use the alphabet in a PIN (we tried). Otherwise I think once the alphabet gets involved your PIN is now called a passphrase.

    Any ideas on how to get the passphrase option again, or could anyone tell me why I would want less security?


  4. Posts : 149
    Windows 10 Pro x64
       #4


  5. Posts : 5,478
    2004
       #5

    DMGrier said:
    All of our laptops have the TPM chip but this is the first one that asks for a PIN or USB. I know how the TPM works, and also you cannot use the alphabet in a PIN (we tried). Otherwise I think once the alphabet gets involved your PIN is now called a passphrase.
    You need to check group policy. Requiring pin or usb (or both) and allowing alpha characters in pin are defined in these 2 settings. What do you have?

    [Attached screenshots: enhanced-pin.png, require-pin.png]


  6. Posts : 44
    Windows 10 Pro 64 Bit Build 1803
    Thread Starter
       #6

    Okay, so I found the answer: I needed to turn off TPM in the BIOS for this to work. If enabled, even in GPO you cannot get it to prompt for a passphrase. I know some might find it weird that we want this, but in my organization we feel a little safer if the computer gets stolen, knowing they would have to get past the encryption password prompt before the Windows login.


  7. Posts : 5,478
    2004
       #7

    Glad you got it sorted
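
The checks discussed in this thread (TPM state, the startup-authentication Group Policy settings, and the resulting unlock method) can be gathered in one read-only report. This is an added example, not code from any poster; it assumes an elevated PowerShell prompt, the BitLocker module that ships with Windows 10 Pro, and that the policies are stored as values under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`.

```powershell
# Added example: read-only report of which BitLocker startup unlock options
# this machine is configured for. Run from an elevated PowerShell prompt.

# 1. TPM state, the same check shown in post #2.
$tpm = Get-Tpm
"TPM present: {0}   TPM ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady

# 2. Values written by the Group Policy settings "Require additional
#    authentication at startup", "Allow enhanced PINs for startup" and
#    "Configure minimum PIN length for startup".
$fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
$policy  = Get-ItemProperty -Path $fvePath -ErrorAction SilentlyContinue

if (-not $policy) {
    'No BitLocker policy values are set; Windows defaults apply.'
} else {
    # Per-protector choices for TPM, TPM+PIN, TPM+USB key, TPM+PIN+USB key.
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        $value = $policy.$name
        $text  = if ($null -eq $value) { 'Not configured' } else { $meaning[[int]$value] }
        '{0,-20}: {1}' -f $name, $text
    }
    # On/off switches; EnableBDEWithNoTPM is the "allow BitLocker without a
    # compatible TPM" checkbox, UseEnhancedPin allows alphanumeric PINs.
    foreach ($name in 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseEnhancedPin') {
        $value = $policy.$name
        $text  = if ($null -eq $value) { 'Not configured' } elseif ($value -eq 1) { 'Enabled' } else { 'Disabled' }
        '{0,-20}: {1}' -f $name, $text
    }
    $minPin = if ($null -eq $policy.MinimumPIN) { 'Not configured' } else { $policy.MinimumPIN }
    '{0,-20}: {1}' -f 'MinimumPIN', $minPin
}

# 3. Key protectors actually present on the operating system drive.
$volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types  = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
'{0,-20}: {1}' -f 'Protection status', $volume.ProtectionStatus
'{0,-20}: {1}' -f 'Key protectors', ($types -join ', ')

# 4. Summarise what the protectors mean at boot.
if ($types -contains 'Tpm') {
    'TPM-only protector: the drive unlocks at boot with no prompt.'
}
if ($types -contains 'Password') {
    'Password protector: a passphrase is requested before Windows starts.'
}
```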


 
