Laptop Security Encryption

lx07 said:

Good news

Yes it is easy to change.

You can see what protectors are defined :
manage-bde -protectors -get c:
change the pin :
manage-bde -changepin c:
or delete it :
manage-bde -protectors -delete c: -type tpmandpin

Don't bother writing down the details - you only need the recovery key.

What you just typed with the protectors.


So if i want to change it... just do step 2? Then type the pin?

If i want to delete it... just do step 3?

If i want to do delete it for now...but put it one later on in the future... just do step 3? Then do step 1 right?


The other thing is don't i have to change those edit group policy settings though if i want to delete the bitlocker pin? Thus the disable enhanced pin and disable required startup required with TPM and pin though?

That is right. You only need to change group policy if you set it to "require" not "allow" additional authentication at startup. Manage-bde will tell you if your change is blocked by policy.

As for plugging in USB with malware on it, bitlocker will not protect you from that at all. You will get infected just the same as a PC without bitlocker. That is a separate question about anti-virus though - nothing to do with encryption and not something I know anything about - I just use Windows Defender.

@lx07


Yes i did change it to require additional authentication at setup. But that wasn't required? It said so in the instructions...


Because if you left it at allow additional authenitication at setup, that still would have worked?



Well i dont mean someone putting their own usb with malware into your laptop while your laptop is turned on. That obviously means you are screwed right? I saw a video where i saw someone turn on their laptop and he sticked a usb into it for 60 seconds... then unplugged it. He then said i just put malware on it just like that. If a person was away from their computer for 1 minute, this could be done. But well because we have bitlocker pin... or even if i was on windows screen which need a password, im protected from this as you said right?


I mean someone having access to your usb sticks or external hard drive... putting a virus in it while you not knowing. Example let say that thief had their own computer with them or tablet or whatever. They have access to your usb stick and external hard drive after checking your computer is locked with bitlocker. Now they stick your usb stick and external hard drive to their own laptop. Then they put malware/keylogger/virus on it. Then leave your usb and external hard drive as is like it wasn't touched. Or you could say they take your usb/external hard drive to their place... put it in computer... then come back to your place and put your usb/external hard drive as is to make it look like it wasn't touched.


Then when you use your laptop... you plug one of your usb stick or external hard drive in and there is already a virus in it. So you don't know anything about this part then right? Are you screwed here?


Because i would want encrypt my usb sticks and external hard drives that i currently have. So this is still about encryption right?

paulyjustin said:

Because if you left it at allow additional authenitication at setup, that still would have worked?

Yes it would.

paulyjustin said:

Now they stick your usb stick and external hard drive to their own laptop. Then they put malware/keylogger/virus on it.

If you encrypt your removable drives then they would have to guess the password first. Depending how long you make the password they could brute force it by using a program to guess passwords.

Follow the instructions in this tutorial and make a long/complex password : Turn On or Off BitLocker for Removable Data Drives in Windows 10 | Tutorials

You can make them auto-unlock on your own PC by following this tutorial : Turn On or Off Auto-unlock for BitLocker Drive in Windows 10 | Tutorials

hey man thanks. I am going to look at these things right now. If anyone else have opinion on this, feel free to comment.

I'm trying to encrypt my usb flash drive and external hdd. I am trying it on a flash drive. Connected it and open my computer. Right click the flash drive and enable bitlocker. I got this error


Starting bitlocker


Group policy settings for bitlocker setup options are in conflict and cannot be applied. Contact system administrator for more information.

Does this have to do with the



Local group policy editor? Because there is some conflict?


The require additional authentication at startup?


I had it changed to enabled and the Configure TPM startup PIN to Require startup PIN with TPM. So i might have to change this to allow startup pin with TPM? Because this conflicts with it?


Or it has do with the same thing but instead of clicking the operating system drives, i click on removable data drives or fixed data drives? Im guessing its removable data drives? And something to do with the 1st line of control use of bitlocker on removable drives or enforced drive encryption type on removable data drives?

There is no guide that tells you what you are suppose to fix here in local group policy.

lx07


can you tell me why im having this error message? I spoke to the guy who helped me set up bitlocker initially. I sent him a screenshot of my edit group policy settings and he says he has it set up the same as me with no issue of encrypting his flash drives. He says it most likely has to do with the bitlocker pin.

Try changing require to allow.

Hey okay. One other thing. But you don't think this has anything to do with the external drive data option? Im confused why the change require to allow thing would mean anything because doesn't this have nothing to do with startup?