Windows 7 BitLocker using startup PIN and USB flash drive, but without a TPM...how?

    Question

  • At my organisation we are now insisting that all new laptops are to be encrypted using bitlocker in Windows 7, however some of the laptops are turning out not to have a TPM chip, or have the old 1.1 type of chip. These of course can't be used without first configuring group policy to allow use of bitlocker without a TPM, and must be booted with the use of a USB flash drive. I understand that clearly and it's all configured and working... however, in group policy there is a setting the description of which clearly states that we can use bitlocker with a startup PIN and a usb flash drive - but that we must use manage-bde to enable this functionality.

    Could someone please explain to me exactly how to enable bitlocker for use on a computer that does not have a tpm chip so that we have to enter a PIN when using a USB startup key?

    The setting in question is: Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup

    At the bottom of the descriptive help text is the sentence as follows:
    "Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard."

    There is an article (http://technet.microsoft.com/en-us/library/dd875513(WS.10).aspx ) which explains the various settings for the manage-bde command but it is not clear how to configure my required functionality as mentioned in the policy description.

    Any help gratefully received!
    Nick Clark -- Senior Systems Engineer University of the West of England, Bristol (UK)
    • Edited by NiXC March 2, 2010 14:44 typos
    March 2, 2010 14:41

Answers

All replies

  • manage-bde -on C: -recovery password -PINandStartupkey PIN PathToExternalDirectory -EncryptionMethod aes256_diffuser
    March 3, 2010 21:16
  • Sadly no, that doesn't work. You had my hopes up there for a minute that there might be an undocumented switch for manage-bde, but when I try:
    manage-bde -on C: -PINandStartupkey Password1 E:

    I get:

    ERROR: Invalid Syntax.
    "-PINandStartupkey" was not understood.

    Something tells me this functionality is meant for machines with a TPM and the wording in the group policy is ambiguous :(
    Nick Clark -- Senior Systems Engineer University of the West of England, Bristol (UK)
    March 4, 2010 9:48
  • Nick,

    I believe indeed that you only have the following combinations:

    • TPM only
    • TPM and PIN
    • TPM and Startup Key
    • USB only

    So the only option that applies to your non-TPM-1.2-compatible machines is USB only.
    Check also the following site that has some useful information about bitlocker deployments.
    http://code.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3206

    Kind Regards
    DFT


    IM me - TWiTTer: @DFTER
    • Marked as answer by NiXC March 4, 2010 20:19
    March 4, 2010 11:14
  • Hi daft, thanks for that. I'll give up with hoping for a PIN and USB combination - maybe in Windows 8... Thanks for the link though, that deployment code will come in handy!

    Cheers.
    Nick Clark -- Senior Systems Engineer University of the West of England, Bristol (UK)
    March 4, 2010 20:19
  • Hi Nick,

    I think Daft is correct that there are only 4 options. USB only is called "Startup Key." I am assuming that you are encrypting the C drive and the USB key is drive E.

    If you type manage-bde -on /? at a command prompt, you will see that it should be:

    manage-bde -on Volume [-StartupKey PathToExternalKeyDirectory]

    or

    manage-bde -on C: -StartupKey E:\

    April 13, 2010 20:42
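As an added example (not part of the thread, and not Microsoft's own tooling), the following PowerShell script applies the conclusion reached above: it checks whether a usable TPM 1.2 is present, picks the only protector set the machine supports (TPM and PIN when there is a TPM, startup key only when there is not), confirms that the "allow BitLocker without a compatible TPM" policy is actually in place before trying the no-TPM path, and then lists the protectors that were written. The C: and E:\ drive letters are assumed from the thread; the registry value EnableBDEWithNoTPM under the FVE policy key is the setting that the Group Policy item in the question writes.

```powershell
# Added example: choose and verify the manage-bde protector set a machine can use.
# Assumes OS volume C: and USB startup key on E:\ as in the thread. Run elevated.
param(
    [string]$OsVolume = 'C:',
    [string]$StartupKeyPath = 'E:\',
    [switch]$Apply   # without -Apply the script only reports the command it would run
)

function Get-TpmInfo {
    # Win32_Tpm is absent when the machine has no TPM; SpecVersion reads e.g. "1.2, 2, 3".
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
        -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    New-Object PSObject -Property @{
        SpecVersion = $tpm.SpecVersion
        Enabled     = $tpm.IsEnabled().IsEnabled
        Activated   = $tpm.IsActivated().IsActivated
    }
}

$tpm = Get-TpmInfo
$usableTpm = ($tpm -ne $null) -and $tpm.Enabled -and $tpm.Activated -and ($tpm.SpecVersion -like '1.2*')

if ($usableTpm) {
    # TPM + PIN is the only PIN combination BitLocker offers; manage-bde prompts for the PIN.
    $cmd = "manage-bde -on $OsVolume -RecoveryPassword -TPMandPIN -EncryptionMethod aes256_diffuser"
} else {
    # No TPM, or a 1.1 chip: startup key only. The policy from the question must allow
    # BitLocker without a compatible TPM, otherwise manage-bde -on refuses the volume.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.EnableBDEWithNoTPM -ne 1) {
        throw 'Group Policy does not allow BitLocker without a compatible TPM; set that policy first.'
    }
    $cmd = "manage-bde -on $OsVolume -RecoveryPassword -StartupKey $StartupKeyPath -EncryptionMethod aes256_diffuser"
}

Write-Host "Usable TPM 1.2 present: $usableTpm"
Write-Host "Command: $cmd"
if ($Apply) {
    Invoke-Expression $cmd
    # Verify what was written: expect "Numerical Password" plus either "External Key" or "TPM And PIN".
    manage-bde -protectors -get $OsVolume
}
```

Run it once without -Apply to see which path the machine falls into; the recovery password printed by manage-bde during -Apply must be escrowed before the first reboot.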
  • Thanks for that laureli, it was really the ambiguity of the Group Policy explanation text which started all this off. Naturally that was the first thing I did, checking manage-bde /? since the text indicated that we'd have to use that tool to enable pin and usb. Perhaps they mean pin OR usb.

    We've opted to relax what we expected and just use usb startup keys or the TPM chip when the use of Windows 7 on a laptop is possible, otherwise we use a 3rd party solution now.


    Nick Clark -- Senior Systems Engineer University of the West of England, Bristol (UK)
    April 14, 2010 8:43
  • Hi,

    Please visit www.biocryptodisk.com/BSS.html.

    This is a 2FA solution to secure the startup key.

    The USB End Point solution prevents any intruder from duplicating the startup key without your knowledge.


    Good Luck!


    August 24, 2011 13:07