Can BitLocker use a PIN on startup if you are using a USB startup key because of no compatible TPM?

  • Question

  • Greetings!

    I am trying to configure BitLocker and am having trouble finding information for a specific scenario here at the office. We have a few laptops that do not have a TPM chip, so they have to use a USB drive for their startup key when the drive is encrypted. The laptops that do have a TPM chip are able to have a PIN on boot-up that has to be entered before Windows starts to load.

    I need to know if it is possible to have the PIN to be used on the laptops that are using the USB drives without the TPM chips.

    Thanks in advance!
    Friday, February 10, 2012 3:08 PM

Answers

  • If you look in the Group Policy in Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup, you'll see that what you're looking for isn't an available scenario.  PIN vs. USB startup key is an either/or setup... you can't do both. 

    As an alternative, you could re-partition the disks and create a fixed, local data drive that is encrypted with BitLocker for storing sensitive data.

    • Proposed as answer by kobeckman Friday, February 10, 2012 5:31 PM
    • Marked as answer by Niki HanModerator Tuesday, February 14, 2012 6:54 AM
    Friday, February 10, 2012 3:26 PM

All replies

  • If you look in the Group Policy in Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup, you'll see that what you're looking for isn't an available scenario.  PIN vs. USB startup key is an either/or setup... you can't do both. 

    As an alternative, you could re-partition the disks and create a fixed, local data drive that is encrypted with BitLocker for storing sensitive data.

    Yeah, I remember seeing that in the group policy but just wanted to make sure there wasn't some other way to do it. Thanks.
    Friday, February 10, 2012 3:35 PM
  • I am trying to do the same thing, use the PIN and USB key for a laptop without a TPM. I see the policy setting you refer to, but in the help for that policy, it has the following note at the bottom:

    "Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard."

    That tells me that this should be possible, but I can't seem to find documentation on how to accomplish it.

    Tuesday, May 1, 2012 10:09 PM
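An added example, not part of the thread: a PowerShell audit that reports which pre-boot factors an OS volume actually requires, so an administrator can see at a glance whether a no-TPM laptop is unlocked by the USB key alone. It assumes the BitLocker and TrustedPlatformModule cmdlets (Get-BitLockerVolume, Get-Tpm) that ship with Windows 8 / Server 2012 and later, run from an elevated prompt; the function name Get-StartupAuthReport is made up for this example.

```powershell
# Added example (not from the thread). Requires the BitLocker and TrustedPlatformModule
# modules (Windows 8 / Server 2012 and later); run elevated.
# Only protector types that take part in pre-boot unlock are considered; recovery
# password and recovery key protectors are ignored because they are fallbacks, not
# the everyday startup check the thread is asking about.

function Get-StartupAuthReport {
    param([string]$MountPoint = $env:SystemDrive)

    # Get-Tpm errors out on a machine with no TPM driver/chip; treat that as "no TPM".
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    $bootTypes = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -in 'Tpm','TpmPin','TpmStartupKey',
                                                'TpmPinStartupKey','ExternalKey','Password' } |
        Select-Object -ExpandProperty KeyProtectorType |
        ForEach-Object { $_.ToString() } | Sort-Object -Unique

    # Something the user knows (PIN or password) vs. something the user carries (USB key).
    $knowledge  = [bool]($bootTypes | Where-Object { $_ -in 'TpmPin','TpmPinStartupKey','Password' })
    $possession = [bool]($bootTypes | Where-Object { $_ -in 'ExternalKey','TpmStartupKey','TpmPinStartupKey' })

    [pscustomobject]@{
        MountPoint            = $vol.MountPoint
        ProtectionStatus      = $vol.ProtectionStatus
        TpmPresent            = $tpmPresent
        BootProtectors        = ($bootTypes -join ',')
        RequiresPinOrPassword = $knowledge
        RequiresUsbKey        = $possession
        # The PIN+USB combination (TpmPinStartupKey) that manage-bde can add, per the policy
        # note quoted above, is a TPM-bound protector: without a TPM the only pre-boot
        # protectors available are ExternalKey (USB startup key) and, on Windows 8+, Password.
        UsbKeyAloneUnlocksOs  = ($possession -and -not $knowledge)
    }
}

Get-StartupAuthReport | Format-List
```

A volume that reports UsbKeyAloneUnlocksOs = True is in exactly the state the original poster was worried about: whoever holds the laptop and the USB drive boots straight into Windows with nothing to type.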