Bitlocker doesn't ask for PIN on boot

  • Question

  • Bitlocker is set up to use TPM and PIN, but in fact it never prompted for PIN

     

    C:\Windows\system32>manage-bde -protectors -get c:
    BitLocker Drive Encryption: Configuration Tool version 6.1.7600
    Copyright (C) Microsoft Corporation. All rights reserved.

    Volume C: []
    All Key Protectors

        TPM:
          ID: {AC246DEC-CF56-41FA-97C6-306D848BFAED}

        Numerical Password:
          ID: {FA78C0C5-0FC2-42CB-805F-E17316043680}
          Password:
            368577-127688-030107-590271-299420-569393-128271-656007

        TPM And PIN:
          ID: {F80A1317-CA38-46DC-8DE6-3E4EE68B76E0}

    Wednesday, June 8, 2011 12:26 PM

Answers

  • We can use the manage-bde command line to enable TPMAndPIN if it doesn't prompt when the computer starts up. You can check this by typing in

    manage-bde -status

    If you get a return result under the Key Protectors of “TPM”, and also “TPM And PIN” you’re not gonna get a prompt during startup. So, you need to remove the TPM only during startup. To do this I used this command.

    manage-bde -protectors -delete c: -type tpm

    Go ahead and check if that is reflected by using the “manage-bde -status” command again and you should notice you’re left with “TPM And PIN”. Reboot your machine and…:)

    Or follow this link

    http://weikingteh.wordpress.com/2011/04/18/how-to-enable-bitlocker-to-prompt-for-pin-during-startup/

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, June 10, 2011 6:35 AM
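
The check described in the answer above, as an added example that is not part of the original thread: a PowerShell helper that parses the text output of `manage-bde -protectors -get` and reports whether a TPM-only protector sits alongside "TPM And PIN". The function names and the sample output (with placeholder IDs) are constructed for illustration, and English-language tool output is assumed.

```powershell
# Added example (not from the thread). Assumes English manage-bde output.
# Constructed sample modelled on the question's output; IDs are placeholders.
$sample = @'
Volume C: []
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000001}

    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000002}
      Password:
        <recovery password omitted>

    TPM And PIN:
      ID: {00000000-0000-0000-0000-000000000003}
'@ -split "\r?\n"

function Get-BdeProtectorType {
    param([string[]]$Lines)
    $types = @()
    for ($i = 0; $i -lt $Lines.Count - 1; $i++) {
        # A protector heading is an indented "Name:" line followed by an "ID: {...}" line.
        # The nested "Password:" line is skipped because no ID line follows it.
        if ($Lines[$i] -match '^\s+(?<type>[A-Za-z][A-Za-z ]*):\s*$') {
            $type = $Matches['type'].Trim()
            if ($Lines[$i + 1] -match '^\s+ID:\s*\{') { $types += $type }
        }
    }
    return $types
}

function Test-BdePinPrompt {
    param([string[]]$Lines)
    $types      = @(Get-BdeProtectorType -Lines $Lines)
    $hasPin     = $types -contains 'TPM And PIN'
    $hasTpmOnly = $types -contains 'TPM'
    $finding = if ($hasPin -and $hasTpmOnly) {
        'TPM-only protector coexists with TPM And PIN (the state the answer says gives no PIN prompt)'
    } elseif ($hasPin) {
        'TPM And PIN present, no TPM-only protector'
    } else {
        'No TPM And PIN protector configured'
    }
    New-Object PSObject -Property @{ Protectors = ($types -join ', '); Finding = $finding }
}

Test-BdePinPrompt -Lines $sample
# On a live system, from an elevated prompt:
# Test-BdePinPrompt -Lines (manage-bde -protectors -get c:)
```
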
  • Hi,

    You may refer to the following link.

    http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/c3b5e90d-89fd-4e95-af97-723b045eb41b

    Friday, June 10, 2011 9:49 AM
    Moderator

All replies

  • To enable TPM & PIN at boot:

    Using MMC, go to :

    Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives

    and open the key

    "Require additional authentication at startup"

    Then enable that Key and set "Configure TPM startup Pin:" to "Require startup PIN with TPM"

    To set the actual PIN, use the following in a CMD prompt:

    manage-bde -protectors -add c: -TPMAndPIN

    This will prompt you for a PIN which it then requires you to enter at Boot.

    Friday, June 10, 2011 6:34 AM
  • Hi,

    How is it going?

    Please feel free to give us any update.

    Best Regards
    Juke
    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

    Tuesday, June 14, 2011 9:40 AM
    Moderator
  • Hi,
     
    Thanks for posting in Microsoft TechNet forums.

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards
    Juke
    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
    Friday, June 17, 2011 9:57 AM
    Moderator