Bitlocker setup omits asking for unlock mechanism RRS feed

  • Question

  • Bitlocker setup omits asking for unlock mechanism

    I have finally decided to gain peace of mind if my PC goes missing and decided to setup bitlocker.

    Launching the app it successfully checks the PC & starts bitlocker but then skips the "choose how to unlock your drive at startup"step. It goes to the how to back up your recovery key...how much to encrypt...etc

    Anyone have any idea of what is going on. All that I have seen indicates the "choose how to unlock your drive at startup" should appear and clearly it seems logical.

    Tuesday, March 28, 2017 4:40 PM

All replies

  • Hi Fred.

    If a TPM chip is available, then it will be utilized without offering other protectors such as password/PIN or USB token - that's why. If you'd like to add another protector, simply activate the following GPO:

    Afterwards, you can right click c: and select "manage bitlocker" and then choose (and add) a method to unlock your drive.

    Wednesday, March 29, 2017 6:49 AM
  • Hi Fred B',

    According to your description, please refer to the link below about how to set up BitLocker Encryption on Windows.


    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope it will be helpful to you

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 29, 2017 8:15 AM
  • Thanks for the link Carl.

    Also please see the reply from Ronald above.



    Wednesday, March 29, 2017 12:13 PM
  • Thanks Ronald;

    Gotta love an easy fix.

    What I do not get is why encrypt my PC if from a cold boot bitlocker simply uses the TPM chip to open the system.  Clearly once Windows is launched it is child's play to obtain the user passwords. My PC stolen from a hotel would then have no protection.

    There are at least two very fine and descriptive sites which outline the bitlocker set up, one of which is posted below by Carl.  Neither mention that adjusting a GPO might be required in order to implement the set up with requiring a password.  Odd eh? Perhaps the default is with the additional protection on for most systems.

    Anyway, thanks again, and off I go happily encrypting;


    Wednesday, March 29, 2017 12:26 PM
  • "Clearly once Windows is launched it is child's play to obtain the user passwords." - no. No child's play. The attacker has no logon password. His only chance against a TPM-only secured system are

    1 use a so-called coldboot-attack https://www.youtube.com/watch?v=JDaicPIgn9U

    2 use a DMA attack (there are GPOs against that

    3 (if he is lucky) the firewall is off and there are exploitable ports (unpatched services)

    "Perhaps the default is with the additional protection on for most systems." - no. The default is: use a TPM and nothing else.

    Wednesday, March 29, 2017 12:32 PM
  • ahha

    I have clearly missed something.  I have never seen a system encrypted with bitlocker during the boot process. I I mistakenly envisioned either with password, a request generated by the bitlocker process for same password during the boot process, or without password - well that is where I am in error.  You indicate there would be a "logon password" required.  If the password is not set during the bitllocker setup where was the logon password set up?  I am now assuming this logon password is not a Windows User password. 

    Re the ease of obtaining user passwords, I was, in error, referring to an unencrypted Windows pc.

    Sometimes a little knowledge is dangerous.

    Wednesday, March 29, 2017 10:25 PM
  • The logon password is the windows password. An attacker can boot the machine, but he cannot logon. Neither can he use bootdisks to circumvent the password (or reset it). Nor can he access the contents offline from a bootdisk.
    Thursday, March 30, 2017 8:58 AM