Remove BitLocker PIN Requirement

  • Question

  • If a drive is encrypted with BitLocker and you choose not to require any form of pre-boot authentication, the system will simply boot and unlock when you log in.

    If you encrypt a computer with BitLocker and choose to set a PIN, is there any way to later retract the pre-boot PIN requirement and revert to the scenario above without first decrypting and re-encrypting?

    I've looked at the various options via manage-bde and tested a few such as:

    manage-bde -protectors -delete C: -Type TPMAndPIN

    Unfortunately this simply removed the PIN and instead requires the recovery key. Using the same command to delete the recovery key breaks the system.

    Any help is greatly appreciated!

    Monday, August 26, 2013 10:43 PM

Answers

  • Apologies for replying to an old-ish question but I believe I have a solution.

    Assuming any group policy changes relating to BitLocker PINs have been reset, enter the command manage-bde -protectors -add C: -tpm. This will reconfigure BitLocker into using just the TPM and delete the PIN as well.

    If you run manage-bde -status and look under Key Protectors you should see Numerical Password (i.e. the recovery key) and either TPM on a system that does not use a PIN, or TPM And PIN on a system that does. If you try to remove the PIN by just removing the TPM And PIN key protector, the only means of unlocking the drive available is Numerical Password, causing you to be prompted for the recovery key at every boot. You have to specifically tell BitLocker to use just the TPM instead; it won't automatically default to this setting.

    • Marked as answer by ImageGuy Tuesday, November 26, 2013 8:08 PM
    Wednesday, November 6, 2013 2:32 PM
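    As an added example (not code from the thread), a PowerShell wrapper around the manage-bde command RARowlands gives, with the checks an administrator would want before changing protectors: it refuses to run without a recovery password protector, and verifies afterwards that a TPM protector is present and the TPM+PIN one is gone. It assumes the BitLocker PowerShell module cmdlets Get-BitLockerVolume and Backup-BitLockerKeyProtector are available and that Group Policy permits a TPM-only protector.

```powershell
# Added example: revert an OS volume from TPM+PIN to TPM-only without decrypting,
# using the approach described in the thread (manage-bde -protectors -add <vol> -tpm).
# Assumes the BitLocker PowerShell module and manage-bde are present and that
# Group Policy allows a TPM-only protector.
param([string]$MountPoint = 'C:')

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

# Guard 1: never change protectors unless a recovery password (Numerical Password) exists.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) { throw "No RecoveryPassword protector on $MountPoint; add one first." }

# Guard 2: only proceed if the volume actually uses TPM+PIN today.
if ($types -notcontains 'TpmPin') {
    Write-Host "$MountPoint has no TpmPin protector (found: $($types -join ', ')). Nothing to do."
    return
}

# Escrow the recovery password to AD DS before touching protectors (assumes the
# AD backup GPO is configured); on a non-domain machine this only warns.
try {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint `
        -KeyProtectorId $recovery[0].KeyProtectorId | Out-Null
} catch {
    Write-Warning "Recovery password not escrowed to AD: $($_.Exception.Message)"
}

# The fix from the thread: adding a TPM-only protector replaces the TPM+PIN one.
# Do NOT run 'manage-bde -protectors -delete -type TPMAndPIN' first: that leaves
# only the recovery password and forces a 48-digit recovery key prompt at every boot.
& manage-bde -protectors -add $MountPoint -tpm
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }

# Verify the protector set before rebooting.
$after = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
if ($after -contains 'Tpm' -and $after -notcontains 'TpmPin') {
    Write-Host "OK: $MountPoint now has protectors: $($after -join ', ')"
} else {
    Write-Warning "Unexpected protector set after change: $($after -join ', ')"
}
```

    Run it from an elevated prompt; the KeyProtectorType values (Tpm, TpmPin, RecoveryPassword) are those the BitLocker module reports, which correspond to the TPM, TPM And PIN and Numerical Password entries shown by manage-bde -status.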
  • You should only have to enter the recovery key once. Honestly, I don't think there is any way around this. I am pretty sure once you configure BitLocker to use a PIN it uses the PIN in either the encryption algorithm or the hash value. Since the PIN is required to verify the integrity of the drive or the person accessing the drive, a recovery key would be needed to boot the drive. However, after you do this you should no longer need the PIN or the recovery key, as BitLocker should reconfigure itself to only use the TPM. Have you tried it? It would be strange if it required you to enter the recovery key after every reboot after accepting the new configuration.

    Sorry I couldn't be much help. There might be something in the TechNet library about how the PIN interfaces with the encryption method of BitLocker. I think I remember reading about it back in my MCITP Windows 7 days.


    Remember to select 'Mark as Answer' for any reply that provided a solution

    Tuesday, August 27, 2013 6:57 PM

All replies

  • As far as I know you need to have either a TPM, or BitLocker requires the use of a startup key (bootable USB thumb drive) or a PIN. The above scenario of not having any kind of pre-boot authentication I believe is impossible. If your computer has a TPM, or you want to use just the startup key without the PIN, you can change the settings in Group Policy Manager, Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives, then check the box stating Allow BitLocker without a compatible TPM. I am pretty sure you will have to re-encrypt your drive after this. Hope this was of some help.

    Monday, August 26, 2013 11:30 PM
  • Thank you Curtis.

    I should clarify that my test system does have a compatible TPM. I am enforcing the requirement to have a TPM.

    So in the case where you enable BitLocker and choose not to use any pre-boot authentication the system will silently pass the TPM as I understand it. However, to the end user there is no additional activity or requirements from their end.

    Going through the process of enabling TPMAndPIN, we now force the end user to enter a PIN at boot. I'm trying to figure out if there is a way to revert the PIN and restore service back to the scenario above.

    Monday, August 26, 2013 11:33 PM
  • The same Group Policy Object should have the option of booting using TPM-Only, in fact I think it is the default.

    Tuesday, August 27, 2013 12:20 AM
  • Hi,

    We can just use Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode without decrypting the drive.

    Alex Zhao
    TechNet Community Support

    Tuesday, August 27, 2013 1:25 PM
    Moderator
  • That's true. However, he wants to go in the other direction, specifically from multifactor authentication to TPM-only authentication. You could still do this with the manage-bde.exe CLI.

    The command I believe is

    manage-bde -protectors -delete [Volume Letter] -type TPMandPIN -cn [Computer Name]

    I would imagine that you can add multiple computer names to be applied via the -cn switch for enterprise environments; however, I thought using the Group Policy MMC would probably be less of a hassle.

    If adding a PIN to TPM-only authentication doesn't require re-encryption then most likely removing the PIN won't either. Let us know how it goes. Truthfully, I am curious about the command-line command. I bet there is a PowerShell cmdlet that can get the job done with respect to an entire OU, group and/or domain.


    Tuesday, August 27, 2013 4:06 PM
  • @Curtis

    So the command you provided is actually similar to the one in my original post, with the exception of the -cn parameter. The command does run successfully and proceeds to remove the pre-boot PIN requirement. Unfortunately now it requires that I enter the complete Recovery Key at boot. So my dilemma now is to prevent the recovery key requirement. Of course deleting the recovery key is destructive and prevents the computer from booting. It seems like such a simple task...

    Regarding Group Policy - I do intend on using a GPO to control our enterprise deployment. However, in my current testing I need the capability to add and remove the PIN code protector on select systems.

    Tuesday, August 27, 2013 6:06 PM
  • I really appreciate your help Curtis.

    I did try consecutive reboots after removing the PIN and got consistent results. Every boot required me to enter the complete 48 character Recovery Key.

    I read that suspending BitLocker and rebooting can force an update to resolve this issue. Unfortunately it didn't take effect in this situation.

    I'm continuing to research the issue. I'll post back if I identify a working solution.

    Tuesday, August 27, 2013 9:03 PM
  • Just to follow up on this: I never did identify a working method for reverting the PIN. The only workable solution seems to involve decrypting the volume and re-encrypting it.
    Wednesday, September 4, 2013 4:02 PM
  • That's a bummer. It's my guess that the PIN is used for either initializing your TPM or is part of unlocking the key to start the boot process. If you're dealing with a bunch of machines I would suggest scripting out the commands for disabling BitLocker and re-enabling it with the TPM-only schema.

    Wednesday, September 4, 2013 5:31 PM
  • @RARowlands

    You sir are fantastic. Thank you for posting to this thread. I finally got around to testing the command you posted and sure enough it reconfigured TPM and wiped the PIN requirement. Most excellent.

    Have a great day!

    • Proposed as answer by dboylan Friday, January 31, 2014 11:18 PM
    Tuesday, November 26, 2013 8:09 PM
  • Worked for me as well. Thank you!
    Wednesday, May 31, 2017 5:52 PM
  • This link will give a detailed solution.

    Apply the GPO to allow the protector to be TPM only, and then run only the command line below:

    manage-bde -protectors -add C: -TPM

    This command will automatically delete the TPMandPIN protector and add a TPM-only protector.

    https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/


    Gaurav Ranjan

    Saturday, April 13, 2019 9:04 AM