Is it possible to centrally disable Bitlocker Pre Boot Authentication?

  • Question

  • Dear all,

    we are looking into rolling out Bitlocker with Windows 10 Pro for a few hundred laptops. Due to budget restrictions we cannot use Windows 10 Enterprise with MBAM. Actually, Bitlocker in Windows 10 Pro looks quite usable to me, especially since the recovery key can be automatically backed up to AD.

    However, we are looking for a possibility to centrally disable PreBoot authentication with PIN and switch to TPM only so the PC boots automatically. This might be useful for larger rollouts where multiple reboots of the OS are required - i.e. for Windows 10 feature upgrades that are deployed nightly.

    Does anyone know whether it's possible to centrally disable and enable PIN Pre Boot authentication? The GPO "Require additional authentication at startup" only sets which authentication methods are allowed but does not enforce them.


    Wednesday, October 24, 2018 8:58 AM


All replies

  • You have not started encryption yet, right? By default, no preboot authentication is used = no need for action on devices that have a usable TPM.
    Wednesday, October 24, 2018 12:02 PM
  • We are currently testing. I know that by default no additional protection for authentication besides TPM is used. However, for our laptops we need pre boot authentication with PIN. But I'm looking for a way to temporarily disable it and allow the laptops to reboot without having to pre authenticate. This is important for rollouts that require multiple reboots.
    Wednesday, October 24, 2018 12:37 PM
  • To temporarily suspend bitlocker, making it boot the next x times without asking for the PIN, use the command

    manage-bde -protectors -disable c: -rc x

    • Marked as answer by sam.bell Monday, October 29, 2018 9:50 AM
    Wednesday, October 24, 2018 12:50 PM
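
The suspension from the answer above, as an added PowerShell example that is not part of the original thread. It uses the built-in `Get-BitLockerVolume` and `Suspend-BitLocker` cmdlets; the function name `Suspend-PinForReboots` and the computer names in the last comment are hypothetical, and running it remotely assumes PowerShell remoting is enabled on the laptops.

```powershell
#Requires -RunAsAdministrator
# Added example: suspend BitLocker on the OS volume for a bounded number of
# reboots, and only on machines that actually use a TPM+PIN protector.
function Suspend-PinForReboots {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Suspend-BitLocker accepts 0-15. 0 means "until manually resumed",
        # so it is excluded here to make sure protection comes back by itself.
        [ValidateRange(1, 15)]
        [int]$RebootCount = 1
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Protection is Off when the volume is unencrypted, still encrypting,
    # or already suspended. Do not stack another suspension on top.
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint protection is not on ($($vol.VolumeStatus)); nothing changed."
        return $vol
    }

    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($types -notcontains 'TpmPin') {
        Write-Warning "$MountPoint has no TPM+PIN protector; it already boots without a PIN."
        return $vol
    }
    if ($types -notcontains 'RecoveryPassword') {
        Write-Warning "$MountPoint has no recovery password protector to fall back on."
    }

    # While suspended, the volume unlocks without TPM or PIN checks,
    # so keep RebootCount as low as the rollout needs.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount -ErrorAction Stop |
        Out-Null

    # Return the fresh state so the caller can log ProtectionStatus = Off.
    Get-BitLockerVolume -MountPoint $MountPoint
}

# Local use, equivalent to: manage-bde -protectors -disable c: -rc 2
#   Suspend-PinForReboots -RebootCount 2
#
# Central use against constructed host names (assumes WinRM is reachable):
#   Invoke-Command -ComputerName 'LAPTOP-001','LAPTOP-002' `
#       -ScriptBlock ${function:Suspend-PinForReboots} -ArgumentList 'C:', 2
```

Protection resumes automatically after the given number of reboots; `Resume-BitLocker -MountPoint C:` turns it back on earlier if the rollout finishes sooner.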
  • Also to note, I'm pretty sure that while installing a feature update, BitLocker protectors are disabled anyway.

    Friday, October 26, 2018 2:47 AM
  • That is true, feature updates suspend bitlocker automatically. That's why they were deemed potentially dangerous, see http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html
    • Proposed as answer by cloris_sun Monday, October 29, 2018 9:44 AM
    • Marked as answer by sam.bell Monday, October 29, 2018 9:51 AM
    Friday, October 26, 2018 6:36 AM
  • Thanks Ronald! You helped me a lot!
    Monday, October 29, 2018 9:51 AM