Bitlocker Pin Code Without TPM?

  • Question

  • Hey guys,

    We use BitLocker to encrypt our laptops; due to some security issues we must encrypt a few PCs as well.

    Someone told me that I can use a BitLocker PIN code on a PC that does not have a TPM chip (at the moment I know that I can only use an external flash drive to function as a startup key only). By the way, he told me I can only use the command prompt commands of BitLocker because this option does not exist in the BL GUI...

    So my question is, if this is true, can I use only a PIN code without a startup key?

    Or can I use them both?

     

    thanks..

     

    Wednesday, August 31, 2011 7:03 AM

Answers

  • This article answers your query:
    http://technet.microsoft.com/en-us/library/cc732774.aspx

    Quoting from the page, it says:

    "On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification offered by BitLocker with a TPM.

    In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented."

    So the answer is No. You can use a PIN (or both PIN and start-up key) only in addition to a TPM. If you do not have a TPM, you will require a start-up key. Hope it helps!


    Kunal D Mehta - a Windows Server Enthusiast | My first TechNet Wiki Article
    • Proposed as answer by daft Wednesday, August 31, 2011 8:57 AM
    • Marked as answer by Cloud_TSModerator Friday, September 2, 2011 9:41 AM
    Wednesday, August 31, 2011 8:25 AM
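
The rule in the answer above can be checked per machine. The following PowerShell is an added example, not part of the original thread: it classifies an OS drive's startup authentication from its key protector types. The function name `Get-StartupAuthMode` and the sample rows are hypothetical, and the live check assumes the `Get-Tpm` and `Get-BitLockerVolume` cmdlets, which ship with Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the thread). Function name and sample rows are constructed.
function Get-StartupAuthMode {
    param(
        [bool]$TpmPresent,
        [string[]]$ProtectorTypes   # KeyProtectorType names, e.g. from Get-BitLockerVolume
    )
    # The most specific TPM protector wins; ExternalKey is the USB startup key type.
    $mode = 'None'
    foreach ($t in 'TpmPinStartupKey', 'TpmPin', 'TpmStartupKey', 'Tpm', 'ExternalKey') {
        if ($ProtectorTypes -contains $t) { $mode = $t; break }
    }
    [pscustomobject]@{
        Mode           = $mode
        # Pre-startup integrity verification is only provided with a TPM.
        IntegrityCheck = ($mode -like 'Tpm*')
        # PIN and/or startup key on top of the TPM gives multifactor authentication.
        ExtraFactor    = (@('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') -contains $mode)
        # Per the answer: a PIN is only available in addition to a TPM.
        PinPossible    = $TpmPresent
    }
}

# Constructed inventory rows (not real machines).
$samples = @(
    @{ Name = 'LAPTOP-A';  Tpm = $true;  Types = @('TpmPin', 'RecoveryPassword') },
    @{ Name = 'LAPTOP-B';  Tpm = $true;  Types = @('Tpm', 'RecoveryPassword') },
    @{ Name = 'DESKTOP-C'; Tpm = $false; Types = @('ExternalKey', 'RecoveryPassword') }
)
foreach ($s in $samples) {
    Get-StartupAuthMode -TpmPresent $s.Tpm -ProtectorTypes $s.Types |
        Select-Object @{ n = 'Name'; e = { $s.Name } }, Mode, IntegrityCheck, ExtraFactor, PinPossible
}

# Live check on the local machine (elevated prompt, Windows 8 / Server 2012 or later).
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = $vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }
    Get-StartupAuthMode -TpmPresent (Get-Tpm).TpmPresent -ProtectorTypes $types
}
```

On Windows 7, where these cmdlets are not available, `manage-bde -status` and `manage-bde -protectors -get C:` show the same protector information from the command prompt.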

All replies

  • So the answer is No. You can use a PIN (or both PIN and start-up key) only in addition to a TPM. If you do not have a TPM, you will require a start-up key. Hope it helps!


    Kunal D Mehta - a Windows Server Enthusiast | My first TechNet Wiki Article
    I'd be eager to learn if this is still the case with Windows 8
    Thursday, September 11, 2014 3:52 PM
  • Check this out:
    http://www.eightforums.com/tutorials/21271-bitlocker-turn-off-os-drive-windows-8-a.html


    Kunal D Mehta - a Windows Server Enthusiast | I'm on facebook.com/serverbaba

    Thursday, September 11, 2014 4:49 PM