Windows 7 BitLocker using startup PIN and USB flash drive, but without a TPM...how?

  • Question

  • At my organisation we are now insisting that all new laptops are to be encrypted using BitLocker in Windows 7; however, some of the laptops are turning out not to have a TPM chip, or have the old 1.1 type of chip. These of course can't be used without first configuring group policy to allow use of BitLocker without a TPM, and must be booted with the use of a USB flash drive. I understand that clearly and it's all configured and working... however, in group policy there is a setting the description of which clearly states that we can use BitLocker with a startup PIN and a USB flash drive - but that we must use manage-bde to enable this functionality.

    Could someone please explain to me exactly how to enable BitLocker for use on a computer that does not have a TPM chip so that we have to enter a PIN when using a USB startup key?

    The setting in question is: Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup

    At the bottom of the descriptive help text is the sentence as follows:
    "Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard."

    There is an article (http://technet.microsoft.com/en-us/library/dd875513(WS.10).aspx) which explains the various settings for the manage-bde command, but it is not clear how to configure my required functionality as mentioned in the policy description.

    Any help gratefully received!
    Nick Clark -- Senior Systems Engineer University of the West of England, Bristol (UK)
    Tuesday, March 2, 2010 2:41 PM


All replies

  • manage-bde -on C: -recovery password -PINandStartupkey PIN PathToExternalDirectory -EncryptionMethod aes256_diffuser
    Wednesday, March 3, 2010 9:16 PM
  • Sadly no, that doesn't work. You had my hopes up there for a minute that there might be an undocumented switch for manage-bde, but when I try:
    manage-bde -on C: -PINandStartupkey Password1 E:

    I get:

    ERROR: Invalid Syntax.
    "-PINandStartupkey" was not understood.

    Something tells me this functionality is meant for machines with a TPM and the wording in the group policy is ambiguous :(
    Nick Clark -- Senior Systems Engineer University of the West of England, Bristol (UK)
    Thursday, March 4, 2010 9:48 AM
  • Nick,

    I believe indeed that you only have the following combinations:

    • TPM only
    • TPM and PIN
    • TPM and Startup Key
    • USB only

    So the only option that applies to your non-TPM-1.2-compatible machines is USB only.
    Check also the following site, which has some useful information about BitLocker deployments.

    Kind Regards

    IM me - TWiTTer: @DFTER
    • Marked as answer by NiXC Thursday, March 4, 2010 8:19 PM
    Thursday, March 4, 2010 11:14 AM
  • Hi daft, thanks for that. I'll give up with hoping for a PIN and USB combination - maybe in Windows 8... Thanks for the link though, that deployment code will come in handy!

    Nick Clark -- Senior Systems Engineer University of the West of England, Bristol (UK)
    Thursday, March 4, 2010 8:19 PM
  • Hi Nick,

    I think Daft is correct that there are only 4 options. USB only is called "Startup Key." I am assuming that you are encrypting the C drive and the USB key is drive E.

    If you type manage-bde -on /? at a command prompt, you will see that it should be:

    manage-bde -on Volume [-StartupKey PathToExternalKeyDirectory]

    manage-bde -on C: -StartupKey E:\

    Tuesday, April 13, 2010 8:42 PM
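An added example (not posted by anyone in this thread) that applies Daft's and laureli's answers across a fleet: it checks for a 1.2 TPM via WMI, checks the "Allow BitLocker without a compatible TPM" policy, and builds the manage-bde command for the one protector combination the machine can actually use, always adding a recovery password. It assumes the OS volume is C: and the USB key is E:\ as in the thread, and that the policy setting is backed by the registry value EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE (my assumption; verify against your domain's policy).

```powershell
# Added example, not code from the thread. Assumptions: OS volume C:, USB key E:\,
# and EnableBDEWithNoTPM (HKLM\SOFTWARE\Policies\Microsoft\FVE) as the backing
# registry value of the "Allow BitLocker without a compatible TPM" policy.

function Get-TpmSpecVersion {
    # Win32_Tpm returns nothing on machines without a TPM.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) { return $null }
    # SpecVersion reads like "1.2, 2, 3"; the first field is the TPM family version.
    return ($tpm.SpecVersion -split ',')[0].Trim()
}

function Get-BitLockerPlan {
    param(
        [string]$OsVolume = 'C:',
        [string]$StartupKeyPath = 'E:\',
        [switch]$PreferPin
    )
    $spec   = Get-TpmSpecVersion
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $noTpmAllowed = ($null -ne $policy -and $policy.EnableBDEWithNoTPM -eq 1)

    if ($spec -eq '1.2') {
        # Compatible TPM: TPM+PIN or TPM+startup key (two of the four combinations above).
        if ($PreferPin) { $protector = '-TPMandPIN' }
        else            { $protector = "-TPMandStartupKey $StartupKeyPath" }
    } elseif ($noTpmAllowed) {
        # No TPM, or a 1.1 chip: startup key only is the sole option on Windows 7.
        $protector = "-StartupKey $StartupKeyPath"
    } else {
        throw "No TPM 1.2 found (spec: '$spec') and BitLocker without a TPM is not allowed by policy."
    }
    # A recovery password means a lost USB key is not a lost disk; escrow it in AD.
    return "manage-bde -on $OsVolume -RecoveryPassword $protector"
}

$cmd = Get-BitLockerPlan
Write-Host "Would run: $cmd"
# After enabling, confirm which protectors the volume really has:
#   manage-bde -protectors -get C:
```

On a laptop without a TPM and with the no-TPM policy enabled, the script prints `manage-bde -on C: -RecoveryPassword -StartupKey E:\`; on a TPM 1.1 machine without the policy it stops with the thrown error rather than guessing.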
  • Thanks for that laureli, it was really the ambiguity of the Group Policy explanation text which started all this off. Naturally that was the first thing I did, checking manage-bde /?, since the text indicated that we'd have to use that tool to enable PIN and USB. Perhaps they mean PIN OR USB.

    We've opted to relax what we expected and just use USB startup keys or the TPM chip when the use of Windows 7 on a laptop is possible; otherwise we use a third-party solution now.

    Nick Clark -- Senior Systems Engineer University of the West of England, Bristol (UK)
    Wednesday, April 14, 2010 8:43 AM
  • Hi,

    Please visit www.biocryptodisk.com/BSS.html.

    This is a 2FA solution to secure the startup key.

    The USB End Point solution prevents any intruder from duplicating the startup key without your knowledge.

    Good Luck!

    Wednesday, August 24, 2011 1:07 PM