At my organisation we are now insisting that all new laptops are to be encrypted using BitLocker in Windows 7; however, some of the laptops are turning out not to have a TPM chip, or have the old 1.1 type of chip. These of course can't be used without first configuring group policy to allow use of BitLocker without a TPM, and must be booted with the use of a USB flash drive. I understand that clearly and it's all configured and working... however, in group policy there is a setting the description of which clearly states that we can use BitLocker with a startup PIN and a USB flash drive, but that we must use manage-bde to enable this functionality.

Could someone please explain to me exactly how to enable BitLocker for use on a computer that does not have a TPM chip so that we have to enter a PIN when using a USB startup key?

The setting in question is: Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup

At the bottom of the descriptive help text is the sentence as follows:
"Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard."

There is an article ( ) which explains the various settings for the manage-bde command, but it is not clear how to configure my required functionality as mentioned in the policy description.

Any help gratefully received!
Nick Clark -- Senior Systems Engineer University of the West of England, Bristol (UK)
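As an added example that is not part of the original post: the manage-bde sequence for bringing up BitLocker on a Windows 7 laptop with no usable TPM, typed into an elevated PowerShell prompt. The drive letters C: and F: and the already-applied "Allow BitLocker without a compatible TPM" policy checkbox are assumptions; the protector names are the ones manage-bde documents.

```powershell
# Added example: BitLocker on the OS drive of a laptop without a usable TPM.
# Assumptions: the OS volume is C:, the USB flash drive that will hold the
# startup key is F:, and the "Allow BitLocker without a compatible TPM"
# checkbox under "Require additional authentication at startup" is applied.
# Without a TPM the only pre-boot protector Windows 7 offers for an OS drive
# is a USB startup key. A PIN is a TPM-backed protector, so the "PIN and USB
# flash drive" combination the policy text mentions needs a TPM 1.2 chip.

$OsDrive  = "C:"
$UsbDrive = "F:\"

# 1. Check the volume is not already protected and what protectors exist.
manage-bde -status $OsDrive

# 2. Add a recovery password before anything else, so the volume can always
#    be recovered if the USB key is lost; record or escrow it before encrypting.
manage-bde -protectors -add $OsDrive -RecoveryPassword

# 3. Add the USB startup key protector. manage-bde writes a .BEK file to F:\;
#    that stick must be plugged in at every boot.
manage-bde -protectors -add $OsDrive -StartupKey $UsbDrive

# 4. Verify both protectors are registered on the volume.
manage-bde -protectors -get $OsDrive

# 5. Start encryption. BitLocker runs a hardware test on the next reboot to
#    confirm the startup key can be read before it encrypts; leave F: inserted.
manage-bde -on $OsDrive

# On a laptop that does have a TPM 1.2 chip, PIN plus USB key is one combined
# protector that the setup wizard will not create but manage-bde will:
#   manage-bde -protectors -add C: -TPMAndPINAndStartupKey F:\
```

Run `manage-bde -status C:` after the reboot to confirm that encryption is progressing and that the startup key protector is listed.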
