Getting BitLocker to enable TPMAndPIN
I'm having a problem enabling the PIN at bootup. The group policies for the machine do allow the usage of a PIN. But when I try this as an administrator, it just fails:

    manage-bde.exe -protectors -add c: -TPMAndPIN

It gives the following error:

    ERROR: An error occurred (code 0x80310060): Group Policy settings do not permit the use of a PIN at startup. Please choose a different BitLocker startup option.

Is there a way to get a more descriptive error message, to figure out why it thinks BitLocker is configured to not allow a PIN?
December 19th, 2009 10:28pm

I had this problem. I edited group policy to require TPM and PIN at startup, forced gpupdate, but I still received the error mentioned above. It allowed me to delete the tpm protector, but generated the error when trying to add tpmandpin. This was the solution for me: apparently this cannot be set with BitLocker active. I suspended protection, rebooted once, then ran the commands at an elevated command prompt:

    manage-bde -protectors -delete c: -type tpm
    manage-bde -protectors -add c: -tpmandpin <4-20 digit numeric PIN>

and I didn't get the error and the protectors were added. The BitLocker FAQ says the above commands will work without decrypting, but I think maybe the add command won't work without suspending.

http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx#BKMK_unlockpol1
http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_EnableAuthWODecrypt
November 9th, 2010 6:26pm

Correction: This was not a solution for me. I was able to make the setting change to add tpmandpin with BitLocker suspended, but when I attempted to resume BitLocker protection, it again gave me an error about Group Policy not permitting a PIN:

    "Wizard initialization has failed. Group Policy settings require that use of TPM-only at startup. Please choose this BitLocker startup option."

My problem was that within group policy there are four separate settings for the "Require additional authentication at startup" key: Configure TPM Startup, Configure TPM startup PIN, Configure TPM startup key, and Configure TPM startup key and PIN. If you have Configure TPM Startup set to "Require TPM" as well as have Configure TPM startup PIN set to "Require startup PIN with TPM", these two settings result in a configuration of Require TPM only at startup.

To enable the PIN functionality, I changed the Configure TPM Startup to "Allow TPM" and I left the Configure TPM startup PIN set to "Require startup PIN with TPM" and ... success! I forced gpupdate and was able to resume BitLocker successfully. Upon reboot, it asked for the PIN I had set.
November 9th, 2010 7:12pm
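
The conflict described in the reply above can be checked directly, which also addresses the original question about getting more detail than error 0x80310060 gives. The following PowerShell is an added example, not part of the thread: it assumes the "Require additional authentication at startup" policy is stored as DWORD values (UseAdvancedStartup, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN) under HKLM\SOFTWARE\Policies\Microsoft\FVE, and the function names are hypothetical. If the key is absent it falls back to a constructed sample of the failing configuration.

```powershell
# Added example, not from the thread. Assumption: the "Require additional
# authentication at startup" policy is stored under this key as DWORDs,
# with 0 = Do not allow, 1 = Require, 2 = Allow.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Options = [ordered]@{
    UseTPM       = 'Configure TPM startup'
    UseTPMPIN    = 'Configure TPM startup PIN'
    UseTPMKey    = 'Configure TPM startup key'
    UseTPMKeyPIN = 'Configure TPM startup key and PIN'
}
$Meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Get-FvePolicy {
    # Read the policy values; returns an empty table if the key is absent.
    $policy = @{}
    $item = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in @('UseAdvancedStartup') + @($Options.Keys)) {
            if ($null -ne $item.$name) { $policy[$name] = [int]$item.$name }
        }
    }
    $policy
}

function Test-StartupPinPolicy {
    param([hashtable]$Policy)
    if ($Policy['UseAdvancedStartup'] -ne 1) {
        return 'Policy is not enabled (UseAdvancedStartup is not 1).'
    }
    $findings = @()
    # The case from the thread: Require TPM plus Require PIN behaved as TPM-only.
    $required = @($Options.Keys | Where-Object { $Policy[$_] -eq 1 })
    if ($required.Count -gt 1) {
        $findings += "Conflict: more than one option is set to Require ($($required -join ', '))."
    }
    if ($Policy['UseTPMPIN'] -eq 0) {
        $findings += 'UseTPMPIN is Do not allow: a TPMAndPIN protector is not permitted.'
    }
    if (-not $findings) { $findings += 'No conflict found for TPM + PIN.' }
    $findings
}

# Constructed sample matching the failing configuration described above.
$constructed = @{ UseAdvancedStartup = 1; UseTPM = 1; UseTPMPIN = 1; UseTPMKey = 2; UseTPMKeyPIN = 2 }
$live = Get-FvePolicy
$policy = if ($live.Count -gt 0) { $live } else { $constructed }
foreach ($name in $Options.Keys) {
    $value = $policy[$name]
    $text = if ($null -eq $value) { 'not set' } else { $Meaning[[int]$value] }
    '{0,-34} {1}' -f $Options[$name], $text
}
Test-StartupPinPolicy -Policy $policy
```

Run it after gpupdate so the values reflect the policy currently applied to the machine.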

Same problem, I've tried changing local policies, deleting tpm, suspending BitLocker, almost everything I found via Google, but always the same error appears.

    ERROR: An error occurred (code 0x80310060): Group Policy settings do not permit the use of a PIN at startup. Please choose a different BitLocker startup option.

Anyone have any more ideas?
August 9th, 2012 9:02am

This post may help: http://social.technet.microsoft.com/Forums/en-US/configmgrosd/thread/5d551413-7370-485c-b016-8d2441aa0599
August 17th, 2012 10:06am

