How can I password-protect BitLocker enabled laptops?
We are just now getting into the concept of protecting our corporate laptops via BitLocker. After running through the rudimentary process (enabling TPM in the BIOS... turning on BitLocker... saving the recovery key to a file... encrypting the drive), it seemed simple enough. It got a little more complicated, however, when I was asked to provide password protection for the BitLocked drive beyond and prior to the Windows authentication process.

I have seen a screenshot of a window entitled <Choose how you want to unlock this drive> where I would be able to tick an option to "Use a password to unlock the drive". On the laptop that I am experimenting with, when I attempt to turn on BitLocker for the <C:> drive (the one that is the primary drive where Windows is installed), I do not get this window (instead, I am brought right to the window where I can choose how to save my recovery key). However, I will get the <Choose how you want to unlock this drive> window when I go to turn on BitLocker for another partition (in this case, a <D:> drive that is designated as a recovery partition).

I am also aware of the area in local group policy, under <Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives>, where I can enable options to "Require additional authentication at startup", "Allow enhanced PINs for startup", and "Configure minimum PIN length for startup".

What I am being asked to do is 1) set up a general password to access the BitLocker encrypted drive (which would have TPM enabled), and 2) ensure that the laptop, upon boot, prompts the user to enter this password prior to him/her being able to authenticate into the OS itself. I have been led to believe that this is possible but, right now, I am not seeing the path toward making it happen. Any suggestions?

-Brian McKnight
February 8th, 2012 9:02am

By "password" I could really be meaning "boot PIN"... sorry for the confusion in terminology.

-Brian McKnight
February 8th, 2012 4:41pm

Hi,

You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing <4-20 digit numeric PIN> with the numeric PIN you want to use:

    manage-bde -protectors -delete %systemdrive% -type tpm
    manage-bde -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>

Juke Chou
TechNet Community Support
February 9th, 2012 2:30am

That sounds like a great thing to try! My only question before I do is this... should I run these command lines before or after I start BitLocker/encrypt the drive?

-Brian McKnight
February 9th, 2012 3:00pm

Hi,

Manage-bde is a command-line tool for managing BitLocker. This command can be used either before or after. The protectors switch is used for managing the protection methods, usually for changing the encryption methods. For the detailed syntax, you may refer to the following article: http://technet.microsoft.com/en-us/library/ff829849(WS.10).aspx

Juke Chou
TechNet Community Support
February 10th, 2012 1:46am

Your best bet would be to configure all of this in Group Policy (http://4sysops.com/archives/active-directory-and-bitlocker-part-3-group-policy-settings/) so you don't have to make any manual configuration changes on the computers. You also should really consider backing up the recovery information to AD.
February 10th, 2012 10:33am
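The manage-bde steps given earlier in the thread and the AD recovery-key backup suggested above, combined into one script as an added example that is not from any post in this thread. It uses the BitLocker PowerShell module (Windows 8 / Server 2012 and later; on Windows 7 the manage-bde commands quoted above are the equivalent) and assumes an elevated session, a domain-joined machine with AD DS recovery escrow configured by policy, and the "Require additional authentication at startup" policy enabled with a TPM startup PIN allowed. It escrows the recovery password before touching the TPM protector, because the TPM-only protector has to be removed before TPM+PIN can be added, and that gap is where a failed step would otherwise leave the machine recoverable only with the key you never saved.

```powershell
# Added example, not from the thread. Assumptions: BitLocker PowerShell module
# (Windows 8 / Server 2012+), elevated session, AD DS recovery escrow enabled by
# GPO, and "Require additional authentication at startup" enabled with a TPM PIN
# allowed. Protectors can be changed before or after encryption, as noted above.
param([string]$MountPoint = 'C:')

function Get-ProtectorsByType {
    param([string]$MountPoint, [string]$Type)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq $Type }
}

# 1. Safety net first: make sure a recovery password exists and is escrowed to
#    AD DS, so a failure between steps 2 and 3 cannot lock the machine out.
$recovery = @(Get-ProtectorsByType -MountPoint $MountPoint -Type 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = @(Get-ProtectorsByType -MountPoint $MountPoint -Type 'RecoveryPassword')
}
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
}

# 2. Only one TPM-family protector may exist at a time, so the TPM-only
#    protector must be removed before TPM+PIN can be added (same order as the
#    manage-bde commands in the thread).
foreach ($tpm in @(Get-ProtectorsByType -MountPoint $MountPoint -Type 'Tpm')) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpm.KeyProtectorId | Out-Null
}

# 3. Add TPM+PIN. The PIN is read as a SecureString at the prompt rather than
#    passed on the command line, so it does not end up in scripts or history.
$pin = Read-Host -Prompt 'Enter the startup PIN (4-20 digits)' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# 4. Verify the end state: one TpmPin protector, at least one RecoveryPassword,
#    and no plain Tpm protector left behind.
$after = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
$after | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
if (-not ($after.KeyProtectorType -contains 'TpmPin') -or ($after.KeyProtectorType -contains 'Tpm')) {
    throw "Protector change did not complete as expected on $MountPoint"
}
```

After the next reboot the pre-boot environment prompts for the PIN before Windows loads, which is the behaviour the original question asks for.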

Hi,

How is it going? Please feel free to give us any update.

Juke Chou
TechNet Community Support
February 13th, 2012 4:40am

Hi,

As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

Juke Chou
TechNet Community Support
February 15th, 2012 4:57am
