
MOBS Bangladesh Meeting of Brilliant Syche - IT Pro's Corner http://mobs-bd.org

Enable BitLocker, and to Prompt for PIN During Startup

Author : Shuvro

First you need to check that the following items are present in your laptop:

- TPM chip
- Enterprise or higher edition (Ultimate, with or without N)
- R2 Enterprise or higher

You can enable BitLocker on any number of drives, and you can do this in two ways:

- BitLocker encryption tied to the TPM chip
- Password-protected BitLocker without TPM integration

Enable BitLocker: This exercise is done using the .1 Enterprise N Edition. You can do it in one short step. On your keyboard, press the Windows key + E, select your boot drive, right-click on it and click "Turn on BitLocker" for this drive. It will prompt you to save the recovery key somewhere other than the fixed drive; a memory stick is a good choice. Save or print the recovery key and let the wizard run the encryption. A screenshot:


As you can see, there are three management options available: suspend the protection, back up the recovery key again, and turn BitLocker off completely.

Now let's run the following command:


Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Drives. On the right pane, double-click "Require additional authentication at startup". Screenshot follows:


First, enable the policy and set the fields as shown in the picture :) Press OK afterwards and close the Local Group Policy Editor. DO NOT RESTART YET.

Nope, we are not done yet...haha. Now we are going to set the TPM PIN for the encrypted drive with the following command (from an elevated command prompt): manage-bde -protectors -add C: -TPMAndPIN


Enter the PIN twice when prompted. Now run the following command: manage-bde -status

You should get the following summary result:


As you can see, the key protectors now include TPM And PIN. Voila, you are done: restart and get ready to provide the PIN, otherwise you are doomed. Word of advice: do keep your BitLocker recovery keys in a safe place (or several).
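A PowerShell version of the same procedure and its final check, added here as an example (it is not from the original post): it verifies the TPM, confirms the drive is already encrypted, adds the TPM+PIN protector, makes sure a recovery password still exists, and lists the protectors the way manage-bde -status does. It assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 and later), an elevated session, the policy from the previous step already enabled, and that the OS drive is C:.

```powershell
# Added example, not the article's own script. Assumes an elevated session,
# Windows 8+ (BitLocker and TrustedPlatformModule modules) and OS drive C:.
#Requires -RunAsAdministrator

$OsDrive = 'C:'

# 1. A present and ready TPM is the prerequisite for a TPM+PIN protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM missing or not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady))."
}

# 2. BitLocker must already be turned on for the drive (the article does this in Explorer).
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$OsDrive is not BitLocker-protected yet; turn on BitLocker first."
}

# 3. Add TPM+PIN if not present; this is the PowerShell equivalent of
#    manage-bde -protectors -add C: -TPMAndPIN
if (-not ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin')) {
    $pin = Read-Host -Prompt 'Enter the startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
}

# 4. Defensive check: a leftover TPM-only protector would unlock the drive
#    without the PIN, so remove it if BitLocker did not replace it already.
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
    Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $_.KeyProtectorId | Out-Null
}

# 5. Keep a recovery password so that a forgotten PIN is not fatal.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
}

# 6. Summary: the protector list you would otherwise read from manage-bde -status.
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
"Volume status: $($vol.VolumeStatus); protection: $($vol.ProtectionStatus)"
```

The run succeeds only when the final table lists a TpmPin protector next to a RecoveryPassword one; back up the recovery password before restarting.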


BitLocker drive encryption was originally an integral security feature in Windows SBS 2008. You can back up a source that is encrypted with BitLocker. However, if you restore the backup to your server, it is restored without BitLocker encryption, and you must manually enable BitLocker on the restored volume. Afterwards, BitLocker was ported to Vista and so on.

You can do this after BitLocker has encrypted the entire drive. First you have to enable the local policy that requires a PIN during startup. You could also do that centrally, enterprise-wide, through Group Policy (GPO).

Check out the following links as well:

- BitLocker Drive Preparation Tool: http://www.microsoft.com/en-gb/download/details.aspx?id=7806
- BitLocker Drive Encryption Step-by-Step Guide for Windows 7: https://technet.microsoft.com/en-us/library/dd835565%28v=ws.10%29.aspx
- Windows BitLocker™ Drive Encryption Step by Step Guide: http://go.microsoft.com/fwlink/?LinkId=53779
- Windows Services Step by Step Guide: http://go.microsoft.com/fwlink/?linkid=67232
