How can I password-protect Bitlocker enabled laptops?
We are just now getting into the concept of protecting our corporate laptops via BitLocker. After running through the rudimentary process (enabling TPM in the BIOS... turning on BitLocker... saving the recovery key to a file... encrypting the drive),
it seemed simple enough. It got a little more complicated, however, when I was asked to provide password protection for the BitLocker-encrypted drive beyond and prior to the Windows authentication process.
I have seen a screenshot of a window entitled <Choose how you want to unlock this drive> where I would be able to tick an option to "Use a password to unlock the drive". On the laptop that I am experimenting with, when I attempt to turn on BitLocker
for the <C:> drive (the one that is the primary drive where Windows is installed), I do not get this window (instead, I am brought right to the window where I can choose how to save my recovery key). However, I do get the <Choose how you want
to unlock this drive> window when I go to turn on BitLocker for another partition (in this case, a <D:> drive that is designated as a recovery partition).
I am also aware of the area in local group policy, under <Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives>, where I can enable options to "Require additional authentication
at startup", "Allow enhanced PINs for startup", and "Configure minimum PIN length for startup".
What I am being asked to do is 1) set up a general password to access the BitLocker-encrypted drive (which would have TPM enabled), and 2) ensure that the laptop, upon boot, prompts the user to enter this password prior to him/her being able to authenticate
into the OS itself. I have been led to believe that this is possible but, right now, I am not seeing the path toward making it happen.
Any suggestions?
-Brian McKnight
February 8th, 2012 9:02am
By "password" I could really be meaning "boot PIN"... sorry for the confusion in terminology.
-Brian McKnight
February 8th, 2012 4:41pm
Hi,
You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following
commands from an elevated command prompt, replacing <4-20 digit numeric PIN> with the numeric PIN you want to use:
manage-bde -protectors -delete %systemdrive% -type tpm
manage-bde -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>
Juke Chou
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Juke Chou
TechNet Community Support
February 9th, 2012 2:30am
That sounds like a great thing to try! My only question before I do is this... should I run these command lines before or after I start BitLocker/encrypt the drive?
-Brian McKnight
February 9th, 2012 3:00pm
Hi,
Manage-bde is a command-line tool for managing BitLocker. You can use this command either before or after. The protectors switch is used for managing the protection methods, usually for changing the encryption methods.
For detailed Syntax, you may refer to the following article.
http://technet.microsoft.com/en-us/library/ff829849(WS.10).aspx
Juke Chou
TechNet Community Support
February 10th, 2012 1:46am
Your best bet would be to configure all of this in Group Policy (http://4sysops.com/archives/active-directory-and-bitlocker-part-3-group-policy-settings/)
so you don't have to make any manual configuration to the computers. You also should really consider backing up the recovery information to AD.
February 10th, 2012 10:33am
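The two replies above describe the same change from different angles: swap the TPM-only protector for a TPM+PIN protector with manage-bde, and keep the recovery information escrowed in AD so the switch cannot lock anyone out. The script below is an added example, not code from the thread or from Microsoft; it uses the BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector, Backup-BitLockerKeyProtector), which shipped after this thread with Windows 8 / Server 2012, and it assumes an elevated session and a policy that permits TPM+PIN on OS drives. The parameter names $MountPoint and $BackupToAD are my own. It performs the manage-bde steps in the order Juke Chou gave (delete the TPM protector, then add TPM+PIN), but first verifies that a recovery password protector exists, because once the TPM protector is gone that recovery password is the only way back into the volume if the PIN step fails.

```powershell
# Added example (not from the thread): move an already-encrypted OS volume
# from TPM-only to TPM+PIN without ever leaving it without a usable protector.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later)
# and an elevated PowerShell session. Try it on a test machine first.
param(
    [string]$MountPoint = $env:SystemDrive,   # e.g. "C:"
    [switch]$BackupToAD                        # also escrow the recovery password in AD DS
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$MountPoint is not BitLocker-enabled; turn BitLocker on first."
}

# 1. Guarantee a recovery password exists BEFORE touching the TPM protector.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Write-Host "Added recovery password protector $($recovery.KeyProtectorId)"
}

# Optional: escrow the recovery password on the computer object in AD DS.
# Requires the "Store BitLocker recovery information in AD DS" policy and
# domain schema support, as discussed in the Group Policy reply above.
if ($BackupToAD) {
    foreach ($rp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    }
}

# 2. Collect the PIN as a SecureString rather than as plain text on the command line.
#    manage-bde accepts 4-20 digits by default; enhanced PINs are a policy setting.
$pin = Read-Host -Prompt 'Enter the 4-20 digit startup PIN' -AsSecureString
if ($pin.Length -lt 4 -or $pin.Length -gt 20) {
    throw "PIN must be 4 to 20 characters long."
}

# 3. Same order as the manage-bde commands in the thread: remove the TPM-only
#    protector (only one TPM-based protector is allowed per volume), then add TPM+PIN.
$tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
foreach ($p in $tpmOnly) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin

# 4. Show what protects the volume now; expect TpmPin plus RecoveryPassword, no plain Tpm.
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
```

After the next reboot the machine stops at the BitLocker PIN prompt before Windows loads, which is the behaviour the original question asks for. Doing the same thing across the fleet is better driven by the "Require additional authentication at startup" policy than by running this per machine, but the script is useful for converting the few laptops that were already encrypted TPM-only before the policy existed.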
Hi,
How is it going?
Please feel free to give us any update.
Juke Chou
TechNet Community Support
February 13th, 2012 4:40am
Hi,
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply
to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Juke Chou
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Juke Chou
TechNet Community Support
February 15th, 2012 4:57am