Enable BitLocker to Prompt for PIN on Startup (TPMAndPIN)

Posted on May 1, 2018 at 10:09 pm

How do you make BitLocker ask for a PIN every time the PC starts up (boots)?

1) Modify BitLocker policy via GPEdit

Open gpedit.msc and browse to:

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

In the right pane, double-click “Require additional authentication at startup”.

Make these changes (same as the image below):

– Select the “Enabled” radio button
– Uncheck “Allow BitLocker without a compatible TPM”
– Under “Configure TPM startup PIN:”, choose “Require startup PIN with TPM”

2) Open cmd.exe as Administrator

3) Remove the TPM-only protector:

manage-bde.exe -protectors -delete c: -type TPM

4) Add the TPMAndPIN protector:

manage-bde.exe -protectors -add c: -TPMAndPIN

* You will be asked to enter the PIN *

5) Make sure the TPMAndPIN protector is now listed:

manage-bde.exe -status

6) Reboot the PC

* You will be asked to enter the PIN *
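The same switch from a TPM-only protector to TPM+PIN can be scripted with the built-in BitLocker PowerShell module instead of manage-bde. The script below is an added example, not part of the original post; it assumes the group policy from step 1 is already applied (otherwise Add-BitLockerKeyProtector -TpmAndPinProtector is rejected by policy), that the OS volume is C:, and that the PIN is typed at the prompt. It adds one check the manage-bde steps above do not make: it refuses to delete the TPM protector unless a recovery password protector exists, so the volume stays recoverable if adding the TPM+PIN protector fails before the next reboot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): replace the TPM-only protector on
# the OS volume with a TPM+PIN protector using the BitLocker PowerShell module.
# Assumptions: the "Require additional authentication at startup" policy from
# step 1 is already applied, and the OS volume is mounted at C:.

function Switch-ToTpmAndPin {
    param([string]$MountPoint = "C:")

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Safety check: never leave the volume without a usable protector.
    # Require a recovery password (which you have backed up) before touching
    # the TPM protector, so a failure between remove and add is recoverable.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        throw "No RecoveryPassword protector on $MountPoint. Add and back one up before changing TPM protectors."
    }

    # Nothing to do if TPM+PIN is already configured.
    if ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin') {
        Write-Host "TpmPin protector already present on $MountPoint"
        return
    }

    # Step 3: remove the TPM-only protector (a volume holds only one TPM-based protector).
    $tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
    }

    # Step 4: add the TPM+PIN protector. The PIN is read as a SecureString and
    # never written into the script or the console history.
    $pin = Read-Host -Prompt "Enter the new startup PIN" -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin -ErrorAction Stop | Out-Null

    # Step 5: verify that the TpmPin protector is now present before rebooting.
    $after = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($after.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
        throw "TpmPin protector was not added; keep the recovery password at hand for the next boot."
    }
    $after.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
}

Switch-ToTpmAndPin -MountPoint "C:"
```

Run it from an elevated PowerShell session. The policy applied in step 1 also enforces the minimum PIN length (6 digits by default), so a PIN shorter than that is rejected at the Add-BitLockerKeyProtector call rather than silently accepted. After the script reports the TpmPin protector, reboot as in step 6 and confirm the PIN prompt appears.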
