My former computer didn’t support TPM, so I had to set "Allow BitLocker without a compatible TPM". I recently equipped it with TPM 2.0, and now I want to change the BitLocker authentication process to TPM + PIN + startup key triple verification. Is this feasible?
Your idea is actually excellent and workable. Microsoft BitLocker does offer a variety of authentication mechanisms for us, and the mode you selected, combining three of the common modes, indeed provides the highest level of security.
The setup process requires changes in Local Group Policy, and for the sake of security, make sure that your BitLocker recovery key has been saved in a safe location.
Before starting, make sure BitLocker encryption is enabled on the system drive and that the drive is unlocked. The steps are similar to setting up TPM + PIN mode and TPM + USB key mode, but with a few differences in the details. Pay attention to each of the following steps:
Step 1 Make sure that the system has TPM enabled. In Windows 10, using TPM 2.0 additionally requires the GPT partition style, so even if the TPM is correctly installed you may still run into the TPM failing to prepare. Once that is resolved, go to the next step.
Step 2 Type "Edit group policy", then click the matching result to open the Local Group Policy Editor.
Step 3 Navigate to "Computer Configuration" > "Administrative Templates" > "Windows Components" > "BitLocker Drive Encryption" > "Operating System Drives" > "Require additional authentication at startup".
Step 4 Uncheck "Allow BitLocker without a compatible TPM", then set the first three options below to "do not allow" and the fourth to "Require startup key and PIN with TPM".
Step 5 Plug in the USB flash drive, run Command Prompt as Administrator, and execute the command below:
manage-bde -protectors -add C: -TPMAndPINAndStartupKey E:\
# C: is the encrypted system drive and E:\ is the USB flash drive; manage-bde prompts for the PIN (123456 in this example) instead of accepting it on the command line
Step 6 Check whether the BitLocker key protectors are in effect on the system drive:
manage-bde -status
Note: do not store the USB startup key file and the recovery key file in the same location. Otherwise, inserting this USB drive into the computer may cause it to boot automatically from the recovery key, bypassing the TPM system integrity check. There is also a great danger of the data being unrecoverable if you lose the USB drive.
To enhance key security, you can copy the startup key file and store it on multiple flash drives as a backup. If you lose both the BitLocker startup key and the PIN, you can unlock the drive with the help of the BitLocker recovery key.
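The same procedure as an added PowerShell example (this is not part of the answer above and not Microsoft's own script). It assumes the system drive is C: and the USB flash drive is E:\, and it writes the "Require additional authentication at startup" policy through the registry values that the Local Group Policy Editor sets under HKLM\SOFTWARE\Policies\Microsoft\FVE. It goes a little beyond the answer by refusing to continue when the TPM is not ready, when the drive is not fully encrypted and unlocked, when no recovery password protector exists, or when the USB drive already carries a .BEK key file (the case the note above warns about).

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original answer.
# Assumptions: system drive C:, USB startup-key drive E:\ (change to match your machine).
$OsDrive = 'C:'
$UsbRoot = 'E:\'

# Step 1: a TPM-based protector needs a TPM that is present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present/ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); fix firmware/UEFI+GPT first."
}

# Precondition from the answer: the OS drive is already encrypted and unlocked.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.LockStatus -ne 'Unlocked') {
    throw "$OsDrive must be fully encrypted and unlocked (status: $($vol.VolumeStatus)/$($vol.LockStatus))."
}

# Safety net: do not change startup authentication without a recovery password protector.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No recovery password protector on $OsDrive; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector and save it first."
}

# Steps 3-4: "Require additional authentication at startup" as registry policy values.
# 0 = Do not allow, 1 = Require, 2 = Allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = @{
    UseAdvancedStartup = 1   # policy Enabled
    EnableBDEWithNoTPM = 0   # "Allow BitLocker without a compatible TPM" unchecked
    UseTPM             = 0   # TPM only: do not allow
    UseTPMPIN          = 0   # TPM + PIN: do not allow
    UseTPMKey          = 0   # TPM + startup key: do not allow
    UseTPMKeyPIN       = 1   # TPM + startup key + PIN: require
}
New-Item -Path $fve -Force | Out-Null
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# The answer's warning: a recovery key and the startup key are both .BEK files, so an
# existing .BEK on the target USB drive means it would unlock the drive without the TPM.
$existingBek = Get-ChildItem -Path $UsbRoot -Filter '*.BEK' -Force -ErrorAction SilentlyContinue
if ($existingBek) {
    throw "$UsbRoot already holds a .BEK key file ($($existingBek.Name -join ', ')); use a separate USB drive for the startup key."
}

# Step 5: add the TPM + PIN + startup key protector. The PIN is read as a SecureString
# rather than typed on the command line, where it would end up in the shell history.
$pin = Read-Host -Prompt 'Enter the BitLocker startup PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinAndStartupKeyProtector -Pin $pin -StartupKeyPath $UsbRoot | Out-Null

# Step 6: verify the protector list. The protector added back when BitLocker ran without
# a TPM is still present; remove it with Remove-BitLockerKeyProtector only after the new
# protector has been tested with a reboot.
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId, KeyFileName |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session. The output of the final step should list a protector of type TpmPinStartupKey whose KeyFileName is the .BEK that was written to the USB drive; copy that file to a second drive kept in a different place, as the answer suggests, before relying on it.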
Sure, I’m glad to answer your questions. Pre-boot authentication with BitLocker refers to the process of confirming your identity before entering the system.
The BitLocker PIN in Windows 11 and the BitLocker password are two totally different things, because their protection mechanisms are not the same. Below I will answer your questions in detail.
I'm here to answer it for you. The BitLocker USB key, known as the USB startup key, is typically used to store the BitLocker key on a USB flash drive in the form of a file.
TPM (Trusted Platform Module) is an important part of BitLocker encryption and one of the BitLocker password protection methods.