Knowledge Base

Using the Group Policy Editor to Enable BitLocker Authentication in the Pre-Boot Environment for Windows 7 and Windows 8


Article Summary:

This article provides information on "Using the Group Policy Editor to Enable BitLocker Authentication in the Pre-Boot Environment for Windows 7 and Windows 8".



Table of Contents:

1. Problem – How to create a BitLocker pre-boot security prompt requiring a Personal Identification Number (PIN)

2. Solution – Activate the TPM

3. Solution – Enable BitLocker

4. Solution – Edit the Group Policy

5. Solution – Use the Command Prompt to Create a PIN



1. Problem

How to create a BitLocker pre-boot security prompt requiring a PIN

As an extra layer of security, an administrator may choose to create a BitLocker pre-boot security prompt requiring a Personal Identification Number (PIN). This feature is available in Windows 7 Enterprise and Ultimate, and Windows 8 Enterprise and Ultimate. It can only be enabled on systems with a Trusted Platform Module (TPM) chip, typically a Latitude, Optiplex or Precision system.

The process below is an advanced procedure and should only be carried out by, or with the knowledge of, the system administrator. The steps are written for a system administrator audience.



2. Solution

Activate the TPM

1. Use the security features of your system’s BIOS to enable the TPM.

2. Check the box to clear the TPM, apply changes and exit the BIOS.

3. Boot into the BIOS again and use the security features of your system’s BIOS to activate the TPM.

4. Apply changes and exit the BIOS.



3. Solution

Enable BitLocker

1. Boot into Windows.

2. Use the preferred Microsoft process to enable BitLocker and encrypt the entire disk that contains the operating system.



4. Solution

Edit the Group Policy

1. Open the Local Group Policy Editor from the “Run…” dialog: type “gpedit.msc” and click “OK”.

2. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

3. In the right pane, double click "Require additional authentication at startup" and a popup box will open.

4. Select the “Enabled” option so that the settings below it become active.

5. Uncheck the box for “Allow BitLocker without a compatible TPM”.

6. For the choice of “Configure TPM startup:”, choose “Allow TPM”.

7. For the choice of “Configure TPM startup PIN:”, choose “Require startup PIN with TPM”.

8. For the choice of “Configure TPM startup key:”, choose “Allow startup key with TPM”.

9. For the choice of “Configure TPM startup key and PIN:”, choose “Allow startup key and PIN with TPM”.

10. Click on the “Apply” button and then the “OK” button to save the changes in the Local Group Policy Editor.



5. Solution

Use the Command Prompt to Create a PIN

1. Open an elevated Command Prompt window with administrator rights.

2. Excluding the quotation marks, enter the command “manage-bde -protectors -add c: -TPMAndPIN”.

3. You will be prompted to enter the PIN. Enter a number between four and seven digits. Nothing is echoed on screen as you type the PIN.

4. Hit the Enter key to save the PIN, and you will be prompted to enter the PIN again to confirm. Hit the Enter key again to save the PIN confirmation.

5. Excluding the quotation marks, enter the command “manage-bde -status”.

6. The BitLocker Drive Encryption status will show the “Key Protectors:” as “Numerical Password”, “TPM and PIN”.

7. Now, each time the user boots the system, they will receive a BitLocker pre-boot security prompt requiring the PIN to be entered before access to the operating system is granted.
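The following PowerShell script is an added example for this article, not a Dell-supplied tool. It checks the preconditions of sections 2 and 4 before performing section 5, and it deliberately uses manage-bde rather than the BitLocker PowerShell module so that it runs on both Windows 7 and Windows 8. It assumes: the Win32_Tpm WMI class in root\cimv2\Security\MicrosoftTpm reports TPM state; the “Require additional authentication at startup” policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE with the value names and numbers used in VolumeEncryption.admx (0 = Do not allow, 1 = Require, 2 = Allow; verify against your own ADMX if they differ); and manage-bde -status prints the protector names shown in step 6 above.

```powershell
# Added example (not Dell's script): pre-flight checks for sections 2 and 4,
# then the TPM+PIN protector from section 5, verified via manage-bde -status.
param(
    [string]$Drive = 'C:',
    [switch]$AddProtector   # add the TPM+PIN protector only when explicitly asked
)

# manage-bde and the policy registry hive both require an elevated session (section 5, step 1).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# --- Section 2 check: the TPM must be enabled and activated in the BIOS ---
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) { throw 'No TPM reported by Windows; this procedure requires a TPM.' }
$tpmEnabled   = $tpm.IsEnabled().IsEnabled
$tpmActivated = $tpm.IsActivated().IsActivated
if (-not ($tpmEnabled -and $tpmActivated)) {
    throw "TPM not ready (Enabled=$tpmEnabled, Activated=$tpmActivated); complete the BIOS steps first."
}

# --- Section 4 check: registry backing of "Require additional authentication at startup" ---
# Assumption: value names and numeric meanings as in VolumeEncryption.admx
# (0 = Do not allow, 1 = Require, 2 = Allow). Each entry mirrors one choice in steps 4-9.
$fvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = @{
    UseAdvancedStartup = 1   # policy set to Enabled
    EnableBDEWithNoTPM = 0   # "Allow BitLocker without a compatible TPM" unchecked
    UseTPM             = 2   # Configure TPM startup: Allow TPM
    UseTPMPIN          = 1   # Configure TPM startup PIN: Require startup PIN with TPM
    UseTPMKey          = 2   # Configure TPM startup key: Allow startup key with TPM
    UseTPMKeyPIN       = 2   # Configure TPM startup key and PIN: Allow startup key and PIN with TPM
}
$policy = Get-ItemProperty -Path $fvePolicyPath -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = if ($policy) { $policy.$name } else { $null }
    if ($actual -ne $expected[$name]) {
        throw "Policy value '$name' is '$actual', expected $($expected[$name]). Re-check section 4 and run 'gpupdate /force'."
    }
}

# --- Section 5: add the TPM+PIN protector (interactive PIN prompt, no echo) ---
if ($AddProtector) {
    & manage-bde -protectors -add $Drive -TPMAndPIN
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -add failed with exit code $LASTEXITCODE" }
}

# --- Verify, as in step 6: the status output must list "TPM And PIN" ---
$statusText = (& manage-bde -status $Drive) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "manage-bde -status failed with exit code $LASTEXITCODE" }
$hasTpmAndPin  = $statusText -match 'TPM And PIN'
$hasRecoveryPw = $statusText -match 'Numerical Password'

if (-not $hasTpmAndPin) {
    Write-Warning "No 'TPM And PIN' protector on $Drive; re-run with -AddProtector (section 5, step 2)."
}
if (-not $hasRecoveryPw) {
    # Without a recovery password, a forgotten PIN leaves no supported way back into the volume.
    Write-Warning "No 'Numerical Password' (recovery) protector on $Drive; back one up before rollout."
}

# Summary object for logging or for a deployment check
New-Object PSObject -Property @{
    Drive            = $Drive
    TpmReady         = ($tpmEnabled -and $tpmActivated)
    PolicyMatches    = $true      # reached only if every expected value matched
    TpmAndPinPresent = [bool]$hasTpmAndPin
    RecoveryPresent  = [bool]$hasRecoveryPw
}
```

Run it once without -AddProtector to confirm the TPM and policy state, then with -AddProtector to be prompted for the PIN exactly as in step 3; the final status check is the scripted form of steps 5 and 6.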




Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.

Article ID: SLN171842

Last modified: 05/07/2013 12:00 AM

