Using the Group Policy Editor to Enable BitLocker Authentication in the Pre-Boot Environment for Windows 7 / 8 / 8.1 / 10
Summary: Steps for enabling BitLocker authentication in the Pre-Boot Environment for Windows 7, 8, 8.1, and 10.
Symptoms
The following article contains information about creating and using BitLocker with a Personal Identification Number (PIN).
Table of Contents:
- How to Create a BitLocker Pre-Boot Security Prompt Requiring a Personal Identification Number (PIN)
- Activate the TPM
- Enable BitLocker
- Edit the Group Policy
- Use the Command Prompt to Create a PIN
- Windows 10 Steps
How to Create a BitLocker Pre-Boot Security Prompt Requiring a Personal Identification Number (PIN)
As an extra layer of security, an administrator can require a Personal Identification Number (PIN) at the BitLocker pre-boot prompt, so that the TPM releases the volume key only after the user has supplied something they know. BitLocker is available in Windows 7 Enterprise and Ultimate and in the Pro and Enterprise editions of Windows 8, 8.1, and 10. A startup PIN can only be configured on systems with a Trusted Platform Module (TPM) chip, which most Latitude, OptiPlex, and Dell Precision systems have.
This is an advanced procedure; it is written for, and should be performed by, a system administrator.
Activate the TPM
- In the security section of your system's BIOS, enable the TPM.
- Check the box to clear the TPM, apply the changes, and exit the BIOS. Clearing the TPM discards every key it holds: do this only on a system that is not yet BitLocker-protected, or suspend BitLocker first, otherwise the next boot demands the recovery key.
- Boot into the BIOS again and, in the same security section, activate the TPM.
- Apply the changes and exit the BIOS.
Enable BitLocker
- Boot into Windows.
- Enable BitLocker on the drive that contains the operating system using the standard Microsoft process, and let it encrypt the entire drive. Save the recovery password it generates (the 48-digit "Numerical Password") somewhere other than the encrypted drive; it is the fallback if the PIN is forgotten or the TPM measurements change.
Edit the Group Policy
- Open the Local Group Policy Editor: open the "Run…" dialog (Windows key + R), type "gpedit.msc", and click "OK".
- Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
- In the right pane, double-click "Require additional authentication at startup". A settings window opens.
- Select "Enabled" so that the options below it become active.
- Clear the box for "Allow BitLocker without a compatible TPM" so that BitLocker cannot be set up with a USB startup key alone on a system without a TPM.
- For the choice of "Configure TPM startup:", choose "Allow TPM."
- For the choice of "Configure TPM startup PIN:", choose "Require startup PIN with TPM."
- For the choice of "Configure TPM startup key:", choose "Allow startup key with TPM."
- For the choice of "Configure TPM startup key and PIN:", choose "Allow startup key and PIN with TPM."
- Click "Apply" and then "OK" to save the changes in the Local Group Policy Editor. On a domain-joined system, a domain Group Policy that configures this setting takes precedence over the local policy.
Use the Command Prompt to Create a PIN
- Open an elevated Command Prompt (run as administrator).
- Excluding the quotation marks, enter the command "manage-bde -protectors -add c: -TPMAndPIN".
- You are prompted to enter the PIN. Enter 4 to 20 digits (Windows 10 requires at least 6 by default; the "Configure minimum PIN length for startup" policy can raise the minimum, and "Allow enhanced PINs for startup" permits letters and symbols). Nothing is echoed as you type.
- Press the Enter key to save the PIN, and you are prompted to enter the PIN again to confirm. Press the Enter key again to save the PIN confirmation.
- Excluding the quotation marks, enter the command "manage-bde -status".
- The BitLocker Drive Encryption status lists the "Key Protectors:" as "Numerical Password" (the 48-digit recovery password) and "TPM And PIN". If a plain "TPM" protector is still listed, the drive would unlock without the PIN; remove it with "manage-bde -protectors -delete c: -type TPM".
- From now on, each time the user boots the system, a BitLocker pre-boot prompt requires the PIN before the operating system is loaded.
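The Group Policy and manage-bde steps above as one scripted, verified procedure, added here as an example; it is not part of the Dell article. It targets Windows 8 and later, where the BitLocker and TrustedPlatformModule PowerShell modules exist (Windows 7 has only manage-bde). It writes the same values under HKLM\SOFTWARE\Policies\Microsoft\FVE that the policy editor writes, adds the TPM and PIN protector, and then checks the result the way "manage-bde -status" does. The function name Test-PreBootPinEnforced is the example's own; run it from an elevated PowerShell window.

```powershell
# Added example, not the Dell article's own code. Run from an elevated
# PowerShell window on Windows 8 or later with BitLocker already enabled.
$ErrorActionPreference = 'Stop'
$osDrive = $env:SystemDrive   # normally "C:"

# 1. The startup PIN is bound to the TPM, so refuse to continue without one.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "TPM not present or not ready (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady)); enable and activate it in the BIOS first."
}

# 2. Local-policy equivalent of the gpedit.msc steps. For the four
#    "Configure TPM ..." values: 0 = Do not allow, 1 = Require, 2 = Allow.
#    These are the documented registry names behind the
#    "Require additional authentication at startup" policy.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = @{
    UseAdvancedStartup = 1   # policy Enabled
    EnableBDEWithNoTPM = 0   # "Allow BitLocker without a compatible TPM" cleared
    UseTPM             = 2   # Allow TPM
    UseTPMPIN          = 1   # Require startup PIN with TPM
    UseTPMKey          = 2   # Allow startup key with TPM
    UseTPMKeyPIN       = 2   # Allow startup key and PIN with TPM
}
if (-not (Test-Path $fveKey)) { New-Item -Path $fveKey -Force | Out-Null }
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fveKey -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}

# 3. Make sure a recovery password exists before adding a PIN: without one,
#    a forgotten PIN locks the machine out permanently.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
}

# 4. Equivalent of "manage-bde -protectors -add c: -TPMAndPIN". The PIN is
#    read as a SecureString so it does not land in the command history.
$pin = Read-Host -Prompt 'Startup PIN (digits only unless enhanced PINs are allowed)' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $pin | Out-Null

# 5. Verify, as "manage-bde -status" would: a TpmPin protector ("TPM And PIN")
#    and a RecoveryPassword protector ("Numerical Password") must be present,
#    no plain Tpm protector may remain (it would unlock the drive with no PIN),
#    and the policy must still require the PIN.
function Test-PreBootPinEnforced {
    param([string]$MountPoint = $env:SystemDrive)
    $types = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
    $pol   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    return ($types -contains 'TpmPin') -and
           ($types -contains 'RecoveryPassword') -and
           ($types -notcontains 'Tpm') -and
           ($pol.UseTPMPIN -eq 1)
}

if (-not (Test-PreBootPinEnforced -MountPoint $osDrive)) {
    throw "Startup PIN is not enforced on $osDrive; review the protectors and policy."
}
(Get-BitLockerVolume -MountPoint $osDrive).KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
```

Writing the FVE values directly has the same effect on BitLocker as the editor, but the Local Group Policy Editor will not show them as "Enabled", and a domain Group Policy that configures the same setting still overrides them at the next policy refresh. If Test-PreBootPinEnforced reports a leftover plain "Tmp" protector, delete it with "manage-bde -protectors -delete c: -type TPM" and re-run the check.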
Windows 10 Steps
The following link contains steps for Windows 10:
BitLocker Group Policy Settings 
If you have further questions about this article, contact Dell Technical Support.
Cause
N/A
Resolution
N/A