BitLocker: Enable PIN on boot

If you want your system to require a PIN in order to unlock a BitLocker-encrypted drive at boot time, you need to change one small GPO setting (assuming that you already have BitLocker set up):

Start the Group Policy Editor by pressing Windows+R and entering the command ‘gpedit.msc’.


Navigate to Local Computer Policy → Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives.


Select the ‘Require additional authentication at startup’ option and set it to ‘Enabled’. Then set ‘Configure TPM startup PIN’ to ‘Require startup PIN with TPM’.


Now open an elevated Command Prompt and enter the command to set the PIN:

manage-bde -protectors -add c: -TPMAndPIN

This prompts you for a PIN, which you will then have to enter every time the system boots.
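The same procedure can be scripted from an elevated PowerShell session instead of clicking through gpedit and typing the PIN into manage-bde. The script below is an added example, not part of the original page: it writes the policy registry values that the ‘Require additional authentication at startup’ template sets (the key path and value names are assumed to match the BitLocker ADMX template, so verify them against gpedit on your build), adds the TPM+PIN protector with Add-BitLockerKeyProtector, and then checks that the protector list looks right before you reboot. The drive letter C: and the interactive PIN prompt are assumptions.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell.
# Assumption: the policy key and value names below are the registry backing of the
# "Require additional authentication at startup" GPO in the BitLocker ADMX template.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Dropdown values in the template: 0 = do not allow, 1 = require, 2 = allow.
# This mirrors the page: policy Enabled, only "Configure TPM startup PIN" set to Require,
# the other dropdowns left at their default "Allow".
$policy = @{
    UseAdvancedStartup = 1   # policy state: Enabled
    EnableBDEWithNoTPM = 0   # keep requiring a TPM
    UseTPM             = 2   # Allow TPM
    UseTPMPIN          = 1   # Require startup PIN with TPM
    UseTPMKey          = 2   # Allow startup key with TPM
    UseTPMKeyPIN       = 2   # Allow startup key and PIN with TPM
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value $policy[$name] -Force | Out-Null
}

# Prompt for the PIN as a SecureString so it never lands in the script or shell history.
$pin = Read-Host -Prompt 'Enter the startup PIN' -AsSecureString

# Equivalent of: manage-bde -protectors -add C: -TPMAndPIN
Add-BitLockerKeyProtector -MountPoint 'C:' -Pin $pin -TpmAndPinProtector | Out-Null

# Verify before rebooting: a TpmPin protector must be present, and a recovery password
# should still exist so a forgotten PIN does not lock the machine out.
$vol   = Get-BitLockerVolume -MountPoint 'C:'
$types = $vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

if ($types -notcontains 'TpmPin') {
    throw 'TPM+PIN protector was not added; check the policy values and TPM state.'
}
if ($types -notcontains 'RecoveryPassword') {
    Write-Warning 'No recovery password protector on C:. Add and back one up before rebooting.'
}
```

Running this produces the same end state as the gpedit steps above: gpedit writes the same values under the Policies key, and manage-bde and Add-BitLockerKeyProtector both add a TPM+PIN protector. If you prefer the command-line tool, the final check is simply `manage-bde -protectors -get C:`, which should list the new protector and the recovery password.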

  • Last modified: 2019-10-31 09:06