BitLocker by itself is great drive encryption, but unfortunately it has some shortcomings in its default configuration. Namely, with the default TPM-only protector there is no safeguard at boot time: the TPM releases the volume key automatically, so if your computer is stolen or physically compromised, the drive is ready and willing to boot straight to the logon screen and give access to your data.
Fortunately BitLocker supports a PIN code which can be required at boot time, before the TPM unlocks the drive. To enable the BitLocker PIN, simply open an administrator-level command prompt and run the following:
manage-bde -protectors -add c: -TPMAndPIN
You should receive output similar to the following, during which you’re prompted for your PIN (no confirmation of keystrokes will appear on the screen during PIN entry):
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Type the PIN to use to protect the volume:
Confirm the PIN by typing it again:

Key Protectors Added:
If you get the following error…
ERROR: An error occurred (code 0x80310060): Group Policy settings do not permit the use of a PIN at startup. Please choose a different BitLocker startup option.
… then you will need to edit the local computer policy to allow a PIN to be set by performing the following steps:
- Click Start > Run and type mmc
- If Local Computer Policy is not visible, or Group Policy Object is not already added, add it by going to File > Add/Remove Snap-In > Group Policy Object
- Browse to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
- Open the setting Require additional authentication at startup
- Enable that setting and set Configure TPM startup PIN to Require startup PIN with TPM
Now you can set the PIN by running the manage-bde command once more.
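The same procedure, as an added PowerShell example that is not part of the original post: it checks whether the OS volume already has a TPM+PIN protector, inspects the local policy that produces the 0x80310060 error, enables the policy where it forbids a PIN, and adds the protector. It assumes the BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector), which ships with Windows 8 / Server 2012 and later, and an elevated session. The registry values under HKLM:\SOFTWARE\Policies\Microsoft\FVE are the local-policy backing store for "Require additional authentication at startup"; that mapping is the editor's assumption, not something the post states, so confirm it against gpedit on your build. The function names are hypothetical.

```powershell
# Added example, not from the original post. Assumes an elevated session and the
# BitLocker module (Windows 8 / Server 2012+). Registry mapping below is an assumption.

$OsDrive = $env:SystemDrive   # normally "C:"
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-StartupPinPolicy {
    # Summarises the local policy values behind "Require additional authentication at startup".
    if (-not (Test-Path $FvePolicyKey)) {
        return [pscustomobject]@{ PolicyPresent = $false; UseAdvancedStartup = $null; UseTPMPIN = $null }
    }
    $p = Get-ItemProperty -Path $FvePolicyKey
    [pscustomobject]@{
        PolicyPresent      = $true
        UseAdvancedStartup = $p.UseAdvancedStartup   # 1 = policy enabled
        UseTPMPIN          = $p.UseTPMPIN            # 0 = do not allow, 1 = require, 2 = allow (assumed)
    }
}

function Test-TpmPinProtector {
    param([string]$MountPoint = $OsDrive)
    # True when the OS volume already carries a TPM+PIN key protector.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' })
}

function Enable-StartupPinPolicy {
    # Mirrors the mmc steps: enable the policy and choose "Require startup PIN with TPM".
    New-Item -Path $FvePolicyKey -Force | Out-Null
    Set-ItemProperty -Path $FvePolicyKey -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $FvePolicyKey -Name UseTPMPIN -Value 1 -Type DWord
}

function Add-TpmPinProtector {
    param([string]$MountPoint = $OsDrive)
    # Prompts for the PIN without echoing it, then adds the protector.
    # Equivalent to: manage-bde -protectors -add c: -TPMAndPIN
    $pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
}

# --- main ---
if (Test-TpmPinProtector) {
    Write-Output "$OsDrive already has a TPM+PIN protector; nothing to do."
} else {
    $policy = Get-StartupPinPolicy
    if ($policy.PolicyPresent -and $policy.UseTPMPIN -eq 0) {
        Write-Output 'Local policy does not permit a startup PIN (code 0x80310060); enabling it.'
        Enable-StartupPinPolicy
    }
    Add-TpmPinProtector
    if (Test-TpmPinProtector) {
        Write-Output 'TPM+PIN protector added; the PIN prompt appears at the next boot.'
    }
}
```

Run Test-TpmPinProtector on its own as a quick audit across a fleet: a machine that reports $false is still booting with the TPM-only protector the post warns about. Keep the recovery password printed by manage-bde -protectors -get c: somewhere safe before changing protectors, since a forgotten PIN otherwise locks you out of your own volume.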