Weird bitlocker settings


So at work and at home I have been setting up BitLocker. Today at work I was setting up BitLocker on a PC and we could not get a password as an option to unlock the device. The only options we get are either a USB key or a PIN. Per the compliance officer we have to require an encryption passphrase on boot, and I am not big on PINs. How do I get the passphrase ability back? Thanks.

Do you have a TPM? You can check with the Get-Tpm PowerShell command, from an elevated command prompt:
Code:
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>powershell
Windows PowerShell
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32> get-tpm

TpmPresent          : False
TpmReady            : False
ManufacturerId      : 0
ManufacturerVersion :
ManagedAuthLevel    : Full
OwnerAuth           :
OwnerClearDisabled  : True
AutoProvisioning    : NotDefined
LockedOut           : False
LockoutCount        :
LockoutMax          :
SelfTest            :

PS C:\WINDOWS\system32>
If so, the TPM enters the password for you and your system is protected by your Windows password. Only if you don't have a TPM can you enter a password.

In addition you can enter a PIN and/or use a USB key. A PIN is recommended and can be alphanumeric.

What is the best practice for using BitLocker on an operating system drive?

The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or 2.0 and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.

Can PIN length and complexity be managed with Group Policy?

Yes and no. You can configure the minimum personal identification number (PIN) length by using the Configure minimum PIN length for startup Group Policy setting and allow the use of alphanumeric PINs by enabling the Allow enhanced PINs for startup Group Policy setting. However, you cannot require PIN complexity by Group Policy.
Source
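As an added example (the editor's, not code posted by anyone in this thread), the following script pulls together the checks discussed above: the Get-Tpm state, the key protectors currently on the OS volume, the registry values that the Group Policy settings named in the FAQ write under the FVE policy key, and, if the TPM is ready and no TPM+PIN protector exists yet, adding one. The policy value names and the meaning of the UseTPMPIN values are assumptions; verify them against the Group Policy editor on your own build. It assumes Windows 10 with the BitLocker and TrustedPlatformModule modules and an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$OsDrive = $env:SystemDrive   # normally C:

# 1. TPM state. With TpmPresent=False BitLocker can only offer a password or a
#    startup key for the OS drive; with a present and ready TPM the choices are
#    TPM only, TPM+PIN and TPM+startup key.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)   TPM ready: $($tpm.TpmReady)"

# 2. Protectors currently on the OS volume.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
"Volume status: $($vol.VolumeStatus)   Protection: $($vol.ProtectionStatus)"
$vol.KeyProtector | ForEach-Object {
    "  {0,-20} {1}" -f $_.KeyProtectorType, $_.KeyProtectorId
}

# 3. Policy values. Group Policy writes the BitLocker settings to this key; a
#    missing value means "Not configured". Value names are an assumption.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
function Get-FvePolicy([string]$Name) {
    $p = Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { 'Not configured' } else { $p.$Name }
}
"Require additional authentication at startup : " + (Get-FvePolicy UseAdvancedStartup)
"  Allow BitLocker without a compatible TPM   : " + (Get-FvePolicy EnableBDEWithNoTPM)
"  Configure TPM startup PIN (assumed 0=no,1=require,2=allow): " + (Get-FvePolicy UseTPMPIN)
"Configure minimum PIN length for startup     : " + (Get-FvePolicy MinimumPIN)
"Allow enhanced PINs for startup              : " + (Get-FvePolicy UseEnhancedPin)

# 4. If the TPM is ready and there is no TPM+PIN protector yet, add one.
#    Read-Host -AsSecureString keeps the PIN out of the console history.
$hasTpmPin = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
if ($tpm.TpmReady -and -not $hasTpmPin) {
    $pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin
}
```

A volume holds a single TPM-based protector, so adding TPM+PIN to a volume that already has a TPM-only protector replaces that protector rather than adding a second one; run Get-BitLockerVolume again afterwards to confirm a TpmPin entry is listed. An alphanumeric PIN is only accepted if Allow enhanced PINs for startup shows 1 above, which is the policy behind the "you cannot use the alphabet in a PIN" observation later in the thread.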

You might like to read this thread; it has some discussion and explanations from when someone had a similar question. Installed Bitlocker does not ask for password on computer start-up! - Windows 10 blog

All of our laptops have the TPM chip, but this is the first one that asks for a PIN or USB. I know how the TPM works, and also you cannot use the alphabet in a PIN (we tried). Otherwise I think once the alphabet gets involved your PIN is now called a passphrase.

Any ideas on how to get the passphrase option again, or could anyone tell me why I would want less security?

Have you looked here: BitLocker - Turn On or Off for Operating System Drive in Windows 10 - Windows 10 blog

> All of our laptops have the TPM chip, but this is the first one that asks for a PIN or USB. I know how the TPM works, and also you cannot use the alphabet in a PIN (we tried). Otherwise I think once the alphabet gets involved your PIN is now called a passphrase.

You need to check Group Policy. Requiring a PIN or USB (or both) and allowing alphabetic characters in the PIN are defined in these two settings. What do you have?


Okay, so I found the answer. I needed to turn off the TPM in the BIOS for this to work; if it is enabled, even with GPO you cannot get it to prompt for a passphrase. I know some might find it weird that we want this, but in my organization we feel a little safer if the computer gets stolen, knowing they would have to get past the encryption password prompt before the Windows login.
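As an added example (the editor's, not the poster's own procedure), this script checks the conditions under which BitLocker will take a password protector on the operating-system drive: no usable TPM (which is why the BIOS change above was needed) and the "Allow BitLocker without a compatible TPM" option of the "Require additional authentication at startup" policy enabled. The registry value names under the FVE policy key are an assumption; the policy itself lives under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Elevated PowerShell on Windows 10 is assumed.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$OsDrive = $env:SystemDrive
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Returns $null when no BitLocker policy has been applied at all.
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

$tpmPresent   = (Get-Tpm).TpmPresent
# Value names are an assumption: UseAdvancedStartup = the policy is enabled,
# EnableBDEWithNoTPM = the "Allow BitLocker without a compatible TPM" checkbox.
$noTpmAllowed = ($pol.UseAdvancedStartup -eq 1) -and ($pol.EnableBDEWithNoTPM -eq 1)

"TPM present                              : $tpmPresent"
"Allow BitLocker without a compatible TPM : $noTpmAllowed"

if ($tpmPresent) {
    # Matches the thread's finding: with a TPM in the machine the setup wizard
    # offers TPM, TPM+PIN or TPM+startup key, not a boot password.
    'A TPM is present: the OS-drive password option is not offered. Use TPM+PIN, or disable the TPM in firmware as the poster did.'
}
elseif (-not $noTpmAllowed) {
    'Enable "Require additional authentication at startup" with "Allow BitLocker without a compatible TPM", run gpupdate /force, then re-run this script.'
}
else {
    # No TPM and the policy permits it: add the password protector.
    $pw = Read-Host -Prompt 'Startup password' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $OsDrive -PasswordProtector -Password $pw
    (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}
```

The trade-off the poster mentions is worth stating plainly: a password-only protector gives up the TPM's measured-boot check, so a tampered bootloader is no longer detected, and the password can be guessed offline against the volume metadata. TPM+PIN, with an enhanced (alphanumeric) PIN and a sensible minimum length set by policy, gives the same "prompt before Windows logs in" experience the compliance officer asked for without losing that protection.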

Glad you got it sorted