BitLocker questions

They can automate the task. Unless they seen you typing the pin and know most of it, it is unrealistic scenario.

I sometimes use my laptop in public, as in on the street, in cafes bars coffee shops etc.

I have Windows Hello fingerprint authentication. I only have to enter Windows password or PIN if fingerprint login failed 3x times. It typically happens only if the finger I use is wet e.g. after washing hands or spilling liquids. Bottom line, I don't usually need to enter password or PIN in public.

When I started using Bitlocker years ago, and was debating whether to use hardware or software encryption for my new SSD, I found information that it would be couple %s, 5% at worst - and that on older machines. I personally didn't notice any battery life difference using Bitlocker software encryption. Bitlocker hardware encryption, on the other hand, definitely won't affect battery (because it doesn't actually encrypt anything, just takes control of drive's internal hardware encryption mechanism). You have software encryption.

TL;DR Bitlocker software encryption shouldn't affect your battery life in any noticeable way. Saying that it doesn't affect battery life is technically wrong, but who cares.

Yes.

Security and usability often don't go hand in hand together. I already have my machine secured against casual attacker. There aren't many people around that could pull off something like Ice Cold Boot attack (video from my previous post), or produce a fingerprint copy good enough to access the laptop within 3 tries - and I'm positively sure I'm outside their scope of interest.

I don't know why other people ignore the people&cameras around you aspect of security. Maybe they don't use their laptops in public much, and are not really aware there easily could be hidden cameras in hotel rooms and even rented apartments nowadays - places where you might leave your laptop when traveling.

 

Yes. Not entering pw = no boot to OS, no access to bios, hd(s) locked (unreadable and locked even if removed form laptop).

Simply bitlock'ed a partition (drive D: in my case). Unlocking it by entering the bitlock pw which was set when applying bitlocker to the partition (TPM not involved).

 

“Threat model” essentially means what is the *realistic* security threat that you face and what sort of appropriate actions can be taken to deal with that.

For most people, their threat model is pretty low: their children/roommates/etc might try to log into their computer or they might be subject to passive malware on the websites they visit (stuff like spam, misbehaving ads, etc). The usual solution to this is to put a (strong) password on your account and to run some sort of anti-malware and anti-virus program. Your average child/roommate/etc won’t try anything more complex than guessing a login password before giving up and moving on, and a decent anti-malware/virus program(s) can deal with any accidental run-ins with malicious links online that you might click.

Another step up might be that you live in an area where house robberies are common and there’s a non-trivial risk to having your computer physically stolen from your house. So in addition to the above solutions, a solution to deal with the hardware being stolen is to encrypt the storage on the machine. That way, when the computer is stolen from the house, a robber can’t just simply try reading the drive on their own computer if they can’t guess your login password (make sure to use an actually good password btw, as a weak password is trivial to break).

Yet another threat model is one that lots of people on the internet *believe* applies to them, but in reality rarely ever does. This is the idea where various government agencies are actively attempting to break into the system over the internet or by being super-sneaky in your house to mess with your computer when you’re not looking, etc. In actuality, unless you’re name is Edward Snowden, Julian Assange, etc, this is pretty much never the case. The solution to try to fight this sort of security attack off would be more complex than either of the solutions described previously.

 

@Starlight5

With the pin and you say its automatic, so isn't that pretty unsafe then since it could type 7000000, 7000001 and keep repeating itself? Thus if you know its 6-20 digits, well if it keeps going one number and then the next etc, isn't it going to hit it because its a pin and no letters? You say unless they see it, its unrealistic. Buts its all numbers though right? I mean couldn't you spend 12 hours typing from 7000000 to 7300000 and eventually get there after many days even if you do it manually? But ifs its automatic, it will hit the pin number?

Could i set up a password as oppose to pin without going through the entire process? Remember when i first did it following that guide, it ask me for a pin but i followed process for password.

Okay if you say your threat model is different than most ppl, but you say most ppl you know use tpm unlock? But how is that the case then since most ppl would use password or pin instead? The other person told me your threat model does not apply to almost all ppl.. he said you should be looking at the most common threats... theft or someone stealing it and putting malware/keylogger etc. So he said your model wouldn't apply to majority of ppl.

Well i understand the camera thing. That makes sense. But that seems really extreme in public. Now if you rent an apartment or airbnb... that does make sense. But still, i think that is so extreme. I mean you could pretend to type other letters when typing it to fool ppl. Example you type pin in atm... even if you dont cover your pin... you could look like you pressing a ton of numbers etc.

@6730b

So to confirm,

You set up bitlocker on windows 10. You set up and secure bios with a password. You say you have to type in a password in order for it to boot. So this is the bios password or the bitlocker password?

Im a bit confused because the bios password is one you need to know and change if a hacker/thief wants to make changes to bios right? Thus the bios password is the one you do NOT need to enter right?

And its the bitlocker password to boot windows 10?

Also what you mention with the partition, is that necessary? I just never heard of that before.

So you don't bother with a windows 10 password right? The guy mentioned that is important if say you are going to be away from your computer for a short time which makes sense.

jarhead

Yea i want to know the security threat that would apply to me. Theft and someone wanting to implement trojan or malware on your computer is pretty much the biggest threat to most ppl. I mean say you have lot of money in your bank account and do online banking. Or that person finds out your credit card info from your computer and start making purchases. They can do that and try to make purchases etc and even though you will get reimbursed by your bank, im not sure if they will get the items etc?

I cant imagine being in public and worried about security camera watching me type my password. First off that person will also have to get my computer as well. Unless the person implemented the security camera or knows to watch you for some reason, then its really something most ppl dont think about.

Starlight5, do you really have all those security concerns where you are located that you do all this for your laptop? Have you had issues when you ran into things like this before where thats why you do it? Because the other guy on the forum said you need to follow basic security threat first... and not threats that almost will not happen to the average user...

 

^^^
- Zero interest here in bitlocking OS, programs etc. keeping that drive totally untouched. Only sensitive files are encrypted, on a bitlocked partition (local disk D: in my case).

- bios pw set for: access to bios, boot of laptop, locking drive(s). Done in 1 minute, makes any (decently recent) laptop and it's drive contents completely useless for anyone but the owner (or completely useless for the owner if he forgets the pw :O)

About a windows pin \ pw, use one if \ when wanted \ needed, don't use one if \ when not wanted \ not needed :O)

And..... 1st move will be to make a full backup on reliable, external media, before starting any kind of experiments. And do a full surface test on the hd.

If going for encryption of a quite full drive, have a fully charged battery + reliable mains, nobody wants to know what can happen if the process is cut midway :O)

 

Whether the person gets the items isn't really your concern. So long as your bank / credit card / etc reimburse you for money stolen from your account, that's pretty much where the concern ends for someone that's a victim of theft.

If your threat model is children or noisy roommates and typical internet issues (which very likely is your real threat model), just locking your computer with a login password and running a decent antivirus (and stop browsing shady sites) is enough to keep you secure insofar as anyone copying something off your computer. Anything beyond that is just excess.

 

Well the thing is im not only talking about your bank/credit card info. I mean if someone puts malware or keylogger on your computer, well your keepass or lastpass is going to be compromised correct?


If i want to right now put a bitlocker pin.. how do i do this? And if i do this, it would be TPM with pin correct? But if i choose password it would be no tpm and password only? Thus best thing is just add a bitlocker pin to boot it for now?


How do i add the bitlocker pin right now without having to go through the entire process again?

 

@Drew1

1. Enable strong PIN via group policy:
https://www.tenforums.com/tutorials...nced-pins-bitlocker-startup-windows-10-a.html

2. Enable Bitlocker PIN by following this guide:
https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/

FWIW I linked the first guide multiple times in this thread, it's sad that you simply ignored it.

I explained my security measures, my threat model, and arguments behind both. I explained pros and cons of other security measures, notably Bitlocker PIN that you are willing to implement, and what additional measures you need to take to make them work as intended and actually improve your security, particularly:
* disable sleep and never use lock so that your Bitlocker with PIN setup is actually more secure than Bitlocker TPM auto-unlock I use;
* protect BIOS from casual low-skilled attacker that can wreck havoc if you don't, and increase time and effort required from skilled hacker to perform the attack.

I also noted that you shouldn't blindly follow someone's threat model - including mine. My security measures may be imperfect from someone's point of view but they work for me, allowing to achieve reasonable compromise between security and usability. I couldn't care less what the other guy on the forum has to say about them, I never asked his opinion or advice.

In all honestly I believe the information and additional links in this thread are enough to decide what exactly you want to implement. Maybe re-read it from the beginning to refresh and systematize the information?

 

Best procedures to implement for eternal 100% security against theft, hacking, ransomware, virus:

- Never store anything on the laptop.
- Never connect to the internet.
- Never power it on.
- Bury it in a remote corner of the garden.

 

@Starlight5

Well the thing is i want to make sure of everything first when I tried anything. For example, it would have been great had i set up the bitlocker pin the first place. But of course at the time, i wanted a password and not pin. And i did not want the pin.

I know everyones security threat is different now based on what you and others said. But the thing was your model is much different from normal people. Example if you are worried about typing your password or pin in public because of security cameras... that probably wouldn't apply to 99% of ppl would you agree on it?

I asked in dell xps 15 9550 forum about bios and was told to check my bios. This was related to about battery life and how i always got very little battery from it when unplugged. I get max 1.5 hours on it when battery is at lowest and screen is 25% bright. This is what i see for bios when i type in start menu and check certain settings.

Bios Version/Date Dell Inc. 01.00.07, 11/2/2015
SMBIOS Version 2.8
Embedded Controller Version 255.255

Thus i never touched my bios right? I got this laptop in late 2016. So could this be the reason my battery has always been bad?

You say

disable sleep and never use lock so that your Bitlocker with PIN setup is actually more secure than Bitlocker TPM auto-unlock I use;
* protect BIOS from casual low-skilled attacker that can wreck havoc if you don't, and increase time and effort required from skilled hacker to perform the attack.

I spoke to someone else on this issue. They said similar to you when you are away from your computer for a bit but don't want to turn off your computer, they say make sure you lock it. I told them i want it to be like okay im going somewhere for 15 minutes and coming back soon. I want to lock it where if anyone tries to use it, they need to enter my windows 10 password. Then when i come back, i click say a button on my computer... then it would ask me for my win10 password to unlock it. I said is this how you do it... click on start... click on lock. That would then lock it. Now you want to unlock it, just type in your win10 password and now you are good to go. They say that is the correct way to do it.

But here you say never use lock? Or you mean something else? So if i want to go outside for a short bit and come by and not turn off my laptop... what is the proper way then? Its not the way i described to another poster and they say thats the correct way? Or it is and you are referring to something else?

Well i understand you don't care about what another person says about your encryption. But for example if i have my encryption set a certain way and i know a lot about this. And say someone else ask me hey i want to encrypt my computer. And they tell me what they want to do... i mean my method which say is a complicated one... let say i use fingerprint scanning or some advanced thing that is called... i would never suggest that to someone. Because the basic threat to most ppl would be ... well another person doesnt want your computer files accessed... and if it gets stolen... well files not accessed... and also what i mentioned.. imagine someone put malware/keylogger via usb and how to protect that.

Im also curious but to those of you here who use TPM, can each of you tell me which method you use? Such as TPM unlock... TPM with bitlocker pin... or no TPM and just a password? Im curious how many ppl use each one.. The thing is i cant imagine majority of ppl use TPM unlock. In terms of security... TPM with bitlocker pin is most secure... then is it password or TPM unlock?

 

So you 'seem' lol to be interested in security ...maybe high time to start with the laptop itself and get it into a decently maintained state.

f.ex, your bios is from the middle ages, see attach. for what should have been installed on that machine over time, as a matter of very obvious obviousity. And probably a ton of outdated\buggy\unsecure drivers as well.

https://www.dell.com/support/home/us/en/19/product-support/product/xps-15-9550-laptop/drivers

 

@6730b


I don't know about bios and never did anything to it. I mean where does it really tell you for security update bios? Wouldn't most ppl not do anything with bios or update it etc?

Does this mean this could be the cause of my poor battery as well?

 

Okay so just to confirm. Right now first thing i should do is update bios right? Now at the moment, i have bitlocker encrypted with tpm unlock and it only has the windows 10 password. I want to do the bitlocker pin as well to secure it at boot. But i should do that later right?


So right now i have to disable bitlocker first before i download bios? Otherwise i would have huge issue if i were to do this while bitlocker is enabled? So do i disable bitlocker just by clicking disable bitlocker and thats it? Or i have to decrypt the hard drive which could take 2 hours since thats how long it takes to encrypt it? Do i have to turn off my windows 10 password or is that fine?


So click on that link... and click view more... and click download Dell xps 15 9550 system bios? Then when its done, just open it and the instructions will be very simple right? And then wait? Others say it should take about 5 minutes but because i never did a bios update ever... could this be longer? So i just wait... when i wait... what will my screen show? So my computer will turn off and have a black screen and then you see it go through the process? Then after its done... my computer will automatically restart and then go straight to my windows 10 screen asking me for my password? Again i don't want any surprises or anything like that when i do this and then suddenly go... oh no what do i click on etc.


Then after all this is done... do the secure bios with password and disable usb boot via by going f2 later on right? But first make sure i disable bitlocker first... then download bios?

 

Why? It doesn't matter if you set PIN before or after.

Why? PIN is more secure than password, being tied to machine. If somebody tries to use that PIN to access your drive on another machine it won't work, he/she will need a recovery key. It must be your machine for PIN to work, otherwise the only way is to type recovery key.

Numeric PIN of limited length is not characteristic of PIN. It is stupid default setting, nothing more. It is easy to make Bitlocker PIN strong, via group policy editor - and you'll need to go there to enable ability to enable PIN for Bitlocker pre-boot authentication anyway, these settings are near each other. So just do it.

Look around you. How many people like to type passwords or pins, instead of using FaceID or fingerprint reader? Most people like authentication to be fast and easy. They don't like the hassle of passwords or pin-codes. Yes, it's less secure. But it's so convenient. You and that other guy recommending Bitlocker PIN are way farther from average users than me. The fact that I can somewhat justify using less secure but way more convenient TPM auto-unlock is the only difference between me and average user who doesn't care how it all works, as long as he can put his/her face or finger and access his/her device. While you and that other guy, craving for more security at the price of much less convenience, are the edge case.

When you use lock or sleep on a machine with Bitlocker with pre-boot (PIN in your case) you are vulnerable to about the same range of attacks as if you were using Bitlocker with auto-unlock, with the added inconvenience of typing Bitlocker PIN every boot.

 

Obviously on the dell driver pages.
A random example:

One of the many bios updates which adresses some serious security flaws, info > https://meltdownattack.com/

----

Any question about this, post in the relevant Dell section of the forum so as to try to stay ontopic here, or go to Dell's own forums.

 

You should suspend Bitlocker (not disable!!!) before running (not downloading!!!) BIOS update utility if you don't want to type Bitlocker recovery key next boot.
Download BIOS update tool -> suspend Bitlocker -> run BIOS update tool. It will reboot the machine and flash the BIOS, let it finish, don't touch laptop until it's rebooted to Windows again.

Alternatively, you can:
download BIOS update tool -> prepare your recovery key -> run BIOS update tool -> wait until BIOS tool does its magic, and after couple reboots Bitlocker asks you for recovery key -> type the recovery key.

Either way works.

 

@6730b

Don't most ppl not read the dell drivers etc? Most ppl who get their computers just turn it on and use it..



@Starlight5


Okay so suspend bitlocker now. Doing that takes just a click and thats it right? Or it takes a while? And just to confirm that you know... i only have a windows 10 password. I do not have bitlocker pin at the moment set up yet. I will confirm with the dell xps 15 9550 thread first on this before i do this as i want a few others to confirm this before i do it.


Download BIOS update tool -> suspend Bitlocker -> run BIOS update tool. It will reboot the machine and flash the BIOS, let it finish, don't touch laptop until it's rebooted to Windows again.


Well why can't i just suspend bitlocker now before downloading the bios update link that 6730b posted? Then once i suspend it... download the bios update. And then run? Someone could easily make a mistake where they download the bios update and then immediately open and run it... Or there is issue with what i posted?



The second step... i certainly don't prefer it as i will have to type in that long recovery key.

 

@Drew1

Yes.

You can do that if you want.

 

If someone was to mistakenly not suspend bitlocker and were to download bios update and download update, the computer will get screwed? Or they only have to enter that bitlocker recovery key to make it normal again. Im just curious about this part.

 

They will only have to enter Bitlocker recovery key, there won't be any problem.

But if you interrupt BIOS update process your computer will probably get screwed. So don't interrupt it, keep the laptop plugged in while it is updating BIOS, don't touch it until you're sure the BIOS update process is finished.

 

Hi there. Okay thanks for that info on the bitlocker suspending.


Okay so to make sure my bios update process don't get interrupted, make sure its connected to a charger and make sure battery is 100% even though that is probably not needed right? Also i have a backup powerbank as well but that is not necessary since you say the bios update takes 5 minutes? But since i never did a bios update ever... could it take much much longer like 15 or 30 minutes or even 1 hour?


Well actually the powerbank won't even matter since well i wouldn't even know if my laptop is running out of battery right since it won't display it? But this should not matter at all but make sure its plugged in and battery 100% and its fine?


How do i know 100 percent my bios is updated? Will it restart itself and go to the windows 10 password screen?


When you say your are screwed... you mean the computer is screwed? Thus you can't use it anymore and its useless? Thus you can't have it repaired at the computer repair shop? So even if you were to replace the ssd with another ssd that won't work? Does this happen often or rarely? Im concerned about this because i never did a bios update ever as you could see with the version i have.

 

Given that your laptop currently has very high power consumption problem (that will probably be resolved by BIOS update) I'd advise at least 50%. In future, when power consumption problem is resolved, 30% or more is OK for healthy battery. But plug the charger anyway.

99.99% everything will be OK and finished within 5 minutes. If it takes longer, either you flashed wrong BIOS and screwed the machine, or you got very unlucky.

Yes.

It will probably be OK after a fix, but fix is not really pleasant to do yourself. Many repair shops will be able to fix it. This happens extemely rarely, mostly with desktop computers when power is interrupted during flashing process (though some of them have protection against such problems).

 

https://www.dell.com/support/home/us/en/19/product-support/product/xps-15-9550-laptop/drivers


Scroll down and click view more


Dell xps 15 9550 bios .... click on download. Then it downloads. Then i open the file... and wait correct? This is the bios file right?


Well if i got unlucky during bios, that means my computer is screwed where i can no longer use it anymore? Does it can't be repaired... is that correct when you say screwed?

 

Okay i just want to confirm its that link i posted... well you cant click on it. You need to click it and click view more and then scroll to Dell xps 15 9550 Bios and click download now. That is the link that 6730 posted for me previously. If so... i then will confirm it with the ppl on the dell xps 15 9550 forum just to make sure before i do this.

 

@Starlight5, just to confirm this... i don't need to disable my windows 10 password right? That is fine? Or should i disable it for this bios update?

 

@Drew1 you don't need to disable Windows password.

 

@Starlight5


thanks. Okay i will wait for a few confirmations in the dell xps thread before i do this. I listed the steps you mentioned and just want a few confirmations from others on this first.


Thank you again.

 

Wanted to ask you. Do you think me not ever updating bios had an effect on my battery as well? I get max 1.5 hours on battery... even if i do lowest battery setting...

 

@Drew1 yes. BIOS updates often deliver not only security fixes, but also other functionality improvements. You generally always want to have latest firmware applied to any computing device.

 

Okay thanks. When i get confirmation from others on the xps 15 9550 thread.. i will do it.

 

@Starlight5


I just want to confirm this as well.


Make sure when i do this, remove everything attached to the laptop right? At the moment, i have a usb hub connected to it that has my wired keyboard connected to it and also a usb to ethernet adapter with the ethernet cable along with it. Thus the hub has 4 ports and one is used for each because i only have 2 usb ports on my laptop. But i could stick the usb to ethernet cable with the usb port hub otherwise... i won't have internet unless i do wifi? The other usb port... i connected a usb port to my wireless mouse. That i could leave in right? So leave the wireless mouse usb to one port and what about my usb to ethernet adapter?


Also make sure i remove the 2 monitors connected to it before i do this?


Thanks.

 

@Drew1 doesn't matter if you have additional devices attached, leave them as is.

 

Alright thanks.

 

@Starlight5


Hey man. I just want to confirm this part as I will be doing the bitlocker pin as well. The 2 links you posted for me... if i want to have letters in my bitlocker pin... I have to do step 1 before doing step 2 right? But if i only want my pin to be numbers only... just do step 2 and not step 1? Thus the step 1 enable strong pin... is basically having your bitlocker pin the option to use letters and characters?


Thank you.

 

I just thought about something that i did not thought previously. My TPM is 1.2. I read the articles and apparently most laptops use tpm 2.0 correct? I read tpm 2.0 gives you only 32 attempts for trying to log into a pin for bitlocker before locking it and only allowing you to try another pin every 2 hours or so.


Do you have tpm 2.0? Now does that mean because my bios is not updated... then updating my bios would most likely make my tpm 1.2 to tpm 2.0 which would give me that security of someone getting only 32 attempts at guessing the bitlocker pin? So i have to go through all the bios updates for my xps 15 9550 to see if this was implemented in any of the bios updates? Or is the tpm what you have typically what you always have?

 

no. So you did not find it worth the effort to spend any time looking through the Dell driver website.

 

@Drew1 e.g. my laptop has discrete (separate chip) TPM1.2 and firmware TPM2.0 (Intel PTT), I can switch between them. I use TPM2.0 because I have problems with fingerprint reader and TPM1.2. After updating discrete TPM1.2 firmware as advised by @6730b check your BIOS settings, it can probably do Intel PTT TPM2.0 too unless it's too old.

Yes to all.

 

Hi there. I only looked through bios... i did not look at anything else...

I see that now. So i should download the tpm 2.0 then? Or just stick with what i currently have which is tpm 1.2? And when i download it and run it, its very smooth right? Now would i need to suspend bitlocker or do anything like this before i download and install tpm 2.0? Since at the moment i have tpm unlocked 1.2 and currently using it? Does it automatically make the tpm 1.2 to 2.0 while keeping the current security which is tpm unlock?

 

Okay so you suggest me update that tpm1.2 firmware, i can do this with my computer as is.... tpm unlocked right? I do not need to suspend bitlocker or anything like that?


Okay thanks for confirming the step 1 and 2 thing.

 

@Drew1 I only performed TPM firmware update once on couple machines, to patch recently discovered vulnerability, don't remember much. You might need to suspend Bitlocker, but even if you do, get your recovery key ready just in case Bitlocker asks for it anyway.

 

@Starlight5


Okay im going to do the bitlocker pin right now. Are you going to be here for the next 15-20 minutes or so?


Right now I do not want to install the driver for tpm update. I will just use the tpm 1.2 that i currently have. Is that fine for now?



1. Im looking at those 2 steps for the enhanced pin and to enter a bitlocker piin. I do want to do enhanced pin as i could add a few letters into it as oppose to all numbers. I did read that it says before you do this.

Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup to verify that enhanced PIN characters can be used.


This is what it says below as a system check

14. Uncheck or check (recommended) the Run BitLocker system check box for what you want, and click/tap on Continue when ready to start encrypting. (see screenshot below)
Note



Then it shows pictures of it. I did this last time when i installed bitlocker right? So my computer will 100% support the enhanced pin?


Or would you say don't bother with it and just do the bitlocker pin as is? Because my pin would be a long number but i thought maybe its a good idea to add a few letters or characters in between or something. Do you like this idea or not? Of course the issue is the more you put... the higher chance you could forget your enhanced pin.




2. So whether i do step 1 or not and go to step 2, when i enter my bitlocker pin or enhanced pin, it doesn't show the numbers or letters when im typing it right? Also you type it twice to confirm it is the same right? The thing is when i do it now... i have to do it through that command prompt as oppose to like how it looked normally when i first was setting it up right?


So once i type in the pin twice for it to confirm it... i now have a bitlocker pin. Then the next thing i should do is restart my computer or turn off my computer then start up. Then when it loads, it immediately will go to boot where i just have to type my bitlocker pin correct? Then once i do that, it goes straight to my windows 10 password screen where i then enter my win10 password?



Thank you.

 

Also have you ever set up a bitlocker pin before? Thus set it up once once or twice and then got rid of it just to test it out first?

 

When i get the notification from you, i will reply within 5 minutes.


Also when i restart the computer after i enter the pin.... the screen would show it asking me for my bitlocker pin correct? Then once i enter that... it would shows the windows 10 startup... then windows password screen? Just want to know all of this as i do not want any surprises. At first i thought the bitlocker pin screen was going to be like like that screen with the command prompt for you to type the pin in at startup...

 

@Starlight5


I did the step 1. Step 2 i followed. Both show enabled for require additional authentication at startup and allow enhanced pins for startup.


Then go to start menu and type in command prompt


I type this in

manage-bde -protectors -add c: -TPMAndPIN



I get message


Error: An attempt to access a required resource was denied.

Check that you have administrative rights on the computer.




It looks like this on the line that im typing on


c:/users/drew/manage-bde -protectors -add c: TPMandPin



I also tried putting 2 spaces between the c: and TPM since a colon... there is suppose to be 2 spaces after. I get the same error message...

 

drew is my username on my windows computer... well its not that but you get my point.


I did not leave any space between the drew/manage


I always made one space between every other word next to hyphen etc. The only thing i tried to space bar twice was right after the colon. But one space after colon or two space... i still get this error message.


Why do i have this issue? Does it have something to do with my admin rights or anything like that? Also certain programs on my laptop when i open, some does have the user active control message do you want to allow this app from an unknown publisherr to make changes to your device? The reason is because those programs on my computer, its related to what i do, i was told to do that as oppose to clicking on it and it opening as is ... as it works that way for those programs.


Or is its somewhere with the number of space bars?

 

Article says

To do this, launch a Command Prompt window as Administrator. On Windows 10 or 8, right-click the Start button and select “Command Prompt (Admin)”. On Windows 7, find the “Command Prompt” shortcut in the Start menu, right-click it, and select “Run as Administrator”

Run the following command. The below command works on your C: drive, so if you want to require a startup key for another drive, enter its drive letter instead of c: .

manage-bde -protectors -add c: -TPMAndPIN


When you right click start button, the options are

windows explorer
open
open all users
settings
help
exit


Where is the command prompt? I just clicked on start menu and typed in the word command prompt and it showed up and i clicked on that. So what i did is incorrect? But when i right click start menu... where is the command prompt (admin)?


Do i type in command prompt on start menu and instead of clicking it when it shows up, i have to right click it and run as administrator?

 

Looks like chaos, with no practical understanding of anything.

Am not expecting that this was done:

= impossible recovery from possible (forthcoming and self inflicted) encryption catastrophies.

Basically, seems the real danger laptop and data is subjected to is not hackers or thieves, but OP himself.

 

@6730b


I did back up programs like keepass and my important documents on my laptop into an external hard drive. Thus the important files.


But are you talking about a complete full backup like the macrium reflect where it copies everything exactly like how my setup is like? If so... i did not do this. But im planning to do this afterwards.

 

This.

Type the commands exactly as they are in the guide. Don't put spaces where there are not supposed to be any, don't add additional spaces, don't change commands themselves - you can only change their arguments but not commands themselves, because if you change commands they won't work. Copy-paste commands and adjust them to your situation if you're not sure if you're typing them correctly.

 

@Starlight5


Okay im going to do it now.


By the way, so after I enter my bitlocker pin twice. Then i restart my computer right? Then it will ask me for my bitlocker pin ... then i do that... then it starts up windows like it does now for me... then windows 10 password right? I will do this when i get a reply back.