Bitlocker Question

I just looked at a very old thread I created a while back and saw I cannot post anything to it anymore so I create a new thread.


So last year or so, I asked about bitlocker and was able to get it enabled on my windows 10 pro dell laptop. I recall i put a pin in it... so everytime i turn on laptop, it ask for me my pin. There was lot of confusion when i did this because i recall there were like 3 ways of doing it... which involved something like


Pin with TPM
Pin without TPM
Password?



Is that correct? What I did was i put in a pin. So everytime i turn on laptop, i type in pin, then I also put a windows password as well.. then after that, it go to my desktop etc.



Recently, I removed both the windows 10 password and turned bitlocker off because I wanted to clone my old ssd into the new ssd which I did successfully. I read you should always turn off bitlocker when cloning. So now, I been using my laptop without any bitlocker pin and windows 10 password at startup.



Now I want to make sure I do this correctly like the first time I did it.. Now because i turned off the bitlocker pin... does that mean when i turn it on again, i will have to do it exactly like how i did it the first time? Or could I turn it on and it would be same pin? Or it would be brand new and thus i have to type in an entire new pin? Now when I do this, if i choose pin... do i pick it without TPM or TPM? Also... when you select pin... does it have to be numbers only? Or could i pick numbers or letters or combination of both?


Also I asked this last time but the 3rd option of password is not the same as pin with tpm or without tpm? Like Password isn't secure?

 

Also I recalled last time, I saved a bitlocker recovery key file as well. I still have that. But is that useless now?


The thing is I do want to type in a new bitlocker pin this time compared to the one I typed last time.

 

Yes.

No. But you can make it the same as before.

Yes.

Pin with TPM.

No. Numbers only is very stupid on many levels.

Yes.

PIN is machine-specific, password is machine-agnostic. In other words, PIN is tied to particular machine you use the drive in, while password is not.

Yes.

 

Thanks. But I think i put a pin last time without TPM because my laptop didn't have TPM. That is possible right?


Starlight, can you help me again later on step by step on this like you helped me over a year ago on this?


I would be doing it on my my dell xps 15 9550 windows 10 pro laptop... but will respond back to your posts on my chromebook.


So that mean that bitlocker recovery code file i have right now is completely useless then?


I'm confused why because wouldn't that revert my laptop to exactly how it was though at the time I created the bitlocker recovery code?

 

Your laptop has at least one TPM - firmware TPM embedded in the CPU. It may also have a discrete TPM, sitting on a separate chip.

I can try.

Yes.

Bitlocker encrypts a storage device with different encryption key every time. State will be the same, but key will be different.

 

Thanks starlight. Will you be online tomorrow for like a 20 minutes or so straight? I just want to make sure you are available online so I can do it while you are here so if there is something im not sure what to press, then I will ask you... like last year when you helped me with this.


I will make sure i write down the steps on paper this time so if i ever do this again, i can do it myself.


Also when i first try to do this, I need to click turn on bitlocker, then im going to wait about 1.5 to 2 hours right for it to encrypt? Or i have to do the entire tpm thing first? The tpm or without tpm or password was the thing i was confused last time because it gave me different options.

 

As far as I know, you can do either.

Let's do a quick roundup of your options:
1. TPM with PIN - you enter the PIN when you boot the machine, the drive can only be accessed with PIN on your computer, other computers will need a recovery key to access the drive.
2. TPM without PIN - no pre-boot authentication whatsoever, as we determined before this is not enough for you
3. Password (without TPM) - you enter the password when you boot, the drive can be accessed with password on any computer.

The difference between TPM with PIN and password is that password definitely needs to be long & strong, because otherwise it will be easy to bruteforce, while due to use of TPM, PIN can be shorter (although still strong, obviously) without affecting security much, because using your own machine for trying to bruteforce the password is far less convenient for attackers, and TPM will lock them out for some time after a bunch of failed attempts.

Note that you will have to use hibernation instead of sleep. If you use sleep, it defeats the whole PIN/password thing - so don't.

Now, the instructions:
1. Launch Group Policy Editor gpedit.msc
2. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
3. Enable the following settings:
* Require Additional Authentication at Startup
* Allow enhanced PINs for startup
4. Encrypt the drive with your desired setting
5. Disable sleep via power settings. You need to adjust the following settings in your power profile(s):
* Sleep after -> 0
* Allow hybrid sleep -> Off
* Hibernate after -> adjust to setting you believe most appropriate, you'll be using this instead of sleep
* Allow wake times -> Disable
* Lid close action -> Hibernate
* Power button action -> Hibernate or Shut Down, depending on your preference
* Sleep button action -> Hibernate

 

Thanks for that information Starlight. Well what I did last time was TPM with pin right? For some weird reason, I thought it was some other method because I recalled my laptop for some reason didn't had TPM 2.0 or something like that when my laptop only had TPM 1.4? For some reason, this came to my mind. Or am i completely mistaking this all wrong. Yea i remember there was 3 options... and obviously option 2 makes no sense TPM without pin. How many TPM versions are there?


Why would anyone even choose option 2 then? I mean that is basically no security at all since when you turn on laptop, it goes to your desktop anyway? But it has TPM so im confused why would anyone choose this? How is it even any security then? I mean might as well do nothing then as oppose to TPM without pin or what im missing here?


Oh so the password option isn't as secure as the TPM with Pin which makes sense. But the TPM with pin option mean there is only a certain number of attempts you can do before the laptop locks up? Do you know how many attempts is that? A few times i have entered my pin incorrectly... i think once i entered it wrong 2 times in a row... then enter it correct and it was fine. But with passphrase, someone can brute force it as many attempts as possible... okay make sense then for security to not choose this.


I never sleep my laptop. I either turn it off or lock it. But of course you and some mentioned that the windows 10 password isn't secure at all and someone with enough time go bypass that easily right? Thus you said if you going to be away from your laptop for a while, you mentioned just turn it off.


But if i decide to hibernate my laptop... say i want to go outside for an hour or so and want my laptop to feel secure... i hibernate it so i could restart it quicker then turning on my laptop right? But when i hibernate, are all the programs that i have currently on my laptop still there? Because back then if i was going to leave my computer turned on in my apartment for an hour or more, i typically just powered it off as oppose to just locking it.

 

If I recall correctly, yes.

The only relevant ones are 1.2 and 2.0. Everything before 1.2 is obsolete.

For starters, it is the default option. Next, it allows not only PIN or password unlock options, but also biometric options (fingerprint, face unlock) - which are less secure in most situations, but more fast and convenient than typing a long and complex password or PIN.

Only if you don't setup any Windows authentication. Otherwise, it goes to Windows login screen. The drive unlocks only after you authenticate in Windows.

It is less secure in theory. In practice, however, TPM may be flawed and vulnerable to skilled hacker attack, so password may end up being stronger. But password definitely needs to be long and complex for that.

Yes.

No, I didn't research that. Here is a good starting point for your research.

When locked, it is at best as secure as when it sleeps. If you don't use Windows authentication setup, only pre-boot authentication - then it is not secure at all when locked or asleep, thus you should not use either.

I honestly don't remember saying that windows 10 password isn't secure at all. But without pre-boot authentication, a machine without memory encryption can definitely be hacked by a skilled attacker. Newer machines with memory encryption (Ryzen Pro) are much more secure. Also, a lot depends on your threat model.

In your scenario (TPM+PIN), it's shutdown or hibernate.

Not sure about the quicker part, but like when you lock or put computer to sleep, all your programs with the work you were doing when you entered hibernation are restored.

Hibernation basically dumps memory to disk, then shutdowns the machine. When you wake the machine from hibernation, it needs to access your disk, but with pre-boot authentication can't read its contents unless you enter the correct PIN or password. Thus, hibernation with pre-boot authentication is pretty secure.

As I already mentioned, locking a machine without Windows password is pointless. And even if you have both pre-boot authentication and Windows authentication, locking or putting the machine to sleep degrades your security very noticeably, making it less secure than locking it or putting it to sleep while using Windows authentication and TPM without PIN for Bitlocker.

There is no point using Windows and pre-boot authentication simultaneously, in my opinion. You should use one of them, not both.

 

Hey thanks for the response. Okay option 2 where you have TPM but no pin... yea that was the thing i was curious about since its like how thats secure... and now you mentioned... well you have that windows 10 password that protects you. I remember that now. But many ppl have said a long time ago... that windows 10 password is completely useless and anyone can bypass that easily. So that is true right? HOWEVER, its not true if you have TPM without pin but do have a windows 10 password. Is that CORRECT?


Okay tpm 1.2 and 2.0... that rings a bell. Im pretty sure i have tpm 1.2 then because i remember when i did it last time, i mentioned my tpm was only so and so version and not 2.0.


Okay but for me, you still recommend tpm with pin as oppose to password right? Again, my threat would basically be my laptop being in someone's possession and seeing whats in there... but the bigger threat would be if they were to do something funny to it as malware/keylogger, then i use it as if nobody touched it. Yes i know that situation is rare but I just want the computer to be unusable for someone without a pin/password. So that tpm without pin thing... you would not suggest that to nobody right? Like for almost everyone, either pin with tpm or password? The password you mentioned there is unlimited retries... that is scary since someone could literally brute force it as much times as possible right?


Yea i know if you use bitlocker only but don't have windows password, well that isn't secure because if you lock it... that doesn't do anything at all.


I had no idea laptops with ryzen pro are more secure. But that make sense those other processors would be in a way.


I'm confused with your last line. What do you mean by that? Preboot authentication is bitlocker... and windows is windows 10 password right? And you say you should use either both of none or am i mistaken here? Because as you know, my bitlocker setup previously was bitlocker pin.... then you need to type in the windows 10 password in order to get to desktop. So you are saying i shouldn't have both? Well the bitlocker pin should always be there... so no windows 10 password? Or am i mistaking what you say here when you say windows in the last line?


I want to do the bitlocker thing later today or tomorrow. Do you know typically when you are free starlight? Im not sure where you are located but can you tell me exactly how many hours from now typically you are free for so I could also be online during the time that you are on? Thanks.

 

Hey starlight, I am on the forum now so whenever you post, I will reply very soon as im trying to get this done tonight or tomorrow. I just don't want to be stuck in a step where I forgot exactly what to do.

 

@Starlight5


At this part in the process


I see how it shows allow for each one. But there is also option to make each require. I assume you make it allow for each? I saw lot of arrows in the tensforum diagram and I thought it made you make each to REQUIRED. But that is incorrect right?


Configure TPM Startup - Require TPM
Configure TPM Startup Pin - Require startup pin with TPM
Configure TPM startup key ; Require startup key with TPM
Configure TPM startup key and Pin - Require startup key and pin with TPM


Each of these should be ALLOWED?


Then I got message


This pc requires a startup option that isn't supported by bitlocker setup. Please contact your system administrator to turn on bitlocker.


Another person on forum tell me I should change it to ALLOW for each. But when I do this... i get this message



Starting Bitlocker


The path specified in the boot configuration data BCD for a bitlocker drive encryption integrity-protected application is incorrect. Please verify and correct your BCD settings and try again.

 

What kind of message is this? I never had these error messages last year when I tried to do this...


I googled that message and apparently some people said this has to be related to a hard drive swap?


I mentioned not long ago, I cloned from my old 2.5 inch 250gb ssd into my new 1tb samsung 970 evo nvme without any issue.


I had removed the useless 32gb m.2 ssd that was in it before the cloning process and also removed the 2.5 inch ssd from my laptop as now i only have one hard drive on laptop... this was due to make room for the larger new battery I bought.


And when i turned on my laptop with the new cloned 1tb samsung 970 evo nvme, it had no issues at all.


But I need to make some setting change here? Like is it because bitlocker does not recognize this drive and recognizes the empty 2.5 inch drive instead which is right now empty?

 

@Drew1 I am not finished with typing reply to one of your previous posts (=

Try this first:
https://support.microsoft.com/en-us...y-to-run-the-bitlocker-drive-encryption-progr

If it doesn't help, try this:
https://answers.microsoft.com/en-us...-install/5875e74d-28f8-486d-839b-d69f94ddd486

Try reverting to default settings, then applying settings I suggested.

 

Hey man okay i will look at those boot settings.


Just to make sure...


I"m following the steps here when doing this bitlocker process again


Step four i got confused because it should be ALLOW for each one right? In that diagram, i thought it meant to make each ALLOW into REQUIRED. It doesn't give option of default setting so im not sure what setting it should be... I think it should be ALLOW for each.


Also I need to make sure i enable allow enhanced PIN right? I did that because i recall if i don't, then it would only allow me to use numbers right and also limit me to a four to six digit number only? Thus that would be completely unsecure right? I want to mix letters and numbers and long one.


https://www.tenforums.com/tutorials...cker-operating-system-drive-windows-10-a.html

 

* If you don't have Bitlocker encryption, Windows password is completely useless and anyone but the most clueless will hack the machine regardless.

* If you have Bitlocker TPM without PIN, you rely on Windows authentication to unlock the drive. It is reasonably secure, but not as secure as Bitlocker TPM with PIN, because you have increased attack surface noticeably. The problem with this option, in my opinion, is mostly vulnerable hardware, not the implementation itself. With proper modern hardware (Ryzen Pro) it should be mostly secure.

* If you do have Bitlocker TPM with PIN, the drive is unlocked when you boot, but also locks only when the matchine shuts down or hibernates. So if you use Windows authentication as well, then lock or put the machine to sleep, your encryption key is still RAM, the machine is still vulnerable unless it is shutdown or hibernates, it gives you false sense of security and wastes your time typing second password.

It depends on a threat model. In my threat model, an unskilled attacker who got the PIN/password from camera recordings or just snooping, is a much more prominent risk than skilled attacker who would bother messing with my laptop to exploit its hardware vulnerabilities. Thus, I use TPM without PIN + fingerprint unlock, and use sleep or lock instead of hibernation.

I know the limitations of such setup. Hardware can be exploited, fake fingerprints can be made. But both options require a motivated skilled attacker and some effort, which are much less likely in my scenario than typing of PIN/password being recorded on camera, flushing all security measures down the drain.

 

It should be ALLOW.

 

Okay well I will do it exactly like how I did it last time. The tpm with pin... pin is my long password mixed of numbers and letters.







I need to do ALL OF THESE STEPS to solve my issue right now? So this error I got is because of me switching hard drives then? When i look at the steps i followed on tenforums, i dont see any mistake I did there.


Symptoms
0" style="box-sizing: inherit; outline: none;">
When you try to run the BitLocker Drive Encryption program, you receive the following error message in a BitLocker Drive Encryption Error dialog box:
Cannot run.


The path specified in the Boot Configuration Data (BCD) for a BitLocker Drive Encryption integrity-protected application is incorrect. Please verify and correct your BCD settings and try again.

Cause
0" style="box-sizing: inherit; outline: none;">
This problem occurs if one of the following entries in the Boot Configuration Data (BCD) store points to the incorrect partition:

• Windows Boot Manager
• Windows Memory Tester
• Resume from Hibernate

Resolution
0" style="box-sizing: inherit; outline: none;">
To resolve this problem, edit the following BCD entries:

• Windows Boot Manager
  Set this entry to point to the system partition. To do this, follow these steps:
  1. Click Start
     
     , click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
     
     
     
     If you are prompted for an administrator password or for confirmation, type your password or click Continue.
  2. At the command prompt, type bcdedit -set {bootmgr} device partition=S:
     
     Note In this command, S: represents the drive letter for the system partition.
• Windows Memory Tester
  Set this entry to point to the system partition. To do this, type the following command at the elevated command prompt:
  bcdedit -set {memdiag} device partition=S:
  
  Note In this command, S: represents the drive letter for the system partition.
• Resume from Hibernate
  Set this entry to point to the operating system partition. This partition is also known as the boot partition. To do this, follow these steps:
  1. At the elevated command prompt, type bcdedit -enum all.
     
     Note the identifier value for the Resume from Hibernate entry.
  2. At the elevated command prompt, type bcdedit -set {identifier} device partition=C:.
     
     Note In this command, identifier represents the identifier value for the Resume from Hibernate entry in step 1 of this procedure. Also, C: represents the drive letter for the boot partition.

 

Thanks... that is what I thought. Also I have to make sure to turn on Enhanced pin right? I mentioned the reasoning in my post a bit above. I dont why anyone would not turn it on?

 

Yes. I also don't understand why it is not enabled by default, it is very stupid...

You can do them one by one and check each time if the issue is solved or not, if you want. It will be faster if you do them all, then check.

 

Okay yea the enhanced pin not enabled just made no sense.


I tried first step of right click command prompt and run as admin... then they want me to type in those weird words... I will try now.

 

1. At the command prompt, type bcdedit -set {bootmgr} device partition=S:
   
   Note In this command, S: represents the drive letter for the system partition.

I typed this and I got message the device is not valid as specified. Run "bcdedit /?" for command line assistance.
The parameter is incorrect.



Am i even typing this correctly?

bcdedit -set {bootmgr} device partition=S:


I typed this in... but not sure if I need to Bold the S? Also those things around bootmgr is { } as oppose to [ ] right? This is confusing as Im not sure how many spaces im suppose to leave after each word as it seem to be one space?

 

@Drew1 you should use the letter of your system drive (most likely C) instead of S.

 

I keep getting message


bcdebit is not recognized as an internal or external command, operable program or batch file...

 

@Drew1 you should type bcdedit, not bcdebit. just copy-paste commands from the article and correct the drive letter, and you should be good.

Code:

bcdedit -set {bootmgr} device partition=C:

 

Okay just noticed i typed in bcdebit instead...


when i typed the first step it shows


the operation completely successfully


So i should turn on bitlocker now?

 

So I did step 1 in that link you gave me... now since it showed operation completely successfully... try to turn on bitlocker now to see if it works right?

 

Do you want me to do the other step 2 and 3... then turn on bitlocker? Or just right now turn on bitlocker to see if i get the error?

 

Okay I did step 2 as well and message shows operation completed successfully.


The last step... Resume from Hibernate... I will do now...

 

Okay im doing step 3... but when im trying to do the second part of step 3... it doesn't seem to work?

In the first step of step 3... it did show a ton of words as i entered it correctly....

What am i typing wrong in the final step here?

 

@Drew1 at this point, try running the encryption if you didn't already and see if it works.

 

Hey. But do you see any risk of me doing this even though i only did the first step of step 3 only?


Im worried there might be some conflict... would you be concerned about this at all? Now if i didn't do step 1 of part 3.... would feel more safer...

 

Do you know how long you will be online for? Its getting late here and I know if i turn on bitlocker now... it would take like 1.5 hours at least to encrypt the whole drive since i have over 200gb....


Would you recommend me do this tomorrow instead? Or would you still be availble on the forum in about 1.5 hours? Just don't want to get stuck with an issue and not knowing what to do...

 

@Drew1 there isn't any risk. Steps 1-3 are to address the error you're getting. Either of them can solve the issue. Or none of them, if you're unlucky, then we'll have to look for other solution.

 

I'll probably be unavailable for a while, but you shouldn't have any problems with Bitlocker after you encrypt. So far we can't start the encryption process. I'm sure once we address that and start it, it will be smooth sailing for you.

 

Okay i will try the encryption now with turn on bitlocker... okay? Will you still be available in a bit? You suggest me just turn on bitlocker now then right?

 

Im getting the same error right now still when I click on turn bitlocker on.

 

@Drew1

In elevated (Run as administrator) command prompt, run:

Code:

bcdedit -set {memdiag} device partition=C:

Next, run:

Code:

bcdedit -enum all

It will give you tons of stuff. Among it, there is a section dedicated to Resume from hibernate. First string there is a bloody long identifier. Copy it somewhere.

Your next step would be running:

Code:

bcdedit -set {identifier} device partition=C:

but instead of "identifier", use that bloody long alphanumeric string that you copied before.

 

I closed command prompt earlier. I tried to type in the 3rd step ... and it doesn't work at all. So apparently i have to do the entire 1-3 steps then?

 

@Drew1 you only need to do third step. Copy its full output here (text, not picture) and I'll conjure you a correct command, if it doesn't work out for you.

 

Okay so you want me to do all the steps over... got it...


But i dont get what you want me to put in place of identifier? You say the long alphaanumeric string i copied before... which is that?

 

Hey, sorry but I"m confused. You want me to type only step 3... the way its on the site link you gave me? Or what you typed above and then i type that?


Because you typed in memory... and I don't see that on that site link you gave me... or that is to check my memory because i mentioned I got bad ram from checking it? Sorry im getting so nervous right now. so im going all over the place.

 

@Drew1 in elevated command prompt, type this:

Code:

bcdedit -enum all

Copy all the text you get there and send it to me in a private message.

 

I typed in that memdiag line you put and it shows operation successful.

 

Great. Now type:

Code:

bcdedit -enum all

and either pm the results, or post it here.

 

okay.

 

Hey is there something specific you need to look at? I cant copy/paste it as its in command prompt and its really long.


I see firmware boot manager, windows boot manager, ton of firmware application


Its below memory tester where few rows down it shows

Ram Defects

Identifier {badmemory}



Are you looking at the bad memory here or to see why it wont turn on bitlocker encryption?

 

Instead of identifier, the long alphanumeric string... do you mean the very long number and letter that is under Resume from Hibernate?

Its like

xxxxxxx-xxx-xxx-xxxxxx-xxxxxxxxxxxx


Is that it?

 

Yes.