The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Bitlocker: How to force PIN input before laptop can be used?

    Discussion in 'Windows OS and Software' started by Rad Gravity, Apr 3, 2015.

  1. Rad Gravity

    Rad Gravity Notebook Enthusiast

    Hello everybody:

    New Lenovo T550 here with TPM 1.2 & Windows 8 Pro. I set up a TPM Recovery Key and saved the file to a removable drive. I then set up BitLocker but it never once asked me to create a PIN. The drive is encrypted but when I shut down/restart, the computer boots up without asking for a PIN. I saved the BitLocker recovery key to a removable drive & also printed a copy.

    1. How can a PIN be created for Bitlocker, and how can the user be forced to input the PIN before the Windows login screen pops up?

    It seems odd to me that the drive is encrypted but the only password basically unlocking the whole system is my one username and account...
     
  2. HTWingNut

    HTWingNut Potato

    Why is that weird? How is a PIN any different than a password? If you have a strong password nobody can enter. And PIN is really to prevent direct DMA access, and most laptops don't have direct DMA access.

    But if you must, you may have to enable it in your BIOS, and/or also you have to edit it in group policy. See this site for more information: http://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/

    Or more specifically for T500 here: https://forums.lenovo.com/t5/Windows-7-Knowledge-Base/Adding-pin-to-Bitlocker/ta-p/392889
     
    Last edited: Apr 4, 2015
  3. Rad Gravity

    Rad Gravity Notebook Enthusiast

    Thanks! That was helpful. It is more secure to require Bitlocker to request a PIN before booting up into Windows. It is also a good idea to never put your Bitlocker computer into sleep or hibernation (always shut it down) because it allows adversaries to attack the system & gain access to the keys.

    To make BitLocker require a PIN and/or USB before booting up into the Windows login screen:

    Run CMD under elevated privilege and type:

    manage-bde.exe -protectors -add c: -TPMAndPIN

    Make sure group policy has been set to REQUIRE PIN AND/OR USB first.
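
The check and the command from the post above, as an added PowerShell example that is not part of the original thread: it reads the startup-authentication policy from the registry, lists the key protectors on the OS volume, and adds a TPM+PIN protector only when policy permits it. The `C:` mount point follows the post; the registry path is where the "Require additional authentication at startup" policy is stored, and the script assumes an elevated prompt on Windows 8 or later.

```powershell
# Added example: does this machine prompt for a BitLocker PIN before Windows boots?
$mount  = 'C:'                                     # OS volume, as in the post
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'  # BitLocker group policy values

# 1. Group policy "Require additional authentication at startup".
#    UseAdvancedStartup: 1 = policy enabled
#    UseTPMPIN:          0 = do not allow, 1 = require, 2 = allow
$policy = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
$pinPolicy = 'not configured'
if ($policy -and $policy.UseAdvancedStartup -eq 1) {
    if     ($policy.UseTPMPIN -eq 1) { $pinPolicy = 'required' }
    elseif ($policy.UseTPMPIN -eq 2) { $pinPolicy = 'allowed' }
    elseif ($policy.UseTPMPIN -eq 0) { $pinPolicy = 'blocked' }
}

# 2. Key protectors currently on the volume. A volume that shows only
#    "Tpm" (plus recovery protectors) unlocks at boot without any prompt.
$vol    = Get-BitLockerVolume -MountPoint $mount
$types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
$hasPin = [bool]($types -match 'TpmPin')   # TpmPin or TpmPinStartupKey

[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    ProtectionStatus = $vol.ProtectionStatus
    KeyProtectors    = $types -join ', '
    PinPolicy        = $pinPolicy
    PreBootPin       = $hasPin
}

# 3. Add the protector only when it is missing and policy permits it.
#    This is the PowerShell form of: manage-bde -protectors -add c: -TPMAndPIN
if (-not $hasPin) {
    if ($pinPolicy -in 'required', 'allowed') {
        $pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
        Add-BitLockerKeyProtector -MountPoint $mount -Pin $pin -TpmAndPinProtector
    } else {
        Write-Warning "Startup PIN policy is '$pinPolicy'; set the group policy first."
    }
}
```

Re-running the script after a reboot should show `PreBootPin` as `True` and a `TpmPin` entry in `KeyProtectors`.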
     
  4. radji

    radji Farewell, Solenya...

    You can always set a BIOS password or hard drive password (if your system supports it). They won't be able to access anything without entering those codes first.
     
  5. LTBonham

    LTBonham Notebook Evangelist

    I thought the point of TPM was to maintain security without the need for a PIN at boot. If you have a password for login, and a TPM (drive will only function in that particular mobo) then you should be good. I am not an expert on the matter though.