Solved Bitlocker issue

antares

Hi, I have a Win8 Pro laptop with a single SSD. I just encrypted the entire drive using Bitlocker. The process prompted me to save the recovery key, which I did to an external drive. The encryption was successful but nowhere during the process was I prompted to choose a password. So I have the drive encrypted but when I reboot it does so normally without asking me for a key or password to access the drive. Did I do something wrong? Thanks.
 

My Computer

System One

  • OS
    Windows 8.1x64 Pro
    Computer type
    PC/Desktop
    System Manufacturer/Model
    self made
    CPU
    Intel Core i7 6700K
    Motherboard
    Asus Z170-A
    Memory
    Corsair Vengeance LPX 32GB (4 x 8GB) DDR4 2400MHz
    Graphics Card(s)
    Intel HD Graphics 530
    Sound Card
    Onboard Realtek HD
    Monitor(s) Displays
    LG 23EA53 23" LED IPS
    Screen Resolution
    1920x1080 32bit
    Hard Drives
    Samsung 256GB 830 Series SSD main+HGST 4TB 7200RPM as 2nd internal
    PSU
    Thermaltake Toughpower Grand 850W TPG-850M
    Case
    Corsair Obsidian 650DW-1 Midtower
    Cooling
    Noctua NH-D14
    Keyboard
    Logitech K800
    Mouse
    Logitech M510
    Antivirus
    NIS2014
Hello Antares,

Does your PC's motherboard have a TPM?


Did you do steps like in the tutorial below?
If so, then this would be normal if you have the USB flash drive connected while the PC boots. When the PC boots, it will automatically read the startup key from the connected USB flash drive, and allow Windows 8 to start.


Hope this helps, :)
Shawn
 

My Computer

System One

  • OS
    64-bit Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Custom self built
    CPU
    Intel i7-8700K OC'd to 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G7 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    OCZ Series Gold OCZZ1000M 1000W
    Case
    Thermaltake Core P3
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gb/s Download and 35 Mb/s Upload
    Browser
    Internet Explorer 11
    Antivirus
    Malwarebyte Anti-Malware Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
Hi Brink, yes, the laptop does have TPM. I don't know exactly what TPM is or how it works, or if my laptop's TPM is hardware or software based. In any case, I tried booting both with the USB flash drive connected and unplugged and even when unplugged the laptop boots normally without any restrictions, even though Bitlocker as I said encrypted the whole drive.
 

That would be why then.

The Trusted Platform Module (TPM) is a chip on the motherboard.

The startup key is stored automatically on the TPM when you have a TPM, and is why it's unlocked at startup. :)

If the hard drive was removed from the PC, then it would not be accessible.

You could open the Control Panel (icons view), click on "BitLocker Drive Encryption" icon, expand "OS drive", and see if you may have an option to add a password to have to enter it at boot before being able to unlock the OS drive.
 

Hi Brink, thanks for your follow up. I understand what you said, however, what if my laptop is stolen? Then Bitlocker with TPM is useless, because I checked Control Panel/Bitlocker Drive Encryption and under the OS drive ("C") there is no option to add a password, and the thief would have unrestricted access to the hard drive.
I checked the BIOS and there is an option to set a machine access password, but then this isn't Bitlocker related and offers a lower degree of protection than encryption.
Is there a turnaround to this? I mean a way to set a TPM machine access password? If not I guess I will try TrueCrypt.
Thanks again.
 

I don't have a TPM to work with, but you should be able to set group policy in step 1 of OPTION ONE in the tutorial below for this. Afterwards, check in Control Panel/Bitlocker Drive Encryption under the OS drive to see if you have any option to use a USB flash drive, PIN, or password.

http://www.eightforums.com/tutorials/21271-bitlocker-turn-off-os-drive-windows-8-a.html


This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.
If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both.

If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.

Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
 

Thanks Brink. I enabled "Require additional authentication at startup" in the Local Group Policy Editor as outlined in your steps but no additional options show up in Control Panel/Bitlocker Drive Encryption (PIN, Password, etc).
 

That's what I was afraid of.

Looks like you may need to turn off BitLocker, then turn it back on with this policy now enabled to have the options for USB, PIN, or Password while turning BitLocker back on. :(
 

Yes! I turned Bitlocker OFF and then back ON (it had to re-encrypt the drive again :mad:) and now I'm prompted for a PIN after each boot before accessing the machine (which I guess is the same as a password, as an option for a password was not present). I was also given the option for USB. Thanks!!
 

You're most welcome Antares. Sorry it took decrypting and encrypting the drive again to do so.
 

Final question: is there a way to disable/enable PIN access without having to turn Bitlocker OFF/ON and avoid re-encryption of the drive? I tried changing the PIN and leaving the New PIN fields empty but it requires entering a new PIN.
 

What options does it give you in Control Panel/Bitlocker Drive Encryption under the OS drive (Manage BitLocker)?

If you don't have options to do so there, then you could use the commands below in an elevated command prompt to add and remove the PIN.


Manage-bde: protectors


(add)
manage-bde -protectors -add c: -TPMAndPIN

(remove)
manage-bde -protectors -delete c: -Type TPMAndPIN
 

I see the following options under Control Panel/Bitlocker Drive Encryption:

SUSPEND PROTECTION
BACK UP RECOVERY KEY
CHANGE PIN
TURN OFF BITLOCKER
 


I tried SUSPEND PROTECTION but it reactivates Bitlocker upon reboot, so it's of no use for the purpose of disabling Bitlocker altogether.

I'll try the elevated commands.

UPDATE: I tried the elevated command to disable the PIN but upon reboot the system asks for the USB flash drive with the recovery key. I guess the only way to disable/enable Bitlocker is by turning it OFF and have the drive decrypted/re-encrypted each time :(
 
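On the recovery prompt reported in the last post: deleting the TPMAndPIN protector leaves the volume with only its recovery protectors unless a TPM protector is added back before the next reboot, and swapping protectors does not re-encrypt the drive. The following is an added example, not code from the thread or the linked tutorial; it uses the BitLocker PowerShell module, `Set-OsDriveStartupAuth` and its parameters are hypothetical names, and it assumes an elevated session and (for PIN mode) that the "Require additional authentication at startup" policy is already enabled.

```powershell
# Added example. Run in an elevated PowerShell session.
# Set-OsDriveStartupAuth is a hypothetical helper name, not a built-in cmdlet.
function Set-OsDriveStartupAuth {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TpmOnly', 'TpmAndPin')]
        [string] $Mode,
        [string] $MountPoint = 'C:',
        [securestring] $Pin              # only used with -Mode TpmAndPin
    )

    $wanted   = if ($Mode -eq 'TpmOnly') { 'Tpm' } else { 'TpmPin' }
    $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    $volume   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Never change startup protectors without a recovery path already in place.
    $recovery = @($volume.KeyProtector | Where-Object {
        "$($_.KeyProtectorType)" -in 'RecoveryPassword', 'ExternalKey' })
    if ($recovery.Count -eq 0) {
        throw "No recovery protector on $MountPoint. Add one before changing startup authentication."
    }

    # Nothing to do if the only TPM-based protector is already the wanted type.
    $current = @($volume.KeyProtector | Where-Object {
        "$($_.KeyProtectorType)" -in $tpmTypes })
    if ($current.Count -eq 1 -and "$($current[0].KeyProtectorType)" -eq $wanted) {
        return "$MountPoint already uses $wanted"
    }
    if ($Mode -eq 'TpmAndPin' -and -not $Pin) {
        $Pin = Read-Host -AsSecureString -Prompt 'New startup PIN'
    }

    try {
        # Remove the old TPM-based protector(s). This is the step the thread's
        # "-delete ... -Type TPMAndPIN" command performs on its own.
        foreach ($p in $current) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        }
        # Add the replacement in the same session, before any reboot.
        # (manage-bde equivalent for TPM-only: manage-bde -protectors -add c: -tpm)
        if ($Mode -eq 'TpmOnly') {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector `
                -ErrorAction Stop | Out-Null
        } else {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector `
                -Pin $Pin -ErrorAction Stop | Out-Null
        }
    } catch {
        throw "Protector change failed: $($_.Exception.Message) Do not reboot until a TPM-based protector is present on $MountPoint."
    }

    # Verify the end state instead of trusting the calls above.
    $after = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        ForEach-Object { "$($_.KeyProtectorType)" })
    if ($wanted -notin $after) {
        throw "Expected a $wanted protector on $MountPoint but found: $($after -join ', '). Do not reboot."
    }
    $after   # protector types now on the volume
}

# Usage: Set-OsDriveStartupAuth -Mode TpmOnly      (drop the PIN)
#        Set-OsDriveStartupAuth -Mode TpmAndPin    (require a PIN again)
```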