BitLocker: Configuration with Boot PIN – USB drives can no longer be encrypted

If you use a boot PIN with BitLocker for additional security, you may find that USB drives can no longer be encrypted with BitLocker (BitLocker To Go).

BitLocker's TPM-only protection is convenient, because the TPM releases the key and the operating system drive unlocks at boot without any user interaction, but that is exactly what makes it bypassable: whoever boots the machine gets an unlocked drive. For that reason BitLocker also offers a PIN (TPM + PIN) that must be entered at system startup.

Only after the correct PIN has been entered does the TPM release the key and the drive is unlocked.

This method has a drawback, however: an attempt to encrypt a USB drive may fail with the following error message:

❌ The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.

The fix is to open the Group Policy Editor (gpedit.msc, or the GPO on a domain-joined machine) and set the "Configure TPM startup PIN" drop-down to "Allow startup PIN with TPM" rather than requiring it.

You can find the setting here: Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives – Require additional authentication at startup.

The existing boot PIN stays in place and must still be entered at startup; only the policy no longer enforces it. You should now be able to encrypt USB drives with BitLocker again.
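The same procedure as an added PowerShell example (not part of the original post): it reads the registry values behind "Require additional authentication at startup" (HKLM\SOFTWARE\Policies\Microsoft\FVE, where 0 = Do not allow, 1 = Require, 2 = Allow), switches the TPM startup PIN setting to Allow, confirms the OS drive still has its TPM+PIN protector, and retries encryption of the removable drive. The drive letter E: is a placeholder, and the script assumes an elevated session on a machine whose policy is currently set to Require.

```powershell
# Added example, not from the original post: inspect the BitLocker startup
# authentication policy, set "Configure TPM startup PIN" to Allow, and retry
# BitLocker To Go on the removable drive that failed before.
# Assumptions: elevated session; "E:" is a placeholder drive letter.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Registry values behind "Require additional authentication at startup".
# Each takes 0 = Do not allow, 1 = Require, 2 = Allow.
$StartupSettings = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
$Meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Get-StartupAuthPolicy {
    if (-not (Test-Path $PolicyKey)) {
        Write-Host 'No BitLocker policy key present: the policy is Not Configured.'
        return
    }
    $key = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $StartupSettings) {
        $value = $key.$name
        $text  = if ($null -eq $value) { 'not set' } else { $Meaning[[int]$value] }
        [pscustomobject]@{ Setting = $name; Value = $value; Meaning = $text }
    }
}

# 1. Show the current policy. UseTPMPIN = 1 (Require) is the state the post
#    describes; the fix below changes it to 2 (Allow).
Get-StartupAuthPolicy | Format-Table -AutoSize

# 2. Apply the fix locally. On a domain-joined machine the next Group Policy
#    refresh overwrites this, so make the same change in the GPO itself; the
#    local edit is only for a stand-alone machine or a quick test.
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $PolicyKey -Name 'UseTPMPIN'          -Value 2 -Type DWord
gpupdate /target:computer /force | Out-Null

# 3. Confirm the OS drive still carries its TPM+PIN protector. Relaxing the
#    policy from Require to Allow does not remove an existing protector, so the
#    PIN is still asked for at boot.
$os     = Get-BitLockerVolume -MountPoint $env:SystemDrive
$tpmPin = $os.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
if ($tpmPin) {
    "OS drive protector: TpmPin (ID $($tpmPin.KeyProtectorId)); PIN still required at boot"
} else {
    Write-Warning "No TpmPin protector on $($os.MountPoint). Add one with: Add-BitLockerKeyProtector -MountPoint $($os.MountPoint) -TpmAndPinProtector -Pin (Read-Host -AsSecureString)"
}

# 4. Retry BitLocker To Go on the removable drive that previously produced the
#    "Group Policy settings ... are in conflict" error.
$usb = 'E:'   # placeholder: pick the real drive from Get-BitLockerVolume
$pw  = Read-Host -Prompt "Password for $usb" -AsSecureString
Enable-BitLocker -MountPoint $usb -PasswordProtector -Password $pw -UsedSpaceOnly
Get-BitLockerVolume -MountPoint $usb |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

Step 1 is worth running on its own before changing anything: it tells you which of the four startup settings is at Require, which is what the Group Policy Editor dialog shows as the drop-down values.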
