{"id":50353,"date":"2023-04-07T17:57:23","date_gmt":"2023-04-07T16:57:23","guid":{"rendered":"https:\/\/ekiwi-blog.de\/50353\/bitlocker-activate-pre-boot-bitlocker-pin\/"},"modified":"2023-08-06T10:31:40","modified_gmt":"2023-08-06T09:31:40","slug":"bitlocker-activate-pre-boot-bitlocker-pin","status":"publish","type":"post","link":"https:\/\/ekiwi-blog.de\/en\/50353\/bitlocker-activate-pre-boot-bitlocker-pin\/","title":{"rendered":"Bitlocker &#8211; Activate Pre-Boot Bitlocker PIN"},"content":{"rendered":"<p>Increased security with Bitlocker encryption to protect against cold boot attacks.<\/p>\n<p><!--more--><\/p>\n<p>Bitlocker is the default encryption for Windows systems, and Microsoft tries to strike a balance between security and convenience here. Normally, the computer has a TPM chip that provides the key, and Windows boots as usual. The data is encrypted, but the user does not have to enter an extra password when booting.<\/p>\n<p>This convenience can lead to the encryption being circumvented by <a href=\"https:\/\/www.youtube.com\/watch?v=0L9KAw0REkM\" target=\"_blank\" rel=\"noopener\">cold-boot attacks<\/a> and special software. 
A remedy is a PIN, which is entered before booting Windows.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Enable_bitlocker_and_encrypt_hard_disk\"><\/span>Enable bitlocker and encrypt hard disk<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If we have not already done so, we first activate Bitlocker encryption. To do this, we right-click on the system drive and click &#8220;Enable BitLocker&#8221;. 
Note: <a href=\"https:\/\/ekiwi-blog.de\/en\/18625\/bitlocker-and-remote-desktop-rdp-access-is-denied\/\">Bitlocker is only available<\/a> in the Professional and Enterprise versions of Windows.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8364\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_1.png\" alt=\"\" width=\"532\" height=\"479\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_1.png 532w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_1-300x270.png 300w\" sizes=\"auto, (max-width: 532px) 100vw, 532px\" \/><\/p>\n<p>In the first step we have to save the recovery key. We can do this, for example, in the Microsoft account; alternatively, we can <a href=\"https:\/\/ekiwi-blog.de\/en\/53877\/disable-windows-print-key-for-snipping-tool\/\" title=\"Disable Windows Print Key for Snipping Tool\">print the key<\/a> or save it in a text file. Then click on &#8220;<em>Next<\/em>&#8221;. Run the wizard to the end and then wait for the hard disk to be encrypted.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8365\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_2.png\" alt=\"\" width=\"416\" height=\"262\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_2.png 416w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_2-300x189.png 300w\" sizes=\"auto, (max-width: 416px) 100vw, 416px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Enable_start_pin_in_group_policies\"><\/span>Enable start pin in group policies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>After Bitlocker is enabled, we need to enable the startup pin in the group policies. 
To do this, we press the <strong>Windows key + R<\/strong>, enter &#8220;<em>gpedit.msc<\/em>&#8221; and confirm with Enter.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8366\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_3.png\" alt=\"\" width=\"399\" height=\"206\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_3.png 399w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_3-300x155.png 300w\" sizes=\"auto, (max-width: 399px) 100vw, 399px\" \/><\/p>\n<p>Here we go to &#8220;Computer Configuration &#8211; Administrative Templates &#8211; Windows Components &#8211; <a title=\"Mount Bitlocker drive in Linux\" href=\"https:\/\/ekiwi-blog.de\/en\/26194\/mount-bitlocker-drive-in-linux\/\">BitLocker Drive<\/a> Encryption &#8211; Operating System Drives&#8221;. On the right-hand side we find the entry &#8220;Request additional authentication at start-up&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8367\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_4.png\" alt=\"\" width=\"1005\" height=\"558\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_4.png 1005w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_4-300x167.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_4-768x426.png 768w\" sizes=\"auto, (max-width: 1005px) 100vw, 1005px\" \/><\/p>\n<p>In the settings we activate the option and set the setting &#8220;Configure TPM system start PIN&#8221; to &#8220;Start PIN required for TPM&#8221;. 
We accept the setting with OK.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8368\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_5.png\" alt=\"\" width=\"686\" height=\"637\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_5.png 686w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_5-300x279.png 300w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><\/p>\n<p>By default, only numeric PINs are accepted. Those who wish to use an alphanumeric password can also define this in the group policy editor.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8369\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_6.png\" alt=\"\" width=\"686\" height=\"636\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_6.png 686w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_6-300x278.png 300w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Set_PIN_for_drive\"><\/span>Set PIN for drive<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now the PIN or password is missing. We can set this at the command prompt with the command &#8220;manage-bde&#8221;. We open a command prompt with administrator rights.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8370\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_7.png\" alt=\"\" width=\"660\" height=\"364\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_7.png 660w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_7-300x165.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/p>\n<p>We then enter the following command:<\/p>\n<pre>manage-bde -protectors -add c: -TPMAndPIN\r\n<\/pre>\n<p>Now we can enter a PIN and confirm it. 
If an error occurs that no pre-boot keyboard was found: &#8220;ERROR: An error has occurred (code 0x803100b5):&#8221;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8371\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_8.png\" alt=\"\" width=\"810\" height=\"286\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_8.png 810w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_8-300x106.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_8-768x271.png 768w\" sizes=\"auto, (max-width: 810px) 100vw, 810px\" \/><\/p>\n<p>With &#8220;manage-bde -status&#8221; we can check if everything worked. &#8220;Numerical password&#8221; should appear here.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8372\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_9.png\" alt=\"\" width=\"699\" height=\"295\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_9.png 699w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_9-300x127.png 300w\" sizes=\"auto, (max-width: 699px) 100vw, 699px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Change_Bitlocker_PIN\"><\/span>Change Bitlocker PIN<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>It is also possible to change the PIN in the command prompt. 
To do this, we enter the following command:<\/p>\n<pre>manage-bde -changepin c:\r\n<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8373\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_10.png\" alt=\"\" width=\"637\" height=\"130\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_10.png 637w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_10-300x61.png 300w\" sizes=\"auto, (max-width: 637px) 100vw, 637px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Reboot_and_enter_PIN\"><\/span>Reboot and enter PIN<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now comes the moment of truth: we test whether everything works. To do this, we restart the computer. When the computer starts, we are asked to enter the PIN:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8374\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_11.jpg\" alt=\"\" width=\"681\" height=\"301\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_11.jpg 681w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_11-300x133.jpg 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/p>\n<p>Windows is not loaded until the PIN has been entered.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Remove_Bitlocker_PIN\"><\/span>Remove Bitlocker PIN<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Of course, we can also remove the PIN entry again. 
First we open the group policy editor again and reset the setting &#8220;Request additional authentication at start-up&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8375\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_12.png\" alt=\"\" width=\"686\" height=\"636\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_12.png 686w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/01\/bitlocker_12-300x278.png 300w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><\/p>\n<p>Now we open a command prompt <a title=\"Windows: Start device manager with admin rights\" href=\"https:\/\/ekiwi-blog.de\/en\/49979\/windows-start-device-manager-with-admin-rights\/\">with admin rights<\/a> again and enter the following command:<\/p>\n<pre>manage-bde -protectors -add c: -TPM\r\n<\/pre>\n<p>The computer then restarts as usual without entering the start PIN and loads the key from the TPM chip.<\/p>","protected":false},"excerpt":{"rendered":"<p>Increased security with Bitlocker encryption to protect against cold boot 
attacks.<\/p>\n","protected":false},"author":1,"featured_media":8332,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1555],"tags":[1874,2795,1857,1559,2068],"class_list":["post-50353","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software-en","tag-bitlocker-en","tag-manual","tag-microsoft-en-2","tag-tutorial-en","tag-windows-en-2"],"_links":{"self":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/50353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/comments?post=50353"}],"version-history":[{"count":0,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/50353\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media\/8332"}],"wp:attachment":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media?parent=50353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/categories?post=50353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/tags?post=50353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}