{"id":62862,"date":"2024-02-24T12:03:33","date_gmt":"2024-02-24T11:03:33","guid":{"rendered":"https:\/\/ekiwi-blog.de\/?p=62862"},"modified":"2024-02-24T15:48:59","modified_gmt":"2024-02-24T14:48:59","slug":"bitlocker-protection-can-be-bypassed-remedy-with-pin","status":"publish","type":"post","link":"https:\/\/ekiwi-blog.de\/en\/62862\/bitlocker-protection-can-be-bypassed-remedy-with-pin\/","title":{"rendered":"Bitlocker protection can be bypassed: Remedy with PIN"},"content":{"rendered":"<p>Set up Bitlocker with PIN during boot. Additional security for TPM protection.<\/p>\n<p>I recently came across an article and video showing that the <a href=\"https:\/\/www.drwindows.de\/news\/laufwerksverschluesselung-unter-windows-umgehung-von-bitlocker-anschaulich-im-video-erklaert\">Bitlocker protection can often be easily overridden<\/a>. Take a look at the video, it&#8217;s quite entertaining and well explained.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Video\"><\/span>Video<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><iframe loading=\"lazy\" width=\"560\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/XDGlYjZjjhE?si=kzySPoE95Pb5i860\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<h2><span class=\"ez-toc-section\" id=\"What_is_the_problem\"><\/span>What is the problem?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Bitlocker encrypts the entire disk. Anyone familiar with solutions such as VeraCrypt may be surprised that you don&#8217;t have to enter a password when booting. This is because Bitlocker stores the key in the computer&#8217;s TPM chip. If the system has not been modified, the TPM chip releases the key and Windows boots directly.<\/p>\n<p>If the system is modified or the hard drive is removed, the correct key or the recovery key must be used.<\/p>\n<p>This is where the hack comes in: it reads the communication between the system and the TPM chip. Such attacks are not new; in the past there have already been attempts to cool the RAM, remove it and read the key from it.<\/p>\n<p>A Bitlocker PIN, which has to be entered before Windows actually boots, provides a remedy. Bitlocker itself uses this on systems that do not have a TPM.<\/p>\n<p>In short, if you really want to be secure, you should only use Bitlocker with PIN protection. 
Unfortunately, activating the Bitlocker PIN at boot is still a bit of a problem, so here is the updated version of the guide for Windows 11.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Enable_Bitlocker_pre-boot_pin\"><\/span>Enable Bitlocker pre-boot PIN<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In our example, we assume that we have already encrypted our system drive with Bitlocker.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_1.png\" alt=\"\" width=\"630\" height=\"457\" class=\"aligncenter size-full wp-image-62863\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_1.png 630w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_1-300x218.png 300w\" sizes=\"auto, (max-width: 630px) 100vw, 630px\" \/><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Activation_of_the_PIN_in_the_group_policies\"><\/span>Activation of the PIN in the group policies<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Now it gets a bit complicated. The PIN cannot be enabled via the GUI; it must first be allowed in the group policies. Whew! So we start the group policy editor with WIN + R and then &#8220;gpedit.msc&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_2.png\" alt=\"\" width=\"399\" height=\"206\" class=\"aligncenter size-full wp-image-62867\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_2.png 399w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_2-300x155.png 300w\" sizes=\"auto, (max-width: 399px) 100vw, 399px\" \/><\/p>\n<p>We now navigate to the section &#8220;Computer Configuration &#8211; Administrative Templates &#8211; Windows Components &#8211; BitLocker Drive Encryption &#8211; Operating System Drives&#8221;. 
There we look for the option &#8220;Require additional authentication at startup&#8221; on the right-hand side.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_3.png\" alt=\"\" width=\"1034\" height=\"554\" class=\"aligncenter size-full wp-image-62871\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_3.png 1034w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_3-300x161.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_3-1024x549.png 1024w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_3-768x411.png 768w\" sizes=\"auto, (max-width: 1034px) 100vw, 1034px\" \/><\/p>\n<p>We activate the option and set &#8220;Require startup PIN with TPM&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_4.png\" alt=\"\" width=\"686\" height=\"636\" class=\"aligncenter size-full wp-image-62875\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_4.png 686w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_4-300x278.png 300w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><\/p>\n<p>By default, only numbers can be used as a PIN. 
If you want to use a real password with letters and other characters, you must also activate the option &#8220;Allow enhanced PINs for startup&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_5.png\" alt=\"\" width=\"715\" height=\"495\" class=\"aligncenter size-full wp-image-62879\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_5.png 715w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_5-300x208.png 300w\" sizes=\"auto, (max-width: 715px) 100vw, 715px\" \/><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Assign_PIN_for_system_start\"><\/span>Assign PIN for system start<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>So far we have only enabled the option to set up a PIN. We now need to add the PIN protector to the encrypted drive and assign a PIN.<\/p>\n<p>To do this, we open a command prompt, importantly with admin rights. There we can add the PIN with the following command.<\/p>\n<pre>\r\nmanage-bde -protectors -add c: -TPMAndPIN\r\n<\/pre>\n<p>We now assign the PIN and confirm it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_6.png\" alt=\"\" width=\"622\" height=\"343\" class=\"aligncenter size-full wp-image-62883\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_6.png 622w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_6-300x165.png 300w\" sizes=\"auto, (max-width: 622px) 100vw, 622px\" \/><\/p>\n<p>Done; we can now check the status with the following command.<\/p>\n<pre>\r\nmanage-bde -status\r\n<\/pre>\n<p>Here we can now see the configured protectors under &#8220;Key Protectors&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_7.png\" alt=\"\" width=\"572\" height=\"337\" class=\"aligncenter size-full wp-image-62887\" 
srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_7.png 572w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_7-300x177.png 300w\" sizes=\"auto, (max-width: 572px) 100vw, 572px\" \/><\/p>\n<p>When restarting, we are now asked for the PIN. Windows only boots after the PIN has been entered. The attack method via the TPM chip no longer works.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_8.png\" alt=\"\" width=\"616\" height=\"206\" class=\"aligncenter size-full wp-image-62891\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_8.png 616w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2024\/02\/bitlocker_en_8-300x100.png 300w\" sizes=\"auto, (max-width: 616px) 100vw, 616px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Change_Bitlocker_PIN_remove_Bitlocker_PIN\"><\/span>Change Bitlocker PIN, remove Bitlocker PIN<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Of course, the protection functions can also be deactivated again; we have written another blog article on this:<\/p>\n<ul>\n<li><a href=\"https:\/\/ekiwi-blog.de\/en\/50353\/bitlocker-activate-pre-boot-bitlocker-pin\/#Remove_Bitlocker_PIN\">Remove Bitlocker PIN<\/a> \/ <a href=\"https:\/\/ekiwi-blog.de\/en\/50353\/bitlocker-activate-pre-boot-bitlocker-pin\/#Change_Bitlocker_PIN\">Change Bitlocker PIN<\/a><\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>With the PIN function, convenience suffers somewhat, as we now have to enter the PIN before booting. In return, the attack methods come to nothing. Still, it is a good measure that offers additional protection, especially for laptops when travelling.<\/p>\n<p>I will definitely protect my mobile devices in this way. 
In the end, it&#8217;s just a shame that Microsoft doesn&#8217;t provide an easy way to configure this in the normal user interface or offer the option when setting up encryption.<\/p>","protected":false},"excerpt":{"rendered":"<p>Set up Bitlocker with PIN during boot. Additional security for TPM protection.<\/p>\n","protected":false},"author":1,"featured_media":18732,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1555],"tags":[1874,1602,1658,1558],"class_list":["post-62862","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software-en","tag-bitlocker-en","tag-security-en","tag-sicherheit-en","tag-windows-en"],"_links":{"self":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/62862","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/comments?post=62862"}],"version-history":[{"count":0,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/62862\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media\/18732"}],"wp:attachment":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media?parent=62862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/categories?post=62862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/tags?post=62862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}