I'm trying to protect our Win10Pro Dell laptops using Bitlocker.
We'd like to add the initial PIN request.
We are following a lot of online articles: enabling the "Require additional authentication at startup" key and setting "Configure TPM startup PIN" to "Require startup PIN with TPM".
After that, I typed the command
manage-bde -protectors -add c: -TPMAndPIN
but we always receive the error:
ERROR: An error occurred (code 0x80310060): Group Policy settings do not permit the use of a PIN at startup. Please choose a different BitLocker startup option.
The other way was via the command line:
manage-bde -on c: -UsedSpaceOnly -RecoveryPassword -RecoveryKey e: -TPMAndPIN 123456
but again the 0x80310060.
OK. Here is what you need to do. Before I start with the details, let me highlight a few differences between your environment and my own:
These differences should be minimal, and you should still be able to get the outcome you want.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Select:
Require additional authentication at startup
Choose the following options:
Configure TPM startup: Do not allow TPM
Configure TPM startup PIN: Do not allow startup PIN with TPM
Configure TPM startup key: Require startup key with TPM
Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM
At this point, you should be able to go to
Control Panel > BitLocker Drive Encryption
and use the wizard. (If you have set up your Group Policy settings wrong, when you try to encrypt the drive, you will get a message in the encryption dialogue box saying that your Group Policy settings are in conflict, and you need to change them.) Otherwise, you should be able to save a startup key (or, in your case, enter a startup PIN) and continue with drive encryption.
When I first started researching this, my goal was to use a startup key exclusively, without using the TPM at all. The Microsoft documentation was pretty clear from the start, that to do that, you must use the command line tools. The Control Panel wizard will not do what you want. (While I am very much at home on the command line, Windows OS drive encryption is new territory for me. I wanted to stay on a well-traveled road.) The method above lays out how to use the TPM + startup key. You should be able to modify this slightly for your own needs, using the TPM + startup PIN.
Lastly, here is the excellent article that guided me through setting up Group Policy. The article walks you through how to set up BitLocker with the TPM + startup PIN + startup key. All the command line calls are listed; I haven't tried any of them, but maybe you will find them useful for a managed installation.
https://mrhorn.com/wp/posts/bitlocker-with-tpm-pin-usb-startupkey/
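Before running manage-bde, it helps to read back what the policy actually permits, since 0x80310060 is manage-bde enforcing those settings. The PowerShell script below is an added example (not from the answer above or from Microsoft's documentation); it assumes the policy registry path HKLM\SOFTWARE\Policies\Microsoft\FVE and the value names UseAdvancedStartup, UseTPM, UseTPMPIN, UseTPMKey and UseTPMKeyPIN, with 0/1/2 meaning Do not allow/Require/Allow.

```powershell
# Added diagnostic, not part of the original answer: reads the policy values that the
# "Require additional authentication at startup" GPO writes and that manage-bde enforces,
# and reports whether a TPM+PIN protector (-TPMAndPIN) is currently permitted.
# Run from an elevated PowerShell prompt after `gpupdate /force`.
$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Meaning of the DWORD values the policy drop-downs write (assumed mapping from
# the BitLocker ADMX): 0 = Do not allow, 1 = Require, 2 = Allow.
$Meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

# Startup-authentication settings, in the order the policy dialog lists them.
$Settings = [ordered]@{
    UseTPM       = 'Configure TPM startup'
    UseTPMPIN    = 'Configure TPM startup PIN'
    UseTPMKey    = 'Configure TPM startup key'
    UseTPMKeyPIN = 'Configure TPM startup key and PIN'
}

function Get-FveValue([string]$Name) {
    $p = Get-ItemProperty -Path $FvePolicyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }   # value absent: policy not configured
    return [int]$p.$Name
}

function Test-BitLockerStartupPolicy {
    $enabled = (Get-FveValue 'UseAdvancedStartup') -eq 1
    $rows = foreach ($name in $Settings.Keys) {
        $v = Get-FveValue $name
        $m = 'not configured'
        if ($null -ne $v) { $m = $Meaning[$v] }
        [pscustomobject]@{ Setting = $Settings[$name]; Value = $v; Meaning = $m }
    }
    # manage-bde refuses -TPMAndPIN with 0x80310060 unless the policy is enabled
    # and "Configure TPM startup PIN" is Allow (2) or Require (1).
    $pin = Get-FveValue 'UseTPMPIN'
    [pscustomobject]@{
        PolicyEnabled    = $enabled
        Settings         = $rows
        TpmAndPinAllowed = $enabled -and ($pin -in 1, 2)
    }
}

$result = Test-BitLockerStartupPolicy
$result.Settings | Format-Table -AutoSize
if ($result.TpmAndPinAllowed) {
    'TPM+PIN is permitted; manage-bde -protectors -add C: -TPMAndPIN should succeed.'
} else {
    'TPM+PIN is blocked by policy (expect 0x80310060): set "Configure TPM startup PIN" to Allow or Require, then run gpupdate /force.'
}
```

The table it prints maps one-to-one onto the four drop-downs in the policy dialog, so a value that still reads "Do not allow" after gpupdate points at the GPO that never applied to the laptop.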