Hardening BitLocker

A BitLocker key can be extracted, as a recently published attack demonstrated. Enabling BitLocker alone is not enough unless a PIN must be entered at boot time. This article will help you harden the process by enforcing TPM + BitLocker password (rather than a numeric PIN) at boot time.

1. Prerequisite:

  • Your computer has a physical TPM chip and you are running a Windows operating system.
  • You have enabled BitLocker on your drive.
    You can check out this HowtoGeek link for further instructions, or this Stanford tutorial if you are using Windows 8.
  • Your system supports the Enhanced PIN feature for BitLocker.

2. Basic steps:

  • Boot up the computer. If the system did not prompt you for a BitLocker PIN, you are exactly the audience this article targets. No prompt means the system unlocks the drive automatically with the TPM alone, which appears to be the default setting for Windows 10 and is a very weak security policy.
  • Log in with your Admin account (the account that allows you to install new software) and open Group Policy (press Windows+R, type “gpedit.msc” into the Run dialog, and press Enter).
  • Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Group Policy window.
  • Double-click the “Require Additional Authentication at Startup” Option in the right pane. Select "Enabled", make sure "Allow BitLocker without a compatible TPM" is unchecked, and click "OK".
  • Double-click "Allow enhanced PINs for startup". Select "Enabled", and click "OK".
  • Go to "Control Panel\System and Security\BitLocker Drive Encryption" and then choose "Enter a PIN". When you enter the PIN, use a string containing letters as well as numbers. If you meet all the prerequisites and follow the steps correctly, the system will accept the PIN and it will work.

A BitLocker password used together with the TPM chip is technically more secure than a numeric PIN because the string contains letters on top of the numbers. This password string is not to be confused with the BitLocker Password used without a TPM chip.
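The steps above are done by hand in gpedit.msc and Control Panel; the PowerShell script below is an added example (not part of the original article) that audits the same state from an elevated prompt and, with -Enforce, adds the TPM+PIN protector. It assumes the OS drive is C:, that the BitLocker and TrustedPlatformModule modules are available (Windows 8 and later), and that the policy registry names under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones backing the two Group Policy settings; verify them in gpedit.msc on your build.

```powershell
# Audit (and optionally enforce) TPM + PIN pre-boot authentication on the OS drive.
# Added example for this article, not the original author's code. Run from an
# elevated PowerShell session. Assumes the OS drive is C: and that the BitLocker
# and TrustedPlatformModule modules exist (Windows 8 / Server 2012 and later).
param(
    [string]$MountPoint = "C:",
    [switch]$Enforce        # add the TPM+PIN protector instead of only reporting
)

$ErrorActionPreference = "Stop"

# 1. Is a TPM present and ready? Without it TPM+PIN cannot be configured.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No usable TPM (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))."
}

# 2. Policy values written by the two Group Policy settings in the article.
#    Assumed registry names; confirm them in gpedit.msc if your build differs.
$fve    = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$advancedStartup = $policy.UseAdvancedStartup   # 1 = "Require additional authentication at startup" enabled
$noTpmAllowed    = $policy.EnableBDEWithNoTPM   # 0 = "Allow BitLocker without a compatible TPM" unchecked
$enhancedPin     = $policy.UseEnhancedPin       # 1 = "Allow enhanced PINs for startup" enabled

Write-Host ("Policy: UseAdvancedStartup={0} EnableBDEWithNoTPM={1} UseEnhancedPin={2}" -f `
    $advancedStartup, $noTpmAllowed, $enhancedPin)
if ($advancedStartup -ne 1 -or $enhancedPin -ne 1) {
    Write-Warning "Group Policy does not yet allow an enhanced TPM+PIN; apply the settings in gpedit.msc (then gpupdate /force)."
}

# 3. Which protectors currently unlock the OS drive?
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
Write-Host ("Volume {0}: ProtectionStatus={1} protectors={2}" -f `
    $MountPoint, $vol.ProtectionStatus, ($types -join ", "))

$tpmOnly = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "Tpm" }
$tpmPin  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "TpmPin" }

if ($tpmPin) {
    Write-Host "OK: a TPM+PIN protector is present; the drive prompts for the PIN before boot."
} elseif ($tpmOnly) {
    Write-Warning "Drive unlocks with the TPM alone (the weak default the article describes)."
    if ($Enforce) {
        # A recovery password protector must already exist so that a mistyped
        # PIN or a TPM change cannot lock you out of the drive.
        if (-not ($types -contains "RecoveryPassword")) {
            throw "No recovery password protector found; back one up before changing the unlock method."
        }
        $pin = Read-Host -AsSecureString "Enter the new enhanced PIN (letters, digits and symbols allowed)"
        # BitLocker keeps a single TPM-based protector on an OS drive, so adding
        # TpmAndPin is expected to replace the TPM-only one; the re-read below
        # verifies that rather than assuming it.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
        $after = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                 ForEach-Object { $_.KeyProtectorType }
        if (($after -contains "TpmPin") -and -not ($after -contains "Tpm")) {
            Write-Host "TPM+PIN protector added; reboot to confirm the pre-boot prompt appears."
        } else {
            Write-Warning ("Unexpected protector set after change: {0}" -f ($after -join ", "))
        }
    }
} else {
    Write-Warning "No TPM-based protector on $MountPoint; BitLocker may not be enabled on this drive."
}
```

Run it once without -Enforce to see the current protector list: a line reading protectors=Tpm, RecoveryPassword is the auto-unlock configuration the article warns about, and TpmPin, RecoveryPassword is the hardened state. The recovery password check is deliberate: the PIN protector is the thing you will be locked out by if it is forgotten, so the script refuses to change the unlock method until a recovery protector exists.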