I updated my T500 to use BitLocker with the TPM. Now, to further secure it against brute-force password attacks, I want to add a PIN to the startup. I see the gpedit.msc option to "Require additional authentication at startup", but I am not sure of the sequence of events.
With BitLocker already protecting my C: drive, if I set the option to "Require TPM startup PIN", where do I set the initial PIN? When I look at the C: drive options it doesn't show anything other than suspend or manage. Manage only shows save or print recovery key again.
So, how do I tell BitLocker and the TPM to use a PIN, and where do I set that PIN? Do I need to decrypt, set the policy, then re-encrypt? I do not want to get locked out with it wanting a PIN I have not yet set.
(1) First go into your Group Policy (Run -> gpedit.msc) as an administrator. In the group policy settings, go to
Local Computer Policy > ..... > BitLocker Drive Encryption > Operating System Drives
Find 'Require additional authentication at startup' and set it to Enabled. Then under the title 'Configure TPM startup PIN', set "Require startup PIN with TPM". Apply/save and exit.
(2) Now go to your command (CMD) prompt as an administrator. We will now force BitLocker to use both TPM and PIN. Type in:

```
manage-bde -protectors -add c: -TPMAndPIN
```

where 'c:' is your drive. If in doubt, look at some examples first by adding the "-?" switch at the end, e.g. "manage-bde -protectors -?".
This will lead to a command-line prompt for you to enroll a PIN. This has to be numbers. If you want to use letters, you have to go back to Group Policy (step 1) and do the additional step of enabling Enhanced startup PINs.
Now after all this is done, if successful, you can see that the options have changed when entering the "Manage BitLocker" GUI under Control Panel. Furthermore, when you first boot up into Windows, you should be prompted for a pre-boot authentication PIN. Don't forget to back up your recovery keys, just in case they prompt you, of course.
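The same procedure as an added PowerShell example (not code from the original answer): it verifies that the Group Policy from step 1 is actually in effect and that the TPM is ready, makes sure a recovery password exists and is saved off the encrypted drive before the startup authentication changes, and only then adds the TPM+PIN protector to the already-encrypted drive, so no decrypt/re-encrypt is needed. It assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules, that the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup, UseTPMPIN, UseEnhancedPin, MinimumPIN), and that `$RecoveryBackupPath` is a placeholder you replace with a location that is not on the drive being protected. The fallback minimum PIN length of 6 is an assumption for when no minimum-length policy is set.

```powershell
# Added example: enroll a TPM+PIN protector on an already-protected OS drive.
# Run from an elevated PowerShell prompt. Not part of the original answer.
$Drive = "C:"
$RecoveryBackupPath = "\\PLACEHOLDER-SERVER\bitlocker\$env:COMPUTERNAME-recovery.txt"  # placeholder, off the C: drive

# 1. Policy check: the GPO 'Require additional authentication at startup' writes to this key.
#    UseTPMPIN 1 = Require startup PIN with TPM, 2 = Allow; UseEnhancedPin 1 = letters allowed.
$fve = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -ErrorAction SilentlyContinue
if (-not $fve -or $fve.UseAdvancedStartup -ne 1) {
    throw "Enable 'Require additional authentication at startup' in gpedit.msc first (step 1)."
}
if ($fve.UseTPMPIN -notin @(1, 2)) {
    throw "'Configure TPM startup PIN' is set to 'Do not allow'; PIN enrolment would be refused."
}
$enhancedPin = ($fve.UseEnhancedPin -eq 1)
$minPinLen   = if ($fve.MinimumPIN) { [int]$fve.MinimumPIN } else { 6 }   # assumed default

# 2. TPM check: the protector cannot be added if the TPM is absent or not ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw "TPM not present or not ready." }

# 3. Drive state: must already be protected, and must have a recovery password we can save.
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.ProtectionStatus -ne 'On') { throw "$Drive is not currently protected by BitLocker." }
$types = @($vol.KeyProtector.KeyProtectorType)
if ('TpmPin' -in $types) { Write-Host "$Drive already has a TPM+PIN protector; nothing to do."; return }

if ('RecoveryPassword' -notin $types) {
    # Add a recovery password BEFORE changing startup authentication, so a typo in the
    # new PIN or a failed TPM unseal can never leave the machine unrecoverable.
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $Drive
}
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
"$($rp.KeyProtectorId) $($rp.RecoveryPassword)" | Out-File -FilePath $RecoveryBackupPath -Encoding ASCII
Write-Host "Recovery password saved to $RecoveryBackupPath (keep it off this drive)."

# 4. Prompt for the PIN as a SecureString and validate it against the policy in effect.
function Test-PinPolicy {
    param([System.Security.SecureString]$Pin, [int]$MinLength, [bool]$AllowEnhanced)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Pin)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        if ($plain.Length -lt $MinLength) { return "PIN must be at least $MinLength characters." }
        if (-not $AllowEnhanced -and $plain -notmatch '^[0-9]+$') {
            return "Enhanced PINs are not enabled in policy; use digits only."
        }
        return $null
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # do not leave the PIN in memory
    }
}
$pin = Read-Host -AsSecureString "Enter the new startup PIN"
$err = Test-PinPolicy -Pin $pin -MinLength $minPinLen -AllowEnhanced $enhancedPin
if ($err) { throw $err }

# 5. Add the protector. The drive stays encrypted; only the key protectors change.
Add-BitLockerKeyProtector -MountPoint $Drive -TpmAndPinProtector -Pin $pin | Out-Null

# 6. Show the resulting protector list; expect TpmPin and RecoveryPassword entries.
(Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
Write-Host "Reboot to confirm the pre-boot PIN prompt appears before Windows loads."
```

The order matters for the lock-out worry in the question: the policy and TPM checks fail fast before anything is modified, and the recovery password is written to its off-drive location before the TPM+PIN protector is added, so the next reboot always has a fallback even if the PIN was mistyped during enrolment.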