0

I would like to protect my Windows 11 Pro desktop and laptop with BitLocker and a password/PIN. Here's my struggle after I encrypted the drive and want to protect the drives in case the entire PC is stolen. Thanks for your help.

Do I set up a password using the BitLocker boot PIN? I've read it's no longer available on Windows 11. Do I set up a password using the Windows login? I've read that it can be reset by booting from USB. Do I set up admin and power-on passwords from the BIOS? What happens to the TPM chip when CMOS is reset on a desktop? For laptops there's a website that'll provide a password reset for a locked BIOS. I used a local account setup on all the machines.

Open source software like VeraCrypt is so much simpler, but Windows Update tends to break it often and it is not usable.

1 Answer

1

You can set it up to use a boot PIN. In Windows 11, setting up a BitLocker PIN is still possible despite some discussions online about its availability.

To enable a BitLocker PIN in Windows 11, follow these steps:

  1. Open Local Group Policy Editor by typing gpedit.msc in the Start menu.
  2. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives
  3. Enable the setting Require additional authentication at startup.
  4. Ensure that Allow BitLocker without a compatible TPM is checked if your device does not have a TPM.
  5. After configuring this policy, go to the Control Panel under System and Security -> BitLocker Drive Encryption, click on your drive, and select the option to Change how drive is unlocked at startup to set your PIN.

You can disable USBs in your BIOS if you like.

5
  • Thank you Gabriel. Your suggestion worked well. Sorry for the late answer as I wanted to test among different PCs with or without TPM before I post again. Now I am ready to encrypt the fixed data drive. Do I need to follow the same procedure and set a startup PIN for fixed data drives? If so, it's a bit of a nuisance if there's more than one data drive. Thanks again.
    – Jmonkey
    Commented Apr 26 at 12:24
  • If my answer helped you, make sure to accept it as the solution. To encrypt fixed data drives you would do that in the OS. In your case, using the Windows File Explorer. You right-click on the drive that you want to encrypt and set up BitLocker. The drives will stay encrypted until they are accessed with a password. The boot PIN concept is only relevant for drives that you boot your OS from. You won't be doing that with fixed data drives. You can also have as many drives encrypted with BitLocker as your heart desires. I have a system with 18 drives. Commented Apr 27 at 23:19
  • 1
    Your answers are perfect and worked. I don't see anywhere for me to click to accept the answers though. This is my first time posting.
    – Jmonkey
    Commented Apr 29 at 1:23
  • Great! Glad I could help. superuser.com/tour will show you how. Commented Apr 29 at 3:33
  • 1
    For others' info - I had to reboot for Bitlocker to show me the new option to change startup unlock.
    – Ethan T
    Commented Jul 10 at 16:10
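
To confirm that the policy from steps 3 and 4 and the PIN from step 5 actually took effect (and to see how the fixed data drives from the comments are protected), the read-only audit below can be run from an elevated PowerShell prompt. It is an added example, not part of the original answer or comments; it assumes the built-in `Get-BitLockerVolume` cmdlet is available and that the local policy is stored under the `HKLM:\SOFTWARE\Policies\Microsoft\FVE` registry key.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of BitLocker startup authentication.
# Nothing here changes policy, protectors, or encryption state.

$fveKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # where BitLocker policy values are stored
$tpmPinText = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

# Policy check: "Require additional authentication at startup" and its sub-options
$policy = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
$pinSetting = if ($null -ne $policy -and $null -ne $policy.UseTPMPIN) {
    $tpmPinText[[int]$policy.UseTPMPIN]
} else {
    'Not configured'
}
[pscustomobject]@{
    RequireAdditionalAuth = ($policy.UseAdvancedStartup -eq 1)
    AllowWithoutTpm       = ($policy.EnableBDEWithNoTPM -eq 1)
    TpmStartupPin         = $pinSetting
} | Format-List

# Protector check: what each volume really needs in order to unlock
$report = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    $finding = if ($vol.ProtectionStatus -ne 'On') {
        'Protection is OFF (suspended or not encrypted)'
    } elseif ($vol.VolumeType -eq 'OperatingSystem') {
        if     ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') { 'Startup PIN in place' }
        elseif ($types -contains 'Password') { 'Startup password (no TPM)' }
        elseif ($types -contains 'Tpm')      { 'TPM only: boots to the login screen with no PIN' }
        else                                 { 'No TPM protector: check the startup method' }
    } else {
        'Data volume: no startup PIN applies'
    }

    [pscustomobject]@{
        Drive       = $vol.MountPoint
        Type        = $vol.VolumeType
        Status      = $vol.VolumeStatus
        Protectors  = ($types -join ', ')
        HasRecovery = ($types -contains 'RecoveryPassword')
        AutoUnlock  = $vol.AutoUnlockEnabled
        Finding     = $finding
    }
}
$report | Format-Table -AutoSize -Wrap
```

A `TPM only` finding on the OS drive means the PIN step has not been applied yet; as one commenter notes, a reboot may be needed before the option appears.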
