Scenario 6: Specifying How to Unlock BitLocker-Protected Operating System Drives (Windows 7)

Applies To: Windows 7

This scenario describes how you can use Group Policy settings to control which unlock methods can be used with operating system drives in your organization. By default, a TPM is required to turn on BitLocker and no additional unlock methods are required. If you want to use BitLocker without a TPM or to require an additional authentication method with the TPM, use the steps in this scenario to configure the settings to support those unlock methods.

Before you start

To complete the procedure in this scenario:

  • You must be able to provide administrative credentials.

To specify how to unlock BitLocker-protected operating system drives

  1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Operating System Drives.

  4. To configure authentication methods in addition to the TPM, in the details pane, double-click Require additional authentication at startup to open the policy setting, and then click Enabled.

  5. To support BitLocker on computers running Windows 7 that do not have a TPM, select the Allow BitLocker without a compatible TPM check box.

  6. To configure operating system drive startup options for computers with a TPM, the following options are available:

    • Configure TPM startup. You can choose to allow, require, or not allow the use of the TPM with BitLocker.

    • Configure TPM startup PIN. You can choose to allow, require, or not allow the use of the TPM in combination with a PIN with BitLocker.

    • Configure TPM startup key. You can choose to allow, require, or not allow the use of the TPM in combination with a key stored on a removable device, such as a USB flash drive, with BitLocker.

    • Configure TPM startup key and PIN. You can choose to allow, require, or not allow the use of the TPM in combination with both a key stored on a removable device, such as a USB flash drive, and a PIN with BitLocker.

Note

If you choose to require a startup option, the other startup options must be disallowed.

Note

If you require removable drives to be BitLocker-protected, you cannot use a startup key with your operating system drive.

Note

If you require the use of a TPM, a startup key, and a PIN to unlock the operating system drive, you must use the Manage-bde.exe command-line tool to choose that authentication method and enable BitLocker. Use the following command to add the TPM, PIN, and startup key authentication method, replacing VolumeName with the drive letter of the operating system drive and RemovableDriveLetter with the letter of the removable drive where you will be storing the startup key:

    manage-bde -protectors -add -tpsk VolumeName: -tsk RemovableDriveLetter:

Use the following command to turn on BitLocker and encrypt the drive, replacing VolumeName with the drive letter of the operating system drive:

    manage-bde -on VolumeName:

  7. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

  8. If you are using PINs for authentication along with the TPM, you may want to enable the use of enhanced PINs to allow for increased complexity of PINs. Enhanced PINs support the use of characters, including uppercase and lowercase letters, symbols, numbers, and spaces. Not all computers support these characters before the operating system starts, so we recommend that users perform a system check during BitLocker setup to verify that their computer will support the BitLocker settings they have selected before encrypting the drive. Double-click the Allow enhanced PINs for startup policy setting, and click Enabled to provide the option of using enhanced PINs with BitLocker-protected operating system drives. If this policy setting is disabled or not configured, enhanced PINs cannot be used.

  9. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

  10. Close the Local Group Policy Editor.

  11. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.

By completing this procedure, you have configured Group Policy settings to control which unlock methods can be used with operating system drives in your organization.
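The following PowerShell script is an added example, not part of the original article: it reads back the local policy values that the Require additional authentication at startup and Allow enhanced PINs for startup settings write to the registry, prints the effective startup options, and checks the rule from the Note above that a required startup option must have every other option disallowed. It assumes the policy is stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE with the value names shown in the script (0 = do not allow, 1 = require, 2 = allow).

```powershell
# Added example: audit the BitLocker startup-authentication policy configured above.
# Assumption: the Group Policy settings are stored under this key with these value names.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyValue {
    # Return the named policy value, or $Default when the value is not configured.
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default } else { return [int]$item.$Name }
}

$labels = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

if (-not (Test-Path $policyKey) -or (Get-PolicyValue 'UseAdvancedStartup' 0) -ne 1) {
    Write-Output 'Require additional authentication at startup is not Enabled; defaults apply (TPM only).'
    return
}

# The four "Configure TPM startup ..." options from step 6; 2 (Allow) is the default when Enabled.
$startupOptions = [ordered]@{
    'TPM only'                = Get-PolicyValue 'UseTPM'       2
    'TPM + PIN'               = Get-PolicyValue 'UseTPMPIN'    2
    'TPM + startup key'       = Get-PolicyValue 'UseTPMKey'    2
    'TPM + startup key + PIN' = Get-PolicyValue 'UseTPMKeyPIN' 2
}

foreach ($name in $startupOptions.Keys) {
    Write-Output ('{0,-25} {1}' -f $name, $labels[$startupOptions[$name]])
}
Write-Output ('BitLocker without compatible TPM: {0}' -f ((Get-PolicyValue 'EnableBDEWithNoTPM' 0) -eq 1))
Write-Output ('Enhanced PINs allowed:            {0}' -f ((Get-PolicyValue 'UseEnhancedPin' 0) -eq 1))

# Rule from the Note: if one startup option is required, all other options must be disallowed.
$required = @($startupOptions.Keys | Where-Object { $startupOptions[$_] -eq 1 })
if ($required.Count -gt 1) {
    Write-Warning ('Conflicting policy: more than one startup option is set to Require: ' + ($required -join ', '))
} elseif ($required.Count -eq 1) {
    $others = $startupOptions.Keys | Where-Object { $_ -ne $required[0] -and $startupOptions[$_] -ne 0 }
    if ($others) {
        Write-Warning ('"{0}" is required, but these options are not disallowed: {1}' -f $required[0], ($others -join ', '))
    } else {
        Write-Output ('Policy is consistent: "{0}" is required and all other options are disallowed.' -f $required[0])
    }
}
```

Run it from an elevated PowerShell prompt after gpupdate.exe /force to confirm the values that reached the computer match what you selected in the Local Group Policy Editor.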