- New Group Policy settings in Windows 11 23H2 - Mon, Nov 20 2023
- Windows Server 2025 will support SMB over QUIC in all editions - Fri, Nov 17 2023
- Switch between Windows Terminal and the legacy console - Thu, Nov 16 2023
The most convenient option for users is that BitLocker uses TPM as the sole protector during system startup. Users automatically gain access to encrypted drives, and no interaction is required.
Vulnerability of the volume master key
The TPM contains the storage root key to decrypt the VMK. However, this only happens if the validation profile check confirms that the system configuration has not changed. The drive is unlocked by BitLocker before the user is shown the login screen. At this point, the VMK is already stored unencrypted in the computer's RAM, where an attacker could read it using a memory dump.
Additional attack vectors arise from vulnerabilities such as CVE-2022-41099, which allows bypassing the BitLocker encryption of the operating system drive through WinRE.
Second-factor protection against VMK theft
In such cases, a PIN or a startup key provides additional protection because they require authentication before the operating system is booted. If an attacker gains physical access to the computer, a memory dump attack fails since the VMK is not decrypted before entering the PIN or attaching the startup key.
The PIN and startup key can be combined with the TPM protector, either individually or together. Since the key requires hardware in the form of a USB stick, most users prefer the more convenient PIN.
PIN lock after failed attempts
The TPM protects the PIN against brute force attacks by denying access after multiple (usually 32) incorrect entries and allowing another attempt only every 10 minutes. Microsoft has also raised the barrier for such attacks by increasing the default minimum PIN length to 6 characters from the previous 4.
In addition, the Group Policy Allow enhanced PINs for startup enables the use of more complex PINs that contain letters and other characters in addition to digits.
Setting authentication methods before enabling BitLocker
If you want to configure the authentication mechanisms or the recovery options for encrypted drives using Group Policy, you should do so before enabling BitLocker. The setting responsible for this is Require additional authentication at startup, located under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
It is important to note that under Settings for computers with a TPM, you can only specify one option as required. All others must be set to Do not allow, including Configure TPM startup if you want to use a PIN. Otherwise, the BitLocker activation wizard will display the following error message:
The Group Policy settings for BitLocker startup options are in conflict and cannot be applied.
After configuring the Group Policy, eligible users can enable BitLocker using the control panel wizard, which will prompt for the input defined in the GPO's protectors. In the case of TPM and PIN, this would be a minimum six-digit numeric code.
Alternatively, if you have chosen to use a startup key, the wizard will require you to provide or select a USB stick for that purpose.
Activating BitLocker via PowerShell or manage-bde
If you want to activate BitLocker using the command line instead, i.e., with PowerShell or manage-bde.exe, then you can specify those protectors configured in the GPO. Otherwise, you will encounter an error message.
Subsequently adding a PIN
If you have already enabled BitLocker on the operating system drive and activated the default TPM protector, changing the GPO setting described above will not automatically create the TPMAndPIN protector.However, in this case, you can add an additional protector using PowerShell or manage-bde:
manage-bde -protectors -add c: -TPMAndPIN
Using PowerShell, you would proceed as follows:
$pin = Read-Host -Prompt "Enter PIN:" -AsSecureString Add-BitLockerKeyProtector -MountPoint "c:" -TpmAndPinProtector -Pin $pin
Again, this method can only be used to create protectors that do not conflict with the assigned Group Policy.
It is good practice, recommended by Microsoft, to enhance the implicit authentication provided by a TPM with a preboot PIN or a startup key.
However, the interaction between Group Policies and BitLocker may not be immediately clear. The issue is that the BitLocker setup wizard will only configure PIN authentication if the corresponding GPO has been assigned to the computer before activating BitLocker.
However, you can add a new protector on the command line at any time. But it must not be disabled in the Group Policies; otherwise, the operation will fail.