The most convenient option for users is that BitLocker uses TPM as the sole protector during system startup. Users automatically gain access to encrypted drives, and no interaction is required.
Vulnerability of the volume master key
The TPM contains the storage root key to decrypt the VMK. However, this only happens if the validation profile check confirms that the system configuration has not changed. The drive is unlocked by BitLocker before the user is shown the login screen. At this point, the VMK is already stored unencrypted in the computer's RAM, where an attacker could read it using a memory dump.
Additional attack vectors arise from vulnerabilities such as CVE-2022-41099, which allows bypassing the BitLocker encryption of the operating system drive through WinRE.
Second-factor protection against VMK theft
In such cases, a PIN or a startup key provides additional protection because they require authentication before the operating system is booted. If an attacker gains physical access to the computer, a memory dump attack fails since the VMK is not decrypted before entering the PIN or attaching the startup key.
The PIN and startup key can be combined with the TPM protector, either individually or together. Since the key requires hardware in the form of a USB stick, most users prefer the more convenient PIN.
PIN lock after failed attempts
The TPM protects the PIN against brute force attacks by denying access after multiple (usually 32) incorrect entries and allowing another attempt only every 10 minutes. Microsoft has also raised the barrier for such attacks by increasing the default minimum PIN length to 6 characters from the previous 4.
In addition, the Group Policy Allow enhanced PINs for startup enables the use of more complex PINs that contain letters and other characters in addition to digits.
Setting authentication methods before enabling BitLocker
If you want to configure the authentication mechanisms or the recovery options for encrypted drives using Group Policy, you should do so before enabling BitLocker. The setting responsible for this is Require additional authentication at startup, located under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
It is important to note that under Settings for computers with a TPM, you can only specify one option as required. All others must be set to Do not allow, including Configure TPM startup if you want to use a PIN. Otherwise, the BitLocker activation wizard will display the following error message:
The Group Policy settings for BitLocker startup options are in conflict and cannot be applied.

Error message in the BitLocker activation wizard when multiple startup options are configured via GPO
After configuring the Group Policy, eligible users can enable BitLocker using the control panel wizard, which will prompt for the input defined in the GPO's protectors. In the case of TPM and PIN, this would be a minimum six-digit numeric code.

If you have configured a startup PIN via Group Policy, users must set it during the BitLocker activation process
Alternatively, if you have chosen to use a startup key, the wizard will require you to provide or select a USB stick for that purpose.

If the Group Policy requires the use of a startup key, then you must provide a USB stick when activating BitLocker
Activating BitLocker via PowerShell or manage-bde
If you want to activate BitLocker using the command line instead, i.e., with PowerShell or manage-bde.exe, you can only specify protectors that the GPO permits. Otherwise, you will encounter an error message.
Subsequently adding a PIN
If you have already enabled BitLocker on the operating system drive and activated the default TPM protector, changing the GPO setting described above will not automatically create the TPMAndPIN protector. However, in this case, you can add an additional protector using PowerShell or manage-bde:
manage-bde -protectors -add c: -TPMAndPIN
Using PowerShell, you would proceed as follows:
$pin = Read-Host -Prompt "Enter PIN:" -AsSecureString
Add-BitLockerKeyProtector -MountPoint "c:" -TpmAndPinProtector -Pin $pin
Again, this method can only be used to create protectors that do not conflict with the assigned Group Policy.
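The following PowerShell script is an added example, not code from the article: it combines the two points made above, the "only one option may be set to Require" rule from the Group Policy section and the subsequent addition of a TPM+PIN protector. It reads the BitLocker policy from the registry, refuses to continue when the policy is in the conflicting state the wizard complains about or when the PIN option is set to Do not allow, makes sure a recovery password exists before touching startup protectors, and only then adds the TpmPin protector. The registry path HKLM:\SOFTWARE\Policies\Microsoft\FVE, the value names UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN and MinimumPIN, and the encoding 0 = Do not allow, 1 = Require, 2 = Allow are stated from memory of the ADMX and should be verified against your own GPO; the functions Get-StartupPolicy, Test-StartupPolicy and Add-TpmPinProtector are my own names. An elevated session with the BitLocker module (Windows 10/11) is assumed.

```powershell
# Added example: policy-aware addition of a TPM+PIN protector (not the article's code).
# Assumed policy encoding under the FVE key: 0 = Do not allow, 1 = Require, 2 = Allow.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpmOptions = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'

function Get-StartupPolicy {
    # Returns the four TPM startup options plus the minimum PIN length.
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($name in $tpmOptions) {
        # A missing value means "not configured", which behaves like Allow (2).
        $result[$name] = if ($null -ne $p -and $null -ne $p.$name) { [int]$p.$name } else { 2 }
    }
    # Default minimum PIN length is 6 on current Windows versions (article, "PIN lock after failed attempts").
    $result['MinimumPIN'] = if ($null -ne $p -and $null -ne $p.MinimumPIN) { [int]$p.MinimumPIN } else { 6 }
    return $result
}

function Test-StartupPolicy {
    param([hashtable]$Policy)
    # The wizard fails when more than one startup option is set to Require.
    $required = @($tpmOptions | Where-Object { $Policy[$_] -eq 1 })
    if ($required.Count -gt 1) {
        Write-Warning "Conflicting policy: more than one option set to Require ($($required -join ', '))."
        return $false
    }
    return $true
}

function Add-TpmPinProtector {
    param([string]$MountPoint = 'C:')
    $policy = Get-StartupPolicy
    if (-not (Test-StartupPolicy -Policy $policy)) { return }
    if ($policy['UseTPMPIN'] -eq 0) {
        Write-Warning 'UseTPMPIN is set to Do not allow; Add-BitLockerKeyProtector -TpmAndPinProtector would fail.'
        return
    }

    $types = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -contains 'TpmPin') {
        Write-Host "A TpmPin protector already exists on $MountPoint."
        return
    }

    # Never change startup protectors without a recovery password in place:
    # a forgotten PIN or a changed PCR measurement would otherwise lock the drive for good.
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Write-Host 'Recovery password added; back it up (e.g. Backup-BitLockerKeyProtector to AD) before continuing.'
    }

    # Enforce the policy's minimum length locally so the cmdlet does not fail late.
    do {
        $pin = Read-Host -Prompt "Enter a startup PIN (at least $($policy['MinimumPIN']) characters)" -AsSecureString
    } while ($pin.Length -lt $policy['MinimumPIN'])

    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # Report the resulting protector set; a remaining TPM-only protector would still
    # unlock the drive without a PIN and should be removed with Remove-BitLockerKeyProtector.
    $after = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
    foreach ($kp in $after) {
        if ($kp.KeyProtectorType.ToString() -eq 'Tpm') {
            Write-Warning "TPM-only protector $($kp.KeyProtectorId) still present; the PIN is not yet enforced."
        }
    }
    $after | Select-Object KeyProtectorType, KeyProtectorId
}

Add-TpmPinProtector -MountPoint 'C:'
```

Run it once per machine after the GPO has been applied; the policy check at the top is what distinguishes this from the bare manage-bde or Add-BitLockerKeyProtector call in the article, which only reports a conflict after the fact.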
Summary
It is good practice, recommended by Microsoft, to enhance the implicit authentication provided by a TPM with a preboot PIN or a startup key.
However, the interaction between Group Policies and BitLocker may not be immediately clear. The issue is that the BitLocker setup wizard will only configure PIN authentication if the corresponding GPO has been assigned to the computer before activating BitLocker.
You can, however, add a new protector on the command line at any time, as long as that protector is not set to Do not allow in the Group Policy; otherwise, the operation will fail.
Hi.
It should be noted that requiring enhanced PINs poses a big problem: Microsoft has not designed it in a way that respects the keyboard layout. So on a QWERTZ keyboard, you set an enhanced PIN of zaza123, but when booting your machine, you will need to enter yaya123 (which is the corresponding key combination if you had a QWERTY keyboard). So I even wrote a script that translates QWERTZ enhanced PIN entries to the US keyboard layout which BitLocker hopes to find, so that you can enter any enhanced PIN without headaches. See this:
# Translate a PIN typed on a German QWERTZ layout to the characters the
# US-layout preboot environment reads at the same key positions.
# "ô" is only a temporary placeholder used to swap character pairs;
# the order of the replacements matters.
$enhancedPIN = Read-Host -Prompt "Enter the enhanced PIN as typed on QWERTZ"
# AltGr combinations with no US equivalent are dropped
$enhancedPIN = $enhancedPIN -creplace "@",""
$enhancedPIN = $enhancedPIN -creplace '"','@'
$enhancedPIN = $enhancedPIN -creplace "~",""
$enhancedPIN = $enhancedPIN -creplace "€",""
$enhancedPIN = $enhancedPIN -creplace "{",""
$enhancedPIN = $enhancedPIN -creplace "\[",""
$enhancedPIN = $enhancedPIN -creplace "]",""
$enhancedPIN = $enhancedPIN -creplace "\+","]"
$enhancedPIN = $enhancedPIN -creplace "}",""
$enhancedPIN = $enhancedPIN -creplace "\\",""
# z and y are swapped between the two layouts
$enhancedPIN = $enhancedPIN -creplace "z","ô"
$enhancedPIN = $enhancedPIN -creplace "y","z"
$enhancedPIN = $enhancedPIN -creplace "ô","y"
$enhancedPIN = $enhancedPIN -creplace "Z","ô"
$enhancedPIN = $enhancedPIN -creplace "Y","Z"
$enhancedPIN = $enhancedPIN -creplace "ô","Y"
# umlauts sit on the US bracket and quote keys
$enhancedPIN = $enhancedPIN -creplace "ü","["
$enhancedPIN = $enhancedPIN -creplace "Ü","{"
$enhancedPIN = $enhancedPIN -creplace ":",">"
$enhancedPIN = $enhancedPIN -creplace "Ö",":"
$enhancedPIN = $enhancedPIN -creplace ";","<"
$enhancedPIN = $enhancedPIN -creplace "ö",";"
$enhancedPIN = $enhancedPIN -creplace "ô",";"
$enhancedPIN = $enhancedPIN -creplace "\|","\"
$enhancedPIN = $enhancedPIN -creplace "'","|"
$enhancedPIN = $enhancedPIN -creplace "Ä",'"'
$enhancedPIN = $enhancedPIN -creplace "'",""
$enhancedPIN = $enhancedPIN -creplace "ä","'"
$enhancedPIN = $enhancedPIN -creplace "#","\"
# shifted symbols on the number row and punctuation keys
$enhancedPIN = $enhancedPIN -creplace "-","ô"
$enhancedPIN = $enhancedPIN -creplace "&","^"
$enhancedPIN = $enhancedPIN -creplace "/","&"
$enhancedPIN = $enhancedPIN -creplace "ô","/"
$enhancedPIN = $enhancedPIN -creplace "§","#"
$enhancedPIN = $enhancedPIN -creplace "_","ô"
$enhancedPIN = $enhancedPIN -creplace "\?","_"
$enhancedPIN = $enhancedPIN -creplace "ô","?"
$enhancedPIN = $enhancedPIN -creplace "\*","}"
$enhancedPIN = $enhancedPIN -creplace "\(","*"
$enhancedPIN = $enhancedPIN -creplace "\)","("
$enhancedPIN = $enhancedPIN -creplace "=",")"
$enhancedPIN = $enhancedPIN -creplace "ß","-"
# the PIN to enter at the preboot prompt
$enhancedPIN
That’s typical for Microsoft. Nothing is really thought through. New features are released without testing.
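As an added example, not part of the comment above or of the article, here is a table-driven version of the same QWERTZ-to-US translation. Each character is looked up once, so the order of the replacements and the placeholder trick no longer matter, and the function also reports which characters of a candidate enhanced PIN depend on the keyboard layout, which is the check an administrator wants before rolling out enhanced PINs to users with non-US keyboards. The key pairs are taken from the commenter's script and are assumed, not independently verified; the function name ConvertTo-PrebootPin and the variable $qwertzToUs are my own.

```powershell
# Added example: single-pass QWERTZ -> US translation with a layout report.
# Mapping pairs are taken from the comment's script (assumed, not verified here).
# A generic Dictionary is used because a @{} hashtable is case-insensitive and
# could not hold both 'z' and 'Z' as keys.
$qwertzToUs = [System.Collections.Generic.Dictionary[string,string]]::new()
foreach ($pair in @(
    # shifted symbols that land on a different US symbol
    @('"','@'), @('§','#'), @('&','^'), @('/','&'), @('(','*'), @(')','('), @('=',')'),
    @('?','_'), @('_','?'), @('ß','-'), @('-','/'), @('+',']'), @('*','}'),
    @(':','>'), @(';','<'), @('#','\'), @("'",'|'), @('|','\'),
    # letters swapped between the two layouts
    @('z','y'), @('y','z'), @('Z','Y'), @('Y','Z'),
    # umlauts sit on the US bracket and quote keys
    @('ü','['), @('Ü','{'), @('ö',';'), @('Ö',':'), @('ä',"'"), @('Ä','"'),
    # AltGr combinations with no US equivalent: dropped
    @('@',''), @('~',''), @('€',''), @('{',''), @('[',''), @(']',''), @('}',''), @('\','')
)) { $qwertzToUs[$pair[0]] = $pair[1] }

function ConvertTo-PrebootPin {
    param([Parameter(Mandatory)][string]$TypedPin)
    $out   = [System.Text.StringBuilder]::new()
    $notes = @()
    foreach ($ch in $TypedPin.ToCharArray()) {
        $s = [string]$ch
        if ($qwertzToUs.ContainsKey($s)) {
            $t = $qwertzToUs[$s]
            if ($t -eq '') { $note = "'$s' has no US-layout equivalent and is dropped" }
            else           { $note = "'$s' is read as '$t' at the preboot prompt" }
            $notes += $note
            [void]$out.Append($t)
        } else {
            # digits and the remaining letters are identical on both layouts
            [void]$out.Append($s)
        }
    }
    [pscustomobject]@{
        TypedPin   = $TypedPin
        PrebootPin = $out.ToString()
        LayoutSafe = ($notes.Count -eq 0)   # $true when no character depends on the layout
        Notes      = $notes
    }
}

# The commenter's example: typed zaza123, expected yaya123 at the preboot prompt
ConvertTo-PrebootPin -TypedPin 'zaza123'
# A PIN that would silently lose characters
ConvertTo-PrebootPin -TypedPin 'Pa@ss€wort7'
```

LayoutSafe is the property to act on: a rollout script can reject candidate PINs that are not layout-safe, or at least show the user the PrebootPin they will actually have to type, instead of letting them discover the mismatch at the next reboot and fall back to the recovery key.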