...
Initialise the TPM in Windows
Initialize Initialise the TPM in Windows by running tpminit.exe:
Let Windows create the password, and then save it to a USB stick for safekeeping.
...
Later on we want a PIN code will to be required for unlocking the drive. By default this can only consist of digits. For better security, we want to have all the characters available. This is done by enabling the "Allow enhanced PINs for startup" setting in the Local Group Policy Editor (gpedit.msc):
Enable BitLocker Drive Encryption
This is done through the BitLocker Drive Encryption control panel. Turn it on for the C: disk:
Windows will now generate a recovery key. Save this also on a USB stick. If you ever forget the PIN, you can boot the computer with it:
Now it's time to encrypt the drive. You can run a check to make sure your laptop really can be recovered with the key that is stored on the USB stick:
This encryption will take some time, but on a modern laptop that have a CPU that does crypto in hardware, and an SSD, it takes about 15 minutes:
Enable the PIN code
At this moment the C: partition is encrypted using the TPM. This means that the partition is unreadable when put into another computer.
The combination of the laptop and the disk (as you have it now) does not need any authentication, so not very useful.
Run the Group Policy Editor again and configure the "Require additional authentication at startup" settings so they look like this:
Once this is done, you can finally configure a PIN, but since you can (and should) use characters and numbers, it should be probably be called password instead:
| Code Block |
|---|
manage-bde -protectors -add C: -tpmandpin |
To change the PIN/password later, simply issue:
| Code Block |
|---|
manage-bde -changepin C: |