How to enable BitLocker Pre-Boot PIN on TPM chip machine

BitLocker with TPM chip alone is quite secure. This is because BitLocker binds the encryption key required to decrypt the boot drive with the TPM chip on the motherboard to ensure that a computer has not been tampered with while the system was offline.

If the TPM chip is missing or changed; or if BitLocker detects changes to the BIOS, UEFI code, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode. In recovery mode, the user must enter a recovery password to regain access to the data. For these reasons, using TPM-only validation is more convenient for sign-in since the TPM chip performs all the initial validation and access to data and OS still requires normal user login and password. If the encrypted disk is removed from the computer that contains the TPM chip, data can only be accessed by providing recovery password or the encryption keys stored and managed by TruGrid.

Additional BitLocker security via pre-boot authentication (PIN or password) is designed to prevent memory remanence attacks, which can occur by moving the DIMM (TPM chip) to another system.

To enable PIN or Password in addition to BitLocker TPM validation, BitLocker must first be enabled and encryption turned on. After that, Windows Policy must be enabled to require a PIN or Password; then the PIN or Password must be set. All of this happens outside of TruGrid.

One way to require a pre-boot PIN before booting the OS and letting TruGrid manage it altogether is to disable the TPM chip.

In this situation, TruGrid treats the system like a system without a TPM chip and automatically sets a pre-boot password for the boot disk and any other disk on the system.

To see how to implement TruGrid Device Management BitLocker encryption, please refer to this article.

Updated on: 08/03/2023