I am running Windows 7 RTM and have both physical drives BitLockered. Because my machine has a TPM it boots very nicely when I turn it on. But my employers would prefer that I was challenged for a password at boot time.
I have found this article: http://4sysops.com/archives/review-windows-7-bitlocker/ that tells me which group policy flags to set to get BitLocker to challenge for a PIN at startup.
What I can't find is how to set this PIN, given the system is already encrypted.
I have also come across http://technet.microsoft.com/en-us/library/dd875532%28WS.10%29.aspx and am curious to know which of these recommendations it is safe to apply to an already encrypted system.
Found the answer. Assuming you have BitLocker up and running, make these changes:
To enable TPM & PIN at boot:
Using the Group Policy Editor (Start -> gpedit.msc and press Enter), go to:
and open the key
Then enable that key and set "Configure TPM startup PIN:" to "Require startup PIN with TPM".
To set the actual PIN, use in a CMD prompt: manage-bde -protectors -add c: -TPMAndPIN
This will prompt you for a PIN, which it then requires you to enter at boot.
Windows 7: type 'cmd' in the search box (Start), right-click on the program found ('cmd') and select 'Run as administrator', then use manage-bde -protectors -add c: -TPMAndPIN as stated above.
http://technet.microsoft.com/en-us/library/dd875513(WS.10).aspx#BKMK_protectors
Run as admin to delete the associated protectors: cscript manage-bde.wsf -protectors -delete C:
Then add just the TPM only: cscript manage-bde.wsf -protectors -add C: -tpm
To check which protectors are being used by your system, run: cscript manage-bde.wsf -status C:
If you are using Win 7, change cscript manage-bde.wsf to manage-bde.exe and you are good to go.
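The answers above cover three separate steps (confirm the policy, add the TPM+PIN protector, revert to TPM only). The script below is an added example, not code from any of the answers or from Microsoft: it wraps the same manage-bde.exe commands in an elevated PowerShell session on Windows 7 and adds the two checks a practitioner wants before touching startup protectors, namely that a recovery password protector exists (so a forgotten PIN or a failed TPM validation does not lock the volume) and that the revert removes only the TPM And PIN protector instead of every protector including the recovery password. The registry location and value meanings of the startup-PIN policy, the `-type` switch for selecting a protector type, and the protector names matched in the output ("Numerical Password", "TPM And PIN") are assumptions from my own knowledge of the Windows 7 BitLocker tooling and should be verified on your build; on Vista substitute `cscript manage-bde.wsf` for `manage-bde.exe`.

```powershell
# Added example, not from the original answers. Wraps the manage-bde.exe calls the
# thread uses (Windows 7; on Vista substitute "cscript manage-bde.wsf") and adds the
# checks a practitioner wants before changing startup protectors.
# Assumptions: BitLocker already on for $Drive, elevated PowerShell, and that the
# policy registry location, value meanings and switch names noted below are correct.
param(
    [string]$Drive = "C:",
    [ValidateSet("Status", "TpmAndPin", "TpmOnly")]
    [string]$Mode = "Status"
)

function Assert-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw "manage-bde needs an elevated prompt (right-click, Run as administrator)."
    }
}

# The "Require additional authentication at startup" policy is assumed to live under
# this key, with UseTPMPIN = 1 meaning "Require startup PIN with TPM", 2 = Allow,
# 0 = Do not allow. Verify against your own ADMX before relying on it.
function Get-StartupPinPolicy {
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
    if (-not (Test-Path $key)) { return "Not configured (policy key absent)" }
    $value = (Get-ItemProperty -Path $key).UseTPMPIN
    switch ($value) {
        1       { "Require startup PIN with TPM" }
        2       { "Allow startup PIN with TPM" }
        0       { "Do not allow startup PIN with TPM" }
        default { "Not configured" }
    }
}

# Raw protector listing as one string; callers look for the protector type names in it.
function Get-ProtectorReport([string]$Volume) {
    $text = (& manage-bde.exe -protectors -get $Volume) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get failed for $Volume" }
    return $text
}

Assert-Elevated
Write-Host "Startup PIN policy : $(Get-StartupPinPolicy)"
$before = Get-ProtectorReport $Drive

switch ($Mode) {
    "Status" {
        & manage-bde.exe -status $Drive
        $before
    }
    "TpmAndPin" {
        # Do not replace the TPM protector until a recovery password exists; without it,
        # a forgotten PIN or a failed TPM validation leaves no way back into the volume.
        if ($before -notmatch "Numerical Password") {
            throw "No recovery password protector on $Drive; add one first (manage-bde -protectors -add $Drive -RecoveryPassword) and back it up."
        }
        if ($before -match "TPM And PIN") {
            Write-Host "$Drive already has a TPM And PIN protector; nothing to do."
        } else {
            # Prompts interactively for the PIN, exactly as the thread's command does.
            & manage-bde.exe -protectors -add $Drive -TPMAndPIN
            if ($LASTEXITCODE -ne 0) { throw "Adding the TPM And PIN protector failed." }
        }
    }
    "TpmOnly" {
        # Revert: remove only the TPM And PIN protector (keeping the recovery password)
        # and re-add the plain TPM protector. "-type" is assumed to be the Windows 7
        # manage-bde switch for selecting a protector type.
        & manage-bde.exe -protectors -delete $Drive -type TPMAndPIN
        if ($LASTEXITCODE -ne 0) { throw "Deleting the TPM And PIN protector failed." }
        & manage-bde.exe -protectors -add $Drive -tpm
        if ($LASTEXITCODE -ne 0) { throw "Adding the TPM protector failed." }
    }
}

if ($Mode -ne "Status") {
    Write-Host "Protectors after change:"
    Get-ProtectorReport $Drive
}
```

Run it as `.\bitlocker-pin.ps1 -Mode Status` first to see the policy state and the current protectors, then `-Mode TpmAndPin` to be prompted for the PIN, and `-Mode TpmOnly` to go back. The script deliberately refuses to add the PIN protector when no recovery password is listed, because the thread's revert recipe (deleting all protectors) is exactly the situation in which a missing recovery password turns a simple mistake into an unrecoverable volume.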