...

The defaults for BitLocker are pretty lame (i.e. anyone who gets hold of your laptop can access the data on it), so here's how to do it properly.

...

Enable non-numeric PINs

Later on we want a PIN code to be required for unlocking the drive. By default this can only consist of digits. For reasons that are beyond me, Microsoft have chosen a PIN (digits only) as the default rather than a password (any character). For better security we obviously want all the characters available. This is done by enabling the "Allow enhanced PINs for startup" setting in the Local Group Policy Editor (gpedit.msc):

...

Windows will now generate a recovery key. Save a copy onto TWO USB sticks (one backup is no backup), label them "BitLocker keys" and keep them in a physical key safe.

If the PIN ever gets lost or forgotten, or some boot parameters are changed, you need the recovery key to boot the computer:

Now it's time to encrypt the drive. You can run a check to make sure your laptop really can be recovered with the key that is stored on the USB stick:

...

Run the Group Policy Editor again, enable the "Require additional authentication at startup" setting and configure it so it looks like this:

Also, check the "Allow BitLocker without a compatible TPM" box:

Once this is done, you can finally configure a PIN, but since you can (and should) use letters as well as numbers, it should probably be called a password instead:

Set the password (which BitLocker mistakenly calls a PIN):

    manage-bde -protectors -add C: -tpmandpin

...

Sometimes, if you changed BIOS settings, your system needs the BitLocker Drive Encryption recovery key to boot.

Once that is done, you should suspend and then resume BitLocker protection in the BitLocker Drive Encryption control panel.
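The following PowerShell script is an added example and not part of the original page: it is a read-only check that ties the steps above together. It verifies that the three gpedit.msc settings described above have actually been applied (they are stored as policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE), lists the key protectors on the OS volume so you can see whether a TPM+PIN protector exists, and compares the recovery key file saved on the USB stick against the recovery protectors the volume really holds. Assumptions: the OS volume is C:, the USB stick is mounted as E:, and the recovery key was saved by the BitLocker wizard as "BitLocker Recovery Key <ID>.txt"; adjust the two variables at the top if your setup differs.

```powershell
# Added example, not from the original wiki page: read-only verification of the
# BitLocker setup described on this page. Assumptions (change to match your machine):
# OS volume is C:, the USB stick with the recovery key is mounted as E:, and the key
# was saved by the BitLocker wizard as "BitLocker Recovery Key <ID>.txt".
# Run from an elevated PowerShell prompt; uses the built-in BitLocker module.

$Volume   = 'C:'
$UsbDrive = 'E:'   # assumed drive letter of the USB stick

# 1. The three gpedit.msc settings from the page are stored as policy registry values.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = [ordered]@{
    UseEnhancedPin     = 1   # "Allow enhanced PINs for startup"
    UseAdvancedStartup = 1   # "Require additional authentication at startup"
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
}
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -eq $expected[$name]) {
        Write-Host "OK       $name = $actual"
    } else {
        Write-Warning "$name is '$actual', expected $($expected[$name]); set it in gpedit.msc first"
    }
}

# 2. List the protectors on the volume. With only a TPM protector the drive unlocks
#    without any user interaction, which is the weak default the page complains about.
$bl = Get-BitLockerVolume -MountPoint $Volume
Write-Host "Protection status: $($bl.ProtectionStatus), encrypted: $($bl.EncryptionPercentage)%"
$bl.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

$tpmPin     = $bl.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
$recoveries = $bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $tpmPin) {
    Write-Warning "No TPM+PIN protector on $Volume; add one with: manage-bde -protectors -add $Volume -tpmandpin"
}
if (-not $recoveries) {
    Write-Warning "No recovery password protector on $Volume; a USB copy cannot be valid"
}

# 3. Compare the recovery key file on the USB stick with what the volume actually holds.
#    The wizard's text file contains the protector identifier (a GUID) and the 48-digit
#    recovery password; both must match a RecoveryPassword protector on this volume.
$files = Get-ChildItem -Path $UsbDrive -Filter 'BitLocker Recovery Key*.txt' -ErrorAction SilentlyContinue
if (-not $files) {
    Write-Warning "No 'BitLocker Recovery Key*.txt' found on $UsbDrive"
}
foreach ($file in $files) {
    $text = Get-Content -Path $file.FullName -Raw
    $id   = [regex]::Match($text, '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}').Value
    $key  = [regex]::Match($text, '(\d{6}-){7}\d{6}').Value

    # KeyProtectorId is reported as "{GUID}", so strip the braces before comparing.
    $match = $recoveries | Where-Object {
        $_.KeyProtectorId.Trim('{}') -ieq $id -and $_.RecoveryPassword -eq $key
    }
    if ($match) {
        Write-Host "OK       $($file.Name) matches protector $($match.KeyProtectorId)"
    } else {
        Write-Warning "$($file.Name) does NOT match any recovery protector on $Volume (stale copy?)"
    }
}

# 4. After BIOS/boot changes the page recommends a suspend/resume cycle, which re-seals
#    the key against the current boot configuration. Shown here but deliberately not run:
#    Suspend-BitLocker -MountPoint $Volume -RebootCount 0
#    Resume-BitLocker  -MountPoint $Volume
```

The script changes nothing on the machine; it only reads the policy values and protector list and warns where the result differs from the configuration this page aims for. A stale or mismatched recovery key file on the USB stick (for example one saved before protectors were recreated) shows up as a warning in step 3, which is exactly the situation where a laptop that needs recovery after a BIOS change would turn out to be unrecoverable.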

...