
Bitlocker - Startup Key and PIN with TPM

Question

Sunday, March 26, 2017 6:55 PM

Hi All,

I'm trying to configure the "Startup Key and PIN with TPM" without success.

I have created a new GPO in a new OU and only defined "Require additional authentication at startup".

All the options are "Do not Allow" except for the "Require Startup Key and PIN with TPM".

Trying to enable BitLocker on the OS drive I get "The PC requires a startup option that isn't supported by BitLocker setup".

The computer is equipped with a TPM and each Authentication option works on it except the latter.

Also, the GPO text goes on to say "Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard."

Is it referring to the same "Startup Key and PIN with TPM" or is it a different option?

Thank you.

All replies (9)

Monday, April 17, 2017 9:24 AM ✅Answered

The -startupkey will only enable the startupkey.

I can only see -tpmandpinandstartupkey but no pinandstartupkey.

That's how it should be, as we can see below:

Without a TPM, only one option -> password or startupkey

For pinandstartupkey, it must be with TPM.

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Tuesday, March 28, 2017 7:20 AM

Hi CloudTester,

That's a different one.

According to your error message "The PC requires a startup option that isn't supported by BitLocker setup", it is usually caused by having more than one required option for additional authentication for an OS Drive at startup.

You can’t require more than one startup type. Check if your group policy configuration is as below:

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Wednesday, March 29, 2017 3:08 AM

Hi Karen,

As I stated, all the options are "Do not Allow" except for the "Require Startup Key and PIN with TPM", so it is defined as you pointed out.

I have successfully enabled TPM+PIN+StartupKey using the manage-bde command, but it's still not clear to me if it's possible to enable PIN+StartupKey as written in the GPO text, or if it is referring to the latter option.


Friday, March 31, 2017 3:07 AM

Hi Karen,

As I stated, all the options are "Do not Allow" except for the "Require Startup Key and PIN with TPM", so it is defined as you pointed out.

I have successfully enabled TPM+PIN+StartupKey using the manage-bde command, but it's still not clear to me if it's possible to enable PIN+StartupKey as written in the GPO text, or if it is referring to the latter option.

That's right.

As the statement says, if you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.

The startup key needs to be stored on the USB flash drive. Thus the option you selected, "Require Startup Key and PIN with TPM", meets the above situation.

The wizard only provides the password option.

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Monday, April 3, 2017 7:28 PM

So there is no option to enable startup PIN and a USB without a TPM ,right?


Thursday, April 6, 2017 10:05 AM

So there is no option to enable startup PIN and a USB without a TPM ,right?

Yes, there is no GUI method.

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Monday, April 10, 2017 3:32 PM

No GUI method??? As I understand it, there is no method at all unless it involves a TPM.

Can you please provide a link or the command structure to enable PIN+USB without a TPM.

Thank you.


Wednesday, April 12, 2017 9:14 AM

Hi,

The syntax and parameters for adding protectors are as below:

manage-bde -protectors -add [<Drive>] [-forceupgrade] [-recoverypassword <NumericalPassword>] [-recoverykey <PathToExternalKeyDirectory>]
[-startupkey <PathToExternalKeyDirectory>] [-certificate {-cf <PathToCertificateFile>|-ct <CertificateThumbprint>}] [-tpm] [-tpmandpin]
[-tpmandstartupkey <PathToExternalKeyDirectory>] [-tpmandpinandstartupkey <PathToExternalKeyDirectory>] [-password] [-adaccountorgroup <securityidentifier> [-computername <Name>]]
[{-?|/?}] [{-help|-h}]

You could set the -startupkey parameter:

Manage-bde: protectors

https://technet.microsoft.com/en-us/library/ff829848(v=ws.11).aspx

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
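
As an added example (not from any of the replies above), here is a PowerShell check that reads the policy state behind "Require additional authentication at startup", flags the more-than-one-Require condition described earlier in the thread as the cause of the wizard error, checks for a TPM, lists the protectors already on the OS drive, and prints the manage-bde command for the TPM+PIN+startup key protector. It assumes the HKLM:\SOFTWARE\Policies\Microsoft\FVE value names (UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN with 0 = Do not allow, 1 = Require, 2 = Allow), a Windows 10 host with the BitLocker and TrustedPlatformModule PowerShell modules, and E:\ as the USB drive letter.

```powershell
# Added diagnostic for the "startup option that isn't supported" error in this thread.
# Not from the original posts. Assumes the FVE policy registry values named below back
# the "Require additional authentication at startup" GPO setting (0 = Do not allow,
# 1 = Require, 2 = Allow), and that the BitLocker and TPM PowerShell modules are present.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$startupPolicies = [ordered]@{
    UseTPM       = 'TPM only'
    UseTPMPIN    = 'TPM + PIN'
    UseTPMKey    = 'TPM + startup key'
    UseTPMKeyPIN = 'TPM + PIN + startup key'
}
$meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Get-StartupAuthPolicy {
    # One row per policy value; nothing if the GPO has not applied to this machine yet.
    if (-not (Test-Path $fve)) { Write-Warning "No FVE policy key; GPO not applied yet."; return }
    $p = Get-ItemProperty -Path $fve
    foreach ($name in $startupPolicies.Keys) {
        $v = $p.$name
        [pscustomobject]@{
            Value   = $name
            Option  = $startupPolicies[$name]
            Setting = if ($null -eq $v) { 'Not configured' } else { $meaning[[int]$v] }
        }
    }
}

$rows = Get-StartupAuthPolicy
$rows | Format-Table -AutoSize

# The wizard error in the question appears when more than one option is set to Require.
$required = @($rows | Where-Object Setting -eq 'Require')
if ($required.Count -gt 1) {
    Write-Warning ("{0} options are set to Require: {1}" -f $required.Count, ($required.Option -join ', '))
}

# TPM presence decides which protectors are possible (no TPM => password or startup key only).
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { Write-Warning "No TPM: only -password or -startupkey protectors apply." }

# Protectors already on the OS drive, to confirm what manage-bde actually created.
(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyFileName, KeyProtectorId

# The combination the thread ends on, as a manage-bde command. E:\ is an assumed USB drive
# letter; manage-bde prompts for the PIN and writes the .BEK startup key file to that drive.
$usb = 'E:\'
Write-Host "manage-bde -protectors -add $env:SystemDrive -tpmandpinandstartupkey $usb"
```

Run it from an elevated PowerShell prompt after `gpupdate /force`, so the FVE key reflects the GPO you just linked.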


Wednesday, April 12, 2017 3:30 PM

The -startupkey will only enable the startupkey.

I can only see -tpmandpinandstartupkey but no pinandstartupkey.