Windows 10: Need to enable startup pin along with silent bitlocker disk encryption. Which policy in...

Need to enable startup pin along with silent bitlocker disk encryption:Silent drive encryption is working with the device configuration policy but not getting option to set up PIN. Please suggest.

:)

 

BitLocker hardware encryption cannot be activated on Win10 10586/1511

Hey,

I'm having trouble enabling hardware encryption with BitLocker using Windows 10 build 10586 on a clean install with a Samsung 850 SSD. The encryption worked flawlessly before on build 10240.

I've spent hours and attempted multiple solutions and made several tests.

As mentioned, on the same machine, if clean installing build 10240 (RTM, before November update) right now, the encryption works.

I have UEFI on with Legacy/CSM off, Fast Boot on, Secure Boot on, and a clean GPT installation after using the 'diskpart clean' command.

As always, it's required to change a group policy to allow additional authentication at startup. I did that.

On a clean installation of build 10586, the wizard will say 'parameter is incorrect' when attempting to start encryption.

Microsoft did announce some BitLocker-related changes for build 10586: https://technet.microsoft.com/en-us/library/mt403325

There are also new group policies added. I've tried all combinations. They now allow you to try and force a specific encryption cipher. Samsung uses XES-AES256. I tried forcing that (as well as all other combinations) but the same error returns.

Now, here's where it gets interesting, and possibly why no reports about this have surfaced yet:
If you enable the encryption on build 10240, and then upgrade to 10586, the encryption will remain and will work properly on build 10586.

If you then attempt to 'Reset this PC', and choose the 'keep nothing' option, it will warn you that BitLocker will be disabled. Once it's done cleaning, if you attempt to enable encryption, it will again show the error.

Even if you don't reset the PC, but simply disable BitLocker on 10586 and then attempt to re-enable it, it will no longer work.

tl;dr: Hardware encryption via BitLocker on build 10586 cannot be enabled on a clean install. Currently-known workaround is installing 10240, encrypting it, then upgrading to 10586.

Any solutions would be appreciated, thanks!

 

Bitlocker Blank blue screen at PIN screen

Our organization requires Laptops to be Encrypted with a PIN #. One of our Laptops is giving me trouble. I have Bitlocker turned on and fully encrypted and have require Startup PIN with TPM in the Require additional authentication at startup in GPEDIT. I also have the Enable use of Bitlocker Authentication Requiring preboot Keyboard input on Slates enabled. When turning on the Laptop Bitlocker comes up with the light blue screen where you enter the PIN but the screen is blank. It doesn't say Bitlocker or have a box to enter the PIN #. Now I can just type the pin # and press enter and it works and loads windows as normal. I obviously can't give this Laptop to a user like this.

Anybody have any suggestions as to a resolution to this issue.
Thank You.

 

How to enable/configure BitLocker authentication

For example in a company, the IT project manager configures "allowing" for 2 options instead of "requiring" to leave the choice of authentication at startup to employees.



In the menu shown in step 4 it is only possible to require one option. Still in business if the I.T. wants to require only key and pin together, it needs this third option "Configure TPM startup key and PIN". And also as I said in my previous comment explained otherwise, if the I.T. allowing "Configure TPM startup PIN" and "Configure TPM startup key" in Local Group Policy Editor, employees could not configure both at the same time for startup in step 10 of the tutorial in “BitLocker Drive Encryption” wizard. And, the BitLocker Drive Encryption wizard must not allow this possibility because the employees could configure a thing that the I.T. would not.




Yes the setting "Configure TPM startup", on "Require TPM" invalidates the other 3 menus. Menus are confusing because they are designed for businesses. To configure bitloker startup authentication you should go through the BitLocker Drive Encryption wizard and leave the Local Group Policy Editor menus on allow.


note: In BitLocker Drive Encryption wizard there is no "key and PIN" option you have to configure it in command line.