How to set up a password to protect bitlocker key with tpm?
My computer is a Dell XPS12 (2013) laptop running Windows 8.1 Pro, with UEFI and Secure Boot enabled.
I successfully enabled the TPM and encrypted the system partition with BitLocker. I was a bit surprised it didn't ask me for a password or any unlock method by default, and I really think it's way too complicated to set up (I encrypted system partitions with TrueCrypt in the past without any problem...)
So what I want to do now is to encrypt the key that I believe is now stored on the TPM with a solid password. I suppose I have to use "Manage BitLocker -> Change how drive is unlocked at startup" for this drive, but I get an error message when doing that: "The group policy settings startup options are in conflict and cannot be applied."
I suppose the key to my problem is in the "Local Group Policy Editor", so here's my configuration there:
Computer Configuration > Administrative Templates > System > TPM Services:
- all 8 items: not configured
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption:
- all 8 items: not configured
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives:
- Allow Secure Boot for integrity validation: enabled
- Require additional authentication at startup: enabled
- Require additional authentication at startup (Windows Server): disabled
- Allow enhanced PINs for startup: enabled
- Configure minimum PIN length for startup: enabled
- Configure use of hardware-based encryption for operating system drives: enabled
- Configure use of passwords for operating system drives: disabled
- All others: not configured
I hope my question is clear enough.
Thanks in advance.
windows-8 security encryption bitlocker tpm
asked Jun 5 '15 at 16:01 by miky
So change those not configured to something
– Ramhound
Jun 5 '15 at 16:37
@Ramhound I did it with the most basic choices I think, but still got the same error. I really don't understand why it needs so much configuration and why it is user based: I just want to set a password before the encrypted disk is mounted.
– miky
Jun 6 '15 at 18:31
1 Answer
Is this in a domain environment (if so, you may have other policies being applied and that may cause the conflict)?
For Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives:
- Require additional authentication at startup: Enabled (you did not specify the other settings under this configuration you chose.)
  You can only Require ONE additional startup item under this setting, otherwise you will see the error you indicated. Based on your question, I recommend the following settings:
  - Allow BitLocker without a compatible TPM: Unchecked (for maximum security as long as you have a TPM module enabled)
  - Configure TPM startup: Do not allow TPM
  - Configure TPM startup PIN: Require startup PIN with TPM
  - Configure TPM startup key: Do not allow startup key with TPM
  - Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM
I am not sure if the "Configure use of passwords for operating system drives: disabled" could be the issue but I will play with some machines and update if I find out anything.
answered Aug 25 '16 at 2:36 by Johnny Keeton
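As an added example (not part of the original question or answer), the following PowerShell reads the startup items that "Require additional authentication at startup" writes, flags the conflict the answer describes (more than one item set to Require), and then adds the TPM+PIN protector the answer recommends. It assumes the Local Group Policy Editor stores these settings under HKLM\SOFTWARE\Policies\Microsoft\FVE with DWORD values 0/1/2 meaning Do not allow/Require/Allow, that only one TPM-based protector can exist on a volume (so the new one replaces the TPM-only protector), and that the BitLocker PowerShell module shipped with Windows 8 and later is available.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original question or answer.
# Assumption: Local Group Policy Editor stores the "Operating System Drives" startup
# items under this key, with DWORD values 0 = Do not allow, 1 = Require, 2 = Allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$items = [ordered]@{
    UseTPM       = 'Configure TPM startup'
    UseTPMPIN    = 'Configure TPM startup PIN'
    UseTPMKey    = 'Configure TPM startup key'
    UseTPMKeyPIN = 'Configure TPM startup key and PIN'
}
$meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

# Returns the startup items set to Require; more than one is the conflict case.
function Get-RequiredStartupItems {
    if (-not (Test-Path $fve)) { Write-Host 'No local BitLocker policy found'; return @() }
    $p = Get-ItemProperty -Path $fve
    if ($p.UseAdvancedStartup -ne 1) {
        Write-Host "'Require additional authentication at startup' is not Enabled"
    }
    $required = @()
    foreach ($k in $items.Keys) {
        $v = $p.$k
        $label = if ($null -eq $v) { 'not set' } else { $meaning[[int]$v] }
        Write-Host ('{0,-36} {1}' -f $items[$k], $label)
        if ($v -eq 1) { $required += $items[$k] }
    }
    return $required
}

$required = @(Get-RequiredStartupItems)
if ($required.Count -gt 1) {
    Write-Warning ('Startup options are in conflict; more than one item is set to Require: ' + ($required -join ', '))
    return
}

# Before changing protectors, make sure a recovery password exists and is backed up;
# a forgotten PIN otherwise locks you out of the OS drive.
$vol = Get-BitLockerVolume -MountPoint 'C:'
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Write-Warning 'No recovery password protector on C:; add one first (Add-BitLockerKeyProtector -RecoveryPasswordProtector)'
    return
}
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# Only one TPM-based protector can exist on a volume (assumption), so adding TPM+PIN
# replaces the TPM-only protector that currently unlocks the drive without any prompt.
$pin = Read-Host -Prompt 'Enter the startup PIN (alphanumeric if enhanced PIN is allowed)' -AsSecureString
Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin

# Verify the new protector, then reboot once to confirm the PIN prompt appears.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
```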