Windows 10 Bitlocker + Hardware Encryption: Password option Unavailable?

brontosaurus

Member
May 13, 2015
39
0
0
I've been using Samsung EVO SSD's hardware encryption with Bitlocker in Win 8 Pro with relatively minimal problems. I set it up so that the user has to input a password during startup.

I recently upgraded to Win 10 Pro, and I can enable bitlocker via hardware encryption (doesn't ask whether I want to encrypt a portion or entire drive, so I know it's using hardware encryption). But when given the choices of security, it does NOT provide an option to create a password. See image below:

http://i.imgur.com/7fytSYg.jpg

Not sure if anyone else experienced this, but this is rather an inconvenience as I don't want to input a PIN (numbers only). Hopefully this is something MS can update.

Is there a way to enable password to unlock hard drive for Win 10's bitlocker, or did I miss something obvious?
 

brontosaurus

@Jovec

I checked the group policy setting and compared it to the Win 8.1 Pro machine. As a reference, the machine with win 8.1 Pro is a custom desktop with samsung 850 evo (500 GB, 2.5" variety) and ASUS P8Z77-V LK mobo.

This shows Windows 8.1 machine's group policy setting and how bitlocker allows password input.

My Win 10 Pro machine is an XPS 13 9343 (infinity display 2015 version) with samsung 850 evo m.2 500 gb.

This shows Windows 10 machine's group policy setting and how bitlocker doesn't have a password option.

I thought the unlocking methods were different because maybe my XPS 13 machine has TPM, but this confirms my CPU does not work with TPM.

Am I looking in the wrong setting?
 

brontosaurus

@Jovec

a side question..

Have you tried using a bluetooth wireless keyboard to input the bitlocker password during startup? I can't get mine to work, and I've read that bluetooth drivers are not fully loaded until fully booted into the Windows log-in page. I have an Intel AC7260+bluetooth PCI type, and my bluetooth keyboard doesn't seem to pair until the log-in page...
 

Jovec

Senior member
Feb 24, 2008
579
2
81
Bluetooth: If the Bluetooth receiver is managed by the OS then you cannot use a BT keyboard to unlock the OS drive with Bitlocker. It's possible that some keyboards may use BT between the keyboard and dedicated (USB) receiver. In such cases they should work. Depending on your security concerns, a wireless keyboard presents another attack surface.

Win 10 and Bitlocker with passwords and no TPM: Should still work. Run gpedit: then look at Computer Configuration -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption -> Operating System Drives and enable "Require additional authentication at startup." You should then be able to enable Bitlocker and it should ask you for a password.

I've just done a fresh install on a non-TPM laptop and enabled BL on the OS drive and it asks for a password at boot. Make sure you enable "Require additional authentication at startup" and not "Require additional authentication at startup (Windows Server 2008 and Windows Vista)."
 

brontosaurus

@jovec,

Seems like I'm out of luck with my bluetooth keyboard.. It's a direct bluetooth pairing with OS, and not via dedicated receiver. But it makes sense that it doesn't work.

Regarding win 10 + bitlocker + samsung evo 850, everything's set properly. "Require additional authentication at startup" is enabled and not the other one with win server 2008 and vista.

I do recall with the win 8 + bitlocker + samsung evo 850, since this machine doesn't have TPM, if I don't have "Require additional authentication at startup" enabled, this error would come up. By enabling, it allows me to set up a pw and never bothered me about PIN because I never had TPM in the first place.

With this win 10 machine (same samsung ssd, different form factor), I just tried turning on bitlocker after DISABLING "require additional authentication at startup". It didn't give me that error message! See here. Does this mean this machine may have TPM installed?

Whether I enable the additional authentication at startup or not, I don't get asked to set a PW at boot.

Did you install Win 10 for your fresh install? Perhaps I should re-install it if nothing else.
 

Jovec

> Did you install Win 10 for your fresh install? Perhaps I should re-install it if nothing else.

Fresh install.

Yes, you might have a TPM. Device manager should show it. After enabling "require additional authentication at startup" you might have to do more and explicitly block the TPM usage in that same options box to force the p/w option (if you have a TPM).
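
A read-only check of the three things the reply above points at: whether a TPM is present, what the "Require additional authentication at startup" policy has written to the registry, and which key protectors the OS drive currently has. This is an added example, not part of the original thread; it assumes an elevated PowerShell session with the BitLocker cmdlets available, and the function name `Get-BitLockerStartupState` is made up for this example.

```powershell
# Added example (not from the thread). Read-only; run from an elevated PowerShell prompt.
function Get-BitLockerStartupState {
    param([string]$MountPoint = $env:SystemDrive)

    # 1. TPM presence and readiness (Device Manager lists the same device
    #    under "Security devices").
    $tpm = Get-Tpm

    # 2. Registry values behind the "Require additional authentication at
    #    startup" policy. The key is absent when the policy is not configured,
    #    in which case every policy field below comes back empty or False.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                            -ErrorAction SilentlyContinue

    # 3. State of the OS volume and the protectors already attached to it.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = foreach ($kp in $vol.KeyProtector) { "$($kp.KeyProtectorType)" }

    [pscustomobject]@{
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        # UseAdvancedStartup = 1 means the policy is enabled.
        PolicyEnabled       = ($fve.UseAdvancedStartup -eq 1)
        # EnableBDEWithNoTPM = 1 is the "Allow BitLocker without a compatible
        # TPM" checkbox, which is what permits a password or USB startup key.
        AllowWithoutTpm     = ($fve.EnableBDEWithNoTPM -eq 1)
        # Raw TPM settings from the same options box:
        # 0 = do not allow, 1 = require, 2 = allow, empty = not set.
        UseTPM              = $fve.UseTPM
        UseTPMPIN           = $fve.UseTPMPIN
        UseTPMKey           = $fve.UseTPMKey
        UseTPMKeyPIN        = $fve.UseTPMKeyPIN
        # Reads "HardwareEncryption" when the SSD's own encryption is in use.
        EncryptionMethod    = "$($vol.EncryptionMethod)"
        ProtectionStatus    = "$($vol.ProtectionStatus)"
        Protectors          = ($types -join ', ')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

Get-BitLockerStartupState | Format-List
```

If `HasRecoveryPassword` is False, there is no recovery string to fall back on should the startup password or PIN stop being accepted.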
 

brontosaurus

@Jovec,

Apparently I do have TPM, thanks for the suggestion. But I still can't figure out a way to force p/w option even after I explicitly block the TPM usage. I'll sort it out eventually.

-------------------------------------

Seems like I don't have enough posts to PM you.. and I don't want to create a new thread for this question:

A few months back you helped me out with secure erasing Samsung EVO 840/850 and properly set it up for bitlocker. So I've been using this machine with EVO 850 + Win 8.1 Pro and bitlocker hardware encrypted with no problems.

Today, I did an update+restart and my PW no longer worked on the bitlocker screen! Even showed my PW on the screen as I typed to see if I was mistyping, but I was typing it in correctly.

Are you aware of this kind of thing happening, where the PW just stops working? I'm kind of baffled..
 

Jovec

> @Jovec,
>
> Apparently I do have TPM, thanks for the suggestion. But I still can't figure out a way to force p/w option even after I explicitly block the TPM usage. I'll sort it out eventually.


You can't with a TPM. With a TPM, I believe you can only use 1) TPM, 2) TPM + USB drive, 3) TPM + 4 or 20 digit Pin or 4) TPM + USB + 4/20 Pin. At least that is what the docs in Win10 tell me.

It might be possible to disable the TPM in the BIOS to re-enable P/W.


> Seems like I don't have enough posts to PM you.. and I don't want to create a new thread for this question:
>
> A few months back you helped me out with secure erasing Samsung EVO 840/850 and properly set it up for bitlocker. So I've been using this machine with EVO 850 + Win 8.1 Pro and bitlocker hardware encrypted with no problems.
>
> Today, I did an update+restart and my PW no longer worked on the bitlocker screen! Even showed my PW on the screen as I typed to see if I was mistyping, but I was typing it in correctly.
>
> Are you aware of this kind of thing happening, where the PW just stops working? I'm kind of baffled..

Sorry, I don't have much for you here. What kind of update? 8.1 to 10? Or merely some standard Windows updates?

Double-check the obvious (correct computer, correct p/w, case, punctuation, etc). You can also try using the recovery string BL made you save when you first encrypted the drive.
 

brontosaurus

@Jovec

It was just a standard windows update within Win 8.1. Didn't see what it needed to update, just saw that the computer needed to update windows prior to restart. But after update was completed, when it restarted and bitlocker p/w screen came up, my p/w is now showing up as incorrect. Still scratching my head over it.. Unfortunately I didn't retain the key, so I'll just have to re-install.