I've just encrypted my drives using BitLocker, but since I don't have a TPM, I went with a USB key. Is it possible to switch that method to a PIN, or is it too late now and I have to re-encrypt the drives?
3 Answers
Well, apparently it's not possible.
Only four options are available:
- TPM only
- TPM and PIN
- TPM and Startup Key
- USB only
Therefore, USB it is for me ;)
If you later decide to add a TPM to your computer, you can initialise it by running tpm.msc and choosing "Initialize TPM" and "Turn TPM On...". This will prompt you to create an owner password for the TPM.
You can then configure BitLocker to use the TPM at startup by running cmd.exe as Administrator and typing:
manage-bde.exe -protectors -add C: -TPMAndPIN
This will prompt you to create a numerical PIN. On restart you will have to enter the PIN, then enter the recovery key. Once Windows is started you will need to suspend then resume BitLocker to tell it the changes are valid. On future restarts you will only need to enter the PIN.
I could not find a way to tell BitLocker to start using the TPM instead of the USB key using the GUI. It seems straightforward using manage-bde.exe. I used documentation from Microsoft TechNet to figure it out. There does not seem to be a setting to tell BitLocker which protector to use. I assume it tries all of them and once the USB key is removed it only finds the TPM one and uses that.

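The protector change described in the answer above, as an added PowerShell example that is not part of the original answers. It checks that the TPM is ready and that a recovery password exists before adding the TPM+PIN protector. The `$MountPoint` default and the `-RemoveUsbKey` switch are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answers): preflight checks before
# adding a TPM+PIN protector to a volume that unlocks with a USB startup key.
param(
    [string]$MountPoint = 'C:',   # assumption: the OS volume
    [switch]$RemoveUsbKey         # hypothetical switch: also drop USB key protectors
)
$ErrorActionPreference = 'Stop'

# 1. The TPM must be present and ready (initialised via tpm.msc first).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; initialise it before continuing.'
}

# 2. Refuse to change protectors unless a recovery password already exists,
#    so a failed PIN/TPM unlock cannot lock you out of the data.
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = $vol.KeyProtector.KeyProtectorType
if ($types -notcontains 'RecoveryPassword') {
    throw "No recovery password on $MountPoint; add one and store it safely first."
}

# 3. Add the TPM+PIN protector unless one is already present.
#    This can fail if Group Policy does not allow a startup PIN.
if ($types -notcontains 'TpmPin') {
    $pin = Read-Host -AsSecureString -Prompt 'New startup PIN'
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin |
        Out-Null
}

# 4. List every protector that can now unlock the volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId

# 5. Optional: remove ExternalKey protectors so the USB key no longer unlocks
#    the drive. A recovery key saved as a file on USB is also an ExternalKey
#    protector and would be removed as well.
if ($RemoveUsbKey) {
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}
```

Run it once without `-RemoveUsbKey`, reboot to confirm the PIN unlocks the drive, and only then run it again with the switch.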
It is possible to change the protectors, but if you don't have a TPM then only USB is available to you.
I have TPM and use TPM + PIN + USB as the protector.
The most important thing is for you to store your recovery key somewhere safe as without that you will NOT be able to access your data if you lose your key.
I have recently installed a TPM. How is it possible to change the protectors? – Rob Fisher Aug 25 '15 at 21:14