BitLocker protection on Windows 7 Ultimate

I enabled my TPM on my Dell laptop and then I enabled BitLocker encryption on the C partition. I also saved the unique key to USB and a network location. Now my C partition is encrypted, but after rebooting I decided to remove the USB and disconnect the patch cable to test whether the laptop is going to look for that key. I can log on to that laptop without any problems. What am I missing? I don't want to use my AD to store unique identifiers. Why is it not looking for the USB or network location where I saved the recovery key?
mirekg Asked:
 
David Johnson, CD, MVP (Owner) Commented:
Yes, it is very possible to crack any Windows password. What you want to do is enable a PIN in BitLocker.

We need to open the Group Policy editor for the machine. Go to Start, type in gpedit.msc and press 'Enter'. Then go to: Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, right click the option "Require additional authentication at startup" and select "Edit". The screen is displayed below:


Select "Enabled" and then select "Require startup PIN with TPM" under the "Configure TPM startup PIN:" dropdown. Click "Apply", "OK", then close the dialog and the Group Policy editor. This now allows us to configure the pre-boot PIN from the command prompt.

Step # 9: Go to Start and type in cmd but do NOT press Enter. Once the cmd application displays in the Start menu, right click it and select "Run as Administrator". Click "Yes" on any security dialogs that may appear. To configure the PIN we need to use the manage-bde.exe tool. To configure the PIN, enter the following and then press 'Enter':

manage-bde -protectors -add %systemdrive% -tpmandpin

You will be prompted to enter a PIN. (Note: I did notice that if you still have the USB with the keys inserted into the machine, this process does not work; the command prompt never asks you to enter the PIN, so make sure to remove it before doing this process.) The PIN by default can only be numeric. There is an option in the Group Policy editor from Step # 7 to allow complex PINs for this process, but it warns that not all systems support it. Since you may not find that out until reboot, and may not be able to log back in, I suggest just using a numeric PIN. You will be prompted to enter it twice, and upon success you will see a screen like the one below:


Step # 10: Reboot and test the PIN. Upon rebooting, after the quick flash of your system manufacturer's screen, you should receive an old MS-DOS style screen prompting you for your PIN. It tells you the function keys can be used to represent numbers, but I always just use the keypad and it works fine. If needed, the option is there. Upon entering the correct PIN the machine will continue booting into Windows. One note on the pre-boot PIN: I have found that if you have your USB containing the keys inserted upon boot, it assumes you are validated and skips the prompting of the PIN. Since your USB drive should be locked away, you will be prompted for the PIN, but again, another nice option if needed.
0
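An added audit script, not part of the thread above, that shows why the laptop booted without asking for anything: it lists the key protectors on the OS volume via the Win32_EncryptableVolume WMI class (available on Windows 7) and flags a TPM-only configuration, which unlocks silently, versus one that also requires a pre-boot PIN. It assumes an elevated PowerShell prompt and that the OS volume is the system drive; the protector type codes are those documented for the class.

```powershell
# Added example: audit BitLocker key protectors on the OS drive (Windows 7 compatible).
# Run elevated. Protector type codes follow the Win32_EncryptableVolume documentation.
$ProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB startup key)';
    3 = 'Numerical password (recovery key)'; 4 = 'TPM and PIN';
    5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key';
    7 = 'Public key'; 8 = 'Passphrase'
}

function Get-OsDriveProtectors {
    param([string]$DriveLetter = $env:SystemDrive)   # e.g. 'C:'
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No encryptable volume found for $DriveLetter" }

    # ProtectionStatus: 0 = off (not encrypted or suspended), 1 = on, 2 = unknown
    $status = $vol.GetProtectionStatus().ProtectionStatus
    # 0 = return protectors of every type
    $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)
    $types = @()
    foreach ($id in $ids) {
        $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    }
    New-Object PSObject -Property @{
        Drive = $DriveLetter; ProtectionOn = ($status -eq 1); Types = $types
    }
}

function Test-PreBootAuth {
    param([int[]]$Types, [bool]$ProtectionOn)
    if (-not $ProtectionOn) { return 'WARN: protection is off (suspended or not encrypted).' }
    $requiresUser = @($Types | Where-Object { @(4, 5, 6) -contains $_ })
    $hasRecovery  = $Types -contains 3
    $msg = if ($requiresUser.Count -gt 0) {
        'OK: pre-boot authentication is required before the OS volume unlocks.'
    } elseif ($Types -contains 1) {
        # This is the situation described in the question: the TPM releases the key
        # on its own when the boot path is unmodified, so no USB or network key is needed.
        'WARN: TPM-only; the drive unlocks without user input. Add a PIN (manage-bde -protectors -add C: -tpmandpin).'
    } else { 'WARN: no TPM-based protector found.' }
    if (-not $hasRecovery) { $msg += ' No recovery password protector; back one up before changing protectors.' }
    return $msg
}

$info = Get-OsDriveProtectors
"Protectors on $($info.Drive): " + (($info.Types | ForEach-Object { $ProtectorNames[$_] }) -join ', ')
Test-PreBootAuth -Types $info.Types -ProtectionOn $info.ProtectionOn
```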
 
David Johnson, CD, MVP (Owner) Commented:
In the original computer with TPM it will use the TPM. Only if you change computer will it need the recovery key, i.e. USB/network path.
0
 
mirekg (Author) Commented:
So let's say the laptop is stolen. Is it possible to crack the regular password? At the present time I have two accounts on this laptop: myself as an admin and the user.
0
 
mirekg (Author) Commented:
I just created a dummy document on the encrypted laptop, copied that document to a non-encrypted USB, and I can read it. Is that normal behavior?
0
 
David Johnson, CD, MVP (Owner) Commented:
Yes, why would you think otherwise?
0