Bitlocker Encryption - Additional Startup Authentication Vs Standard

Hello all,

just a question on Bitlocker for the experts. I've tried to find an answer online to no avail.

I know in Windows 10 pro (and previous o/s) you can have different login methods after encryption. You can encrypt the hardrive by right clicking C: and selecting the "Turn Bitlocker on" method, following the standard/ recommended process. However, i also know that in gpedit.msc you can configure the "Require additional authentication at startup" so that you can enter a PIN/Password on boot.

My question is.. What is the difference between them both? If i choose *not* to have an additional authentication at startup but have the hardrive encrypted, what are the security implications here?

I would really appreciate help/guidance if possible :)
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


Without having preboot authentication, someone may start the machine. The encryption key is in RAM after starting and can be read by sophisticated attackers, then. You can also run a dma attack and a network attack on the machine, then. All that requires a sophisticated attacker.

So a preboot authentication is safer and if you choose it, use the PIN, not the password. Passwords can be brute forced, PINs cannot due to tpm lockout after just 32 attempts.
N00b2015Author Commented:
Thank you! Would you perhaps know why the "require additional authentication at startup" option is optional other than compulsory with bitlocker? Seeing as it's a vulnerability. Ideally, I do not want to use additional boot authentication and just encrypt the hardrive.
The risk is small. Only if someone in the know stole your laptop, he would be able to unlock it, someone really specialized. So you have to weigh comfort against security, as always.

If you use BL without preboot auth, make sure to gave unguessable passwords for all accounts and have the firewall activated with no exceptions.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

N00b2015Author Commented:
Thankd again. Very helpful. Sorry for all the questions. Just trying to get my head around it. When you say un guess able password. Since there is no preboot authentication, I believe you are talking about the windows password? If so, is that more secure now with BL
"more secure now with bitlocker" - ? Plese explain what that should mean.
I tried to point out that using BL without preboot authentication should at least be accompanied by some security measures (no passwords of the 123456 style, firewall on).
N00b2015Author Commented:

thanks, i understand what you mean but when you set bitlocker to encrypt the hardrive (without preboot). It does not request you to set a PIN/Password, it just encrypts the drive. So my confusion is what complex password has to be set? Would you mean the windows o/s password itself?
Yes sure, the "OS"/user password(s).
N00b2015Author Commented:
Thank you for the clarification.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.