If you are overly security conscious or just want to go that extra mile with BitLocker there is is the ability to get prompted for a pin when booting your machine.    Unfortunately, how to enable this is not a straight forward as selecting an option from a menu.   To do it you must run the following command

manage-bde -protectors -add e: -TPMAndPIN 1234

From the command line help..

manage-bde -protectors -add Volume
        [{-RecoveryPassword|-rp} [NumericalPassword]]
        [{-RecoveryKey|-rk} PathToExternalKeyDirectory]
        [{-StartupKey|-sk} PathToExternalKeyDirectory]
        [-TPM]
        [{-TPMAndPIN|-tp} PIN]
        [{-TPMAndStartupKey|-tsk} PathToExternalKeyDirectory]
        [{-TPMAndPinAndStartupKey|-tpsk} -tp PIN -tsk
            PathToExternalKeyDirectory]
        [{-ComputerName|-cn} ComputerName]
                [{-?|/?}] [{-Help|-h}]

Description:
    Adds key protection methods.

Parameter List:
    Volume      A drive letter followed by a colon. Example: "C:"
    -RecoveryPassword or -rp
                Adds a Numerical Password protector.
    -RecoveryKey or -rk
                Adds an External Key protector for recovery.
    -StartupKey or -sk
                Adds an External Key protector for startup.
    -TPMAndPIN or -tp
                Adds a TPM And PIN protector for the OS volume.
    -TPMAndStartupKey or -tsk
                Adds a TPM And Startup Key protector for the OS volume.
    -TPMAndPINAndStartupKey or -tpsk
                Adds a TPM And PIN And Startup Key protector for the OS volume.
    -tpm        Adds a TPM protector for the OS volume.
    -ComputerName or -cn
                Runs on another computer. Examples: "ComputerX", "127.0.0.1"
    -? or /?    Displays brief help. Example: "-ParameterSet -?"
    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:
    manage-bde -protectors -add c: -RecoveryPassword
    manage-bde -protectors -add c: -rp -rk h:\
    manage-bde -protectors -add c: -TPMAndPIN 1234

Advertisements