
I understand that I have to change the group policy in Win 11 to require additional verification at startup, but what are the cmds to set it up? BitLocker by default is just TPM.

I would like to be able to use a USB stick and PIN together to start up my machine. Thanks

D Yuri
  • BitLocker is best set up to start your machine normally. Put a BIOS drive lock on your system to start it and so no one else can start it. Keep your BitLocker PW well protected and known, and remember that if you use a startup key and forget it, your data is gone. – John Mar 27 '23 at 19:53
  • What is the output of `manage-bde -protectors -get` – Ramhound Mar 27 '23 at 20:05
  • It's just using TPM atm – D Yuri Mar 27 '23 at 20:20
  • You can use [Add-BitLockerKeyProtector](https://learn.microsoft.com/en-us/powershell/module/bitlocker/add-bitlockerkeyprotector?view=windowsserver2022-ps) to configure a `TpmAndPinAndStartupKeyProtector` BitLocker protector. I would make a backup of your disk before you attempt to try changing the protector. There is no room for error when you deal with FDE. – Ramhound Mar 27 '23 at 20:54

1 Answer


The syntax would be:

```
manage-bde -protectors -add C: -TPMandPINandStartupKey -tp 12345678 -tsk E:
```

["12345678" being the PIN and `E:\` being the USB key's drive letter]
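
The same change using the `Add-BitLockerKeyProtector` cmdlet mentioned in the comments, as an added example that is not from the answer or the comments: it first makes sure a recovery password exists, reads the PIN as a SecureString rather than passing it on the command line, and then confirms the new protector is present. It assumes `C:` is the OS volume, `E:\` is the USB stick, and that the "require additional authentication at startup" policy from the question is already configured.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values: C: is the OS volume, E:\ is the USB stick.
$MountPoint = 'C:'
$UsbPath    = 'E:\'

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Do not change protectors on a volume that is mid-encryption or suspended.
if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
    throw "Volume $MountPoint is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)."
}
if (-not (Test-Path -LiteralPath $UsbPath)) {
    throw "Startup key drive $UsbPath not found."
}

# Make sure a recovery password exists before touching the startup protector,
# so a lost USB stick or forgotten PIN does not mean lost data.
$hasRecovery = $vol.KeyProtector |
    Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' }
if (-not $hasRecovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector |
        Out-Null
    Write-Warning 'Recovery password added. Record it somewhere off this machine:'
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
        Select-Object KeyProtectorId, RecoveryPassword |
        Format-List
}

# Read the PIN as a SecureString so it is not stored in shell history.
$pin = Read-Host -AsSecureString -Prompt 'New startup PIN'

Add-BitLockerKeyProtector -MountPoint $MountPoint `
    -TpmAndPinAndStartupKeyProtector -Pin $pin -StartupKeyPath $UsbPath |
    Out-Null

# Verify: the volume should now list a TPM + PIN + startup key protector.
[string[]]$types = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    ForEach-Object { "$($_.KeyProtectorType)" }
if ($types -notcontains 'TpmPinStartupKey') {
    throw 'TpmPinStartupKey protector not found; do not reboot until resolved.'
}
"Protectors on ${MountPoint}: $($types -join ', ')"
```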