How to enable BitLocker password and why it may not be requested after encryption

Anonim

How to enable a password or PIN code for BitLocker
If you encrypt the Windows 10 system partition with BitLocker on a machine without a TPM module, the encryption setup stage offers a password as the unlock method: you specify a password that must then be entered every time the system boots.

However, if your laptop or computer is equipped with a TPM module, this option is not offered. The disk is encrypted successfully, but no password prompt appears, because the keys required for unlocking are stored in the corresponding chip of your device. If you wish, you can change this behavior so that a password (or, more precisely, a PIN code, which can contain more than just digits) is requested at every power-on as an additional protection measure.

Enabling the PIN (password) prompt for an encrypted Windows 10 system disk

Before proceeding, note that all the steps described below are easier to perform before encryption. You can proceed in one of the following ways:

  • If the system disk is already encrypted, decrypt it first. To do this, right-click the disk, select the "Manage BitLocker" context menu item, then "Turn off BitLocker", confirm the decryption and wait for the process to complete. Then proceed to steps 1-5 below.
  • Without decrypting the disk. First, I strongly recommend saving the BitLocker recovery key to your Microsoft account or somewhere else: open the disk's context menu, select "Manage BitLocker", and then "Back up your recovery key". Next, perform steps 1-5, then run the command prompt as administrator and enter the command manage-bde -protectors -add C: -TPMAndPIN. As a result, you will be prompted to set a PIN that will then be requested at power-on. However, this approach does not always work, and even when it succeeds, PIN management in the disk's BitLocker settings may not be available.

The procedure for enabling the password (PIN code) when a TPM (Trusted Platform Module) is in use consists of the following steps:

  1. Press Win + R on the keyboard (Win is the key with the Windows logo), enter gpedit.msc and press Enter to run the Local Group Policy Editor.
  2. In the Local Group Policy Editor, go to Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives.
  3. Find the policy "Require additional authentication at startup", double-click it and set it to "Enabled".
  4. Under "Configure TPM startup PIN", select "Allow startup PIN with TPM" and apply the settings.
  5. If you do not want to be limited to a numeric PIN, enable the policy "Allow enhanced PINs for startup" in the same section of the Local Group Policy Editor and apply the settings.

Once these steps are done, you can start BitLocker disk encryption (right-click the drive in File Explorer, then "Turn on BitLocker") and choose a PIN for unlocking, or enable the PIN after encryption has been performed: open "Manage BitLocker" from the disk's context menu and click "Change how drive is unlocked at startup". The PIN can also be changed there.
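
The prerequisites of this procedure can be checked from a script before a PIN protector is added. The following PowerShell is an added example, not part of the original article; it assumes an elevated session, the system drive C:, and that the policies from steps 2-5 are stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE with the value names shown.

```powershell
# Added example: audit the BitLocker startup-PIN prerequisites for the system drive.
# Run from an elevated PowerShell session. $Mount is an assumption (system drive C:).
$Mount  = 'C:'
$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # registry location of the BitLocker policies

# Read one policy value; returns $null when the policy is not configured.
function Get-FvePolicy([string]$Name) {
    (Get-ItemProperty -Path $FveKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

$advanced = Get-FvePolicy 'UseAdvancedStartup'  # 1 = "Require additional authentication at startup" enabled
$tpmPin   = Get-FvePolicy 'UseTPMPIN'           # 0 = do not allow, 1 = require, 2 = allow
$enhanced = Get-FvePolicy 'UseEnhancedPin'      # 1 = enhanced (non-numeric) PINs allowed

$volume = Get-BitLockerVolume -MountPoint $Mount
$types  = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

$report = [pscustomobject]@{
    ProtectionStatus    = $volume.ProtectionStatus
    PolicyAllowsTpmPin  = ($advanced -eq 1) -and ($tpmPin -in 1, 2)
    EnhancedPinAllowed  = ($enhanced -eq 1)
    HasRecoveryPassword = $types -contains 'RecoveryPassword'
    HasTpmOnly          = $types -contains 'Tpm'
    HasTpmPin           = $types -contains 'TpmPin'
}
$report | Format-List

if (-not $report.PolicyAllowsTpmPin) {
    Write-Warning 'Policy does not allow a startup PIN yet: complete steps 1-5 first.'
} elseif (-not $report.HasRecoveryPassword) {
    Write-Warning 'No recovery password protector: create and save a recovery key before changing protectors.'
} elseif (-not $report.HasTpmPin) {
    # PowerShell equivalent of: manage-bde -protectors -add C: -TPMAndPIN
    $pin = Read-Host -AsSecureString -Prompt 'New startup PIN'
    Add-BitLockerKeyProtector -MountPoint $Mount -Pin $pin -TpmAndPinProtector | Out-Null
    manage-bde -protectors -get $Mount   # list the protectors now on the volume
} else {
    Write-Output 'A TPM+PIN protector is already present; the PIN is requested at startup.'
}
```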

If you forget the PIN code, you will need to enter the recovery key to unlock the BitLocker volume; the user is offered the option to save or print this key when the disk partition is first encrypted.
