<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Digging in : Bitlocker</title><link>http://blogs.technet.com/ganand/archive/tags/Bitlocker/default.aspx</link><description>Tags: Bitlocker</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>You will not get the option to reset Pin in bitlocker when using TPM+PIN+StartupKey protectors in vista sp1</title><link>http://blogs.technet.com/ganand/archive/2008/04/26/you-will-not-get-the-option-to-reset-pin-in-bitlocker-when-using-tpm-pin-startupkey-protectors-in-vista-sp1.aspx</link><pubDate>Sat, 26 Apr 2008 12:17:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3045259</guid><dc:creator>ganand</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/ganand/comments/3045259.aspx</comments><wfw:commentRss>http://blogs.technet.com/ganand/commentrss.aspx?PostID=3045259</wfw:commentRss><description>&lt;P&gt;Aah, I don't write blogs in such a nice format, but this was written for another document and I am pasting the same copy here to save time. Hope this helps.&lt;/P&gt;
&lt;P&gt;=======&lt;/P&gt;
&lt;P&gt;SYMPTOMS&lt;BR&gt;&lt;BR&gt;On a Vista SP1 client with BitLocker enabled and a TPM+PIN+StartupKey protector, the BitLocker Drive Encryption applet in Control Panel gives no option to reset the PIN. The only option offered under "select keys to manage" is to duplicate the recovery password.&lt;BR&gt;&lt;BR&gt;CAUSE&lt;BR&gt;&lt;BR&gt;This is by design. The GUI offers the reset-PIN option only when the volume has a TPM+PIN protector. To change the PIN of a TPM+PIN+StartupKey protector, use manage-bde.wsf to delete the existing protector and then add a new one.&lt;BR&gt;&lt;BR&gt;RESOLUTION&lt;BR&gt;&lt;BR&gt;1 Open a command prompt with administrator privileges.&lt;BR&gt;2 Type: cd c:\windows\system32&lt;BR&gt;3 Type: cscript manage-bde.wsf -protectors -delete c: (where c: is the protected volume) and press Enter. Unless you pass additional parameters, this removes every key protector on the volume, including the recovery password, not only the TPM+PIN+StartupKey protector, so go straight on to step 4 and do not reboot in between.&lt;BR&gt;4 Type: cscript manage-bde.wsf -protectors -add (volume to be protected, for example c:) -rp -rk (volume on which to store the recovery key, for example f:) -tpsk -tp (the PIN you want to set, for example 1234) -tsk (volume on which to store the startup key, for example g:) and press Enter. With those placeholders the complete command is: cscript manage-bde.wsf -protectors -add c: -rp -rk f: -tpsk -tp 1234 -tsk g:&lt;BR&gt;5 The -rp switch creates a new 48-digit recovery password and prints it. Record it (and back it up to AD DS if your policy requires that), because the old recovery password was removed in step 3. Note also that the PIN is passed in clear text on the command line, so use a real PIN in place of the 1234 placeholder.&lt;BR&gt;6 You have successfully reset the PIN.&lt;BR&gt;&lt;BR&gt;======&lt;/P&gt;
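&lt;P&gt;The procedure above as a PowerShell script, added here as an example; it is not code from the original post. It uses only the manage-bde.wsf switches the post shows (-protectors -delete, -protectors -add, -rp, -rk, -tpsk, -tp, -tsk). Two things are assumptions to confirm with "cscript manage-bde.wsf -?" on your own Vista SP1 build: that "-protectors -get" lists the protectors on a volume, and that a failed manage-bde.wsf call exits with a non-zero code. The drive letters are the post's placeholders.&lt;/P&gt;

```powershell
# Added example: the PIN-reset procedure from this post as a script.
# Not code from the original post. Only the manage-bde.wsf switches shown in
# the post are used; "-protectors -get" and the non-zero-exit-code-on-failure
# behaviour are assumptions to verify with "cscript manage-bde.wsf -?".
param(
    [string]$Volume         = 'C:',   # volume whose PIN you want to reset
    [string]$RecoveryKeyDir = 'F:\',  # -rk target: where the new recovery key goes
    [string]$StartupKeyDir  = 'G:\'   # -tsk target: where the new startup key goes
)

$ErrorActionPreference = 'Stop'
$ManageBde = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'

# The commands only work from an elevated prompt, so refuse to run otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated (administrator) PowerShell prompt.'
}

function Invoke-ManageBde {
    # Runs manage-bde.wsf with the given switches and returns its console output.
    param([string[]]$Switches)
    $output = cscript.exe //NoLogo $ManageBde $Switches
    if ($LASTEXITCODE -ne 0) {   # assumption: manage-bde.wsf exits non-zero on failure
        throw ("manage-bde.wsf $Switches failed:`n" + ($output -join "`n"))
    }
    return $output
}

# Ask for the new PIN without echoing it. Vista BitLocker PINs are 4 to 20 digits.
$securePin = Read-Host -AsSecureString 'New BitLocker PIN (4 to 20 digits)'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePin)
$pin  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
if ($pin -notmatch '^[0-9]{4,20}$') {
    throw 'The PIN must be 4 to 20 digits.'
}

# Show what is on the volume now, then make the operator confirm: the delete
# step below removes every protector, including the existing recovery password,
# so the add step must follow immediately and nothing may reboot in between.
Write-Host "Current key protectors on ${Volume}:"
Invoke-ManageBde -Switches ('-protectors', '-get', $Volume) | Write-Host
$answer = Read-Host "Delete ALL protectors on $Volume and recreate them now? (yes/no)"
if ($answer -ne 'yes') {
    throw 'Aborted; no protectors were changed.'
}

# Delete step: remove all key protectors (the post's -protectors -delete).
Invoke-ManageBde -Switches ('-protectors', '-delete', $Volume) | Out-Null

# Add step: recreate the recovery password (-rp), recovery key (-rk) and the
# TPM+PIN+StartupKey protector with the new PIN. As in the post, the PIN goes
# on the command line, where anyone able to read this process's command line
# can see it while the command runs.
$result = Invoke-ManageBde -Switches ('-protectors', '-add', $Volume,
                                      '-rp', '-rk', $RecoveryKeyDir,
                                      '-tpsk', '-tp', $pin, '-tsk', $StartupKeyDir)
$pin = $null

# -rp prints a brand-new 48-digit recovery password; the old one no longer exists.
$result | Write-Host
Write-Host "New key protectors on ${Volume}:"
Invoke-ManageBde -Switches ('-protectors', '-get', $Volume) | Write-Host
Write-Host 'Record the new recovery password shown above before you reboot.'
```

&lt;P&gt;Save it as reset-pin.ps1 and run it from an elevated PowerShell prompt, passing -Volume, -RecoveryKeyDir and -StartupKeyDir where the post's placeholders do not match your machine. The script lists the protectors before and after, so you can check that the recovery password, recovery key and TPM+PIN+StartupKey protector all came back, and it stops before the delete step unless you confirm, because between the delete and the add there is no protector left on the volume.&lt;/P&gt;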
&lt;P&gt;The information provided here is "AS IS".&lt;/P&gt;
&lt;P&gt;&amp;nbsp;Gaurav Anand&lt;/P&gt;
</description><category domain="http://blogs.technet.com/ganand/archive/tags/Bitlocker/default.aspx">Bitlocker</category></item><item><title>Group Policies regarding Bitlocker and TPM</title><link>http://blogs.technet.com/ganand/archive/2007/10/08/group-policies-regarding-bitlocker-and-tpm.aspx</link><pubDate>Mon, 08 Oct 2007 13:32:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2134232</guid><dc:creator>ganand</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ganand/comments/2134232.aspx</comments><wfw:commentRss>http://blogs.technet.com/ganand/commentrss.aspx?PostID=2134232</wfw:commentRss><description>
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;Last time we talked about what the TPM is and how it works, and about a clean boot of the PCRs. This time I would like to shed some light on the Group Policy settings involved with BitLocker.&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;I will cover only a few of them, not all. One policy, when enabled, makes the client back up its BitLocker recovery information to Active Directory, so that a help desk administrator can later recover the OS volume. Out of the box this policy is Not Configured, so nothing is backed up until you enable it. Once it is enabled and the client cannot reach a domain controller while BitLocker is being turned on, the user gets an error and BitLocker will not turn on, because the recovery information cannot be stored. The policy has a few options. "Require BitLocker backup to AD DS" is selected by default; if you clear it, BitLocker can be turned on even when no DC is reachable, a failed backup only produces an event log entry, and the user sees no error. You can choose to back up recovery passwords, key packages, or both. (The TPM owner password hash is backed up by the separate TPM policy mentioned below.)&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;You can also choose the encryption algorithm and key size; the default is AES 128-bit with diffuser. I will try to explain what the diffuser is in one of the next entries.&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;Another policy turns on multi-factor authentication at startup: TPM + PIN, or TPM + startup key on USB. With Longhorn (Windows Server 2008) BitLocker, and also with Vista SP1, TPM + PIN + USB startup key is available too.&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;Similarly there are a few TPM policies, for example one that turns on backup of the TPM owner password to AD (also Not Configured by default) and one that blocks selected TPM commands. Both sets of policies live under the following nodes in the Group Policy editor:&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;FONT face=Calibri color=#1f497d size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;o:p&gt;&lt;FONT face=Calibri color=#1f497d size=3&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;Computer Configuration - Administrative Templates - System - Trusted Platform Module Services&lt;/P&gt;
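&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;As an added example (not code from this post), here is a PowerShell function that reads the registry values these policies write and reports the effective BitLocker and TPM policy on a client, so you can see at a glance whether recovery information is escrowed, whether the AD DS backup is required, and which encryption method is in force. The key paths (HKLM\SOFTWARE\Policies\Microsoft\FVE and HKLM\SOFTWARE\Policies\Microsoft\TPM), the value names and the EncryptionMethod code table are my recollection of the BitLocker and TPM ADMX templates and are assumptions to check against the templates in your own domain.&lt;/P&gt;

```powershell
# Added example (not from the original post): report the BitLocker and TPM
# Group Policy settings discussed above by reading the registry values that
# Group Policy writes for them. The key paths, value names and the
# EncryptionMethod code table are assumptions taken from the ADMX templates
# as I recall them; verify them against your own policy templates.

$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$TpmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

function Get-PolicyValue {
    # Returns the named value, or $null if the key or value does not exist,
    # which for a policy-backed value means "Not Configured".
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-BitLockerPolicyReport {
    $report = @{}

    # "Turn on BitLocker backup to Active Directory Domain Services"
    $backup  = Get-PolicyValue $FveKey 'ActiveDirectoryBackup'
    $require = Get-PolicyValue $FveKey 'RequireActiveDirectoryBackup'
    $store   = Get-PolicyValue $FveKey 'ActiveDirectoryInfoToStore'
    if ($backup -eq 1) {
        $report['BitLocker AD backup'] = 'Enabled'
        if ($require -eq 1) {
            # Turning on BitLocker fails with an error when no DC is reachable.
            $report['Backup required'] = 'Yes - BitLocker cannot be turned on without a reachable DC'
        } else {
            # A failed backup is only logged; the user sees no error.
            $report['Backup required'] = 'No - a failed backup only produces an event log entry'
        }
        $report['Information stored'] = switch ($store) {
            1       { 'Recovery passwords and key packages' }
            2       { 'Recovery passwords only' }
            default { 'Not specified' }
        }
    } else {
        $report['BitLocker AD backup'] = 'Not configured or disabled - recovery info is not escrowed'
    }

    # "Configure encryption method": no value means the default, AES 128-bit with diffuser.
    $methods = @{ 1 = 'AES 128-bit with diffuser'; 2 = 'AES 256-bit with diffuser';
                  3 = 'AES 128-bit';               4 = 'AES 256-bit' }
    $method = Get-PolicyValue $FveKey 'EncryptionMethod'
    if ($method -ne $null -and $methods.ContainsKey([int]$method)) {
        $report['Encryption method'] = $methods[[int]$method]
    } else {
        $report['Encryption method'] = 'Not configured (default: AES 128-bit with diffuser)'
    }

    # "Turn on TPM backup to Active Directory Domain Services" (TPM owner information)
    $tpmBackup = Get-PolicyValue $TpmKey 'ActiveDirectoryBackup'
    if ($tpmBackup -eq 1) {
        $report['TPM owner info AD backup'] = 'Enabled'
    } else {
        $report['TPM owner info AD backup'] = 'Not configured or disabled'
    }

    return $report
}

# Print the report as a two-column table.
(Get-BitLockerPolicyReport).GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;Run it on a domain-joined client after a gpupdate. A missing FVE or TPM key simply reports every setting as Not Configured, which is the out-of-the-box state described above; the combination you normally want on a managed client is AD backup Enabled with the backup required, so that no volume is ever encrypted without its recovery password escrowed.&lt;/P&gt;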
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;FONT face=Calibri color=#1f497d size=3&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;FONT face=Calibri color=#1f497d size=3&gt;Gaurav Anand&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;FONT face=Calibri color=#1f497d size=3&gt;------------------------------&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;This posting is provided "AS IS" with no warranties, and confers no rights.&lt;/P&gt;</description><category domain="http://blogs.technet.com/ganand/archive/tags/Bitlocker/default.aspx">Bitlocker</category></item></channel></rss>