Make BitLocker ask for a password at startup (pre-boot authentication)

Submitted by antoine on

To make BitLocker ask for a password at startup (pre-boot authentication), you need to enable BitLocker with a startup PIN (or password, depending on drive type).

Below is the correct way to set it up on Windows 10/11 Pro, Enterprise, or Education.
(BitLocker is NOT available on Home edition unless upgraded.)


✅ Step 1 — Enable “Require PIN at startup”

By default, Windows only uses TPM (no password prompt).
We must change Group Policy first.

1️⃣ Open Group Policy Editor

Press Win + R, type:

gpedit.msc

Press Enter.


2️⃣ Navigate to:

Computer Configuration
 → Administrative Templates
   → Windows Components
     → BitLocker Drive Encryption
       → Operating System Drives

3️⃣ Open:

“Require additional authentication at startup”

Set it to:

  • Enabled
  • ✅ Check: Allow BitLocker without a compatible TPM (optional)
  • Under "Configure TPM startup":
    • Select Require startup PIN with TPM

Click Apply → OK

Then force a Group Policy update from Terminal or PowerShell; otherwise the next step may complain that the policy does not allow a startup PIN.

gpupdate /force

✅ Step 2 — Turn On BitLocker with Startup PIN

Now open Command Prompt as Administrator and run:

manage-bde -on C: -tpmandpin

It will prompt you to create a startup PIN.


✅ Step 3 — Backup Recovery Key (IMPORTANT)

After enabling, save your recovery key:

manage-bde -protectors -get C:

Or, if no recovery password is listed, add one (the command generates and displays it):

manage-bde -protectors -add C: -RecoveryPassword

Store it somewhere safe (USB or Microsoft account).


🔁 If BitLocker Is Already Enabled

If it's already on and you just want to add a PIN:

manage-bde -protectors -add C: -TPMAndPIN

🔐 What Happens Now?

On reboot, Windows will:

  • Show BitLocker screen
  • Ask for your PIN
  • Then continue booting
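
To confirm the setup before rebooting, the following PowerShell check inspects the key protectors reported by Get-BitLockerVolume. It is an added example, not part of the original post; the function name Test-BitLockerStartupPin and the sample object are constructed for illustration.

```powershell
# Added example. Returns a list of findings for a BitLocker volume object;
# an empty list means a startup PIN and a recovery password are both in place.
function Test-BitLockerStartupPin {
    param([Parameter(Mandatory)] $Volume)

    # Protector types as strings, e.g. Tpm, TpmPin, RecoveryPassword
    $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $findings = @()

    if ($types -notcontains 'TpmPin') {
        $findings += 'No TpmPin protector: there will be no PIN prompt at startup'
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No RecoveryPassword protector: nothing to fall back on if the PIN is lost'
    }
    if ([string]$Volume.ProtectionStatus -ne 'On') {
        $findings += "Protection status is '$($Volume.ProtectionStatus)', expected On"
    }
    if ([string]$Volume.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume status is '$($Volume.VolumeStatus)', expected FullyEncrypted"
    }
    $findings
}

# Constructed sample: a TPM-only volume, the Windows default described in Step 1
$sample = [pscustomobject]@{
    MountPoint       = 'C:'
    ProtectionStatus = 'On'
    VolumeStatus     = 'FullyEncrypted'
    KeyProtector     = @([pscustomobject]@{ KeyProtectorType = 'Tpm' })
}
@(Test-BitLockerStartupPin $sample) | ForEach-Object { "sample: $_" }

# Live check: run from an elevated PowerShell on the machine you configured
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $result = @(Test-BitLockerStartupPin $vol)
    if ($result.Count -eq 0) {
        "$($vol.MountPoint) startup PIN and recovery password are both present"
    } else {
        $result | ForEach-Object { "$($vol.MountPoint) $_" }
    }
}
```

The constructed sample reports two findings (no TpmPin, no RecoveryPassword); a volume set up with the steps above should report none once encryption has finished.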

⚠️ Important Notes

  • Requires TPM 1.2 or 2.0 (most modern PCs have it)
  • Works only on Pro, Enterprise, or Education editions
  • PIN is numeric (not full keyboard password)
