You better add Pin Protection to your Bitlocker configuration

Martin Brinkmann
Jul 30, 2021
Updated • Jul 30, 2021

Bitlocker is a popular encryption technology by Microsoft that is used to protect data on Windows devices. Home users and Enterprise customers may protect the system and data using Bitlocker.

Bitlocker is convenient by default: users don't need to enter a PIN or password during boot, because the unlock is handled by the system automatically.

Tip: check out our guide on how to set up Bitlocker on Windows 10.

Setting up a PIN is optional, but highly recommended, as a recent story on Dolos Group's blog suggests. The company received a laptop from an organization that was configured with the organization's standard security stack. The laptop was fully encrypted with TPM and Bitlocker, had a BIOS password set, a locked BIOS boot order, and used Secure Boot to prevent unsigned operating systems from booting.


The security researchers discovered that the system booted straight to the Windows 10 login screen; this meant that users did not have to type a PIN or password before that point, and that the key was pulled from the TPM automatically.

The researchers looked up information on the TPM chip and discovered how it communicates. Bitlocker does not use "any of the encrypted communication features of the TPM 2.0 standard", which means that the communication between the TPM and the rest of the system is in plain text.

The laptop was opened and probes were used to record the data exchanged during boot. The open source tool bitlocker-spi-toolkit (https://github.com/FSecureLABS/bitlocker-spi-toolkit) was used to find the Bitlocker key in the recorded data; the key was then used to decrypt the laptop's Solid State Drive.

The researchers managed to get into the system after booting its image in a virtual environment. From there, they managed to connect to the company VPN.

Mitigation

Bitlocker supports setting a pre-boot authentication key. If that key is set, it needs to be entered before the system boots; this works similarly to how VeraCrypt and other third-party encryption programs work. VeraCrypt displays a password and PIM prompt during boot if the system drive is encrypted. Users need to type the correct password and PIM to get the drive to be decrypted and the operating system booted.

The researchers suggest that users set the PIN to protect the system and its data.

Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation).

Setting up a Bitlocker pre-boot authentication PIN

Note: Bitlocker Drive Encryption is available on Windows 10 Pro and Enterprise. Home devices have Device Encryption, which is different. You may want to consider using VeraCrypt instead to better protect the data on your Home devices. On Windows 10, you can check if Device Encryption is used by opening the Settings, searching for device encryption and selecting the option from the results.

  1. Open the Group Policy Editor:
    1. Use the keyboard shortcut Windows-R
    2. Type gpedit.msc and press the Enter-key.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives using the folder structure of the sidebar.
  3. Double-click on Require Additional Authentication at Startup in the main pane.
  4. Set the policy to Enabled.
  5. Select the menu under "Configure TPM startup PIN" and set it to "Require startup PIN with TPM".
  6. Click OK to save the changes that you just made.

You have prepared the system to accept a PIN as a pre-boot authentication method, but you have not set the PIN yet.

  1. Open Start.
  2. Type cmd.exe.
  3. Select Run as Administrator to launch an elevated command prompt window.
  4. Run the following command to set a pre-boot PIN: manage-bde -protectors -add C: -TPMAndPIN
  5. You are prompted to type the PIN and to confirm it to make sure it is identical.

The PIN is set, and you will be prompted to enter it on the next boot. You may run the command manage-bde -status to check the status.
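The following PowerShell script is an added example, not code from the article or from Microsoft. It audits the OS drive the way a practitioner would before and after the steps above: it lists the key protectors, flags a bare TPM protector (the configuration the Dolos researchers exploited), reads the policy values that the "Require Additional Authentication at Startup" policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE, and, when policy allows it, adds the TPM+PIN protector with the BitLocker module instead of manage-bde. The function name and the policy value interpretation in the comments are my assumptions; the cmdlets and registry path are the standard ones.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit BitLocker protectors on the OS drive and
# optionally add the TPM+PIN protector that "manage-bde -protectors -add C: -TPMAndPIN" sets.
# Assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector).

function Test-BitLockerPinProtector {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Values written by the "Require additional authentication at startup" policy
    # (HKLM\SOFTWARE\Policies\Microsoft\FVE). UseTPMPIN: 1 = require PIN, 2 = allow PIN, 0 = do not allow.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MountPoint          = $MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        Protectors          = ($types -join ', ')
        # A volume holds one TPM-based protector; a bare 'Tpm' entry means no pre-boot PIN.
        TpmOnly             = 'Tpm' -in $types
        HasRecoveryPassword = 'RecoveryPassword' -in $types
        PolicyTpmPin        = $fve.UseTPMPIN       # $null when the policy is Not Configured
        PolicyEnhancedPin   = $fve.UseEnhancedPin  # 1 when "Allow enhanced PINs for startup" is enabled
    }
}

$audit = Test-BitLockerPinProtector
$audit | Format-List

if ($audit.TpmOnly) {
    Write-Warning "$($audit.MountPoint) unlocks with a bare TPM protector: the key is released at boot without a PIN."
    if ($audit.PolicyTpmPin -in 1, 2) {
        # Same change as the article's manage-bde command, via the BitLocker module.
        # Keep a copy of the recovery password (manage-bde -protectors -get C:) before changing protectors.
        $pin = Read-Host -Prompt 'Enter the new pre-boot PIN' -AsSecureString
        Add-BitLockerKeyProtector -MountPoint $audit.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
        Write-Host 'TPM+PIN protector added; the PIN is required on the next boot.'
    } else {
        Write-Warning 'Policy does not allow a startup PIN yet: enable "Require Additional Authentication at Startup" first.'
    }
}
```

Run it once before the Group Policy change to confirm the drive really is TPM-only, and again afterwards to confirm the protector list now shows TpmPin instead of Tpm.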

Now You: do you encrypt your hard drives? (via Born)


Comments

  1. Tom Hawack said on October 15, 2019 at 6:21 pm
    Reply

    I don’t know how reliable ‘Windows Defender Firewall’ is, because here on Windows 7 with the OS’s firewall, some applications phone home although I’ve added an inbound and an outbound rule to block them. For instance, ‘EditPad’ Lite, which attempts to connect to news.jgsoft.com and which fails to do so only because I block that connection with a DNSCrypt-proxy blacklist rule, and here is what the DNSCrypt-proxy query log shows:

    127.0.0.1 news.jgsoft.com A REJECT 0ms quad9-dnscrypt-ip4-filter-pri

    quad9 is the DNS used with DNSCrypt-proxy. This means that Windows Firewall does not prevent an application added to its filters from connecting to the Web, not always anyway.

    So I do hope Windows Defender Firewall does a better job.

    1. jan said on October 17, 2019 at 4:48 pm
      Reply

      Hi Tom,
      You write:”I don’t know how reliable ‘Windows Defender Firewall….”.
      Let me tell you, based on my own experience, that firewall is really a POS (Piece Of Shit). It is really unreliable

  2. Stv said on October 15, 2019 at 7:38 pm
    Reply

    Every software is able to write a firewall condition under Windows, I think; Windows Firewall is trash.

    The first software that i always install (when i need internet in vboxed windows) is Simple Wall.

    https://github.com/henrypp/simplewall

    1. Cor said on October 15, 2019 at 9:22 pm
      Reply

      I also really like his version of Chromium https://github.com/henrypp/chromium

      1. owl said on October 24, 2019 at 10:12 am
        Reply

        https://github.com/henrypp/simplewall
        For me too, “Simple Wall” is a favorite. That’s enough.

        henrypp/chromium: Chromium builds with codecs | GitHub
        https://github.com/henrypp/chromium
        Chromium builds with codecs https://chromium.woolyss.com/
        Download latest stable Chromium binaries (64-bit and 32-bit) |
        https://chromium.woolyss.com/
        It is very interesting.
        And the “Notes” are of must-see value.
        https://chromium.woolyss.com/#notes

  3. ULBoom said on October 15, 2019 at 9:26 pm
    Reply

    There’s an easy page for blocking/allowing programs to go out in the main firewall window, click on:
    Allow an App or feature through Windows Firewall.

    Otherwise, good overview of rules creation. I’ve never had a program sneak out if its rule is set up right.

    Yes, Windows defaults to letting most anything through, as do other firewalls I’ve used. Probably preferable to blocking everything except in critical security situations.

  4. B said on October 15, 2019 at 10:30 pm
    Reply

    To quickly achieve the same end result as the steps above, I always install “OneClickFirewall” – less complex than anything like WFC, it just gives you a right click context menu on any exe for “Block internet access” and “Restore internet access”. Very handy!

    https://winaero.com/download.php?view.1886

    1. Rush said on October 16, 2019 at 7:42 pm
      Reply

      @ B

      I downloaded the OCF program but I did not install it.

      Virus Total found one two red engines:

      Antiy-AVL – Trojan/Win32.Fuerboos

      and

      MaxSecure – Trojan.Malware.7164915.susgen

  5. Paul(us) said on October 15, 2019 at 10:45 pm
    Reply

    Nice article Ashwin.

    Sometimes I like to quit (disable the Internet connection temporarily) all internet connection; then I use the free software program for Windows Net Disabler v.1.0 (latest release ’17-02-21).
    https://www.sordum.org/9660/net-disabler-v1-0/

  6. Software tester 0101 said on October 15, 2019 at 11:23 pm
    Reply

    Here is the easiest method to block Windows programs from accessing the internet; the application name is FAB (Firewall App Blocker). It is portable freeware, and usage is just drag and drop the application icon.
    https://www.sordum.org/8125/firewall-app-blocker-fab-v1-6/

  7. Ray said on October 16, 2019 at 12:29 am
    Reply

    Thanks Ashwin. I always forget about the internals of Windows Firewall.

    Just set up some outbound rules to block some apps that shouldn’t have internet access. Thanks again!

  8. Dave said on October 16, 2019 at 4:17 am
    Reply

    Ashwin, it doesn’t work.

    Try this. Install Steam and log in. Rules will be automatically created to allow Steam.

    Now log out and close steam. Change the firewall rules to block.

    Open steam again and login in.

    Go back to the firewall to find new allow rules created for it.

    Basically, anyone willing to pay Microsoft to be added to a “trusted list” gets a free ticket past the Windows firewall whether you want them to or not.

    Now go get Windows Firewall Control (I recommend finding a pre-MWB version), install it and set it up. Then turn on secure rules. Now repeat the steps with Steam and it will stay blocked.

  9. limonec said on October 16, 2019 at 5:45 am
    Reply

    Fast, free and simple solution for the beginners and non-professional: Firewall App Blocker https://www.sordum.org/8125/firewall-app-blocker-fab-v1-6/

    1. The Gobbler said on October 16, 2020 at 9:02 am
      Reply

      Sordum’s Firewall App Blocker is great. Just right-click any exe file and it gets blocked in Windows Firewall, without going through all those steps. Also note, this feature is also in Sordum’s Easy Context Menu. All free.

  10. Parry Hotter said on October 16, 2019 at 3:47 pm
    Reply

    The heck with all of that. Just use a superior and much easier to use front end for the built in firewall. Malwarebytes Windows Firewall Control is excellent.

  11. Petter said on October 16, 2019 at 6:29 pm
    Reply

    I’ll just put this here: TinyWall

  12. Jafp said on December 17, 2019 at 7:40 pm
    Reply

    What gets me most is that a large number of Windows processes are trying to get access to the internet. Why? Windows DOES NOT need access to the internet even to install it, and it can run without internet. The only possible exception being network management.
    Just another case of spyware?
    MS should be legislated to provide full description and reasons for those services demand for access as it is potentially abusing privacy.

    1. Hank said on October 16, 2020 at 9:08 am
      Reply

      @Jafp

      Your logic is sketchy and lacks reasonable facts. Perhaps you need to be legislated.
