Enable or Disable BitLocker to Unlock OS drive at Startup with PIN and USB in Windows 11


BitLocker_OS_banner.png

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

New files are automatically encrypted when you save them to a drive encrypted by BitLocker. However, if you copy these files to another drive or a different PC not encrypted by BitLocker, the files are automatically decrypted.

BitLocker checks the PC during startup for any conditions that could represent a security risk (for example, a change to the BIOS software that starts the operating system when you turn on your PC, or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and you'll need a special BitLocker recovery key to unlock it.

By default in Windows 11, BitLocker automatically unlocks an OS drive encrypted by BitLocker with the TPM at startup.

You can enable the Require additional authentication at startup policy to allow BitLocker to unlock the operating system drive with a PIN or USB flash drive.

This tutorial will show you how to enable or disable BitLocker to unlock the operating system drive at startup with a PIN or USB flash drive in Windows 10 and Windows 11.


You must be signed in as an administrator to enable or disable BitLocker to unlock the OS drive at startup with PIN and USB.

If you disable this setting while the OS drive is already set to unlock at startup with a PIN or USB, the drive will continue to unlock with that PIN or USB until you change it to let BitLocker unlock the OS drive automatically with the TPM.

If you enable BitLocker to unlock the OS drive at startup with a PIN or USB, a Change how drive is unlocked at startup link is added to the operating system drive settings in Control Panel > BitLocker Drive Encryption.
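Before or after changing the policy, it helps to see what the machine is actually doing. The script below is an added example (not part of this tutorial): it reads the same FVE policy key that the Local Group Policy Editor and the REG files in this tutorial write, and lists the key protectors on the OS drive so you can tell whether the drive unlocks with TPM only or with a PIN or USB startup key. It assumes the OS drive is the volume holding $env:SystemDrive (normally C:) and that the BitLocker PowerShell module is present, as it is on Windows 11. Run it from an elevated PowerShell prompt.

```powershell
# Added example: report the BitLocker startup-authentication policy and the
# key protectors on the OS drive. Assumes the OS drive is $env:SystemDrive.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$osDrive   = $env:SystemDrive

# 1. Policy side: these are the values the tutorial's REG file writes.
$labels = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }   # policy drop-down choices
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.UseAdvancedStartup -eq 1) {
    "Policy: 'Require additional authentication at startup' is Enabled"
    "  EnableBDEWithNoTPM = $($policy.EnableBDEWithNoTPM)  (0 = compatible TPM required)"
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        $value = $policy.$name
        $label = if ($null -eq $value) { '(not set)' } else { $labels[[int]$value] }
        "  {0,-13} = {1} ({2})" -f $name, $value, $label
    }
} else {
    "Policy: Not Configured (default: BitLocker unlocks the OS drive with the TPM only)"
}

# 2. Volume side: which key protectors really exist on the OS drive.
$vol = Get-BitLockerVolume -MountPoint $osDrive
"Volume $osDrive : $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
foreach ($kp in $vol.KeyProtector) {
    $meaning = switch ($kp.KeyProtectorType) {
        'Tpm'              { 'TPM only: unlocks automatically at startup' }
        'TpmPin'           { 'TPM + PIN: PIN is asked for at startup' }
        'TpmStartupKey'    { 'TPM + USB startup key' }
        'TpmPinStartupKey' { 'TPM + PIN + USB startup key' }
        'ExternalKey'      { 'USB startup key without TPM' }
        'RecoveryPassword' { '48-digit recovery password (keep a copy off this PC)' }
        default            { "$($kp.KeyProtectorType)" }
    }
    "  {0,-18} {1}" -f $kp.KeyProtectorType, $meaning
}
```

If the policy shows Enabled but the OS drive still lists only a Tpm protector, the setting has taken effect but nobody has yet used Change how drive is unlocked at startup in Control Panel to add the PIN or USB; the policy only permits the option, it does not add the protector by itself.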



Contents

  • Option One: Enable or Disable BitLocker to Unlock OS drive at Startup with PIN and USB in Local Group Policy Editor
  • Option Two: Enable or Disable BitLocker to Unlock OS drive at Startup with PIN and USB using REG file


EXAMPLE: Change how drive is unlocked at startup

Choose_how_to_unlock_your_drive_at_startup-1.png
Choose_how_to_unlock_your_drive_at_startup-2.png





Option One

Enable or Disable BitLocker to Unlock OS drive at Startup with PIN and USB in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.

All editions can use Option Two.


1 Open the Local Group Policy Editor (gpedit.msc).

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

BitLocker_OS_gpedit-1.png

3 In the right pane of Operating System Drives in the Local Group Policy Editor, double click/tap on the Require additional authentication at startup policy to edit it. (see screenshot above)

4 Do step 5 (enable) or step 6 (disable) below for what you would like to do.


5 Enable BitLocker to Unlock OS drive at Startup with PIN and USB

A) Select (dot) Enabled. (see screenshot below)

B) Uncheck the Allow BitLocker without a compatible TPM box under Options.

C) Leave all settings under Options set to the default Allow.

D) Click/tap on OK, and go to step 7 below.

BitLocker_OS_gpedit-2.png

6 Disable BitLocker to Unlock OS drive at Startup with PIN and USB

This is the default setting.


A) Select (dot) Not Configured. (see screenshot below)

B) Click/tap on OK, and go to step 7 below.

BitLocker_OS_gpedit-3.png

7 You can now close the Local Group Policy Editor if you like.




Option Two

Enable or Disable BitLocker to Unlock OS drive at Startup with PIN and USB using REG file


1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.


2 Enable BitLocker to Unlock OS drive at Startup with PIN and USB

A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Enable_BitLocker_unlock_OS_drive_at_startup_with_PIN_and_USB.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

; Policy key read by BitLocker; the Local Group Policy Editor writes the same values
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
; Drive encryption method for OS, fixed and removable drives: 7 = XTS-AES 256-bit
"EncryptionMethodWithXtsOs"=dword:00000007
"EncryptionMethodWithXtsFdv"=dword:00000007
"EncryptionMethodWithXtsRdv"=dword:00000007
; 1 = "Require additional authentication at startup" policy Enabled
"UseAdvancedStartup"=dword:00000001
; 0 = "Allow BitLocker without a compatible TPM" box unchecked
"EnableBDEWithNoTPM"=dword:00000000
; Startup options, 2 = Allow (0 = Do not allow, 1 = Require)
"UseTPM"=dword:00000002
"UseTPMPIN"=dword:00000002
"UseTPMKey"=dword:00000002
"UseTPMKeyPIN"=dword:00000002

3 Disable BitLocker to Unlock OS drive at Startup with PIN and USB

This is the default setting.


A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Disable_BitLocker_unlock_OS_drive_at_startup_with_PIN_and_USB.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

; "=-" deletes the value, returning the policy to Not Configured
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"EncryptionMethodWithXtsOs"=-
"EncryptionMethodWithXtsFdv"=-
"EncryptionMethodWithXtsRdv"=-
"UseAdvancedStartup"=-
"EnableBDEWithNoTPM"=-
"UseTPM"=-
"UseTPMPIN"=-
"UseTPMKey"=-
"UseTPMKeyPIN"=-

4 Save the .reg file to your desktop.

5 Double click/tap on the downloaded .reg file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 You can now delete the downloaded .reg file if you like.
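For anyone who would rather script Option Two than merge a downloaded file, here is an added example (not one of the tutorial's own REG files) that writes or removes the same registry values from an elevated PowerShell prompt and then reads them back for verification. The value names and numbers are the ones shown in the two REG files above; the -Disable switch and the script name are assumptions of this example.

```powershell
# Added example: apply or remove the "Require additional authentication at
# startup" policy values, matching the tutorial's two REG files.
# Usage (elevated):  .\Set-BitLockerStartupPolicy.ps1          # enable
#                    .\Set-BitLockerStartupPolicy.ps1 -Disable # back to Not Configured
param([switch]$Disable)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values from the Enable REG file, with what each one means in the policy UI
$enableValues = [ordered]@{
    EncryptionMethodWithXtsOs  = 7   # XTS-AES 256-bit for OS drives
    EncryptionMethodWithXtsFdv = 7   # ... fixed data drives
    EncryptionMethodWithXtsRdv = 7   # ... removable data drives
    UseAdvancedStartup         = 1   # policy Enabled
    EnableBDEWithNoTPM         = 0   # "Allow BitLocker without a compatible TPM" unchecked
    UseTPM                     = 2   # 2 = Allow
    UseTPMPIN                  = 2
    UseTPMKey                  = 2
    UseTPMKeyPIN               = 2
}

if ($Disable) {
    # Same effect as "=-" in the Disable REG file: delete each value so the
    # policy reads Not Configured again.
    if (Test-Path $policyKey) {
        foreach ($name in $enableValues.Keys) {
            Remove-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
        }
    }
    "Policy values removed; 'Require additional authentication at startup' is Not Configured."
} else {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($entry in $enableValues.GetEnumerator()) {
        New-ItemProperty -Path $policyKey -Name $entry.Key -Value $entry.Value `
                         -PropertyType DWord -Force | Out-Null
    }
    # Read back what was written so a typo is caught immediately
    Get-ItemProperty -Path $policyKey |
        Select-Object -Property ([string[]]$enableValues.Keys) |
        Format-List
}
```

As with the REG file, this only changes the policy; the PIN or USB startup key itself is still added afterwards through Change how drive is unlocked at startup in Control Panel > BitLocker Drive Encryption.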


That's it,
Shawn Brink

