Win11 no password option for Bitlocker setup

I've assembled a new PC (Ryzen 3900X, MSI X570, NVMe SSD, Windows 11 Pro) and am trying to enable Bitlocker with a startup password. There's no TPM, and I'm bypassing the TPM requirement via the gpedit settings suggested here (I've also tried several variations): Windows BitLocker not offering unlock-by-password option. This approach has worked on my previous (Windows 10 Pro) computers.

When I try to turn on Bitlocker, the configuration checks out ok but there's no startup-password option, only a PIN option. I've enabled enhanced PINs, but I'd still prefer to have the password option (which allows longer character sequences than the PINs). Any guess why that isn't showing up?

1) I'd be shocked if that board doesn't have built in TPM (firmware TPM).
2) What specific board do you have? Link to it would help tremendously.
3) Why specifically are you trying to turn on/use BitLocker? On what drive? That answer(s) will influence the route taken (or not needed).

Thanks, you're correct--I hadn't realized there's a FTPM setting. So I'll either try enabling that, or just settle for the PIN.
So far I've only got the one drive (boot/system), but I'll be adding three data drives later. I just have a default policy of encrypting all my devices.

Gary998812 said:

Thanks, you're correct--I hadn't realized there's a FTPM setting. So I'll either try enabling that, or just settle for the PIN.
So far I've only got the one drive (boot/system), but I'll be adding three data drives later. I just have a default policy of encrypting all my devices.

Click to expand...

You've not answered question #3. That would give an idea of what you mean by "I'll either try enabling that, or just settle for the PIN."

As a BitLocker user myself, I'm confused by what you mean? And enabling TPM doesn't require BitLocker at all.

Sorry, what I meant was: I like to encrypt all my devices for my security/privacy in the unlikely event that they're lost or stolen. I was thinking that perhaps enabling TPM would then let me use Bitlocker with a password option as I'm accustomed to. Or I could just use Bitlocker as I've already set it up, with an enhanced PIN. I don't much care about the TPM either way, except to the extent that it might affect my Bitlocker options.

Gary998812 said:

Sorry, what I meant was: I like to encrypt all my devices for my security/privacy in the unlikely event that they're lost or stolen. I was thinking that perhaps enabling TPM would then let me use Bitlocker with a password option as I'm accustomed to. Or I could just use Bitlocker as I've already set it up, with an enhanced PIN. I don't much care about the TPM either way, except to the extent that it might affect my Bitlocker options.

Click to expand...

OK, let me try to answer this way in keeping things simple (and assuming the drives were not encrypted before the new build).

You can only enable/setup BitLocker when the OS is up and running. And if you choose enable BitLocker on an OS drive, there is no pin or password option, only a 48-digit key option in which you have to option to save to your Microsoft account, or anywhere else except the drive being encrypted. That once the OS drive is encrypted the key will be embedded in the BIOS so whenever the OS is restarted the drive will unlock automatically - no need to supply a key. However, if you do a BIOS update or make certain hardware changes, BitLocker may (will) ask for your key to insure you're the owner and that the changes weren't some attempt to backdoor it. For this reason, it's a good idea to have your keys available during any BIOS updates or hardware changes.

With Non-OS drives, you can choose to use a password or pin to unlock the drive when setting up BitLocker instead of an also supplied 48-digit key. When encrypting a non-OS drive, you'll have the option to allow the PC to automatically unlock those drives when the PC boots, or be required to provide the password each time the system boots. (I'd suggest auto unlock, but that's me).


Transfer of already BitLockered drives:

For the OS drive (in keeping things simple) transfer to a new system requires BitLocker to be removed as the 48-digit key is married to the board/TPM chip the drive was encrypted one. For non-OS drives using BitLocker, you can move them around since they aren't married to the system they were encrypted on. Here you'll just need your password (or key) to unlock the drive on the new system.

So, if the drives were encrypted (BitLocker) before being moved to a new system, that's one thing as explained. If the drives are going to be encrypted "after" the OS is installed that's another thing.

Also, though there is a procedure to BitLocker drives with put TPM, it would be a lot simpler to just enable TPM and follow the BitLocker procedure once the app is started. However, as stated (FYI), enabling TPM does NOT require BitLocker.

Hope this helps/clarifies :)

I appreciate your taking the time to address my questions--sorry for any lack of clarity. My data drives were previously Bitlocker-encrypted, but have been decrypted in preparation for the transfer to the new computer. The system drive (the only one present in the new computer so far) has a clean install of Win11 Pro, so no prior encryption.

When I've previously Bitlocker-encrypted my system and data drives on other computers, I had no TPM and instead set up a boot-time password. If I enable TPM on my new computer and then turn on Bitlocker, I understand that by default I won't be prompted to set up a password or PIN, but with gpedit I can change the policy to so that I will be prompted for one (thus creating a two-factor authentication to be used at boot time), correct? I want to set up a PIN (or preferably, a password) even if I enable TPM, because otherwise if my whole computer were to be stolen (not just the drive), it would boot up without requiring credentials (except of course for Windows account logins), correct?

So I'm already close to what I want, but ideally I'd be able to set up a Bitlocker password (rather than PIN), either with or without enabling TPM (I don't care much either way).

Gary998812 said:

I appreciate your taking the time to address my questions--sorry for any lack of clarity. My data drives were previously Bitlocker-encrypted, but have been decrypted in preparation for the transfer to the new computer. The system drive (the only one present in the new computer so far) has a clean install of Win11 Pro, so no prior encryption.

Click to expand...

Then use this tutorial for encrypting your OS drive...

And this one for your data...

Thanks, I was already doing all that. The OS-drive tutorial only mentions Bitlocker's PIN and USB-drive options (which is what I'm getting), but not the password option (which was previously available when I used Bitlocker on Windows 10 computers, and which I've enabled in my new computer in gpedit, in accordance with the instructions in the link in my initial post, but it's still not showing up).

I just activated BitLocker on the C drive of my primary computer. It works seamless.

I also have 2 other computers that do not have TPM. My understanding is that you can save the key file to a flash drive and that the computer would not ask for a BitLocker password when you start your computer.

My question is if someone has access to the flash drive and the hard drive (and/or computer), can they gain access to the encrypted drive if they do not know the Windows logon password (with just the flash drive)?

Thanks!

Hollywood said:

I just activated BitLocker on the C drive of my primary computer. It works seamless.

I also have 2 other computers that do not have TPM. My understanding is that you can save the key file to a flash drive and that the computer would not ask for a BitLocker password when you start your computer.

My question is if someone has access to the flash drive and the hard drive (and/or computer), can they gain access to the encrypted drive if they do not know the Windows logon password (with just the flash drive)?

Thanks!

Click to expand...

Your Bitlocker question seems unrelated to the topic of this thread. It would be helpful if you started your own thread for your question, so that people who are receiving notifications for this thread don't start getting notified of answers to your unrelated question. Thanks!

Gary998812 said:

Your Bitlocker question seems unrelated to the topic of this thread. It would be helpful if you started your own thread for your question, so that people who are receiving notifications for this thread don't start getting notified of answers to your unrelated question. Thanks!

Click to expand...

I in good faith asked a related question about BitLocker without TPM which this thread is about. I apologize if I crashed your party.

The thing to always ask yourself is this: does an answer to your question help answer the original question? If not, a separate thread is called for; that's what threads are for. Again, thanks for understanding!

"ideally I'd be able to set up a Bitlocker password" - why would you want that? The PIN is more secure. Passwords can be brute-forced, PINs can't, since they are defended by TPM lockout (only 32 tries!). The PIN is by far better.

Comport Colin said:

"ideally I'd be able to set up a Bitlocker password" - why would you want that? The PIN is more secure. Passwords can be brute-forced, PINs can't, since they are defended by TPM lockout (only 32 tries!). The PIN is by far better.

Click to expand...

I think some here are speaking on things they know nothing about. BitLocker is NOT a Windows log in scheme, it is a drive encryption scheme. Windows Hello has nothing to do with BitLocker. Though they both touch on TPM, that's where the distinction ends.

A BitLocker key (48 digit) for example is embedded in the TPM chip just as a 4-digit Windows Hello PIN so it is just as secure.

This info has been posted throughout these forums since Windows 11 announcement. I think some need to research before speaking on things they do not understand.

• What is Windows Hello
• TPM Overview
• Trusted Platform Module Technology Overview
• What is BitLocker
• BitLocker FAQ

Those are just snippets of the info out there if one cares to look. Yeah, TPM ties into those, but each is its own entity with its own purpose.

I managed to get very muddled up with bitlocker and haven't yet had the nerve to reinstate it. I allowed Microsoft to keep the keys in my account which meant I could gain access and I had also written them down. One of the problems I had was in moving the SSD from one pc to another even after removing bitlocker first. At the moment I am relying on fTPM, secure boot and core isolation, plus pin and not saving any of my passwords.

I understand the author. He asks how to set a password (which can be 256 characters) instead of a 20 character pin. Unfortunately, I'm also looking, and I don't find how to enable it for my system drive. Has Microsoft removed this feature?

Hollywood said:

I just activated BitLocker on the C drive of my primary computer. It works seamless.

I also have 2 other computers that do not have TPM. My understanding is that you can save the key file to a flash drive and that the computer would not ask for a BitLocker password when you start your computer.

My question is if someone has access to the flash drive and the hard drive (and/or computer), can they gain access to the encrypted drive if they do not know the Windows logon password (with just the flash drive)?

Thanks!

Click to expand...

Add a bios password as well as bitlocker pin. This makes it virtually impossible for somebody to access encrypted drive even if pc is stolen. Withoit bios password, somebody could bypass windows login.