This article describes the steps to enable or disable additional BitLocker authentication in Windows 11, so that the OS drive is unlocked with a PIN and a USB drive when the computer starts.
BitLocker helps protect your data on your computer so only authorized users have access to it. New files created on a BitLocker-enabled drive will automatically be protected as well.
BitLocker will automatically check the PC at startup to make sure that the computer has not been tampered with, including BIOS changes and other security risks.
By default, a PC with a TPM chip that BitLocker recognizes will automatically unlock the OS drive during startup. Users can add further authentication steps at startup to give encrypted data more protection.
You can require users to insert a USB drive that contains a startup key as well as a PIN at startup before the computer can fully boot up.
Below is how to do that.
How to require a BitLocker USB and PIN at startup on a PC with Windows 11
You must first enable BitLocker on the OS drive. If you haven’t added BitLocker, read the post below to do so.
How to turn on or off Bitlocker in Windows 11
Enable PIN to unlock BitLocker at startup in Windows 11
With BitLocker enabled on your OS drive, open the Control Panel and browse to the BitLocker page.
Control Panel\System and Security\BitLocker Drive Encryption
Then click on the link that reads “Change how drive is unlocked at startup”.
Next, select the “Enter a PIN (recommended)” link to continue.
Enter and confirm the PIN, then click Set PIN. The PIN must be 6 to 20 digits long.
Close the Control Panel app to exit.
Unlock BitLocker with a USB drive at startup on Windows 11
Now that you have set up a PIN to unlock BitLocker at startup, you can choose to also require a USB drive to unlock BitLocker.
To do that, go back to the Control Panel app and browse to System and Security -> BitLocker Drive Encryption.
Then click on the link that reads “Change how drive is unlocked at startup”.
Next, click the link that reads “Insert a USB flash drive” to continue.
Then insert a USB flash drive and click Save.
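To confirm which startup protector the OS drive ended up with after these steps, the following audit can be run from an elevated PowerShell prompt. It is an added example, not part of the original article; it uses the built-in BitLocker cmdlet Get-BitLockerVolume and assumes the OS drive is the one in $env:SystemDrive.

```powershell
#Requires -RunAsAdministrator
# Added example: report how the OS drive is unlocked at startup and whether
# a recovery password exists as a fallback.

$mount = $env:SystemDrive                      # assumption: the drive Windows booted from
$vol   = Get-BitLockerVolume -MountPoint $mount

# Key protector types present on the volume, as strings (e.g. 'TpmPin').
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

# Startup protector types, strongest first, with a readable description.
$startupModes = [ordered]@{
    TpmPinStartupKey = 'TPM + PIN + USB startup key'
    TpmPin           = 'TPM + PIN'
    TpmStartupKey    = 'TPM + USB startup key'
    Tpm              = 'TPM only (drive unlocks automatically)'
}
$present = @($startupModes.Keys | Where-Object { $types -contains $_ })

Write-Output "Volume:            $mount"
Write-Output "Volume status:     $($vol.VolumeStatus)"
Write-Output "Protection status: $($vol.ProtectionStatus)"

if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning 'BitLocker protection is not on for this volume.'
}

if ($present.Count -eq 0) {
    Write-Warning 'No TPM-based startup protector found on this volume.'
} else {
    foreach ($p in $present) {
        Write-Output "Startup protector: $($startupModes[$p])"
    }
}

# A lost USB drive or forgotten PIN can only be recovered with a recovery
# password (or another recovery protector), so flag its absence.
if ($types -notcontains 'RecoveryPassword') {
    Write-Warning 'No recovery password protector found. Add one before relying on PIN/USB unlock.'
} else {
    Write-Output 'Recovery password: present'
}
```

If the output lists only one of "TPM + PIN" or "TPM + USB startup key", the drive is protected by that single additional factor rather than by both together.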
If you wish to disable BitLocker requiring a USB flash drive or a PIN at startup, read the post below.
How to set up BitLocker to automatically unlock PC at startup via TPM in Windows 11
That’s it.
Conclusion:
This post showed you how to add additional BitLocker security by requiring a PIN and USB flash drive with a BitLocker key at startup on Windows 11.