How to enable BitLocker to prompt for PIN during startup
You can do this after BitLocker has already encrypted the entire drive. First you have to enable the local policy that requires a PIN during startup. You could also do this centrally, enterprise-wide, through Group Policy (GPO). To do this:
- Click Start > Run.
- Type "gpedit.msc" and press Enter.
- Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
- In the right pane, double-click Require additional authentication at startup.
- Choose Enabled.
- Uncheck Allow BitLocker without a compatible TPM.
- Under Configure TPM startup PIN:, choose Require startup PIN with TPM.
After all that is done, you need to type a few commands to get it going. Here's how.
- Start your command prompt (make sure you run it as an administrator).
- Type "manage-bde -protectors -add C: -TPMAndPIN" (you will be prompted to enter and confirm the PIN).
- Then type "manage-bde -status" to check whether the TPMAndPIN protector has been added (it should be listed under Key Protectors as TPM And PIN).
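The same steps in PowerShell, as an added example that is not part of the original post: it checks that the policy from the gpedit.msc steps is actually in place (the policy writes its settings under HKLM\SOFTWARE\Policies\Microsoft\FVE; the value names and meanings below are my assumption from that policy's definition), then adds the TPM+PIN protector and verifies it. It uses the BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector), which exists on Windows 8 / Server 2012 and later, whereas the post uses manage-bde, which still works on every version. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): verify the startup-PIN policy,
# add the TPM+PIN protector, and confirm it is present. Requires the BitLocker
# PowerShell module (Windows 8 / Server 2012 and later) and an elevated session.

# Registry location the "Require additional authentication at startup" policy
# writes to when set via gpedit.msc or a domain GPO (assumption: value names
# taken from that policy's definition).
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-StartupPinPolicy {
    if (-not (Test-Path $fvePolicy)) {
        Write-Warning 'No BitLocker policy key found; enable the policy in gpedit.msc first.'
        return $false
    }
    $p = Get-ItemProperty -Path $fvePolicy
    # UseAdvancedStartup = 1  -> policy Enabled
    # EnableBDEWithNoTPM = 0  -> "Allow BitLocker without a compatible TPM" unchecked
    # UseTPMPIN          = 1  -> "Require startup PIN with TPM" (2 = Allow, 0 = Do not allow)
    $ok = ($p.UseAdvancedStartup -eq 1) -and
          ($p.EnableBDEWithNoTPM -eq 0) -and
          ($p.UseTPMPIN -eq 1)
    if (-not $ok) {
        Write-Warning "Policy does not require a startup PIN:`n$($p | Out-String)"
    }
    return $ok
}

function Add-StartupPin {
    param([string]$MountPoint = 'C:')
    # Prompt for the PIN as a SecureString; never put the PIN in the script.
    $pin = Read-Host -Prompt 'Enter the startup PIN' -AsSecureString
    # Equivalent of: manage-bde -protectors -add C: -TPMAndPIN
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
}

function Test-StartupPinProtector {
    param([string]$MountPoint = 'C:')
    # Equivalent of reading the "Key Protectors" section of: manage-bde -status
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
    # The TPM-only protector is superseded by the TPM+PIN one; if a bare 'Tpm'
    # protector were still listed, the drive would unlock without a PIN.
    if ('Tpm' -in $types) {
        Write-Warning "A TPM-only protector is still present: $($types -join ', ')"
    }
    return ('TpmPin' -in $types)
}

if (Test-StartupPinPolicy) {
    Add-StartupPin -MountPoint 'C:'
    if (Test-StartupPinProtector -MountPoint 'C:') {
        'TPM+PIN protector present; reboot to confirm you are prompted for the PIN.'
    }
}
```

The policy check runs first on purpose: if the policy does not require a PIN, adding the protector is still accepted, but it is the policy that makes the PIN mandatory at boot, which is why the post's gpedit.msc steps come before the manage-bde command.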
If you've done all this and still aren't prompted for a PIN during startup, you might want to try this: https://weikingteh.wordpress.com/2011/03/17/how-to-get-bitlocker-to-prompt-for-pin-during-startup/