
PIN Prompt for new users - machine already encrypted

Hello 

I have Full Disk Encryption set up, and it works fine. I noticed though, when another user logs into a machine that is already encrypted with a password, they are prompted to create a password when they first log in.

Is there any way to stop this, so that once a BitLocker password has been set, that's it, set for that machine, regardless of who logs in? I don't want new users having to set the PIN of a machine that's already encrypted and had a PIN set already.

Windows 10 environment.

Cheers.



  • Hi - You've said password AND PIN here, which is it please?

    Once a PIN is set this is set as a device - not a user. The same prompt shouldn't be coming up again for another user.

    However, perhaps you've created a password for a device that has BitLocker, but the device has TPM and PIN and the policy assigned, so it's also trying to enforce a PIN onto the device despite a password already having been set?!

    On the device could you please launch an admin command prompt and type

    manage-bde -status

    This should list the key protectors for the drive. The numerical password is the recovery key. What else is listed please?

  • Thanks for the rapid response. It's PIN, sorry for the confusion.

    Under Key protectors, there is 'numerical password' as you said plus 'TPM and PIN'.

    Not sure if you see the screenshot below, it's the authentication settings for BitLocker, all at default settings. BitLocker logon mode is set to TPM and PIN.

  • Thanks for that Mark, this all looks good to me.

    Out of curiosity what release of W10 is this? The newer versions of Windows 10 (1607 or 1703, I can't recall) require a 6 digit PIN (despite the Sophos window still requesting four) and I wonder if your PIN isn't being accepted if it's 4 digits?

    So this device (it's just one, right?) has a TPM that's "ready to use" listed in TPM.MSC (the TPM snap-in)?
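The two checks asked for in the replies above (the key protectors that manage-bde -status lists, and whether TPM.MSC reports the TPM as ready) can be gathered in one go from an elevated PowerShell prompt with the BitLocker and TrustedPlatformModule cmdlets. This is an added example, not code from the thread or from Sophos. It assumes Windows 10 with both modules present, and it also reads the "Allow enhanced PINs for startup" policy value (UseEnhancedPin under HKLM\SOFTWARE\Policies\Microsoft\FVE), which is what decides whether letters and symbols are accepted in a BitLocker PIN, plus the MinimumPIN policy value if one is set.

```powershell
# Added diagnostic (not from the thread): report BitLocker key protectors, TPM state
# and the PIN-related policy values for the OS volume. Run from an elevated prompt.
#Requires -RunAsAdministrator

$osVolume = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $osVolume) { throw 'No BitLocker operating system volume found.' }

"Volume {0}: status={1} protection={2}" -f $osVolume.MountPoint, $osVolume.VolumeStatus, $osVolume.ProtectionStatus

# The cmdlet's KeyProtectorType names differ from manage-bde output:
#   RecoveryPassword = the 48-digit "Numerical Password" (recovery key)
#   TpmPin           = "TPM And PIN"
#   Tpm              = "TPM" only (no PIN prompt at boot)
foreach ($kp in $osVolume.KeyProtector) {
    "  {0,-18} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
}

$hasTpmPin   = @($osVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' }).Count -gt 0
$hasRecovery = @($osVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0

# Same information TPM.MSC shows as "The TPM is ready for use".
$tpm = Get-Tpm
"TPM present={0} ready={1} enabled={2}" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmEnabled

# Policy values written by the BitLocker Group Policy settings. Absent means "not configured",
# in which case only digits are accepted for the PIN (no enhanced PIN) and the default minimum applies.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$enhancedPin = (Get-ItemProperty -Path $fve -Name UseEnhancedPin -ErrorAction SilentlyContinue).UseEnhancedPin
$minimumPin  = (Get-ItemProperty -Path $fve -Name MinimumPIN    -ErrorAction SilentlyContinue).MinimumPIN
"Enhanced PIN allowed by policy: {0}" -f ($enhancedPin -eq 1)
"Minimum PIN length policy: {0}" -f $(if ($minimumPin) { $minimumPin } else { 'not configured' })

# Warnings for the situations discussed in the thread.
if (-not $hasTpmPin)   { Write-Warning 'No TPM+PIN protector present; a TPM+PIN logon policy will try to add one at next logon.' }
if (-not $hasRecovery) { Write-Warning 'No recovery password protector present; escrow one before changing protectors.' }
if (-not $tpm.TpmReady) { Write-Warning 'TPM is not ready for use; check TPM.MSC.' }
```

If the output shows both a RecoveryPassword and a TpmPin protector, a ready TPM, and a PIN that satisfies the policy values, the protectors are already in place for the device and a fresh PIN prompt for another user points at the management agent's policy rather than at BitLocker itself.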

  • It's Windows 10, version 1709, the recent Creators Update.

    The PIN set is 10 characters, comprising upper and lower case letters, with 3 numbers and a special character.

    The TPM status is 'The TPM is ready for use'.

  • Ah ok - Can you try just using numbers only for the PIN please and see if that sticks? 

    You can't use special characters as a PIN as they're not supported by BitLocker. It only supports standard en-us keyboard. This is MS design, not Sophos at fault as such?


    https://community.sophos.com/kb/en-us/123582

  • That's strange - I was aware of the MS restriction on special characters. My original PIN had a ! in it, and this was accepted, and I was able to use that as PIN authentication. It was only when I logged in as someone else that I was prompted to set a new one.

    That said, I just changed the PIN to numeric only, and am not getting prompted to change this when I log in as someone else. I then changed this back to the original (we are setting a standard across the firm) and am not getting prompted to change when logging in as someone else.

    Strange. Anyway, I have food for thought in case I see this again. Thanks for your time Michael, it's really appreciated.

    Mark

  • Great news!

    No problem at all.

    All the best