Avoid pre-boot authentication screen

Question

Hi all, 
 We've started to work with Safeguard Encryption some weeks ago, and we have a question: 
 We've encrypted many computers yet, but we've discovered that some of them (Some, not all of them) ask for a pre-boot authentication password....we don't want this because it means having a permanent password (not upgreadable) which will be different from the AD password and from the 2FA pin. Having Sophos configured in that way means for us: 
 - pre-boot authentication password (not changing) 
 - AD password (changing) 
 - 2FA pin (changing) 
 - Again sophos password to sincronize with server (changing) 
 We'll be very grateful if we can avoid this first pre-boot authentication screen (the blue bitlocker's screen). 
 As I said before, not all but some of the encrypted computers shows that blue screen. Computers with those different behaviors works all with x64 windows 10. 
 Is there a way to configure this pre-boot authentication screen to avoid it?? 
 
 Thanks in advance

MichaelMcLannahan · Accepted Answer

Hello Dani - yes, very possible but this depends on computer hardware. 
 BitLocker works with key protectors. These are help protect the data on the drive and can be hardware or software based. 
 What you'll want to enable and create a policy for is TPM only. Assuming the TPM is not only present in the PC (you can check in BIOS to see if it's present) and also it's enabled. 
 The Key Protector of TPM will then allow the PC to boot without that pre-auth screen you see. MS DO recommend you use TPM AND PIN to enhance security, but you can chose to use just TPM only. 
 I would say though that from the sounds of it you have a mixed estate, and while some PC's HAVE TPM (or at least TPM that can be used), some do not. This would mean that on those PC's without a TPM chip (or one that can be accessed) the PC that's running Windows 10 (8 onwards to be precise) will enable password as your fallback mode. 
 You could set a startup key as your alternative key protector - This could be a mini USB key plugged into a spare port on the laptop. I don't personally like this option as the key can get lost/bent/stolen/forgotten etc... But it would give you an alternative when a PC does not have TPM?

MichaelMcLannahan · Answer

Yes - exactly that! 
 Windows 8 and above will support "software" TPM if a real TPM isn't present - but this will mean a pre-auth blue screen as you said. 
 So yes - You want to enable TPM throughout your organisation if possible OR if not possible - a USB stick (start-up key) instead. 
 USB can be anything - doesn't have to be a mini one but just makes it look a little tidier if there's not a huge USB stick sticking out the side of the laptops as it'll then get removed/broken etc.. If it's a fixed workstation that doesn't have TPM then I'd just stick any USB in a spare socket at the rear. 
 To be quite honest I wanted the pre-auth screen here. IT tells the user their device IS encrypted straight away. It's a good "advert" if you like for encryption. It's also more secure too.

MichaelMcLannahan · Answer

Hi. Yes easy to change the PIN but this is done locally on the client, not the server. The server is never aware of what the PIN is.

Log into the PC, navigate to This PC/My Computer. Right click the C Drive and select “Change BitLocker PIN”.

Note on newer versions of Win10 this is 6 digits and not four.

You can also change the PIN via manage-bde command but the first method via traditional Explorer is faster and easier.

To do this more complex version launch an Admin command prompt. Type (without the quotes)

“manage-bde -changepin C:”

Hope this helps?