BitLocker encrypts entire volumes, but its security depends entirely on the protector configuration. TPM-only mode auto-unlocks the drive, which is transparent but vulnerable to cold boot and DMA attacks. Adding a PIN or a startup key creates true multi-factor protection. This lesson covers BitLocker modes, TPM deep dive, recovery strategies, and how to deploy BitLocker enterprise-wide with MBAM.
BitLocker can use multiple protectors: TPM only, TPM+PIN, TPM+Startup Key, or Recovery Password. The TPM validates the boot chain and releases the Volume Master Key only if the measured boot log matches. A PIN adds a 'something you know' factor; the drive won't unlock without it even with the TPM. This prevents an attacker who steals a powered-off laptop from decrypting the drive. Without a PIN, an attacker can boot the machine and the TPM will release the key automatically.
Enabling TPM+PIN from PowerShell takes two steps, because Enable-BitLocker accepts only one key protector type per call: add the recovery password protector first, then enable encryption with the TPM+PIN protector. Group Policy must permit a startup PIN ("Require additional authentication at startup"), otherwise the TPM+PIN step fails.

```powershell
# Add a recovery password protector first (escrow it before enforcing encryption)
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector

# Enable BitLocker on C: with AES-256 and a TPM+PIN protector
# (the PIN below is the lesson's placeholder; use a stronger one in practice)
$pin = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $pin
```

The system will now prompt for a PIN at boot. This protector is sealed by the TPM together with the PIN, so the VMK is released only when the PCR measurements match and the correct PIN is entered.

💡 Always choose the AES-256 encryption method; older devices may default to AES-128. The cipher strength matters for long-term data protection.
The TPM stores measurements of firmware, bootloader, OS loader, and drivers into Platform Configuration Registers (PCRs). BitLocker seals the VMK to a set of PCRs (default: 0,2,4,7,11 for UEFI). If any component is tampered with, the PCR values change, and the TPM refuses to unseal the VMK—triggering recovery mode. You can customize PCRs to seal against specific configuration changes, but beware: a BIOS update will change PCR0 and trigger recovery if you're not prepared.
| PCR Index | What It Measures | Change Impact |
|---|---|---|
| 0 | Core System Firmware | BIOS/UEFI updates trigger recovery |
| 2 | Extended or pluggable code | Option ROM updates |
| 4 | Boot Manager | Bootloader changes |
| 7 | Secure Boot State | Disabling Secure Boot blocks unseal |
| 11 | BitLocker access control | Specific to BitLocker control |
BitLocker recovery is a critical process. Back up the recovery key to Active Directory (via GPO) or to Azure AD/Intune. Without a backup, a simple TPM reset or motherboard replacement could render data permanently inaccessible. For large deployments, use Microsoft BitLocker Administration and Monitoring (MBAM) or Intune to enforce encryption, escrow keys, and report compliance.
⚠️ A lost recovery key means total data loss. Test the recovery process on a pilot group before enforcing encryption across the enterprise.
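As an added example (not part of the lesson), the following PowerShell audit checks a volume's protector set for the TPM-only weakness described earlier, confirms a recovery password exists, and escrows it to AD DS. The function name Test-BitLockerPosture is an assumption, and the AD backup succeeds only when the recovery GPO mentioned above is in place.

```powershell
# Added example, not the lesson's own code. Run elevated on a domain-joined machine.
# Assumed policy: every OS volume must use TPM+PIN and carry an escrowed recovery password.
function Test-BitLockerPosture {
    param([string]$MountPoint = "C:")

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $pinTypes = @('TpmPin', 'TpmPinStartupKey')

    # TPM-only auto-unlocks at boot: the cold boot / DMA exposure the lesson describes
    $hasPin  = [bool]($types | Where-Object { $_ -in $pinTypes })
    $tpmOnly = ($types -contains 'Tpm') -and -not $hasPin

    # Escrow each recovery password to AD DS; BackupToAAD-BitLockerKeyProtector is the
    # equivalent for Entra ID / Intune-managed devices
    $escrowed = 0
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object {
            try {
                Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                    -KeyProtectorId $_.KeyProtectorId | Out-Null
                $escrowed++
            } catch {
                Write-Warning "AD DS escrow failed for $($_.KeyProtectorId): $_"
            }
        }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        TpmReady         = (Get-Tpm).TpmReady
        TpmOnly          = $tpmOnly
        HasTpmPin        = $hasPin
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        RecoveryEscrowed = $escrowed
    }
}

$posture = Test-BitLockerPosture -MountPoint "C:"
$posture
if ($posture.TpmOnly) {
    Write-Warning "TPM-only protector: add a PIN (-TpmAndPinProtector) to require a second factor at boot."
}
if (-not $posture.HasRecoveryPwd -or $posture.RecoveryEscrowed -eq 0) {
    Write-Warning "No escrowed recovery password: a TPM reset or board swap would make this data unrecoverable."
}
```

Run it against a pilot group first; a machine that reports TpmOnly or RecoveryEscrowed = 0 is exactly the one the warning above is about.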