Written by Wilsey Young
BitLocker login screen, also known as the BitLocker blue screen, BitLocker preboot authentication, or BitLocker startup screen, refers to the blue screen shown during startup where the user is prompted for the BitLocker startup PIN or startup key before the Windows OS is allowed to boot.
The BitLocker login screen adds an extra layer of protection to your BitLocker-encrypted system or drive. Some Windows users wonder how to set it up, and others find that it does not appear on a newly purchased PC that shipped with BitLocker enabled.
This post primarily shows how to turn on the BitLocker login screen via Local Group Policy Editor and Command Prompt on a Windows 10 computer.
Why isn't there a BitLocker login screen when the system drive is BitLocker encrypted?
When the system drive of a Windows PC is encrypted with BitLocker, BitLocker relies on the TPM (Trusted Platform Module) chip to unlock the system drive so that the Windows OS can boot as usual. By default, therefore, BitLocker does not ask for a startup PIN or startup key before booting, which is why the Windows 10 BitLocker login screen does not appear.
However, features such as the BitLocker login screen can be enabled by configuring the BitLocker Group Policy settings, for additional security and flexibility.
The BitLocker login screen is quite different from the BitLocker recovery blue screen. You can check the following post to learn what it is: BitLocker Recovery Blue Screen: What Is It & How to Fix?
How to turn on BitLocker login screen on Windows 10?
Follow the steps below if you want BitLocker to ask for a startup PIN or startup key before booting.
Here's how to configure BitLocker group policy:
- Press the "Windows+R" keys to launch the "Run" dialog box, type "gpedit.msc" into the box, and hit the "Enter" key.
- Follow the path and go to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
- In the right panel, double-click the "Require additional authentication at startup" setting.
- Switch from "Not Configured" to "Enabled."
- Check "Allow BitLocker without a compatible TPM", choose "Require startup PIN with TPM" under "Configure TPM startup PIN:", and click "OK."
- Double-click the "Enable use of BitLocker authentication requiring preboot keyboard input on slates" setting in the right pane.
- Switch from "Not Configured" to "Enabled" and click "OK."
- Close Local Group Policy Editor and restart your PC.
Now you need to set up a BitLocker startup PIN after configuring the BitLocker group policy:
- Type cmd in the Start menu search bar and select "Run as administrator."
- Enter the following command and hit the "Enter" key: manage-bde -protectors -add c: -TPMAndPIN
- Set the PIN (8-20 digits) when prompted and hit the "Enter" key. Note: the typed digits and the cursor are not displayed while you enter the PIN in the command window.
- Re-enter the PIN to confirm it and hit the "Enter" key again.
- Once the commands have run, the BitLocker login screen is set up: you will be prompted for the BitLocker startup PIN each time the computer starts.
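The PowerShell script below is an added example, not part of the original post: it audits which key protectors guard the OS drive (the same information manage-bde prints), reports whether a pre-boot prompt is actually enforced, and with -AddPinProtector adds a TPM+PIN protector as the manage-bde step above does. It assumes an elevated PowerShell session with the built-in BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector); the mount point C: and the switch name are the example's own choices.

```powershell
# Audit BitLocker key protectors on the OS drive and optionally add a TPM+PIN protector.
# Assumes an elevated shell and the built-in BitLocker PowerShell module.
param(
    [string]$MountPoint = "C:",   # assumed default; pass another drive letter if needed
    [switch]$AddPinProtector
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
Write-Host "Volume $MountPoint : $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
Write-Host "Key protectors   : $($types -join ', ')"

# Any of these protector types forces a prompt before Windows boots (the 'BitLocker login screen').
$prebootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
$hasPreboot = @($types | Where-Object { $prebootTypes -contains $_ }).Count -gt 0

if ($hasPreboot) {
    Write-Host "OK: pre-boot authentication (PIN and/or startup key) is required."
} elseif ($types -contains 'Tpm') {
    Write-Warning "TPM-only protector: the drive unlocks at boot without a PIN or startup key."
} else {
    Write-Warning "No TPM-based protector found on $MountPoint."
}

# A recovery password is the only way back in if the PIN is forgotten, so check it exists first.
if (-not ($types -contains 'RecoveryPassword')) {
    Write-Warning "No recovery password protector present; back one up before relying on a PIN."
}

if ($AddPinProtector -and -not $hasPreboot) {
    # -AsSecureString hides the digits, like the manage-bde prompt described in the post.
    $pin = Read-Host -Prompt "Enter the new startup PIN" -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # Re-read the volume and confirm the TPM+PIN protector is now the one in effect.
    $after = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
               ForEach-Object { $_.KeyProtectorType.ToString() })
    Write-Host "Key protectors now: $($after -join ', ')"
    if (-not ($after -contains 'TpmPin')) {
        Write-Warning "TpmPin protector not found after the change; check Group Policy and TPM state."
    }
}
```

Run it once without the switch to see the current state, and again with -AddPinProtector after the Group Policy steps above have been applied.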
Bonus tips: Difference between BitLocker startup PIN and BitLocker startup key
A BitLocker startup key can be configured in the same way as the BitLocker startup PIN described above. Some BitLocker users are curious about the difference between them. Here is how they mainly differ on the BitLocker login screen:
- A BitLocker startup PIN is a password of 8 to 20 digits that is used to unlock the system drive before the Windows OS boots. The startup PIN is set manually by the user, either before or after the drive is encrypted with BitLocker.
- A BitLocker startup key is a cryptographic key stored on a USB drive that is used to unlock the system during startup. In other words, the user must insert the USB drive containing the startup key into the computer before the Windows OS boots.
You can set either a BitLocker startup PIN or a BitLocker startup key on its own, or combine both for greater security so that both the PIN and the startup key are required at system startup.