Win10 - Surface Go - Bitlocker with TPM and advanced pin
Preface: #
The aim of this article is to configure BitLocker to ask for a password at boot, so that the protected system is not available without user interaction.
Last updated 2020-11-11, on Win10 20H2.
NB: I am not advocating the use of BitLocker instead of other approaches, nor am I saying that it is secure.
I am writing this guide for cases where you are forced to, or need to, use a device with Win10 and are able to at least make it a bit more secure, or more difficult for an attacker to access your data.
Modify group policies: #
Run gpedit.msc to edit the BitLocker policies and go to:
- Computer Configuration
- Administrative Templates
- Windows Components
- BitLocker Drive Encryption
- Operating System Drives
Then enable:
- Require additional authentication at startup
- Enable use of BitLocker authentication requiring preboot keyboard input
- Allow enhanced PINs for startup
- this allows us to use long alphanumeric "passphrases" instead of short numeric-only PINs
I've found out that "Enable use of BitLocker authentication requiring preboot keyboard input" is still needed, even if the newer firmware allows the tablet to show a keyboard when selecting the BitLocker input field with the touchscreen.
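The three policies above can also be applied without clicking through gpedit.msc. The following is an added example (not part of the original article) that writes the same settings through the registry keys that Local Group Policy uses, then verifies them and checks that the TPM is present and ready before going on. The registry value names (`UseAdvancedStartup`, `UseTPM*`, `OSEnablePrebootInputProtectorsOnSlates`, `UseEnhancedPin`) are the ones from the BitLocker ADMX template as understood by the editor of this page; confirm the result in gpedit.msc if in doubt. Run it from an elevated PowerShell prompt.

```powershell
# Added example: apply the BitLocker "Operating System Drives" policies from
# the list above through the registry keys that gpedit.msc writes.
# Value names are assumed from the BitLocker ADMX (VolumeEncryption.admx);
# verify in gpedit.msc afterwards if anything looks off.
#Requires -RunAsAdministrator

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Policy values, in the order of the gpedit list above.
$Settings = @{
    # "Require additional authentication at startup": 2 = "Allow" for each
    # protector type, mirroring the gpedit defaults when the policy is enabled.
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 0   # keep the TPM mandatory (assumption: 0 = do not allow without TPM)
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
    # "Enable use of BitLocker authentication requiring preboot keyboard input"
    OSEnablePrebootInputProtectorsOnSlates = 1
    # "Allow enhanced PINs for startup"
    UseEnhancedPin     = 1
}

function Set-BitLockerStartupPolicy {
    if (-not (Test-Path $FvePolicy)) {
        New-Item -Path $FvePolicy -Force | Out-Null
    }
    foreach ($name in $Settings.Keys) {
        New-ItemProperty -Path $FvePolicy -Name $name -PropertyType DWord `
            -Value $Settings[$name] -Force | Out-Null
    }
}

# Returns $true only when every value is present with the expected data, so
# the check can be re-run later (e.g. after a policy refresh) to confirm that
# nothing reverted the settings.
function Test-BitLockerStartupPolicy {
    if (-not (Test-Path $FvePolicy)) { return $false }
    $current = Get-ItemProperty -Path $FvePolicy
    foreach ($name in $Settings.Keys) {
        if ($current.$name -ne $Settings[$name]) { return $false }
    }
    return $true
}

# The PIN-at-boot setup only makes sense when the TPM is present and ready.
function Test-TpmReady {
    $tpm = Get-Tpm
    return ($tpm.TpmPresent -and $tpm.TpmReady)
}

if (-not (Test-TpmReady)) {
    throw 'TPM not present or not ready; BitLocker TPM+PIN cannot be used on this device.'
}
Set-BitLockerStartupPolicy
gpupdate /force | Out-Null
if (Test-BitLockerStartupPolicy) { 'BitLocker startup policies applied.' }
else { throw 'Policy values did not apply as expected; check gpedit.msc.' }
```

`Test-BitLockerStartupPolicy` is the part worth keeping around: if a later Windows update or a domain policy resets these values, the enhanced PIN will silently stop being accepted, and re-running the check tells you why before you touch the drive again.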
Encrypting the drive: #
Then open the BitLocker utility from the Control Panel and click on "Turn on BitLocker":
Then you will be able to choose how you want to unlock your boot drive;
choose PIN and enter your PIN (sorry, no screenshot).
Then choose how you want to save your recovery key, which is needed to unlock the drive in case you lose your PIN or the encryption has some problems.
Dual-booting: these problems might arise if Ubuntu isn't installed correctly with Secure Boot, as I did one time,
since when Ubuntu upgrades the kernel and its boot sequence, Windows detects this as something broken in the Secure Boot process and asks you for the recovery key.
This article should solve this issue: Surface Go Dual Boot Secureboot
Then choose to encrypt the entire drive (the screenshot has the wrong selection):
and choose the newer encryption method:
You will be asked if you want to run a pre-encryption system check to be sure that the newly encrypted drive will work as intended; I chose yes (sorry, no screenshot).
Your system will reboot,
you will be asked to unlock the drive:
and the system will boot.
At this point the drive will start encrypting; you can monitor the progress from the tray icon:
Then you are set.
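The same wizard steps (TPM+PIN protector, full-drive encryption with the newer method, saving the recovery key, and watching the progress) can be done from PowerShell, which is also the easiest way to verify afterwards that the drive really has a TPM+PIN protector and not TPM-only. This is an added example, not the article's own procedure; it assumes `C:` is the OS drive, uses a placeholder path for the recovery password (it must go on removable media or another machine, never on the drive being encrypted), and names the newer encryption method as `XtsAes256`. Run it from an elevated PowerShell prompt after the policies above are in place.

```powershell
# Added example: the "Turn on BitLocker" wizard steps above, done from an
# elevated PowerShell prompt. Assumes C: is the OS drive; the backup path is
# a placeholder for removable media or another machine.
#Requires -RunAsAdministrator

$OsDrive = 'C:'
$RecoveryBackupPath = 'D:\bitlocker-recovery-PLACEHOLDER.txt'   # placeholder, not on the encrypted drive

# The "Allow enhanced PINs" policy is what permits letters and symbols here;
# with that policy off, BitLocker rejects anything but digits.
$Pin = Read-Host -Prompt 'Enter the startup passphrase (enhanced PIN)' -AsSecureString

function Enable-OsDriveBitLocker {
    # No -UsedSpaceOnly: encrypt the entire drive, as chosen in the wizard.
    # No -SkipHardwareTest: BitLocker runs the pre-encryption system check on
    # the next reboot and only then starts encrypting.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $Pin | Out-Null

    # Recovery password: the equivalent of the "save your recovery key" step.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
}

function Get-RecoveryPassword {
    (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
}

# Returns $true only when the OS drive has both a TPM+PIN protector and a
# recovery password, so the setup can be re-checked after the reboot.
function Test-OsDriveProtectors {
    $types = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector.KeyProtectorType
    return (($types -contains 'TpmPin') -and ($types -contains 'RecoveryPassword'))
}

# The same information the tray icon shows: status and percentage.
function Get-EncryptionProgress {
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    [pscustomobject]@{
        VolumeStatus         = $vol.VolumeStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        ProtectionStatus     = $vol.ProtectionStatus
        EncryptionMethod     = $vol.EncryptionMethod
    }
}

Enable-OsDriveBitLocker
Get-RecoveryPassword | Set-Content -Path $RecoveryBackupPath
if (-not (Test-OsDriveProtectors)) {
    throw 'Expected TPM+PIN and recovery password protectors were not found on the OS drive.'
}
Get-EncryptionProgress
'Reboot now: the drive will ask for the PIN, run the system check, then start encrypting.'
```

The check in `Test-OsDriveProtectors` is the one to rerun after the first boot: a `KeyProtectorType` of `Tpm` instead of `TpmPin` means the drive will unlock without any user interaction, which is exactly what this article set out to avoid. `Get-EncryptionProgress` can be called until `VolumeStatus` reports `FullyEncrypted` and `ProtectionStatus` is `On`.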