Enable 'Require additional authentication at startup' (BitLocker)

Check whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM).

Potential risk

A TPM used without a PIN only validates the early boot components and does not require the user to enter any additional authentication information. If a computer is lost or stolen in this configuration, BitLocker provides no measure of protection beyond native Windows authentication unless the early boot components are tampered with or the encrypted drive is removed from the machine.

Remediation options

Option 1 - Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup

To the following REG_DWORD value: 1

Option 2 - Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup

To the following value: Enabled
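As an added example (not part of this check's original text), the PowerShell script below audits the registry value from Option 1, sets it when run with the -Remediate switch, and then reports the TPM state and the key protectors actually applied to the OS drive, so that a TPM-only configuration (the risk described above) is visible. The script layout and the -Remediate switch are my own; it assumes an elevated session on a Windows host with the BitLocker and TrustedPlatformModule modules available.

```powershell
# Audit (and optionally remediate) 'Require additional authentication at startup'
# and report which BitLocker protectors the OS drive actually uses.
# Added example; run elevated. -Remediate is an assumed switch, not a Windows flag.
param([switch]$Remediate)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName  = 'UseAdvancedStartup'

# 1. Registry check: the policy is in force only when the value exists and equals 1.
$current = (Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -eq 1) {
    Write-Output "PASS: $ValueName = 1 (policy enabled)"
} else {
    Write-Output "FAIL: $ValueName is '$current' (expected REG_DWORD 1)"
    if ($Remediate) {
        # Option 1 from the text: create the key if missing and set the REG_DWORD to 1.
        New-Item -Path $PolicyPath -Force | Out-Null
        New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output "Remediated: $ValueName set to 1"
    }
}

# 2. TPM presence: shows whether this machine is in the TPM or the non-TPM scenario.
$tpm = Get-Tpm
Write-Output ("TPM present: {0}, ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

# 3. Protectors on the OS drive. The policy governs what BitLocker will accept;
#    the protector list shows what is protecting the drive right now.
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
Write-Output ("OS drive protection: {0}; protectors: {1}" -f $vol.ProtectionStatus, ($types -join ', '))

# A protector of type 'Tpm' (as opposed to TpmPin / TpmPinStartupKey) means the
# TPM-only configuration described under 'Potential risk'.
if ($types -contains 'Tpm') {
    Write-Output "WARN: OS drive is protected by TPM only (no PIN or startup key at boot)"
}
```

Enabling the policy does not change protectors already on the drive; the protector list in step 3 is what tells you whether a PIN is actually required at boot.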