There are multiple keys that can be generated and used by BitLocker. Some keys are required; others are optional protectors that you can choose to use depending on the level of security you require.

Prior to enabling BitLocker on a computer with a TPM version 1.2, you must initialize the TPM. The initialization process generates a TPM owner password, which is a password set on the TPM. You must be able to supply the TPM owner password to change the state of the TPM, such as when enabling or disabling the TPM or resetting the TPM lockout.

When you set up BitLocker, you must choose how access to BitLocker-protected drives can be recovered in the event that the specified unlock method cannot be used (such as if the TPM cannot validate the boot components, the personal identification number (PIN) is forgotten, or the password is forgotten). In these situations, you must be able to supply either the recovery key or the recovery password to unlock the encrypted data on the drive. When you supply the recovery information, you can use either of the following formats:

- A recovery password consisting of 48 digits divided into eight groups. During recovery, you need to type this password into the BitLocker recovery console by using the function keys on your keyboard.
- A key file on a USB flash drive that is read directly by the BitLocker recovery console. During recovery, you need to insert this USB device.

For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation. The PIN can consist of 4 to 20 digits, as specified by the "Configure minimum PIN length for startup" policy setting, and is stored internally as a 256-bit hash of the entered Unicode characters. This value is never displayed to the user.

No user action is required for BitLocker in order to apply updates from Microsoft, including Windows quality updates and feature updates.

Users need to suspend BitLocker for non-Microsoft software updates, such as:

- Some TPM firmware updates, if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses the Windows API to clear the TPM, because in this case BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection.
- Non-Microsoft application updates that modify the UEFI\BIOS configuration.
- Manual or third-party updates to Secure Boot databases (only if BitLocker uses Secure Boot for integrity validation).
- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows Update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates).

Whether BitLocker uses Secure Boot for integrity validation can be checked with the command line manage-bde.exe -protectors -get C: (substitute the drive letter of the volume you are checking). If Secure Boot for integrity validation is being used, the output reports "Uses Secure Boot for integrity validation".
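As an added example (not code from the Microsoft documentation), the following PowerShell script runs the manage-bde check described above before a non-Microsoft firmware or UEFI update, inventories the protectors on the OS volume, and decides whether protection must be suspended. It assumes an elevated session on Windows with the BitLocker PowerShell module available; the parameter names and the SuspendIfNeeded switch are my own.

```powershell
# Pre-update BitLocker check (added example; assumes an elevated PowerShell
# session with the BitLocker module, and that the OS volume is $env:SystemDrive).
param(
    [string]$MountPoint = $env:SystemDrive,  # e.g. "C:"
    [switch]$SuspendIfNeeded                 # actually suspend for one reboot
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

# Inventory the protector types the text describes: Tpm, TpmPin,
# RecoveryPassword (48-digit password) and ExternalKey (key file on USB).
# Without a recovery protector, a changed boot measurement after the update
# leaves no way to unlock the drive, so warn before anything else.
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
$hasRecovery = ($types -contains 'RecoveryPassword') -or ($types -contains 'ExternalKey')
if (-not $hasRecovery) {
    Write-Warning "$MountPoint has no recovery password or recovery key protector; add one before updating firmware."
}

# manage-bde prints "Uses Secure Boot for integrity validation" when the TPM
# protector is bound to the Secure Boot state (PCR 7) instead of to the
# individual firmware and boot components.
$report = & manage-bde.exe -protectors -get $MountPoint 2>&1 | Out-String
$usesSecureBoot = $report -match 'Uses Secure Boot for integrity validation'
$protectionOn = ($vol.ProtectionStatus -eq 'On')

[pscustomobject]@{
    MountPoint                 = $MountPoint
    ProtectionStatus           = $vol.ProtectionStatus
    Protectors                 = ($types -join ', ')
    HasRecoveryMethod          = $hasRecovery
    UsesSecureBoot             = $usesSecureBoot
    # Firmware/UEFI driver updates outside Windows Update need a suspend only
    # when Secure Boot validation is NOT used; Secure Boot database edits need
    # one only when it IS used.
    SuspendForFirmwareUpdate   = $protectionOn -and (-not $usesSecureBoot)
    SuspendForSecureBootDbEdit = $protectionOn -and $usesSecureBoot
} | Format-List

if ($SuspendIfNeeded -and $protectionOn -and (-not $usesSecureBoot)) {
    # Suspend for exactly one reboot so protection resumes by itself once the
    # update has completed and the machine has restarted.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Write-Host "BitLocker suspended on $MountPoint for one reboot; apply the firmware update now."
}
```

Run it first without the switch to review the report, then with -SuspendIfNeeded only when the report says a suspension is required for the kind of update you are about to apply.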