by ragona 2661 days ago
Ahhh, I was very concerned until I got to the part about pre-boot verification. That is definitely a critical part of full disk encryption, and should really be the default. (Although I’ll admit that it’s really annoying sometimes.)

I agree the pre-boot verification and PIN should be a default. Otherwise, just having the hardware makes it insecure. All hardware is insecure with physical access of course, but it should be more difficult to access even for someone with a logic analyzer.

Regarding annoyance, one of the most significant inconveniences I've experienced is the inability to boot when the hardware changes significantly, e.g. installing a new graphics card.

Fortunately the solution is easy: boot with the old hardware configuration, pause Bitlocker, install new hardware, resume Bitlocker. I feel this is safe as it requires you (with your PIN) to unlock the drive to perform the pause operation.

I guess "standard" BitLocker is just a defense against the "legacy" attack of someone stealing/mirroring your HD; not a defense against the more likely "current" attack of someone stealing your laptop :/
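The pause/resume procedure described above, as an added example that is not part of the thread: it suspends BitLocker on the OS drive for one reboot so the TPM re-seals to the new PCR values after the hardware swap, then resumes and verifies protection. The volume letter C: and the expectation that the drive is already fully encrypted with a TPM-based protector are assumptions for this script. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the thread): pause BitLocker on the OS drive for a
# planned hardware change (e.g. a new graphics card), then resume it.
# Assumes the OS volume is C: and the session is elevated.

$Mount = "C:"

function Show-BitLockerState {
    param([string]$MountPoint)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        Volume           = $v.MountPoint
        ProtectionStatus = $v.ProtectionStatus   # On, or Off when suspended/decrypted
        VolumeStatus     = $v.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
        Protectors       = ($v.KeyProtector.KeyProtectorType -join ", ")
    }
}

# 1. Before touching hardware: confirm the drive is encrypted and TPM-protected.
$before = Get-BitLockerVolume -MountPoint $Mount
if ($before.VolumeStatus -ne "FullyEncrypted") {
    throw "$Mount is not fully encrypted ($($before.VolumeStatus)); nothing to suspend."
}
if (-not ($before.KeyProtector.KeyProtectorType -match "^Tpm")) {
    Write-Warning "No TPM-based protector on $Mount; a hardware change cannot trip PCR validation, so suspending is unnecessary."
}
Show-BitLockerState $Mount | Format-List

# 2. Suspend. -RebootCount 1 makes BitLocker restore protection automatically
#    after the next boot, re-sealing the key to the new measurements.
#    Use -RebootCount 0 only when the hardware work needs several reboots, and
#    resume by hand afterwards: while suspended, the volume master key is
#    stored on disk in the clear, which is why you don't leave it that way.
Suspend-BitLocker -MountPoint $Mount -RebootCount 1 | Out-Null
Show-BitLockerState $Mount | Format-List

# 3. Shut down, install the new hardware, boot back into Windows (not shown).
#    The TPM measurements now differ, but protection is suspended, so there is
#    no recovery-key prompt.

# 4. Resume explicitly and verify, in case the reboot count was 0 or the
#    suspension persisted for any other reason.
Resume-BitLocker -MountPoint $Mount | Out-Null
$after = Get-BitLockerVolume -MountPoint $Mount
if ($after.ProtectionStatus -ne "On") {
    throw "Protection on $Mount is still $($after.ProtectionStatus); investigate before leaving the machine."
}
Show-BitLockerState $Mount | Format-List
```

Steps 1 and 2 run before the shutdown, step 4 after the first boot with the new hardware; the check in step 4 is the part worth keeping even if you do the rest through the Control Panel, since a suspended volume looks identical to an unlocked one from inside Windows.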
When I first set up BitLocker on Windows 10, I was hunting for the option to enter a pre-boot password, but couldn't find it. I don't even think it gave me the option of entering a PIN.

For some reason, if you have a TPM installed you need to jump through hoops to add a pre-boot PIN, and more so if you want to enable a pre-boot password. I had to flip various Windows security policy settings before it would work.

a TPM and pre-boot PIN/password work against different attack vectors - I really don't understand why Microsoft would want to hide these options.

Yeah, I had to jump through the same hoops. They're really odd, and they seem like low hanging fruit in terms of improving the customer experience for BitLocker.
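The "hoops" mentioned in the last two comments, as an added example that is not part of the thread: the pre-boot PIN option is gated on the "Require additional authentication at startup" policy, so this script writes that policy's registry values and then switches the OS drive from a TPM-only protector to TPM+PIN. The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones the BitLocker policy template writes and are an assumption to confirm against gpedit.msc on your build; the volume letter C: is also assumed. Run it elevated.

```powershell
# Added example (not from the thread): enable the startup-authentication policy
# via its registry values, then add a TPM+PIN protector to the OS drive.
# Assumes the OS volume is C: and an elevated session. The value names below
# (UseAdvancedStartup, UseTPM, UseTPMPIN, ...) are assumed to match the
# "Require additional authentication at startup" policy; verify in gpedit.msc.

$Mount  = "C:"
$FvePol = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"

function Set-PreBootPinPolicy {
    param([switch]$AllowEnhancedPin)   # enhanced PIN = letters/symbols, i.e. a real password
    if (-not (Test-Path $FvePol)) { New-Item -Path $FvePol -Force | Out-Null }
    # For the Use* values: 0 = do not allow, 1 = allow, 2 = require
    $values = @{
        UseAdvancedStartup = 1   # policy enabled; this is what unblocks the PIN option
        EnableBDEWithNoTPM = 0   # still require a TPM
        UseTPM             = 2   # require TPM
        UseTPMPIN          = 2   # require TPM + startup PIN
        UseTPMKey          = 0   # no USB startup key
        UseTPMKeyPIN       = 0
    }
    if ($AllowEnhancedPin) { $values.UseEnhancedPin = 1 }   # "Allow enhanced PINs for startup"
    foreach ($kv in $values.GetEnumerator()) {
        New-ItemProperty -Path $FvePol -Name $kv.Key -Value $kv.Value -PropertyType DWord -Force | Out-Null
    }
    Get-ItemProperty -Path $FvePol | Select-Object UseAdvancedStartup, UseTPM, UseTPMPIN, UseEnhancedPin
}

function Add-TpmPinProtector {
    param([string]$MountPoint)
    if (-not (Get-Tpm).TpmReady) { throw "TPM is not ready; cannot create a TPM+PIN protector." }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Make sure a recovery password exists, and record it, before changing the
    # TPM protector: a mistyped PIN or a later PCR change falls back to it.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains "RecoveryPassword")) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq "RecoveryPassword" |
        Select-Object KeyProtectorId, RecoveryPassword   # store this somewhere safe

    $pin = Read-Host -Prompt "New pre-boot PIN" -AsSecureString
    # Only one TPM-based protector can exist on a volume; adding TPM+PIN
    # replaces the TPM-only protector.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

Set-PreBootPinPolicy -AllowEnhancedPin
Add-TpmPinProtector -MountPoint $Mount
# Reboot and confirm the PIN prompt appears before Windows loads.
```

The protector list printed at the end should show TpmPin (not Tpm) alongside RecoveryPassword. Without the policy step, Add-BitLockerKeyProtector -TpmAndPinProtector fails with a policy error, which is the same gate the GUI hides behind; setting the values through gpedit.msc instead of the registry gives the same result.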