Authentication type
Your choice of pre-boot authentication type (PBA) differs depending on whether the computers whose hard disks you want to encrypt contain a Trusted Platform Module (TPM) or not.
In the example below, the BitLocker pre-boot authentication is explicitly used. For information about DriveLock pre-boot authentication for BitLocker, refer to the corresponding chapter.
The following options are available on the Authentication type tab:
- Select the first option, No pre-boot authentication, if the computers whose hard disks you want to encrypt have a TPM built in. In this case, no additional authentication is required when booting the computer. The protector DriveLock uses is called TPM only.
  - Here, BitLocker accesses the TPM, which has to be activated first in the BIOS.
  - If you choose this option, you can close the dialog and continue, because you do not need to specify a password on the next tab.
- Select the second option, BitLocker pre-boot authentication (see figure), if the computers have no TPM built in or if you are not sure whether it is active. In this case, DriveLock uses the original Windows BitLocker PBA.
  - Open the Password options tab to assign a password or select one of the other options. The options on this tab are only available if you have selected BitLocker pre-boot authentication as the authentication type. The other tabs are inactive because the options on them refer exclusively to the DriveLock pre-boot authentication type.
- In both cases, we recommend checking the Automatically unlock all data partitions check box. With this option set, both the system partition and all data partitions are unlocked after authentication on the computers you assign the BitLocker policy to.
  Unlike Microsoft's own BitLocker, DriveLock unlocks the data partitions automatically for all users of a computer. The unlocking process by DriveLock BitLocker Management works independently of the Windows BitLocker functionality; this means, for example, that the command
  manage-bde -status
  still reports "Automatic Unlock: Disabled" for drives that DriveLock unlocks.
- The TPM platform validation can be modified with the Mitigate TPM security ... option. This option is useful, for example, when BitLocker-encrypted laptops keep requesting the recovery key as soon as the laptop is disconnected from its docking station. The option affects every pre-boot authentication type, because DriveLock uses TPM-based protectors whenever a TPM is available (TPM only, TPM/PIN, TPM/StartupKey). It is disabled by default.
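As an added example (not part of the DriveLock documentation or product), the following PowerShell pre-flight check can be run on a client before the policy is assigned: it reports whether a TPM is present and active (the basis for choosing No pre-boot authentication) and which key protectors and auto-unlock state Windows itself reports for each volume. It assumes only the built-in Get-Tpm and Get-BitLockerVolume cmdlets, and that the cmdlet's AutoUnlockEnabled field reflects the same Windows-only state that manage-bde -status shows.

```powershell
# Added example, not DriveLock code. Run in an elevated PowerShell session on a
# Windows 10/11 client; the BitLocker and TrustedPlatformModule modules ship with Windows.
#Requires -RunAsAdministrator

function Get-TpmReadiness {
    # Get-Tpm throws when no TPM device exists at all, so treat that as "absent".
    try { $tpm = Get-Tpm -ErrorAction Stop }
    catch { return [pscustomobject]@{ Present = $false; Ready = $false } }
    [pscustomobject]@{
        Present = [bool]$tpm.TpmPresent
        # A TPM that is present but disabled or deactivated in firmware is the
        # "has to be activated first in BIOS" case described in the text.
        Ready   = [bool]($tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmActivated -and $tpm.TpmReady)
    }
}

function Get-ProtectorSummary {
    foreach ($vol in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType        # OperatingSystem or Data
            Protection        = $vol.ProtectionStatus  # On / Off
            # Protector names as Windows reports them, e.g. Tpm, TpmPin,
            # TpmStartupKey, RecoveryPassword, ExternalKey, Password.
            Protectors        = ($vol.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ','
            # Assumption: mirrors the "Automatic Unlock" line of manage-bde -status, so a
            # data partition that DriveLock unlocks is expected to show False here.
            WindowsAutoUnlock = $vol.AutoUnlockEnabled
        }
    }
}

$tpm = Get-TpmReadiness
if ($tpm.Ready) {
    Write-Host 'TPM present and active: No pre-boot authentication (TPM only) is available.'
} elseif ($tpm.Present) {
    Write-Host 'TPM present but not active: activate it in the BIOS or use BitLocker pre-boot authentication.'
} else {
    Write-Host 'No TPM: select BitLocker pre-boot authentication and set a password on the Password options tab.'
}
Get-ProtectorSummary | Format-Table -AutoSize
```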