Skip to content
Follow
Windows

How to Enable or Disable BitLocker to Unlock OS Drive with PIN or USB at Startup in Windows 11

Richard
Written by
Richard
May 6, 2026 Updated Jun 19, 2026 3 min read
Laptop secure boot screen glowing lock icon
Laptop secure boot screen glowing lock icon

You enable or disable BitLocker to unlock your OS drive with a PIN or USB at startup in Windows 11. This adds a crucial extra security layer on top of the default Trusted Platform Module (TPM 2.0).

BitLocker Drive Encryption is a Windows feature that protects your data by scrambling your entire hard drive. This stops anyone from accessing your files if your PC gets lost or stolen.

A startup PIN or USB drive, when paired with Trusted Platform Module (TPM) version 2.0, prevents a Windows 11 computer from starting without proper user verification. Computer users must enter the specific PIN or insert the correct USB drive each time the computer powers on.

Windows 11 enhanced security settings protect your computer. This guide explains how to turn on or turn off the feature that requires a PIN or USB drive at startup for your operating system drive. This protection helps prevent unauthorized access.

⚡ Quick Answer

Enable BitLocker startup authentication by navigating to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in Group Policy Editor and enabling “Require additional authentication at startup.” Ensure “Allow BitLocker without a compatible TPM” is unchecked unless your PC lacks a TPM.

Important: Backup Your Recovery Key

⚠️Warning
The BitLocker recovery key serves as the sole method to access encrypted data after problems arise. Users must save this specific BitLocker recovery key before altering security settings. Official Microsoft guides offer straightforward instructions for safely storing the BitLocker recovery key.

Enable or Disable BitLocker Settings (Admin Required)

You need administrator privileges to perform these steps. If you’re using Windows 11 Pro, you can use the Group Policy Editor.

Using Group Policy Editor

You can easily turn on or off the BitLocker PIN startup requirement for your Windows 11 PC using the Group Policy Editor.

  1. Press ⊞ Win+R, type gpedit.msc, and hit Enter.
  2. Go to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
    3. Double-click Require additional authentication at startup.
    4. Select Enabled. Ensure the box for Allow BitLocker without a compatible TPM is unchecked unless your PC lacks a TPM.
Group Policy Editor window for BitLocker require additional authentication at startup
Group Policy Editor window for BitLocker require additional authentication at startup
BitLocker settings window showing additional authentication options for Windows 11 startup
BitLocker settings window showing additional authentication options for Windows 11 startup

5. Click OK.

Using Registry Editor (GUI Alternative)

If you prefer not to use Group Policy, you can set up your BitLocker PIN startup requirement using the Registry Editor instead.

1. Press ⊞ Win+R, type regedit, and hit Enter.
2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE.
3. In the right-hand pane, right-click, choose ‘New’ > ‘DWORD (32-bit) Value’, and name it UseAdvancedStartup. Set its value to 1.
4. Repeat this for the other keys below with their values:

  • EnableBDEWithNoTPM set to 0
  • UseTPM set to 2
  • UseTPMPIN set to 2
  • UseTPMKey set to 2
  • UseTPMKeyPIN set to 2

To restore the default behavior, delete the keys created above.

Using Command Line (manage-bde)

💡Tip
For advanced users, you can also use the manage-bde command-line tool. Open Command Prompt as an administrator and type: manage-bde -protectors -add C: -TPMAndPIN. This command sets up the PIN requirement for your C: drive.

Troubleshooting ‘PIN Not Available’

If your PIN isn’t working, check that your BIOS/UEFI is set to use UEFI mode and that Secure Boot is enabled. If you can’t enter a PIN, try using your recovery key to boot, then remove and re-add the PIN protector in the BitLocker settings menu.

Settings menu to change how BitLocker unlocks the OS drive
Settings menu to change how BitLocker unlocks the OS drive
Windows 11 BitLocker options for configuring PIN or USB startup authentication
Windows 11 BitLocker options for configuring PIN or USB startup authentication

Summary

Adding a BitLocker PIN or USB key at startup makes your Windows 11 computer more secure.

Can I use a BitLocker PIN on a device without a TPM?

Yes, you can, but it requires changing a specific Group Policy setting to allow BitLocker without a compatible TPM. Note that this is less secure than using a TPM 2.0 chip, as the encryption key is stored on the USB drive rather than inside a secure hardware chip.

What happens if I lose my BitLocker USB startup key?

If you lose your startup USB key, you will be locked out of your computer. You must use your 48-digit BitLocker Recovery Key to regain access. Always back up this recovery key to a safe location, such as your Microsoft account or a printed document, before enabling startup requirements.

Was this guide helpful?

Tags: #Windows 11
Was this helpful?
Richard

About the Author

Richard

Tech Writer, IT Professional

Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.

📚 Related Tutorials

How to Install TeamViewer via Command Line on Ubuntu
Ubuntu Linux How to Install TeamViewer via Command Line on Ubuntu
How to Disable App Installations on Non-System Drives in Windows 11
Windows How to Disable App Installations on Non-System Drives in Windows 11
How to Lock a BitLocker Drive in Windows 11
Windows How to Lock a BitLocker Drive in Windows 11
How to Back Up Your BitLocker Recovery Key in Windows 11
Windows How to Back Up Your BitLocker Recovery Key in Windows 11

No comments yet — be the first to share your thoughts!

Leave a Comment

Your email address will not be published. Required fields are marked *