How To Roll Out TPM Plus PIN BitLocker On A Windows 11 Fleet
If your IT lead has spent the week being asked about YellowKey, this is the practical answer.
Move your high-risk Windows 11 devices to TPM plus PIN BitLocker. It is one Group Policy change, one command per device, and a day of user communication. The deployment fits in two weeks for a fifty-device fleet. The cost is helpdesk hours and some user grumbling, neither of which is fatal.
This guide assumes Windows 11 Pro or Enterprise, an Active Directory or Microsoft Entra ID environment, and basic familiarity with Group Policy or Intune. If you are running Windows 11 Home you cannot do this, and you need to talk to your vendor about why you are running Home for business devices in the first place.
What You Are Actually Changing
BitLocker has a key protector. The protector is the thing that decides what unlocks the drive at boot. The default protector on most Windows 11 business builds is TPM only. The drive unlocks automatically when the platform measurements match. The user sees no prompt. This is the configuration YellowKey targets.
A TPM plus PIN protector adds a user-entered code at boot. The TPM still measures the platform. The user still enters credentials at the Windows login. But before either of those happens, BitLocker now requires a four- to twenty-digit PIN to release the keys. Public reproduction of YellowKey so far cannot defeat this configuration, because the exploit relies on the automatic unlock that TPM plus PIN removes. Will Dormann, who reproduced the original PoC, confirmed this technically. Treat it as a strong mitigation, not as immunity, until Microsoft publishes a fix.
The drive does not need to be decrypted and re-encrypted. You are changing the protector, not the encryption.
Phase 1: Inventory (Half A Day)
You need to know the current protector state across the fleet. Guessing is not allowed.
For a small environment, run this on each machine, or push it via your RMM:
manage-bde -status c:
The “Key Protectors” section lists what is currently in use. The values you will see most often are “TPM” (TPM only), “TPM And PIN” (the target state), “Numerical Password” (the recovery key, which should always be present), and occasionally “External Key” or “Startup Key.”
For an Intune-managed environment, use the BitLocker encryption report under Devices, Monitor, Encryption report. Export to CSV. Sort by protector type. The TPM-only rows are your scope.
For an environment with Configuration Manager or a third-party RMM, you should have a BitLocker compliance view already. If you do not, that is a separate problem worth fixing.
Total time for a fifty-device fleet: roughly two to four hours, mostly waiting for reports to populate.
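The inventory step above, as an added example that is not from the original article: a PowerShell function that reads the OS volume's protectors with the built-in BitLocker module, maps them to the states the article describes, and emits one CSV row per device for your RMM to collect. It assumes the BitLocker PowerShell module is present and that the script runs elevated (Confirm-SecureBootUEFI needs that).

```powershell
# Added example, not the article's own script. Run elevated; push via RMM and concatenate the CSV rows.
function Get-OsDriveProtectorState {
    param([string]$MountPoint = $env:SystemDrive)   # 'C:' on almost every build

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # KeyProtectorType values correspond to the manage-bde names in the article:
    #   Tpm -> "TPM", TpmPin -> "TPM And PIN", RecoveryPassword -> "Numerical Password",
    #   ExternalKey -> "External Key", TpmStartupKey -> "Startup Key"
    $hasTpmPin     = $types -contains 'TpmPin'
    $hasTpmOnly    = $types -contains 'Tpm'
    $hasRecoveryPw = $types -contains 'RecoveryPassword'

    # Classify for rollout scoping. Only a device with TPM+PIN and no TPM-only
    # protector left behind counts as done.
    $state = if ($vol.ProtectionStatus -ne 'On')       { 'NotProtected' }
             elseif ($hasTpmPin -and -not $hasTpmOnly) { 'TpmPin' }
             elseif ($hasTpmPin -and $hasTpmOnly)      { 'TpmPinWithTpmOnlyRemaining' }
             elseif ($hasTpmOnly)                      { 'TpmOnly' }
             else                                      { 'Other' }

    # Secure Boot state is useful for the later firmware phase; legacy BIOS machines throw here.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'Unsupported/Legacy' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus.ToString()
        EncryptionMethod = $vol.EncryptionMethod.ToString()
        Protectors       = ($types -join ';')
        State            = $state
        HasRecoveryKey   = $hasRecoveryPw      # should always be $true; escrow itself is Phase 6
        SecureBoot       = $secureBoot
        InScope          = ($state -ne 'TpmPin')
    }
}

# One CSV row per device; the RMM collects and merges them into the fleet report.
Get-OsDriveProtectorState | ConvertTo-Csv -NoTypeInformation
```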
Phase 2: Scope The Rollout (One Hour)
You do not have to move every device on day one. You do have to be deliberate about which ones come first.
Priority class one, in this order: directors, finance, HR, legal, sales, field engineers, anyone who travels, anyone who works from a third location, and anyone with sensitive data cached locally. These are the laptops that get left in taxis. They go first.
Priority class two: developers, customer service, marketing, internal operations staff who are mostly desk-based but occasionally take a laptop home. They come second, on a slower timeline.
Priority class three: kiosks, shared meeting room PCs, fixed workstations that never leave the building. These can stay on TPM-only longer if you have controls around physical site access and visitor management. Document the decision.
Servers in a locked data centre with proper physical controls are a separate conversation. Server BitLocker plus PIN has operational implications around unattended reboots, and the right answer is often Network Unlock, BitLocker on a non-system data volume, or accepting the residual risk because the data centre physical controls do most of the work. Do not blindly apply this guide to servers without thinking about reboot dependencies.
Phase 3: Group Policy Configuration (One Hour)
In the Group Policy Management Console, edit the GPO you apply to operating system drives.
Navigate to: Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives.
Open “Require additional authentication at startup.”
Set it to Enabled.
In the Options pane:
- Untick “Allow BitLocker without a compatible TPM” or set it explicitly to “Do not allow.”
- Set “Configure TPM startup PIN” to “Require startup PIN with TPM.”
- Set “Configure TPM startup key” to “Do not allow startup key with TPM” unless you have a specific reason to support startup keys.
- Set “Configure TPM startup” to “Allow TPM” or, if you want stricter control, “Do not allow TPM.”
Apply, link the GPO to the appropriate OU, and force a gpupdate /force on a test machine. Verify the policy is in place with gpresult /h gpresult.html and the BitLocker settings section.
For Intune, use Settings Catalog. Search for BitLocker. The equivalent settings live under “BitLocker, Operating System Drive Recovery.” Apply to a pilot group first.
Phase 4: Add The PIN Protector (Two Minutes Per Device)
This is the per-device change. The drive does not re-encrypt. You are adding a protector.
Open Command Prompt as administrator. Run:
manage-bde -protectors -add c: -tpmandpin
Windows will prompt for the PIN. Enter it twice. The PIN should be four to twenty digits. The NCSC password guidance applies to the PIN policy. For low-friction deployments, six digits is a sensible minimum. For higher security devices, eight digits.
Verify the change with manage-bde -status c:. The Key Protectors list should now include “TPM And PIN” alongside the existing “Numerical Password” recovery key.
Important: the existing TPM-only protector remains. To remove it, identify the protector ID with manage-bde -protectors -get c:, then manage-bde -protectors -delete c: -id "{the-tpm-only-id}". Do not delete the Numerical Password protector. That is your recovery key. Removing it without escrow is how you brick a laptop.
For a fleet rollout, script the PIN addition. The cleanest approach is to leave the user to set their own PIN through a self-service portal or scheduled task with user prompting. The PIN must be entered by the user, not pre-set by IT, otherwise you have created a different security problem.
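The per-device change described in this phase, as an added example that is not the article's own script: it refuses to touch protectors unless a recovery password exists and has been escrowed, has the user type the PIN themselves (IT never sees it), adds the TPM+PIN protector, verifies it, and only then, on explicit opt-in, removes the TPM-only protector. It assumes the BitLocker PowerShell module, an elevated interactive session, and an on-premises AD-joined device; for Entra ID joined devices swap Backup-BitLockerKeyProtector for BackupToAAD-BitLockerKeyProtector. The MinPinLength and RemoveTpmOnly parameters are this example's own.

```powershell
# Added example, not from the original article. Run elevated, interactively, on the user's device.
param(
    [string]$MountPoint = 'C:',
    [int]$MinPinLength = 6,       # the article's low-friction minimum; use 8 for higher-risk devices
    [switch]$RemoveTpmOnly        # opt in to deleting the legacy TPM-only protector afterwards
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ($vol.ProtectionStatus -ne 'On') { throw "BitLocker protection is not On for $MountPoint" }

# Safety gate: a Numerical Password protector must exist and be escrowed before anything changes.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) { throw 'No Numerical Password (recovery key) protector present. Stop.' }
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery[0].KeyProtectorId | Out-Null

# The user chooses the PIN. Read it twice as a SecureString and compare without logging it.
do {
    $pin1 = Read-Host 'Enter new BitLocker startup PIN' -AsSecureString
    $pin2 = Read-Host 'Confirm PIN' -AsSecureString
    $p1 = [Net.NetworkCredential]::new('', $pin1).Password
    $p2 = [Net.NetworkCredential]::new('', $pin2).Password
    $ok = ($p1 -eq $p2) -and ($p1 -match "^\d{$($MinPinLength),20}$")
    if (-not $ok) { Write-Warning "PINs must match and be $MinPinLength to 20 digits." }
    $p1 = $p2 = $null
} until ($ok)

# Add the TPM+PIN protector if it is not already there (idempotent re-runs are safe).
if (-not (@($vol.KeyProtector.KeyProtectorType) -contains 'TpmPin')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin1 | Out-Null
}

# Re-read and verify before removing anything.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if (-not (@($vol.KeyProtector.KeyProtectorType) -contains 'TpmPin')) { throw 'TPM+PIN protector was not added.' }

# Only now, and only on request, drop the TPM-only protector. The recovery password is never removed.
if ($RemoveTpmOnly) {
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
}

# Final state for the helpdesk ticket: expect TpmPin and RecoveryPassword, no Tpm.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```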
Phase 5: Lock The Firmware (Ten Minutes Per Device)
TPM plus PIN does some work. Firmware lockdown does the rest. Without it, an attacker can still attempt boot order manipulation or external media boot, which are out of scope for YellowKey but in scope for related physical-access attacks.
For each device class, set in BIOS or UEFI:
- A BIOS or UEFI administrator password. Document it in your password manager. Never the same as any user account.
- Boot from external media: disabled, or set to require the BIOS password.
- Boot order: HDD or SSD first, removable media last.
- Secure Boot: enabled. Confirm with msinfo32 under “Secure Boot State.”
For a Dell, HP, or Lenovo fleet, the vendor management tools can push these settings centrally. Dell Command Suite, HP Manageability Integration Kit, Lenovo Vantage for enterprise. For unmanaged devices, this is a per-device firmware visit, which is the bit of this work that is genuinely tedious.
If your business cannot support disabled external media boot because of legitimate field engineering use cases, document the exception, and apply it only to devices that need it.
Phase 6: Verify Recovery Key Escrow (Half An Hour)
Every BitLocker-protected device must have its recovery key escrowed somewhere you can actually retrieve it. This is not optional. Lose the recovery keys and you have invented ransomware with your own logo on it.
For Microsoft Entra ID joined devices, the recovery key is automatically backed up. Verify by visiting https://entra.microsoft.com, opening Devices, BitLocker keys, and confirming the recovery key for a sample device is listed.
For on-premises Active Directory, the recovery key should be backed up to AD. Verify by opening the device computer object in Active Directory Users and Computers, selecting the BitLocker Recovery tab. If the tab is empty, the GPO that requires escrow is not applied, and you need to fix that before continuing.
Test the recovery process. Pick one device. Trigger a recovery key prompt (the easy way: change the boot order in BIOS, then revert). Retrieve the key from your escrow location. Enter it. Confirm it works. Do this once now, before you need to do it under pressure.
Phase 7: Decide What To Do About WinRE (One Hour Of Thinking)
The Windows Recovery Environment is the surface YellowKey attacks. There are three sensible positions, and you need to take one of them per device class.
Position A: leave WinRE enabled. Default state. WinRE is operationally useful for Startup Repair and other recovery scenarios. Users and IT can recover from boot failures without rebuilding. Risk: the YellowKey surface remains, mitigated by TPM plus PIN and firmware lockdown.
Position B: leave WinRE enabled but reduce the attack surface. Disable boot from external media at firmware level. Disable USB ports for non-keyboard devices via Group Policy (Computer Configuration, Administrative Templates, System, Removable Storage Access). Restrict who can physically access devices. This is the position I recommend for most SMBs.
Position C: disable WinRE temporarily for the highest-risk devices. Run reagentc /disable to deactivate the recovery environment. The trade-off: automatic Startup Repair stops working, and some OEM support workflows assume WinRE is present. If you take this position, document it as a known operational impact, and revisit when Microsoft publishes a fix.
There is no universally correct answer. For a finance director’s mobile laptop, position C may be appropriate for a few weeks. For a shared desk machine in a closed office, position A with normal controls is fine.
Phase 8: User Communication (Half A Day)
Users will not be delighted. Plan for that.
Send one email, two days before the change. Tell them: a new security step is being added at boot. It is a PIN. They choose it. It will appear before they see the Windows login. It is not a Windows password. They cannot reset it themselves via Microsoft Online; they need to call the helpdesk. The change is in response to current threat conditions and is recommended by the NCSC.
Provide a simple six-step guide with screenshots. Explain that the PIN protects the device when it is lost or stolen, not when it is sitting on their desk. Set expectations on PIN strength.
Brief the helpdesk on the most common issues. Forgotten PIN: use the recovery key from Entra ID or AD. PIN prompt loop: usually a TPM reset, sometimes a firmware update is needed. Booting to recovery instead of Windows: check reagentc /info and Position B settings.
Phase 9: Pilot Then Fleet (One Week)
Pick three users for the pilot. One helpful, one grumpy, one who always finds the edge case. The grumpy one will tell you what is wrong with the rollout. The edge case one will tell you what is broken. Both are useful. Buy them coffee.
Run the pilot for forty-eight hours. Capture all issues. Adjust the documentation, the helpdesk script, and the user comms. Then proceed with the rest of class one, then class two, in batches of ten to twenty devices per day, with helpdesk standby for the first hour after rollout.
Total elapsed time for a fifty-device fleet: roughly two weeks, with the technical work concentrated in two days and the rest being communication, support, and rollout pacing.
How To Turn This Into A Competitive Advantage
The deliverable at the end of this work is not just a more secure fleet. It is an evidence pack.
You can produce, on request, a one-page summary that shows: protector state across the fleet, firmware lockdown status, recovery key escrow verification, WinRE governance decision, and a tested lost-device playbook. That document answers nearly every supplier security questionnaire, insurance underwriting question, and ICO follow-up correspondence about appropriate technical measures.
Most of your competitors will not have that document. The ones that do will win the next contract.
How To Sell This To Your Board
Three numbers.
The cost of doing this work for a fifty-device fleet is roughly forty helpdesk hours plus the user time. At a fully loaded UK SMB IT cost, that is in the order of two to three thousand pounds.
The maximum ICO fine for a notifiable breach under UK GDPR is 8.7 million pounds or two per cent of global turnover, whichever is higher. The realistic fine for a stolen laptop with weak technical measures is six figures plus reputational cost, plus the regulator dialogue, plus the insurance position.
The asymmetry is roughly one thousand to one in favour of doing the work now. Boards generally understand that ratio without much further explanation.
What This Means For Your Business
A short checklist. Print it.
- Run BitLocker protector inventory this week. Either manage-bde -status or your management platform.
- Identify priority class one devices. Move them to TPM plus PIN within ten days.
- Apply firmware lockdown alongside the protector change. Same devices, same window.
- Verify recovery key escrow. Test the recovery flow on one device per class.
- Take a documented position on WinRE per device class.
- Update the lost-device playbook. Sixty minutes from missing report to documented protector state and ICO risk assessment.
- Brief the board once, in writing, with the costed plan and the regulatory framing.
- Watch for Microsoft’s eventual patch. Apply it as a priority when it arrives. The 2022 BitLocker fix required separate WinRE partition servicing under KB5025175, so plan for that pattern.
YellowKey did not change the maths of BitLocker. It changed which configurations are defensible.
The configuration the NCSC has recommended for years is defensible. The default is not, this week.
Two weeks of work fixes that.
Related reading:
- Your Green Tick Is Not A Security Strategy
- What The NCSC Has Been Telling You About BitLocker For Years
- Cyber Insurance Claims Are Being Denied And It’s Your Fault
Sources
| Source | Article |
|---|---|
| NCSC | Windows device security guidance |
| Microsoft Learn | BitLocker countermeasures |
| Microsoft Learn | BitLocker overview |
| Microsoft Support | KB5025175: Updating the WinRE partition |
| BleepingComputer | Windows BitLocker zero-day gives access to protected drives, PoC released |
| Blackfort Technology | YellowKey: Technical Analysis |
| ICO | Encryption and data storage |
| SecurityWeek | Researcher Drops YellowKey, GreenPlasma Windows Zero-Days |