Bitlocker - no password option available

I have a laptop with TPM and BitLocker support. I am trying to set up a simple password on startup with BitLocker, just like VeraCrypt, though when I try to set up BitLocker all I see is this (screenshot):

There is no password option even when I move forward in the setup, only "Save to a file". Am I supposed to memorize the key in that file, or what? Why can't I just set a password?


Add TPM startup PIN (for BitLocker)

This method is simple but requires about 3 minutes. You can add the BitLocker boot-time PIN protection on Windows 10 after the initial setup of BitLocker, using the following steps:

  1. Open the Local Group Policy Editor, by searching for "Local Group Policy" in the Windows 10 search bar or via the Control Panel.
  2. In the Local Group Policy Editor, navigate to:

     Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives

     Open the item called "Require additional authentication at startup".
  3. In "Require additional authentication at startup", change "Not Configured" to "Enabled". Also make sure "Allow startup PIN with TPM" is selected under "Configure TPM startup PIN".

     (Screenshot: Configure TPM startup PIN)

  4. Press OK and restart the system.
  5. After Windows 10 starts again, search for "Manage BitLocker" in the Windows 10 search bar. Now you will see an additional option for changing how the drive is unlocked at startup and for setting or changing the PIN.

(Verified on Windows 10 Pro - Version 1909 & 21H1)
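The same change done from PowerShell, as an added example that is not part of the answer above: it checks the policy value the Group Policy step writes, shows the current key protectors, and adds the TPM+PIN protector that "Manage BitLocker" would create. It assumes the OS volume is C:, an elevated session, and the built-in BitLocker PowerShell module; the registry value names and meanings are as documented for the "Require additional authentication at startup" policy.

```powershell
# Added example, not code from the original answer.
# Assumes: OS volume is C:, elevated PowerShell, BitLocker module present.
#Requires -RunAsAdministrator

$MountPoint = 'C:'

# Step 1: why the PIN option is missing. The GUI only offers TPM+PIN when the policy
# "Require additional authentication at startup" allows it. That policy is stored under
# HKLM\SOFTWARE\Policies\Microsoft\FVE as UseAdvancedStartup=1 and
# UseTPMPIN=2 (allow) or 1 (require); 0 or absent means the option is hidden.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$adv = (Get-ItemProperty -Path $fve -Name UseAdvancedStartup -ErrorAction SilentlyContinue).UseAdvancedStartup
$pin = (Get-ItemProperty -Path $fve -Name UseTPMPIN -ErrorAction SilentlyContinue).UseTPMPIN
if ($adv -ne 1 -or $pin -notin 1, 2) {
    Write-Warning "Policy does not allow a TPM startup PIN (UseAdvancedStartup=$adv, UseTPMPIN=$pin)."
    Write-Warning "Enable it in gpedit.msc as described above, run 'gpupdate /force', then rerun."
    return
}

# Step 2: inspect the current protectors. A TPM-only protector means the disk unlocks
# with no user secret at boot, which is the situation the question describes.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

if ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin') {
    Write-Host "A TPM+PIN protector is already present; nothing to do."
    return
}

# Step 3: add the TPM+PIN protector. The PIN is read as a SecureString so it never
# appears in the console transcript or command history. Default minimum length is 6.
$securePin = Read-Host -Prompt 'Enter a startup PIN (at least 6 digits by default)' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $securePin | Out-Null

# Step 4: if a TPM-only protector is still present alongside TPM+PIN, it would allow a
# PIN-less unlock, so remove it. The recovery password ("Save to a file") is left untouched.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
}

# Step 5: confirm the protector list; a reboot is needed to see the PIN prompt.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
Write-Host "Reboot to confirm the PIN prompt appears before Windows loads."
```

Keep the recovery password from the initial setup available before running this: it remains the fallback if the PIN is forgotten or the TPM measurements change.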


Why is there no easy-to-use option?

In recent versions of Windows 10, the default behavior is to store the decryption key in the TPM. The encryption process ends up being transparent for most users. At the same time, the provided protection would prevent a malicious actor from taking the drive out of the system and trying to access its data elsewhere. For in-system protection, the OS, by default, relies on the Windows 10 user login interface and other account management protection. Part of the assumption is that a malicious actor most likely does not have admin access to the system, and if they do, they have probably already passed the drive decryption. In many cases, when the exploit risk is considered, the protection that the boot-time PIN provides may not justify the inconvenience. However, in some cases there is justification to use a PIN in addition to the TPM.