Yubico Forum

Re: [Solved] Smartcard for Bitlocker in Windows 10

2016-12-14T05:15:50+01:00

I tried following this process (self signing certificate) - but when I use the Microsoft Technet instructions it says to insert the smart card (which of course you can't write to directly from Windows). I'm presuming you have to generate certificate manually and then import it (using the Yubikey PIV manager tool). How do I create the certificate manually on the Windows 10 PC such that it works for Bitlocker?

Statistics: Posted by rsrinivasan — Wed Dec 14, 2016 5:15 am

Re: [Solved] Smartcard for Bitlocker in Windows 10

2016-07-08T00:25:57+01:00

The key to be 'just create[d]' is the HKLM\Software\Policies\Microsoft\FVE registry key. The link provided originally has the full set of instructions but says to make an adjustment to a registry key. In this case the key does not exist and must be created and set as in the instructions. Always be careful playing around in the registry, it can be a real pain to recover from mistakes there!

Statistics: Posted by velosol — Fri Jul 08, 2016 12:25 am

Re: [Question] Smartcard for Bitlocker in Windows 10

2016-06-12T22:27:11+01:00

PleasingSpringbok wrote:

I'm a little embarrassed to say this, but the solution was to just create the key and add the entry anyway. It really is that simple. Thanks to the people over at the TechNet forums for their help.

Could anyone point me in the right direction here..?
I am completely lost

Statistics: Posted by werto — Sun Jun 12, 2016 10:27 pm

Re: [Question] Smartcard for Bitlocker in Windows 10

2016-05-31T10:04:27+01:00

I'm a little embarrassed to say this, but the solution was to just create the key and add the entry anyway. It really is that simple. Thanks to the people over at the TechNet forums for their help.

Statistics: Posted by PleasingSpringbok — Tue May 31, 2016 10:04 am

[Solved] Smartcard for Bitlocker in Windows 10

2016-05-31T10:04:45+01:00

I'm trying to use my Yubikey NEO's PIV Smartcard capabilities to unlock Bitlocker drives in Windows 10. The main problem seems to be that all of the information on the internet for this is intended for Windows 7. I've tried following a few different guides but the outcome is the same: When I try to add a smart card as an unlock method, I get a popup telling me that "A certificate suitable for bitlocker can't be found on your smart card."

I tried using Microsoft's instructions on "Creating a self-signed certificate for use with Bitlocker", available here. I think the main issue is that I can't edit the registry to enable self-signed certificates, since HKLM\Software\Policies\Microsoft\FVE does not exist in Windows 10. I also tried the instructions under "Sharing an EFS certificate with BitLocker" on the same page, but it lead to the same error. In either case there was no issue in actually loading the certificate onto the Yubikey (thank you for the GUI tool!)

Does this registry entry have an equivalent in Windows 10? It seems to be the bit that I'm missing.

The certificate request file I'm using is:

Code:

[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
HashAlgorithm = Sha256
Exportable = TRUE
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
ValidityPeriodUnits = 99
ValidityPeriod = Years

[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.1

Statistics: Posted by PleasingSpringbok — Sun May 29, 2016 12:41 am