What You Need to Know About BitLocker
If you’re like most organizations, you rely on BitLocker.
It’s built-in, easy to roll out, and—on supported Windows 11 hardware — often enabled by default right from the factory or during clean installs. For many fleets, that meant quick wins with minimal friction.
In most environments, BitLocker runs in
TPM-only mode.
TPM-only is attractive because it’s hands-off and compatible with silent deployment via Intune—no extra steps for users.

80% of you use BitLocker in TPM-only mode — and nothing prevents attackers from reading your data if they have your laptop.
While several attack methods exist, the Cool RAM attack is the most unpreventable: once an attacker cools the RAM, the encryption keys can remain intact for minutes — even hours — after shutdown, allowing them to be extracted and used to decrypt the disk
Let’s hear it directly from Microsoft and the Windows Forum CVE advisory
Buried in a long and technical article, one line stands out: “The immediate steps are straightforward: …
enforce pre-boot authentication where possible.“
BitLocker PIN Mode - Not Perfect Either
BitLocker does offer other modes, like TPM+PIN which add pre boot authentication. And yes, they are more secure than TPM only.
But if you consider TPM only, you probably know why PIN modes are not widely adopted. Its basic manageability is not enterprise ready.
BitLocker PIN Mode
Manageability Challenges
BitLocker PIN mode introduces pre boot authentication, but its manageability often falls short of enterprise expectations.
Here are a few examples:
No true user authentication
The PIN is tied to the device, not the user. Microsoft even recommends sharing the PIN when multiple users share a machine, which breaks accountability.
No real MFA support
You can add a USB key but it is not enterprise grade. There is no support for phones or smartcards.
Deployment and recovery friction
PIN mode blocks silent deployment workflows, increases recovery prompts, and adds helpdesk load. It is not built for scalable enterprise manageability.
