
BitLocker - encrypt OS drive without TPM, if TPM is present


Stilcho

New Member
Posts
4
#1
Hello to everyone,

I am new here and "fresh" with BitLocker encryption. I need to encrypt the OS drive of a laptop with Windows 8.1 and a TPM chip. I have read a few articles about encryption of OS drives with BitLocker ( with TPM / without TPM ) but never got a direct answer to my questions. So ... I want to ask:

1. Is it possible to encrypt the drive without using the TPM in case there is a TPM chip in the laptop? From what I have read, BitLocker works with the TPM by default but I don't want to use it. :think: I have already encrypted other laptops without TPM chips by setting up the group policies ( Computer Configuration \ Administrative Templates \ Windows Components \ Bit Locker Drive Encryption \ Operating System Drives and double click on Require additional authentication at startup ) and ... is it possible for something like this to be done in this case ( when the laptop has a TPM in it )? :think:
What I want is the user to be asked for a password on startup, the recovery key to be saved to a file on an external device ( not to use a USB flash drive as a key ) and to be able to simply change my HDD in the future without needing to manage the TPM.

If this is not possible ... here is my second question:
2. Can I setup encryption with TPM like that:
- user to be asked for PASSWORD on startup
- recovery key to be saved to a file ( I don't want to use a USB flash drive with the recovery key on it every time to unlock the drive ... what I want is just for the user to be asked for a password and, when he enters the correct password, the drive to be unlocked )


I apologise for my bad English and the long questions but I hope that someone can help me with this. Thanks in advance.
 

My Computer

System One

  • OS
    Windows 7 Pro
    Computer type
    Laptop

Edwin

Well-Known Member
VIP Member
Guru
Posts
1,759
#2
Good morning or afternoon Stilcho and welcome to Windows Eight Forums:
BitLocker works for me as you described without TPM enabled. I think you can even set it to 'Auto-Unlock' if you're certain your PC is not accessed by anyone else but you.
I am not that well versed when it comes to TPM/BitLocker issues but there are many helpful members here that are more than willing to help you further. Be patient and check back often.
 

My Computers

System One System Two

  • OS
    Windows 7 Home Premium
    Computer type
    PC/Desktop
    System Manufacturer/Model
    HP Pavilion
  • PC2
    Tablet - Windows 10 Home

ARC1020

New Member
Power User
Posts
446
#3
It's not something I've tried myself, however if you look at the second screenshot in this tutorial of the group policy settings you mentioned (Computer Configuration > Administrative Templates > Windows Components > Bit Locker Drive Encryption > Operating System Drives), it also shows four settings for configuring TPM startup authentication. I'm guessing setting them to 'Do not allow' would do what you are asking, but like I said, it's not something I've tried. Maybe someone else will come along who has actually tried it.

Taken from here:
To configure operating system drive startup options for computers with a TPM, the following options are available:

- Configure TPM startup. You can choose to allow, require, or not allow the use of the TPM with BitLocker.

- Configure TPM startup PIN. You can choose to allow, require, or not allow the use of the TPM in combination with a PIN with BitLocker.

- Configure TPM startup key. You can choose to allow, require, or not allow the use of the TPM in combination with a key stored on a removable device, such as a USB flash drive, with BitLocker.

- Configure TPM startup key and PIN. You can choose to allow, require, or not allow the use of the TPM in combination with both a key stored on a removable device, such as a USB flash drive with BitLocker, and a PIN.



In answer to your second question about using a password with TPM, the same article says the following about using enhanced pins:

"If you are using PINs for authentication along with the TPM, you may want to enable the use of enhanced PINs to allow for increased complexity of PINs. Enhanced PINs support the use of characters, including uppercase and lowercase letters, symbols, numbers, and spaces. Not all computers support these characters before the operating system starts, so we recommend that users perform a system check during BitLocker setup to verify that their computer will support the BitLocker settings they have selected before encrypting the drive. Double-click the Allow enhanced PINs for startup policy setting, and click Enabled to provide the option of using enhanced PINs with BitLocker-protected operating system drives. If this policy setting is disabled or not configured, enhanced PINs cannot be used."

Regardless of whether you use TPM or not, you should have the option to save the recovery key to either a Microsoft account, flash drive, file or print it.
 

My Computer

System One

  • OS
    Win 8 64-bit

Stilcho

New Member
Posts
4
#4
Thank you for the quick reply Edwin. Now it's afternoon here in Bulgaria :) and I think it is good morning for you in Canada :) so ...
If I understand you correctly ( "BitLocker works for me as you described without TPM enabled" ), if I turn off the TPM chip I will be able to encrypt the OS drive just like I encrypt any other laptop without a TPM chip in it :think: ( Turn the TPM On or Off ).
I want just the opposite of "auto-unlock" ... I need to be sure that the user will always be asked for a password ( in case someone steals the laptop or if it is lost ). The other thing is that I want to skip management ( administration ) of the TPM chip ( initializing the TPM, or in case I decide to change my HDD and so on ... ) so I don't want the TPM chip to be used for the encryption process or anything to be stored in it at all.
I must mention that there is sensitive data on the HDD of this laptop so I don't want to make any experiments on it. I don't have anywhere to test different cases so I want to know if there is a solution for me and to apply it without any experiments.
 


Stilcho

New Member
Posts
4
#5
Thank you for the reply ARC1020. That sounds like a solution for my 1st question but, as you mentioned, you have not tried it yourself, and the problem is that I don't want to experiment on the laptop because there is sensitive data on it ( the HDD ). According to what you guess and what I have read in the article, if I set "Do not allow" for all 4 options for configuring TPM startup authentication and check "Allow BitLocker without compatible TPM (...)", I will be able to encrypt the OS drive with BitLocker without using the TPM chip. Am I right?
Or must I stop usage of the TPM chip directly from the BIOS, or I don't know ... I'm not very familiar with TPM administration. I will be very happy if I succeed in encrypting this laptop without using its TPM chip.
 

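The configuration the thread converges on (the "Require additional authentication at startup" policy with "Allow BitLocker without compatible TPM" checked and all four TPM startup options set to "Do not allow", a startup password, and the recovery key saved to a file on an external device) can be applied and verified from an elevated PowerShell session. The script below is an added example written for this thread, not code from the original posts or from Microsoft. It assumes Windows 8.1 or later, that the OS volume is C:, and that E:\bitlocker-recovery is a folder on an external drive (both are placeholders). The DWORD values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones the Group Policy editor writes for that policy; writing them directly is a local-policy equivalent and a domain GPO will override them. The script stops if the volume is already protected, so it does not reconfigure a live encrypted drive.

```powershell
# Added example (not from the thread): enable BitLocker on the OS drive with a
# startup password only, with every TPM startup option set to "Do not allow",
# and save the recovery password to a file on an external device.
# Assumptions: elevated session, Windows 8.1+, OS volume C:, external path below.
#Requires -RunAsAdministrator

$osDrive     = 'C:'
$recoveryDir = 'E:\bitlocker-recovery'          # assumed external device path
$fveKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Local-policy equivalent of "Require additional authentication at startup".
#    UseTPM* values: 0 = Do not allow, 1 = Require, 2 = Allow.
New-Item -Path $fveKey -Force | Out-Null
$policy = @{
    UseAdvancedStartup = 1   # policy Enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM" checkbox
    UseTPM             = 0   # Configure TPM startup: Do not allow
    UseTPMPIN          = 0   # Configure TPM startup PIN: Do not allow
    UseTPMKey          = 0   # Configure TPM startup key: Do not allow
    UseTPMKeyPIN       = 0   # Configure TPM startup key and PIN: Do not allow
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fveKey -Name $name -Value $policy[$name] -Type DWord
}

# 2. Show that a TPM may be present but will not be used, and refuse to touch a
#    volume that is already protected (no experiments on a live drive).
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent) (not used by this configuration)"
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.ProtectionStatus -ne 'Off') {
    throw "$osDrive already has BitLocker protection '$($vol.ProtectionStatus)'; stopping."
}

# 3. Prompt for the startup password (never stored in the script) and confirm it.
$pw1 = Read-Host -AsSecureString 'Startup password'
$pw2 = Read-Host -AsSecureString 'Confirm startup password'
$plain1 = (New-Object System.Net.NetworkCredential('', $pw1)).Password
$plain2 = (New-Object System.Net.NetworkCredential('', $pw2)).Password
if ($plain1 -ne $plain2) { throw 'Passwords do not match; stopping.' }
if ($plain1.Length -lt 8) { throw 'BitLocker requires a password of at least 8 characters.' }
$plain1 = $plain2 = $null

# 4. Password protector for pre-boot unlock, plus a numerical recovery password.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 `
    -PasswordProtector -Password $pw1 | Out-Null
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

# 5. Save the 48-digit recovery password to the external device as a text file.
$rp = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
New-Item -ItemType Directory -Path $recoveryDir -Force | Out-Null
$file = Join-Path $recoveryDir ("BitLocker-{0}-{1}.txt" -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
@"
BitLocker recovery key for $env:COMPUTERNAME volume $osDrive
Identifier:   $($rp.KeyProtectorId)
Recovery Key: $($rp.RecoveryPassword)
"@ | Set-Content -Path $file

# 6. Verify: only Password and RecoveryPassword protectors, nothing TPM-based.
$types = @((Get-BitLockerVolume -MountPoint $osDrive).KeyProtector.KeyProtectorType)
if ($types | Where-Object { "$_" -like 'Tpm*' }) {
    throw "A TPM-based protector was created; check the FVE policy values and retry."
}
if ($types -notcontains 'Password' -or $types -notcontains 'RecoveryPassword') {
    throw "Expected Password and RecoveryPassword protectors, found: $($types -join ', ')"
}
"Protectors on ${osDrive}: $($types -join ', ')"
"Recovery key saved to $file. Restart to complete BitLocker's hardware test; encryption begins afterwards."
```

Because no TPM protector exists, nothing about the disk is sealed to the chip: the same drive can be moved to another machine (or the TPM cleared) and still unlocks with the startup password or the recovery password. Keep the recovery file off the laptop, and confirm later with Get-BitLockerVolume that ProtectionStatus is On and the protector list is unchanged.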
