Solved

Turn on BitLocker without TPM

Posted on 2015-02-11
Last Modified: 2015-02-24
I have Win 8.1 Pro. My system has TPM. Our security guy wants me to turn BitLocker on but does not want me to use TPM; he's concerned about accessing the drive if the motherboard fails. Instead, a USB key should be required.

Someone is going to say that TPM passwords can be saved and used to initialize a new TPM. True. But that's not relevant for me.

When I try to turn on BitLocker from the Control Panel dialog, it insists on turning on TPM. How can I avoid it and use a USB key instead?
Question by:BlearyEye

LVL 34

Expert Comment

by:Seth Simmons
turn off tpm in the bios
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
USE THE TPM.  Export the key.  If your TPM fails (or the motherboard) there is a 36 character password generated and given to you that can be used to unlock the drive.  Tell your IT guy to LEARN about the technology and stop being paranoid.   Better still, tell him to come here!  BEST, TELL HIM TO TRY IT ON ANOTHER DEVICE SO HE ACTUALLY UNDERSTANDS like a true professional would.
LVL 14

Accepted Solution

by:Brad Groux
Brad Groux earned 125 total points
BitLocker can be configured to run without a compatible TPM chip, but it isn't recommended - as the TPM chip is what limits access to the drive.

Tell your IT guy that corporations with tens of thousands of employees utilize BitLocker + TPM (and even with PINs) without issue. Users can manage their own TPM recovery keys by printing them off or saving them to a USB - or IT can take the initiative and store the TPM recovery keys in Active Directory or MBAM (Microsoft BitLocker Administration and Monitoring).

If he still insists, here are the steps to disable the TPM requirement via GPO.

1. In the Local Group Policy Editor snap-in, from the left pane expand Computer Configuration > Administrative Templates > Windows Components > Bit Locker Drive Encryption and from the expanded list click to select Operating System Devices.

2. From the right pane double-click “Require additional authentication at startup”.

3. On the opened box click to select the Enabled radio button and ensure that under the Options section the Allow Bit Locker without a compatible TPM checkbox is checked.
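The three Group Policy Editor steps above end up as a few registry values under the FVE policy key. The PowerShell below is an added example, not part of Brad Groux's answer or any Microsoft sample: it writes and then checks those values on a standalone (non-domain) Windows 8.1 machine. The function names are mine; the value names are the ones the "Require additional authentication at startup" policy writes when set to Enabled with "Allow BitLocker without a compatible TPM" ticked (open the policy in gpedit.msc afterwards to confirm it now reads Enabled).

```powershell
# Added example: local-policy equivalent of the GPO steps in the answer above.
# Run from an elevated PowerShell prompt. On a domain-joined machine set the
# same policy in a GPO instead, because Group Policy refresh overwrites this key.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Enable-BitLockerWithoutTpmPolicy {
    if (-not (Test-Path $FvePolicy)) {
        New-Item -Path $FvePolicy -Force | Out-Null
    }
    # Policy state "Enabled"
    Set-ItemProperty -Path $FvePolicy -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    # Checkbox "Allow BitLocker without a compatible TPM
    # (requires a password or a startup key on a USB flash drive)"
    Set-ItemProperty -Path $FvePolicy -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
    # Leave the TPM drop-downs at their default "Allow" (2) so a machine that
    # does have a TPM can still use it; only the no-TPM path is being opened up.
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $FvePolicy -Name $name -Value 2 -Type DWord
    }
}

function Test-BitLockerWithoutTpmPolicy {
    # $true only when both values exist and carry the values the policy would set
    $p = Get-ItemProperty -Path $FvePolicy -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

Enable-BitLockerWithoutTpmPolicy
if (Test-BitLockerWithoutTpmPolicy) {
    'Policy set: the BitLocker wizard will now offer a USB startup key or password.'
} else {
    'Policy not applied; check that the prompt is elevated.'
}
```

Once the policy is in place, the Control Panel wizard offers "Insert a USB flash drive" instead of insisting on the TPM; `Get-BitLockerVolume -MountPoint C:` shows the resulting protector as type ExternalKey. Keep in mind the caveat in the answer: without a TPM nothing measures the boot chain, so the whole protection rests on that USB stick and on the recovery password being stored somewhere safe.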
LVL 53

Expert Comment

by:McKnife
LeeW says it. Set up a GPO that enforces AD backup of the recovery key - you can set it up so that encryption does not start until the key is (automatically) backed up. There's no way you can lose it (unless you squash all your domain controllers and backups ;-) )
LVL 1

Author Comment

by:BlearyEye
Well, two people actually tried to answer the question. Thanks. As Seth suggested, I turned off TPM via CLI but BitLocker knew it was there and wanted to turn it back on.  

Since I'm heading out on a trip and the risk of theft is higher than when I'm home, I went ahead and turned on BitLocker with TPM. I got a key which I've saved in the appropriate ways.

Now, after the fact, can I reverse the decision to use TPM if it becomes necessary? For example, can I turn off BitLocker, turn off TPM, use Brad's method to make TPM unnecessary, and turn BitLocker on again?

I work at a small company btw and we don't have AD or MBAM.
LVL 95

Expert Comment

by:Lee W, MVP
We all tried to answer the question.  We offered advice based on our interpretations of your apparent skill level and that of your technician.  When you don't understand something, you make assumptions - which is what it appears your technician is doing.  He should educate himself so that he can help you appropriately.  And if he doesn't want to take the time to educate himself, your company should look for a professional who understands the value in staying up on technology and can advise you better.
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
"Now, after the fact, can I reverse the decision to use TPM if it becomes necessary? For example, can I turn off BitLocker, turn off TPM, use Brad's method to make TPM unnecessary, and turn BitLocker on again?" - Sure, anytime. You don't even need to turn off (=decrypt) BitLocker in between. Just add another protector, a startup key for example, and then remove the TPM protector.
LVL 1

Author Comment

by:BlearyEye
McKnife ... that looks plausible. The notion of protectors is helpful. I'll give it a try when I'm back in about a week. I think I can add a PIN protector at any rate.

On a procedural question, now that BitLocker is enabled with TPM, suppose my motherboard is changed. Do I use the recovery key that BitLocker provided to start Windows anyway and then in Windows refresh TPM so it provides BitLocker the necessary credentials?

Lee: Pressing the case for using TPM is fine but I still needed advice on my particular situation even if it was in your view sub-optimal. Sometimes we live in an imperfect world and have to make the best of it.
LVL 95

Expert Comment

by:Lee W, MVP
I completely agree with you.  There are plenty of times where I will do things not according to best practice because best practice won't work for a particular circumstance.  This is not one of those cases if you understand the technology.
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
"On a procedural question, now that BitLocker is enabled with TPM, suppose my motherboard is changed. Do I use the recovery key that BitLocker provided to start Windows anyway and then in Windows refresh TPM so it provides BitLocker the necessary credentials?" - When your mainboard changes, the recovery key is required to start Windows. When in Windows, simply activate the TPM of the new board, remove the old TPM protector and add the new TPM as protector.
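Both of McKnife's answers (swap the TPM protector for a USB startup key without decrypting, and, after a board change, drop the old TPM protector and enrol the new TPM) map directly onto the BitLocker cmdlets that ship with Windows 8.1 Pro. The script below is an added example, not code from the thread or from Microsoft; the function names are mine, and the drive letters (C: for the OS volume, E: for the USB stick) are assumed. Both functions first make sure a recovery password protector exists, because the volume must never be left with no way to unlock it between removing one protector and adding the next.

```powershell
# Added example: protector swaps described in McKnife's answers, done with the
# BitLocker module instead of manage-bde. Run from an elevated prompt.
Import-Module BitLocker

# Return the KeyProtectorId values of a given type on a volume (assumed helper)
function Get-ProtectorIds {
    param([string]$MountPoint = 'C:', [Parameter(Mandatory)][string]$Type)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq $Type } |
        Select-Object -ExpandProperty KeyProtectorId
}

# Ensure a recovery password exists and print it so it can be saved somewhere safe
function Assert-RecoveryPassword {
    param([string]$MountPoint = 'C:')
    if (-not (Get-ProtectorIds -MountPoint $MountPoint -Type 'RecoveryPassword')) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        Write-Warning "New recovery password created, back it up now: $($rp.RecoveryPassword)"
    }
}

# Scenario 1 (no decryption needed): add a USB startup key, then remove the TPM protector
function Switch-TpmToStartupKey {
    param([string]$MountPoint = 'C:', [string]$UsbDrive = 'E:\')   # assumed drive letters
    Assert-RecoveryPassword -MountPoint $MountPoint
    # Writes the .BEK file to the USB stick; from now on the stick is needed at every boot
    Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $UsbDrive | Out-Null
    # Only now is it safe to drop the TPM protector
    foreach ($id in (Get-ProtectorIds -MountPoint $MountPoint -Type 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }
}

# Scenario 2 (after a motherboard swap, once Windows has been started with the
# recovery password): initialise the new TPM, replace the stale TPM protector
function Restore-TpmProtectorAfterBoardSwap {
    param([string]$MountPoint = 'C:')
    Assert-RecoveryPassword -MountPoint $MountPoint
    if (-not (Get-Tpm).TpmReady) { Initialize-Tpm | Out-Null }
    # The old protector is bound to the old chip and can never unlock again;
    # it also blocks adding a second TPM protector, so remove it first
    foreach ($id in (Get-ProtectorIds -MountPoint $MountPoint -Type 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
}

# Show the final protector set so the result can be checked before rebooting
Switch-TpmToStartupKey
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
```

After either function, `Get-BitLockerVolume` should list exactly the protectors you intended plus the RecoveryPassword entry; reboot once while the recovery password is at hand to confirm the new protector actually unlocks the volume before relying on it.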
LVL 1

Author Comment

by:BlearyEye
McKnife: that's clear, thanks. Lee: sometimes you have to pick your battles. Unfortunately, this isn't one of them.
LVL 1

Author Comment

by:BlearyEye
Am back in town and have looked at the responses. I think my question is adequately resolved: I know how to move forward if I need to disable TPM and use a USB key as protector, and overall I understand BitLocker better.

Thanks to all.