Solved

Turn on BitLocker without TPM

Posted on 2015-02-11
Last Modified: 2015-02-24
I have Win 8.1 Pro. My system has TPM. Our security guy wants me to turn BitLocker on but does not want me to use TPM; he's concerned about accessing the drive if the motherboard fails. Instead, a USB key should be required.

Someone is going to say that TPM passwords can be saved and used to initialize a new TPM. True. But that's not relevant for me.

When I try to turn on BitLocker from the Control Panel dialog, it insists on turning on TPM. How can I avoid it and use a USB key instead?
Question by:BlearyEye
12 Comments
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40603407
Turn off TPM in the BIOS.
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 500 total points
ID: 40603598
USE THE TPM.  Export the key.  If your TPM fails (or the motherboard) there is a 36 character password generated and given to you that can be used to unlock the drive.  Tell your IT guy to LEARN about the technology and stop being paranoid.   Better still, tell him to come here!  BEST, TELL HIM TO TRY IT ON ANOTHER DEVICE SO HE ACTUALLY UNDERSTANDS like a true professional would.
 
LVL 14

Accepted Solution

by:Brad Groux
Brad Groux earned 500 total points
ID: 40603776
BitLocker can be configured to run without a compatible TPM chip, but it isn't recommended - as the TPM chip is what limits access to the drive.

Tell your IT guy that corporations with tens of thousands of employees utilize BitLocker + TPM (and even with PINs) without issue. Users can manage their own TPM recovery keys by printing them off or saving them to a USB - or IT can take the initiative and store the TPM recovery keys in Active Directory or MBAM (Microsoft BitLocker Administration and Monitoring).

If he still insists, here are the steps to disable the TPM requirement via GPO.

1. In the Local Group Policy Editor snap-in, from the left pane expand Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption and from the expanded list click to select Operating System Devices.

2. From the right pane double-click “Require additional authentication at startup”.

3. On the opened box click to select the Enabled radio button and ensure that under the Options section the “Allow BitLocker without a compatible TPM” checkbox is checked.
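As an added example that is not code from the thread: the registry values the policy above writes, a check that they took effect, and the enable step that uses a USB startup key instead of the TPM (the PowerShell route avoids the Control Panel wizard's preference for a present TPM). The drive letters C: and E:\, the function names, and the assumption that no domain GPO will later overwrite HKLM\SOFTWARE\Policies\Microsoft\FVE are mine.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell on Windows 8.1 Pro,
# OS volume C:, USB stick E:\, and no domain GPO that would later overwrite these values.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-BitLockerNoTpmPolicy {
    # Enabling "Require additional authentication at startup" writes UseAdvancedStartup=1;
    # ticking "Allow BitLocker without a compatible TPM" writes EnableBDEWithNoTPM=1.
    # The four UseTPM* values at 2 ("Allow") mirror the dialog's defaults.
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    $values = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1
                 UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2 }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $FvePolicy -Name $name -Value $values[$name] -Type DWord
    }
}

function Test-BitLockerNoTpmPolicy {
    # True only when both values that a TPM-less OS drive needs are present.
    $p = Get-ItemProperty -Path $FvePolicy -ErrorAction SilentlyContinue
    return ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

Set-BitLockerNoTpmPolicy
if (-not (Test-BitLockerNoTpmPolicy)) { throw 'Policy values were not written.' }

# A recovery password is the fallback if the USB stick is lost: create it first and keep
# the printed digits somewhere other than the laptop or the stick itself.
$vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty RecoveryPassword

# Turn on BitLocker with the startup key as the only boot-time protector; the stick
# must be present at every boot, and the TPM is not enrolled at all.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -UsedSpaceOnly `
    -StartupKeyProtector -StartupKeyPath 'E:\'
```

Check the result with `Get-BitLockerVolume -MountPoint 'C:'`: the protector list should show ExternalKey and RecoveryPassword only, with no Tpm entry.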
 
LVL 56

Expert Comment

by:McKnife
ID: 40604352
LeeW says it. Set up a GPO that enforces AD backup of the recovery key - you can set it up so that encryption does not start until the key is (automatically) backed up. There's no way you can lose it (unless you squash all your domain controllers and backups ;-) )
 
LVL 1

Author Comment

by:BlearyEye
ID: 40608549
Well, two people actually tried to answer the question. Thanks. As Seth suggested, I turned off TPM via CLI but BitLocker knew it was there and wanted to turn it back on.  

Since I'm heading out on a trip and the risk of theft is higher than when I'm home, I went ahead and turned on BitLocker with TPM. I got a key which I've saved in the appropriate ways.

Now, after the fact, can I reverse the decision to use TPM if it becomes necessary? For example, can I turn off BitLocker, turn off TPM, use Brad's method to make TPM unnecessary, and turn BitLocker on again?

I work at a small company btw and we don't have AD or MBAM.
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 40608577
We all tried to answer the question.  We offered advice based on our interpretations of your apparent skill level and that of your technician.  When you don't understand something, you make assumptions - which is what it appears your technician is doing.  He should educate himself so that he can help you appropriately.  And if he doesn't want to take the time to educate himself, your company should look for a professional who understands the value in staying up on technology and can advise you better.
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 40608882
"Now, after the fact, can I reverse the decision to use TPM if it becomes necessary? For example, can I turn off BitLocker, turn off TPM, use Brad's method to make TPM unnecessary, and turn BitLocker on again?" - Sure, anytime. You don't even need to turn off (=decrypt) BitLocker in between. Just add another protector, a startup key for example, and then remove the TPM protector.
 
LVL 1

Author Comment

by:BlearyEye
ID: 40609770
McKnife ... that looks plausible. The notion of protectors is helpful. I'll give it a try when I'm back in about a week. I think I can add a PIN protector at any rate.

On a procedural question, now that BitLocker is enabled with TPM, suppose my motherboard is changed. Do I use the recovery key that BitLocker provided to start Windows anyway and then in Windows refresh TPM so it provides BitLocker the necessary credentials?

Lee: Pressing the case for using TPM is fine but I still needed advice on my particular situation even if it was in your view sub-optimal. Sometimes we live in an imperfect world and have to make the best of it.
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 40610103
I completely agree with you.  There are plenty of times where I will do things not according to best practice because best practice won't work for a particular circumstance.  This is not one of those cases if you understand the technology.
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 40610224
"On a procedural question, now that BitLocker is enabled with TPM, suppose my motherboard is changed. Do I use the recovery key that BitLocker provided to start Windows anyway and then in Windows refresh TPM so it provides BitLocker the necessary credentials?" - When your mainboard changes, the recovery key is required to start Windows. When in Windows, simply activate the TPM of the new board, remove the old TPM protector and add the new TPM as protector.
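The protector swap McKnife describes here and in the earlier comment (trade the TPM protector for a USB startup key, or replace the old board's TPM protector after a mainboard change), as one added example that is not code from the thread. C:, E:\, the function name, and the guard that a recovery password must already exist are my assumptions; the startup-key path also needs the "Allow BitLocker without a compatible TPM" policy from Brad's steps, and the TPM path needs the new board's TPM already enabled and initialized (see `Get-Tpm`).

```powershell
# Added example (not from the thread): swap the boot-time protector of an already-encrypted
# OS volume without decrypting it. Assumes an elevated PowerShell on Windows 8.1 or later.
function Switch-OsVolumeProtector {
    param(
        [Parameter(Mandatory)][ValidateSet('StartupKey', 'Tpm')][string]$NewProtector,
        [string]$MountPoint = 'C:',      # assumed OS volume
        [string]$StartupKeyPath = 'E:\'  # assumed USB stick
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType

    # Guard: never drop the TPM protector while no recovery password exists, otherwise a
    # failed startup-key or TPM step leaves the volume with no way to unlock it.
    if ($types -notcontains 'RecoveryPassword') {
        throw "Add and back up a RecoveryPassword protector on $MountPoint first."
    }
    $oldTpm = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'

    if ($NewProtector -eq 'StartupKey') {
        # Add the USB startup key first so the volume always has a boot-time protector,
        # then retire the TPM protector. Data stays encrypted throughout.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector `
            -StartupKeyPath $StartupKeyPath | Out-Null
        foreach ($p in $oldTpm) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    } else {
        # After a mainboard change the old TPM protector is bound to a chip that is gone:
        # remove it, then enrol the new board's TPM. Boot with the recovery password until then.
        foreach ($p in $oldTpm) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }

    # Return the resulting protector list so the caller can confirm the swap.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# Usage (pick one):
# Switch-OsVolumeProtector -NewProtector StartupKey -StartupKeyPath 'E:\'
# Switch-OsVolumeProtector -NewProtector Tpm
```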
 
LVL 1

Author Comment

by:BlearyEye
ID: 40610331
McKnife: that's clear, thanks. Lee: sometimes you have to pick your battles. Unfortunately, this isn't one of them.
 
LVL 1

Author Comment

by:BlearyEye
ID: 40628465
Am back in town and have looked at the responses. I think my question is adequately resolved: I know how to move forward if I need to disable TPM and use a USB key as protector, and overall I understand BitLocker better.

Thanks to all.

Question has a verified solution.
