Solved

Turn on BitLocker without TPM

Posted on 2015-02-11
12
200 Views
Last Modified: 2015-02-24
I have Win 8.1 Pro. My system has TPM. Our security guy wants me to turn BitLocker on but does not want me to use TPM; he's concerned about accessing the drive if the motherboard fails. Instead, a USB key should be required.

Someone is going to say that TPM passwords can be saved and used to initialize a new TPM. True. But that's not relevant for me.

When I try to turn on BitLocker from the Control Panel dialog, it insists on turning on TPM. How can I avoid it and use a USB key instead?
0
Question by:BlearyEye
12 Comments
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40603407
Turn off TPM in the BIOS.
0
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
ID: 40603598
USE THE TPM.  Export the key.  If your TPM fails (or the motherboard) there is a 36 character password generated and given to you that can be used to unlock the drive.  Tell your IT guy to LEARN about the technology and stop being paranoid.   Better still, tell him to come here!  BEST, TELL HIM TO TRY IT ON ANOTHER DEVICE SO HE ACTUALLY UNDERSTANDS like a true professional would.
0
 
LVL 14

Accepted Solution

by:
Brad Groux earned 125 total points
ID: 40603776
BitLocker can be configured to run without a compatible TPM chip, but it isn't recommended - as the TPM chip is what limits access to the drive.

Tell your IT guy that corporations with tens of thousands of employees utilize BitLocker + TPM (and even with PINs) without issue. Users can manage their own TPM recovery keys by printing them off or saving them to a USB - or IT can take the initiative and store the TPM recovery keys in Active Directory or MBAM (Microsoft BitLocker Administration and Monitoring).

If he still insists, here are the steps to disable the TPM requirement via GPO.

1. In the Local Group Policy Editor snap-in, from the left pane expand Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption and, from the expanded list, click to select Operating System Drives.

2. From the right pane, double-click “Require additional authentication at startup”.

3. In the dialog that opens, select the Enabled radio button and ensure that, under the Options section, the “Allow BitLocker without a compatible TPM” checkbox is checked.
0
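The same policy can be set from an elevated PowerShell prompt by writing the registry values that the “Require additional authentication at startup” policy controls, and BitLocker can then be enabled with a USB startup key. This is an added example, not from the thread or from Microsoft's documentation; it assumes the OS volume is C: and the USB stick is mounted at E:.

```powershell
# Local-machine policy values behind "Require additional authentication at startup".
# Assumption: OS volume C:, USB stick for the startup key at E:. Run elevated.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Enabled                                -> UseAdvancedStartup = 1
# "Allow BitLocker without a compatible TPM" -> EnableBDEWithNoTPM = 1
New-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -PropertyType DWord -Force | Out-Null

# The remaining options keep the policy's defaults when enabled: 2 = Allow, 1 = Require, 0 = Do not allow.
$defaults = @{ UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2 }
foreach ($name in $defaults.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $defaults[$name] -PropertyType DWord -Force | Out-Null
}

# Verify what was written before touching the volume.
Get-ItemProperty -Path $fve |
    Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN

# Add a recovery password first, so the 48-digit recovery key exists and can be saved
# (the thread's "36 character password" refers to this protector). Then enable BitLocker
# with a startup key written to the USB stick; no TPM protector is created.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword        # print/save this before continuing

Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 `
    -StartupKeyProtector -StartupKeyPath 'E:\' -SkipHardwareTest
```

Without `-SkipHardwareTest` BitLocker performs a reboot test of the startup key before encrypting, which is the safer choice on a first attempt.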
 
LVL 54

Expert Comment

by:McKnife
ID: 40604352
LeeW says it. Set up a GPO that enforces AD backup of the recovery key - you can set it up so that encryption does not start until the key is (automatically) backed up. There's no way you can lose it (unless you squash all your domain controllers and backups ;-) )
0
 
LVL 1

Author Comment

by:BlearyEye
ID: 40608549
Well, two people actually tried to answer the question. Thanks. As Seth suggested, I turned off TPM via CLI but BitLocker knew it was there and wanted to turn it back on.  

Since I'm heading out on a trip and the risk of theft is higher than when I'm home, I went ahead and turned on BitLocker with TPM. I got a key which I've saved in the appropriate ways.

Now, after the fact, can I reverse the decision to use TPM if it becomes necessary? For example, can I turn off BitLocker, turn off TPM, use Brad's method to make TPM unnecessary, and turn BitLocker on again?

I work at a small company btw and we don't have AD or MBAM.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 40608577
We all tried to answer the question.  We offered advice based on our interpretations of your apparent skill level and that of your technician.  When you don't understand something, you make assumptions - which is what it appears your technician is doing.  He should educate himself so that he can help you appropriately.  And if he doesn't want to take the time to educate himself, your company should look for a professional who understands the value in staying up on technology and can advise you better.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 40608882
"Now, after the fact, can I reverse the decision to use TPM if it becomes necessary? For example, can I turn off BitLocker, turn off TPM, use Brad's method to make TPM unnecessary, and turn BitLocker on again?" - Sure, anytime. You don't even need to turn off (=decrypt) BitLocker in between. Just add another protector, a startup key for example, and then remove the TPM protector.
0
 
LVL 1

Author Comment

by:BlearyEye
ID: 40609770
McKnife ... that looks plausible. The notion of protectors is helpful. I'll give it a try when I'm back in about a week. I think I can add a PIN protector at any rate.

On a procedural question, now that BitLocker is enabled with TPM, suppose my motherboard is changed. Do I use the recovery key that BitLocker provided to start Windows anyway and then in Windows refresh TPM so it provides BitLocker the necessary credentials?

Lee: Pressing the case for using TPM is fine but I still needed advice on my particular situation even if it was in your view sub-optimal. Sometimes we live in an imperfect world and have to make the best of it.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 40610103
I completely agree with you.  There are plenty of times where I will do things not according to best practice because best practice won't work for a particular circumstance.  This is not one of those cases if you understand the technology.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 40610224
"On a procedural question, now that BitLocker is enabled with TPM, suppose my motherboard is changed. Do I use the recovery key that BitLocker provided to start Windows anyway and then in Windows refresh TPM so it provides BitLocker the necessary credentials?" - When your mainboard changes, the recovery key is required to start Windows. When in Windows, simply activate the TPM of the new board, remove the old TPM protector and add the new TPM as protector.
0
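Both protector swaps McKnife describes (replacing the TPM protector with a USB startup key on a still-encrypted volume, and re-binding the volume to a new TPM after a motherboard change) come down to adding one protector and removing another. The following is an added example, not from the thread; it assumes the OS volume is C:, the USB stick is at E:, and the "Allow BitLocker without a compatible TPM" policy is already enabled for the startup-key case. Run elevated.

```powershell
# Assumptions: OS volume C:, USB stick for the startup key at E:, elevated prompt.
# Helper (hypothetical name): remove every TPM-based protector on a volume by its ID.
function Remove-TpmProtector {
    param([string]$MountPoint)
    $tpm = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -like 'Tpm*' }   # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey
    foreach ($p in $tpm) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

# Never remove a protector until a recovery password exists and has been saved.
$vol = Get-BitLockerVolume -MountPoint 'C:'
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
}
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword        # save this before continuing

# Case 1: replace TPM with a USB startup key (shows as type "ExternalKey"). Add first, remove second,
# so the volume is never left without a startup protector.
Add-BitLockerKeyProtector -MountPoint 'C:' -StartupKeyProtector -StartupKeyPath 'E:\' | Out-Null
Remove-TpmProtector -MountPoint 'C:'

# Case 2: after a motherboard swap, boot once with the recovery password, enable the new TPM
# in firmware, then in Windows drop the stale TPM protector and bind the volume to the new TPM.
# (Uncomment to run; the two cases are alternatives, not a sequence.)
# Remove-TpmProtector -MountPoint 'C:'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmProtector | Out-Null

# Confirm the resulting protector set.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
```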
 
LVL 1

Author Comment

by:BlearyEye
ID: 40610331
McKnife: that's clear, thanks. Lee: sometimes you have to pick your battles. Unfortunately, this isn't one of them.
0
 
LVL 1

Author Comment

by:BlearyEye
ID: 40628465
Am back in town and have looked at the responses. I think my question is adequately resolved: I know how to move forward if I need to disable TPM and use a USB key as protector, and overall I understand BitLocker better.

Thanks to all.
0
