• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 265

Turn on BitLocker without TPM

I have Win 8.1 Pro. My system has TPM. Our security guy wants me to turn BitLocker on but does not want me to use TPM; he's concerned about accessing the drive if the motherboard fails. Instead, a USB key should be required.

Someone is going to say that TPM passwords can be saved and used to initialize a new TPM. True. But that's not relevant for me.

When I try to turn on BitLocker from the Control Panel dialog, it insists on turning on TPM. How can I avoid it and use a USB key instead?
Asked by: BlearyEye
4 Solutions
 
Seth SimmonsSr. Systems AdministratorCommented:
Turn off TPM in the BIOS.
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
USE THE TPM.  Export the key.  If your TPM fails (or the motherboard) there is a 36-character password generated and given to you that can be used to unlock the drive.  Tell your IT guy to LEARN about the technology and stop being paranoid.   Better still, tell him to come here!  BEST, TELL HIM TO TRY IT ON ANOTHER DEVICE SO HE ACTUALLY UNDERSTANDS like a true professional would.
0
 
Brad GrouxCommented:
BitLocker can be configured to run without a compatible TPM chip, but it isn't recommended - as the TPM chip is what limits access to the drive.

Tell your IT guy that corporations with tens of thousands of employees utilize BitLocker + TPM (and even with PINs) without issue. Users can manage their own TPM recovery keys by printing them off or saving them to a USB - or IT can take the initiative and store the TPM recovery keys in Active Directory or MBAM (Microsoft BitLocker Administration and Monitoring).

If he still insists, here are the steps to disable the TPM requirement via GPO.

1. In the Local Group Policy Editor snap-in, from the left pane expand Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption and from the expanded list click to select Operating System Devices.

2. From the right pane double-click “Require additional authentication at startup”.

3. In the dialog that opens, select the Enabled radio button and ensure that under the Options section the “Allow BitLocker without a compatible TPM” checkbox is checked.
0
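The same setting without the gpedit snap-in, as an added example that is not code from the thread: the policy in the three steps above (the node is named Operating System Drives in gpedit) writes its values under HKLM\SOFTWARE\Policies\Microsoft\FVE, so on a machine with no domain a local script can set them and then enable BitLocker with a USB startup key and a recovery password. It assumes an elevated PowerShell prompt on Windows 8.1 Pro, that the OS volume is C: and the USB stick is E:; Aes256 is chosen because the XTS methods do not exist on 8.1.

```powershell
# Added example, not from the original thread. Elevated PowerShell, Windows 8.1 Pro.
# Assumptions: OS volume is C:, the USB stick that will hold the startup key is E:.
$osVol  = 'C:'
$usbVol = 'E:\'

# 1. Local equivalent of the GPO "Require additional authentication at startup"
#    = Enabled, with "Allow BitLocker without a compatible TPM" ticked.
#    gpedit writes exactly these values; setting them directly skips the snap-in.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
# 2 = "Allow" for each TPM option, so a TPM protector can still be added later.
foreach ($n in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $n -Value 2 -Type DWord
}

# 2. Recovery password FIRST, so the drive is never protected only by a
#    USB stick that can be lost. Record it and store it away from the laptop.
Add-BitLockerKeyProtector -MountPoint $osVol -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $osVol).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password (ID $($rp.KeyProtectorId)): $($rp.RecoveryPassword)"

# 3. Enable with a startup key written to the USB stick. Do NOT pass
#    -SkipHardwareTest: the reboot test proves the firmware can read the stick
#    pre-boot, which is the failure that otherwise lands you on the recovery screen.
#    -UsedSpaceOnly is deliberately omitted: on a drive already in use, free space
#    still holds old file contents and should be encrypted too.
Enable-BitLocker -MountPoint $osVol -StartupKeyProtector -StartupKeyPath $usbVol `
                 -EncryptionMethod Aes256

# 4. Sanity check before rebooting: only the protectors we expect, and no TPM.
(Get-BitLockerVolume -MountPoint $osVol).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
# Expected types: RecoveryPassword and ExternalKey. Reboot with the stick
# inserted; encryption starts once the hardware test passes.
```

If the Control Panel wizard still insists on the TPM after this, the policy was not applied (check the FVE key and run gpupdate); the cmdlets above do not go through the wizard, so they honour the policy directly.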
 
McKnifeCommented:
LeeW says it. Set up a GPO that enforces AD backup of the recovery key - you can set it up so that encryption does not start until the key is (automatically) backed up. There's no way you can lose it (unless you squash all your domain controllers and backups ;-) )
0
 
BlearyEyeAuthor Commented:
Well, two people actually tried to answer the question. Thanks. As Seth suggested, I turned off TPM via CLI but BitLocker knew it was there and wanted to turn it back on.  

Since I'm heading out on a trip and the risk of theft is higher than when I'm home, I went ahead and turned on BitLocker with TPM. I got a key which I've saved in the appropriate ways.

Now, after the fact, can I reverse the decision to use TPM if it becomes necessary? For example, can I turn off BitLocker, turn off TPM, use Brad's method to make TPM unnecessary, and turn BitLocker on again?

I work at a small company btw and we don't have AD or MBAM.
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
We all tried to answer the question.  We offered advice based on our interpretations of your apparent skill level and that of your technician.  When you don't understand something, you make assumptions - which is what it appears your technician is doing.  He should educate himself so that he can help you appropriately.  And if doesn't want to take the time to educate himself, your company should look for a professional who understands the value in staying up on technology and can advise you better.
0
 
McKnifeCommented:
"Now, after the fact, can I reverse the decision to use TPM if it becomes necessary? For example, can I turn off BitLocker, turn off TPM, use Brad's method to make TPM unnecessary, and turn BitLocker on again?" - Sure, anytime. You don't even need to turn off (=decrypt) BitLocker in between. Just add another protector, a startup key for example, and then remove the TPM protector.
0
 
BlearyEyeAuthor Commented:
McKnife ... that looks plausible. The notion of protectors is helpful. I'll give it a try when I'm back in about a week. I think I can add a PIN protector at any rate.

On a procedural question, now that BitLocker is enabled with TPM, suppose my motherboard is changed. Do I use the recovery key that BitLocker provided to start Windows anyway and then in Windows refresh TPM so it provides BitLocker the necessary credentials?

Lee: Pressing the case for using TPM is fine but I still needed advice on my particular situation even if it was in your view sub-optimal. Sometimes we live in an imperfect world and have to make the best of it.
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
I completely agree with you.  There are plenty of times where I will do things not according to best practice because best practice won't work for a particular circumstance.  This is not one of those cases if you understand the technology.
0
 
McKnifeCommented:
"On a procedural question, now that BitLocker is enabled with TPM, suppose my motherboard is changed. Do I use the recovery key that BitLocker provided to start Windows anyway and then in Windows refresh TPM so it provides BitLocker the necessary credentials?" - When your mainboard changes, the recovery key is required to start Windows. When in Windows, simply activate the TPM of the new board, remove the old TPM protector and add the new TPM as protector.
0
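Both protector swaps McKnife describes (TPM to USB startup key without decrypting, and re-enrolling a new TPM after a motherboard change), as an added example that is not code from the thread. It assumes an elevated PowerShell prompt on Windows 8.1 or later, that the OS volume is C:, the USB stick is E:, and that local policy already allows BitLocker without a compatible TPM (otherwise BitLocker refuses a startup-key-only protector on the OS volume). The function names and the check that a recovery password exists before anything is removed are this example's own additions.

```powershell
# Added example, not from the original thread. Elevated PowerShell, Windows 8.1+.
# Assumptions: OS volume is C:, USB stick is E:, policy allows BitLocker without TPM.
$osVol = 'C:'

function Get-Protector([string]$Volume, [string]$Type) {
    # KeyProtectorType values seen here: Tpm, ExternalKey (startup key), RecoveryPassword.
    (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
        Where-Object KeyProtectorType -eq $Type
}

function Assert-RecoveryPasswordExists([string]$Volume) {
    # Never touch boot protectors on a volume you cannot recover.
    if (-not (Get-Protector $Volume 'RecoveryPassword')) {
        throw "$Volume has no recovery password protector; add one and back it up first."
    }
}

# Case 1: stop using the TPM, require the USB key instead. No decryption needed.
# Order matters: add the replacement, verify it exists, only then remove the TPM.
function Switch-TpmToStartupKey([string]$Volume, [string]$UsbRoot) {
    Assert-RecoveryPasswordExists $Volume
    Add-BitLockerKeyProtector -MountPoint $Volume -StartupKeyProtector -StartupKeyPath $UsbRoot | Out-Null
    if (-not (Get-Protector $Volume 'ExternalKey')) {
        throw 'Startup key protector was not created; TPM protector left in place.'
    }
    foreach ($p in Get-Protector $Volume 'Tpm') {
        Remove-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

# Case 2: after a motherboard swap you booted with the recovery password.
# Remove the protector sealed to the old TPM, then enroll the new chip.
function Replace-TpmProtector([string]$Volume) {
    Assert-RecoveryPasswordExists $Volume
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw 'No TPM visible; enable it in firmware first.' }
    if (-not $tpm.TpmReady)   { Initialize-Tpm | Out-Null }   # may need a reboot on some boards
    foreach ($p in Get-Protector $Volume 'Tpm') {
        # Useless now: it can only be unsealed by the TPM on the old board.
        Remove-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $Volume -TpmProtector | Out-Null
    if (-not (Get-Protector $Volume 'Tpm')) {
        throw 'New TPM protector was not created; you still boot with the recovery password.'
    }
}

# Usage: run one of the two, then confirm before rebooting.
Switch-TpmToStartupKey -Volume $osVol -UsbRoot 'E:\'
# Replace-TpmProtector -Volume $osVol

Get-BitLockerVolume -MountPoint $osVol | Select-Object ProtectionStatus, VolumeStatus
(Get-BitLockerVolume -MountPoint $osVol).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

Before rebooting, ProtectionStatus should read On and the protector list should contain exactly what you intend to boot with (ExternalKey in case 1, Tpm in case 2) plus the RecoveryPassword. If a startup key is used, keep the stick you wrote it to and test a cold boot while the recovery password is still at hand.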
 
BlearyEyeAuthor Commented:
Mcknife: that's clear, thanks. Lee: sometimes you have to pick your battles. Unfortunately, this isn't one of them.
0
 
BlearyEyeAuthor Commented:
Am back in town and have looked at the responses. I think my question is adequately resolved: I know how to move forward if I need to disable TPM and use a USB key as protector, and overall I understand BitLocker better.

Thanks to all.
0