Solved

Non-TPM computers with Bitlocker - need some orientation

Posted on 2016-08-30
14
54 Views
Last Modified: 2016-09-09
I have some Windows 10 Pro computers that will likely have Bitlocker turned on.  They don't have TPM.
I will be accessing and rebooting these computers remotely.

The computers are in a secure location.
I'm wondering if the required USB drive for booting can be left in the computer?
etc......
0
Comment
Question by:Fred Marshall
  • 6
  • 6
  • 2
14 Comments
 
LVL 93

Expert Comment

by:John Hurst
ID: 41777356
They would have already had to prepare a suitable flash key with which to boot the computer. Yes it would need to be in the drive when you restart.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41777357
Here is a decent article that will help explain bitlocker using a flash drive

http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41777374
So, as I get it, there is a USB boot key and there is also a recovery key which can be saved as a file somewhere?
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 
LVL 93

Expert Comment

by:John Hurst
ID: 41777379
The startup key on the Flash drive is for Bitlocker and must be there when you restart. That is not also (to the very best of my knowledge) a boot key as well. The system will start itself (not off the key) but need the key to start up.

So if you are remotely servicing Windows 10 computers without TMP, they need to be able to start themselves so that the encryption key can be on the flash drive.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41777406
John,  Yes, I understand.  The "startup key" is what I referred to as a "boot key" as it's needed to boot.

But what about the recovery key that can be saved to a text file?  It sounds like it's a different animal.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41777408
The encryption key is not a text file. You cannot do anything with it except have it there at boot time. That is for Bitlocker that you mentioned.

What otherwise would you mean by recovery key?

I am not sure just how you would start up with a boot drive in the USB slot when you need the encryption drive as well.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41777438
John,

The boot drive is the encrypted hard drive.
The boot key OR startup key is on a USB drive.

Regarding the "recovery key" on the page you linked:

Next you’ll need to choose a secure password that will be used to access the drive.
You’re prompted to store the recovery key which is used in the event you lose your password or smartcard.   If you store it as a file make sure that it’s not on the same drive that you’re encrypting.
The screen shot shows clearly that this may be saved on a USB drive, as a .txt file or may be printed.  
I'm trying to understand how it's used: "in case you lost the password"...... ????
0
 
LVL 28

Accepted Solution

by:
Michael Pfister earned 250 total points
ID: 41777607
The recovery key can be entered manually in case your stick gets damaged/lost/eaten by the cat.
Don't save it on the stick but place it somewhere where you have access in an emergency.
Anyway you can't do that remotely you have to be on the local console.
0
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 250 total points
ID: 41777826
this may be saved on a USB drive, as a .txt file or may be printed

My apologies. I misinterpreted that (upon reading it again).

So try a test. May you can do this with one USB key. Test first.

From your first question "I'm wondering if the required USB drive for booting can be left in the computer?"

The answer to your question remains: yes.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41778409
mpfister:  But I don't want it to be eaten by the cat!  :-)
I'm guessing that having a spare USB stick is the likely approach as these computers are remote.
I can ask that one be rebooted but that's about all because they are ALSO headless.  So without some trouble, no typing at all.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41790338
thanks
0
 
LVL 26

Author Closing Comment

by:Fred Marshall
ID: 41790341
thanks
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41790347
You are very welcome Fred, and I was happy to work with you.
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 41790829
@Fred: You never know ... maybe it has some "mouse" driver on it... sorry ... couldn't resist ;-)
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Reset server 2008 R2 default permissions 2 22
Windows Restrict installation 11 38
Windows 10 bootup error 22 48
Disable TLS1.0 on Win 2012 server 7 19
Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question