Tip of the Day: Bitlocker without TPM or USB


Today’s tip…

Windows 8 now allows the OS drive to be encrypted without a TPM or a USB startup key.

You can use a password as the protector for the OS drive.

You will have to enable the following GPO: BitLocker Drive Encryption / Operating System Drive / Require Additional Authentication at Startup.

Make sure you check “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)”.

This helps for machines in countries where a TPM is not allowed, such as Russia and China.
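The same procedure in PowerShell, as an added example that is not part of the original post: it first checks that the policy above has actually reached the machine (the registry values the GPO writes), reports whether a TPM is present, and then enables BitLocker on the OS drive with a password protector plus a recovery password. It assumes Windows 8 or later, an elevated session, and that the policy is delivered by GPO or set locally before running; the recovery file path is a placeholder.

```powershell
# Added example, not from the original post. Assumes Windows 8+, elevated
# PowerShell, and that the GPO (or a local policy) has already been configured.
$OsDrive   = $env:SystemDrive            # normally "C:"
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. The GPO writes these values; if they are missing, the policy has not
#    applied and BitLocker refuses with the "compatible TPM" error.
$policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
if (-not $policy -or $policy.UseAdvancedStartup -ne 1 -or $policy.EnableBDEWithNoTPM -ne 1) {
    Write-Warning "Policy not applied: expected UseAdvancedStartup=1 and EnableBDEWithNoTPM=1 under $PolicyKey."
    Write-Warning "Run 'gpupdate /force' (or set the values locally), then re-run this script."
    return
}

# 2. Report TPM state so it is clear which protector path applies.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.TpmPresent) {
    Write-Host "A TPM is present; a TPM-based protector would normally be preferred over a password."
} else {
    Write-Host "No usable TPM; using a pre-boot password protector as the tip describes."
}

# 3. Do nothing if the OS drive is already protected.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$OsDrive is already protected (status: $($vol.VolumeStatus))."
    return
}

# 4. Ask for the pre-boot password interactively; never hard-code it.
$password = Read-Host -AsSecureString -Prompt "Pre-boot password for $OsDrive"

# 5. Turn BitLocker on with a password protector. Without -SkipHardwareTest
#    Windows schedules a restart to prove the password unlocks the drive
#    before encryption starts, which is the reboot the comments mention.
Enable-BitLocker -MountPoint $OsDrive -PasswordProtector -Password $password `
    -EncryptionMethod Aes256 -UsedSpaceOnly

# 6. Add a recovery password and store it off the machine. The path below is
#    a placeholder; losing the recovery password means losing the data.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
"$($recovery.KeyProtectorId) $($recovery.RecoveryPassword)" |
    Out-File -FilePath 'E:\BitLockerRecovery.txt'   # placeholder: use removable media or AD
Write-Host "Recovery password saved; keep it somewhere other than $OsDrive."
```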


Comments (11)

  1. Xavier says:

    Good tip.

    Is the TPM chip and / or the drive encryption not yet allowed in Russia?

    This statement seems to be opposite to several Microsoft Windows 7 Customer Solution Case Studies available from microsoft.com/casestudies, including but not only companies like Moscow Integrated Power Company, Stavropolskiy Broiler and Moscow North District Prefecture.

  2. JB says:

    Is there any way to do this on Windows 7 Enterprise? It appears only a USB flash drive is allowed. But I would prefer a password.

    1. If you do not have TPM, the only option is Recovery Key. If you have hardware to support it, the option for PIN and/or password is available.

  3. alex says:

    Xavier, TPM is allowed in Russia if the manufacturer or vendor certifies it with the FSB. Manufacturers usually do not bother and simply disable it. However, there are some vendors who are willing to certify hardware.

    JB, sadly on Windows 7 without TPM your only option to use BitLocker is a USB key. You can also use EFS to protect your data to some extent, but it is not FDE.

  4. Doug says:

    I’ve tried this on 2 different machines after upgrading from W7 Pro to W10 Pro. Neither machine will start BitLocker; both fail saying I haven’t done the gpedit as shown. What next?

    1. If the system is reporting that the policy is not set up correctly, I’ll need to see how you have it set up. Additionally, did you have the system Bitlockered prior to upgrading or are you trying to do that now that it has been upgraded? Bitlockering and upgrading to Windows 10 (without any other issue) works like a charm. I don’t have a system that doesn’t have TPM, and my virtual machines are encrypting without issue as well.

      http://answers.microsoft.com/en-us/windows/forum/windows_10-win_upgrade/bitlocker-in-windows-10-without-tpm/f79add65-17c2-4a5d-92d6-e4d2a387119f?auth=1

  5. John Estrella Jr says:

    I’m having the same issue as Doug. I enabled “Require additional authentication at startup” and made sure “allow BitLocker without a compatible TPM” was checked, but when enabling BitLocker, I still receive the same error saying “This device can’t use a Trusted Platform Module….” I have a Windows 10 (upgraded from Windows 7 Pro) laptop which didn’t have any encryption prior to the upgrade. I have tried it using a local admin as well as a domain admin account.

    1. If it is still reporting that you are attempting to utilize TPM that is not there, I’d verify that the GPO is configured properly and successfully applies to the system. The process is just enable and configure the GPO, then go back into Bitlocker, turn it on with a flash drive attached for the recovery key or have a print out of the recovery key, then the system will reboot.

  6. Courtney says:

    I recently was having some trouble with BitLocker. I had to enter the recovery key every time I started up my tablet. So I went into System and Security and suspended BitLocker. Then I went to resume protection and now I get a BitLocker drive encryption error where it says I don’t have a compatible TPM. Can I resume protection by doing this?

    1. Yes, but that will take you back to having to enter your recovery key. If you do not have a TPM or a compatible TPM, nor use a USB key to store your recovery key, you will need to enter your recovery key to unlock each time.