The trusted platform module (TPM) is a hardware component installed in many newer computers by computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
Here is an example of an FDE solution with PBA that I have tested: “How to download DriveLock software and install DriveLock”. Kindly take a look at this guide as well: “Important DriveLock components to master”.
– Note: On devices without TPM version 1.2 and above, you can still use BitLocker to encrypt the Windows OS drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
Note: There is no dire consequence to having BitLocker without a TPM; the difference is that the encryption key will be saved to a USB drive instead of being stored on the chip itself.
The following error was displayed when I tried simulating what could happen on devices without a TPM: "This device can't use a Trusted Platform Module. Your administrator must select the "Allow BitLocker without a compatible TPM" option in the "Require additional authentication at startup" policy for OS volumes".
To resolve this error, we will have to configure the local Group Policy setting “Allow BitLocker without a compatible TPM”. For more information on Group Policy, please see the following guides: “What is a Group Policy Object and how can it be launched”, “How to analyze Group Policies applied to a user and computer account”, and, for a comprehensive list of articles I have written on GPO, please visit the following link.
There are numerous ways to launch the Group Policy Editor in Windows 10.
– Open the Group Policy Editor by pressing Windows Key + R, typing “gpedit.msc” and pressing Enter.
– Or from the Windows search box, type “gpedit.msc” and press Enter.
This will open the Local Group Policy Editor. Navigate to the following path:
– Computer Configuration
– Administrative Templates
– Windows Components
– BitLocker Drive Encryption
– Operating System Drives
On the right pane of the window, you will see an option called “Require additional authentication at startup”.
– Double-click on that option.
– This is currently set to “Not Configured”. We will have to change this by selecting the “Enabled” radio button.
– This will check the “Allow BitLocker without a compatible TPM” box by default, as shown below.
Click OK. As you can see, the policy has been enabled.
Note: These Group Policy changes take effect immediately; there is no need to reboot or run GPUpdate. See this guide for more information on GPUpdate switches: GPUpdate vs GPUpdate force
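As an added example that is not part of the original post, the following PowerShell script audits the TPM state and the local policy that the steps above configure through gpedit.msc, and can optionally write the same registry values the policy editor writes. The registry path and value names are the ones Windows uses for the “Require additional authentication at startup” policy; the -Apply switch is my own naming for this illustration.

```powershell
# Added example (not from the original post): audit, and optionally set, the local
# "Require additional authentication at startup" policy without opening gpedit.msc.
# Run from an elevated PowerShell prompt. -Apply is a switch introduced here for illustration.
[CmdletBinding()]
param([switch]$Apply)

# Registry location behind the BitLocker policies in Local Group Policy.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Check whether the machine has a usable TPM (Get-Tpm needs administrator rights).
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady) {
    Write-Host 'TPM present and ready: BitLocker can perform pre-startup integrity verification.'
} else {
    Write-Host 'No usable TPM: BitLocker needs "Allow BitLocker without a compatible TPM" and a USB startup key.'
}

# 2. Read the current policy state. A missing key or value means "Not Configured",
#    which is exactly the state that produces the "This device can't use a TPM" error.
$current      = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$enabled      = ($current.UseAdvancedStartup -eq 1)
$noTpmAllowed = ($current.EnableBDEWithNoTPM -eq 1)
Write-Host ('Policy enabled: {0}; BitLocker without compatible TPM allowed: {1}' -f $enabled, $noTpmAllowed)

# 3. Optionally write what the GUI writes when you select "Enabled" and leave the
#    defaults in place ("Allow BitLocker without a compatible TPM" is ticked by default).
if ($Apply -and -not $noTpmAllowed) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name UseAdvancedStartup -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name EnableBDEWithNoTPM -PropertyType DWord -Value 1 -Force | Out-Null
    # Remaining options mirror the GUI defaults: 2 = "Allow" for each TPM startup method.
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord -Value 2 -Force | Out-Null
    }
    Write-Host 'Local policy updated. As noted in the article, no reboot or gpupdate is required.'
}
```

On a TPM-less device the script's audit step reports both values as False until the policy is applied, matching the error the article reproduces.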
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.