Bitlocker with USB key instead of TPM - TPM Incompatible
Hi,
I have Bitlocker set up and running with MBAM. Generally it's working very well and I'm pleased with it. The machines with TPM chips have had encryption triggered through MBAM and those without have had it configured manually using a USB startup key.
I have one problem machine though, an old Toshiba Tecra M5. This has a TPM 1.2 but from reading forums elsewhere apparently the BIOS predates Bitlocker and is not compatible. Toshiba haven't published an updated BIOS although they could be updated by returning them to a Toshiba service centre.
Trying to enable Bitlocker with the TPM route fails then due to the BIOS problem. If I try to manually enable Bitlocker in the same way as I've done with the non-TPM machines it doesn't offer me the USB key option as it detects the TPM module. I've tried disabling the TPM in the BIOS and uninstalling it in device manager but it reappears after a reboot.
Is there anything I can do to force Bitlocker to ignore the TPM and encrypt using a USB key instead?
Thanks,
Tim
February 8th, 2012 9:16am
Hi,
Did you check if this computer can read from a USB device during the boot process?
Did you enable the related settings?
Please refer to the following information:
Can I use BitLocker on an operating system drive without a TPM version 1.2?
Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2, if the BIOS has the ability to read from a USB flash drive in the boot environment.
This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
To enable BitLocker on a computer without a TPM, you must enable the Require additional authentication at setup Group Policy setting, which is located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives. You must select the Allow BitLocker without a compatible TPM check box. After this setting is applied to the local computer, the non-TPM settings appear in the BitLocker setup wizard.
See Can I use BitLocker on a computer without a TPM 1.2?
Regards,
Sabrina
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Sabrina
TechNet Community Support
February 8th, 2012 10:28pm
Hi Sabrina,
Thanks - but I've done all that. Bitlocker is working with laptops without TPMs. The problem is that when you try to encrypt the C: drive, because it detects the TPM, it doesn't offer the option of using a USB key.
Tim
February 9th, 2012 5:20am
Hi,
What about configuring BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard to test this issue?
See:
Enabling BitLocker by Using the Command Line
Also, you may try to use the script stated in the following similar thread to test:
http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/9734801b-e30c-4fcf-848c-5dabdabc23f9
Regards,
Sabrina
TechNet Subscriber Support
February 10th, 2012 2:58am
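Following the suggestion above to use manage-bde rather than the wizard, here is an added PowerShell example (not from the thread, not Microsoft's own script) that first checks the Group Policy values named in the earlier reply and then requests a startup-key-only protector explicitly instead of relying on the wizard's TPM detection. The USB drive letter E: and the recovery-key share path are assumed placeholders; run it elevated, and without -Apply it only reports.

```powershell
# Added example (not from the thread): check the no-TPM BitLocker policy, then
# add a USB startup-key protector with manage-bde instead of the wizard.
# Assumptions: the startup key goes on removable drive E: and the recovery key
# to the share path below; both are placeholders to adjust. Run elevated.
param(
    [string]$OsDrive = 'C:',
    [string]$StartupKeyDrive = 'E:\',                              # assumed USB drive letter
    [string]$RecoveryKeyPath = '\\fileserver\bitlocker-recovery\', # assumed share path
    [switch]$Apply                                                 # without -Apply only report
)

# "Require additional authentication at startup" lands in this key when applied by
# Group Policy; EnableBDEWithNoTPM is the "Allow BitLocker without a compatible TPM"
# check box. Both must be 1 or manage-bde will refuse a protector without a TPM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if (-not $policy -or $policy.UseAdvancedStartup -ne 1 -or $policy.EnableBDEWithNoTPM -ne 1) {
    Write-Warning "Policy not applied: UseAdvancedStartup=1 and EnableBDEWithNoTPM=1 are needed under $fve. Fix the GPO, run gpupdate /force, then retry."
    return
}

# The startup key must be writable now and readable by the BIOS at boot; the
# boot-time part is what the BitLocker hardware test verifies on the next restart.
if (-not (Test-Path -Path $StartupKeyDrive)) {
    Write-Warning "Removable drive $StartupKeyDrive not present; insert the USB key."
    return
}

# Current state of the OS volume (Conversion Status, Key Protectors).
& manage-bde -status $OsDrive

# -StartupKey alone (not -TPMAndStartupKey) asks for a startup-key-only protector.
# Without -SkipHardwareTest, manage-bde schedules the hardware test: the next reboot
# confirms the BIOS can read the .BEK from USB before encryption begins (the "system
# check" discussed in the thread). -RecoveryKey writes a recovery .BEK to the share
# and -RecoveryPassword prints a 48-digit numerical password to escrow as well.
if ($Apply) {
    & manage-bde -on $OsDrive -StartupKey $StartupKeyDrive -RecoveryKey $RecoveryKeyPath -RecoveryPassword
} else {
    Write-Output "Would run: manage-bde -on $OsDrive -StartupKey $StartupKeyDrive -RecoveryKey $RecoveryKeyPath -RecoveryPassword"
}
```

As the earlier reply notes, a startup-key-only volume gets no boot-integrity verification from the TPM, so the USB key should not travel in the laptop bag and the recovery material should be escrowed (MBAM in this thread's case) before the first reboot.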
Hi,
How are you? I would appreciate it if you could drop me a note to let me know the status of the issue. If you have any questions or concerns, please feel free to let me know. I am happy to be of further assistance.
Regards,
Sabrina
TechNet Subscriber Support
February 15th, 2012 1:57am