BitLocker TPM Group Policy difference between Allow and Require

  • Question

  • Hello,

    could somebody please explain the differences between "Allow" and "Require" for EACH of these BitLocker Group Policy options:

    1. Configure TPM startup: "Allow TPM" vs "Require TPM"
    2. Configure TPM startup PIN: "Allow startup PIN with TPM" vs "Require startup PIN with TPM"
    3. Configure TPM startup key: "Allow startup key with TPM" vs "Require startup key with TPM"
    4. Configure TPM startup key and PIN: "Allow startup key and PIN with TPM" vs "Require startup key and PIN with TPM"


    Help is very appreciated!



    • Edited by Qu4rkz Friday, August 30, 2019 7:07 PM
    Friday, August 30, 2019 7:06 PM

All replies

  • These follow the English dictionary definitions.

    Allow means the user can choose to have or not have. Require means they can't choose.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Saturday, August 31, 2019 8:52 PM
  • I mean all these settings apply to "computers with a TPM", so if the user chooses

    Configure TPM startup: "Allow TPM"

    what does this relaxed setting exactly mean, i.e. who then decides if the TPM is used or not? The BIOS?

    Assuming it's the BIOS, if the BIOS disables TPM, what will happen when the BitLocker encrypted disk is booting and TPM is set to Allow (i.e. to "not required")?

    Another thing, if I want to enforce PIN only, thus disallow startup key, I guess the options have to be set to:

    1. Configure TPM startup: "Require TPM"
    2. Configure TPM startup PIN: "Require startup PIN with TPM"
    3. Configure TPM startup key: "Do not allow startup key with TPM"
    4. Configure TPM startup key and PIN: "Do not allow startup key and PIN with TPM"

    Is that correct? I am not 100% sure about the last setting but I assume "Do not allow startup key and PIN with TPM" only forbids the combination (startup key + PIN) while still allowing to use PIN only, right?

    Thanks!


    • Edited by Qu4rkz Sunday, September 1, 2019 8:53 AM
    Sunday, September 1, 2019 8:52 AM
  • BitLocker does not require use of a TPM, therefore if you don't require its use using the policy, the user can choose not to use it because you've "allowed" them to. Same with the other settings as none of them are prerequisites for BitLocker.

    None of this is about enabling or disabling the TPM itself, just its use by BitLocker.

    Correct for the last question.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, September 2, 2019 1:29 AM
  • > BitLocker does not require use of a TPM, therefore if you don't require its use using the policy, the user can choose not to use it because you've "allowed" them to.

    Yes, BitLocker can be used without TPM since there is a checkbox "Allow BitLocker without a compatible TPM...".

    Still the purpose/behavior of "Allow TPM" is not clear.

    Monday, September 2, 2019 7:00 PM
  • You're overthinking this. The intent of the checkbox is simply to enable the configuration of the rest of the settings.

    Without the checkbox checked, a TPM is required.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, September 2, 2019 7:09 PM
  • > The intent of the checkbox is simply to enable the configuration of the rest of the settings.
    >
    > Jason | https://home.configmgrftw.com | @jasonsandys

    Nah this is not correct. Only the presence of a TPM module (or fTPM) decides if the settings below the checkbox are considered. That's also the reason why the controls are not disabled/greyed out when toggling the checkbox (which is usually done when dealing with WinAPI controls which depend on another control).

    Anyway, I just found the information which was a bit hidden and spread in the long description in the group policy window.

    According to the description, each of the 4 dropdown controls is a standalone authentication method and only one of them is allowed to be set to REQUIRED (otherwise a group policy error will be raised). According to this page, even mixed usage of Allow and Require might cause trouble.

    One might wonder how "Configure TPM startup" can be a standalone authentication method but yeah it can. It just means that BitLocker only checks for the presence of the TPM module that was installed when the disk was encrypted (so no need to enter PIN, password or startup key).

    So the correct way to enforce PIN-only is:

    1. Configure TPM startup: "Do not allow TPM"
    2. Configure TPM startup PIN: "Require startup PIN with TPM"
    3. Configure TPM startup key: "Do not allow startup key with TPM"
    4. Configure TPM startup key and PIN: "Do not allow startup key and PIN with TPM"

    Wednesday, September 4, 2019 10:06 PM
  • You're correct about the dialog, but that still doesn't change the other answers. You also never asked about how to configure anything, you simply asked for a definition of "Allow" and "Require".

    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, September 5, 2019 12:05 AM
  • > You're correct about the dialog, but that still doesn't change the other answers. You also never asked about how to configure anything, you simply asked for a definition of "Allow" and "Require".
    >
    > Jason | https://home.configmgrftw.com | @jasonsandys

    Of course I asked how to configure PIN-only:

    > Another thing, if I want to enforce PIN only, thus disallow startup key, I guess the options have to be set to: [...]
    >
    > Is that correct?


    Anyway, at least this question is answered now. Just the technical difference between Allow and Require is still not clear. For example what is the difference when changing the PIN-only configuration from

    Configure TPM startup: "Do not allow TPM"
    Configure TPM startup PIN: "Require startup PIN with TPM"
    Configure TPM startup key: "Do not allow startup key with TPM"
    Configure TPM startup key and PIN: "Do not allow startup key and PIN with TPM"

    to

    Configure TPM startup: "Do not allow TPM"
    Configure TPM startup PIN: "Allow startup PIN with TPM"
    Configure TPM startup key: "Do not allow startup key with TPM"
    Configure TPM startup key and PIN: "Do not allow startup key and PIN with TPM"

    Does this cause a difference when encrypting the disk or when booting the encrypted disk?


    My guess is that the settings only matter for the BitLocker setup process and that "Allow" only makes sense when you want to offer the user multiple authentication choices. So in the example above there is probably no difference since "Allow" only makes sense when setting at least two dropdowns to "Allow". That also explains why mixing "Allow" with "Require" causes a policy error because it does not make sense to allow an authentication method while requesting another one.



    • Edited by Qu4rkz Thursday, September 5, 2019 11:51 AM
    Thursday, September 5, 2019 9:35 AM
  • > Of course I asked how to configure PIN-only:

    You're correct, that was in your second response.

    No, none of these settings have anything to do with how the volume is encrypted. They simply define how and where the keys are stored to enable the volume to be unlocked.

    You're still overthinking this IMO.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, September 5, 2019 1:42 PM
  • > No, none of these settings have anything to do with how the volume is encrypted. They simply define how and where the keys are stored to enable the volume to be unlocked.
    >
    > Jason | https://home.configmgrftw.com | @jasonsandys

    Don't get me wrong, I did not say that they change HOW the volume is encrypted. I wrote that they "cause a difference when encrypting the disk" and "only matter for the BitLocker setup process", so they change the behavior of the setup procedure when a disk is first encrypted (which you can see here). For example when setting more than one of the four authentication methods to "Allow", the user can choose during the setup procedure between those allowed methods. On the other side, if one of the four methods is set to "Require", the user can ONLY pick this method during the setup procedure.

    The linked page even explains how a misconfigured group policy causes the setup procedure for the drive encryption to fail. For example when the setup procedure shows this error message...

    This computer requires a startup option that isn’t supported by BitLocker Setup. Please contact your system administrator to enable BitLocker.

    ...then one has most likely set more than one dropdown in the group policy to "Require" which is not allowed.


    • Edited by Qu4rkz Thursday, September 5, 2019 4:39 PM
    Thursday, September 5, 2019 4:37 PM
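An added example (not from the thread or from Microsoft) that audits the four "Configure TPM startup*" settings discussed in the PIN-only post above and in the misconfiguration post just before this: it reads the policy values, flags the "more than one Require" case behind the BitLocker Setup error quoted above, and compares against the key protectors actually present on the OS volume. It assumes the values live under HKLM:\SOFTWARE\Policies\Microsoft\FVE as UseTPM, UseTPMPIN, UseTPMKey and UseTPMKeyPIN with 0 = Do not allow, 1 = Require, 2 = Allow (my reading of VolumeEncryption.admx; verify against your own ADMX).

```powershell
# Added example: audit the BitLocker "Configure TPM startup*" policy values.
# Assumption (not stated in the thread): registry path and 0/1/2 mapping below
# follow VolumeEncryption.admx as I recall it; confirm against your ADMX.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$names  = [ordered]@{
    UseTPM       = 'Configure TPM startup'
    UseTPMPIN    = 'Configure TPM startup PIN'
    UseTPMKey    = 'Configure TPM startup key'
    UseTPMKeyPIN = 'Configure TPM startup key and PIN'
}
$labels = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Get-FveStartupPolicy {
    # One row per dropdown; Raw is $null when the policy is not configured.
    $props = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    foreach ($n in $names.Keys) {
        $raw = $null
        if ($props -and $null -ne $props.$n) { $raw = [int]$props.$n }
        $meaning = 'Not configured'
        if ($null -ne $raw) { $meaning = $labels[$raw] }
        [pscustomobject]@{ Value = $n; Setting = $names[$n]; Raw = $raw; Meaning = $meaning }
    }
}

function Test-FveStartupPolicy {
    # Applies the rule from the thread: at most one method may be Required,
    # and Allow entries only matter when nothing is Required.
    param([object[]]$Policy)
    $required = @($Policy | Where-Object { $_.Raw -eq 1 })
    $allowed  = @($Policy | Where-Object { $_.Raw -eq 2 })
    if ($required.Count -gt 1) {
        return "FAIL: $($required.Count) methods set to Require; BitLocker Setup rejects this (the 'startup option that isn't supported' error)."
    }
    if ($required.Count -eq 1 -and $allowed.Count -gt 0) {
        return "WARN: '$($required[0].Setting)' is Required while other methods are only Allowed; the Allow entries are redundant and the thread reports this mix can cause trouble."
    }
    if ($required.Count -eq 1) {
        return "OK: only '$($required[0].Setting)' is Required; users cannot pick another protector during setup."
    }
    return "INFO: nothing is Required; users may choose among $($allowed.Count) Allowed method(s)."
}

$policy = Get-FveStartupPolicy
$policy | Format-Table Setting, Meaning -AutoSize
Test-FveStartupPolicy -Policy $policy

# Cross-check: which protectors did setup actually create on the OS volume?
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($os) { $os.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize }
```

Run it elevated on a domain-joined machine after `gpupdate`; a PIN-only deployment should report one Required setting and a single `TpmPin` protector (plus any recovery protector).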
  • Right, which is exactly what I've said all along. They *Allow* the user to choose if configured to allow or *Require* a specific setting if set to required.

    Ultimately, this is all moot if you use a proper enterprise management tool like MBAM though.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, September 5, 2019 5:32 PM