BitLocker - TPM and hardware encryption

  • Question

  • I am trying to set up BitLocker for our organization and am hitting a snag. I have set the GPO to require hardware encryption. All of our laptops have TPM 1.2, and even with the TPM enabled the BitLocker encryption fails to fall back to software, as I have that disabled. I just can't figure out why it wants to fall back to software when there is a valid TPM chip on board ready to configure. This occurs with the TS step and also in the BitLocker control panel UI: it sets up the TPM and reboots, but still fails to fall back to software.

    Force hardware encryption just means that it forces the use of a TPM, correct? Or am I missing something?

    Monday, April 4, 2016 6:00 PM

Answers

  • Hi,

    You are indeed missing something. Hardware encryption is not directly related to the TPM. They are different technologies.

    Hardware encryption refers to hard drives that are able to encrypt themselves. This is why it is called hardware encryption. These hard drives are able to be encrypted without the use of a full-disk encryption tool like BitLocker. If you tell BitLocker to use hardware encryption, you are telling BitLocker to use your hard drive's built-in encryption technologies. See https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption for more information.

    The TPM (Trusted Platform Module) is the chip built into modern laptops that provides different elements of security. It has nothing to do with hardware encryption.

    You need to find out if your hard drive supports hardware encryption. If it does, then you can use that GPO to require hardware encryption, and BitLocker will use the hardware's built-in encryption ability. If your hard drives do not have hardware encryption as a feature, then you will need to use BitLocker in its normal way, which is software-based encryption.

    Hope it helps.

    Monday, April 4, 2016 8:00 PM
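A way to confirm the mismatch the answer describes on an affected laptop, as an added diagnostic that is not part of the original thread: it reports TPM state, the OS-drive hardware-encryption policy, and what the OS volume is actually using, then flags the combination (hardware encryption required, software failover disabled, drive not using drive-based encryption) that makes BitLocker fail regardless of the TPM. It assumes Windows 8 / Server 2012 or later with the BitLocker and TrustedPlatformModule cmdlets available, an elevated session, and that the OS-drive policy is stored under the FVE policy key as the value names `OSHardwareEncryption` and `OSAllowSoftwareEncryptionFailover` (assumed from the ADMX, not stated in the thread).

```powershell
# Added diagnostic, not from the original thread. Run elevated on the affected machine.
function Test-BitLockerHwEncryptionPolicy {
    # 1. TPM state. A TPM is a key-protector requirement, not a hardware-encryption one.
    $tpm = Get-Tpm

    # 2. Effective OS-drive hardware-encryption policy. Value names are assumed from the
    #    "Configure use of hardware-based encryption for operating system drives" ADMX.
    $fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pol = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
    $requireHw     = ($pol.OSHardwareEncryption -eq 1)
    $allowFailover = ($pol.OSAllowSoftwareEncryptionFailover -eq 1)

    # 3. What the OS volume is really doing. EncryptionMethod is 'Hardware' only when
    #    BitLocker handed encryption off to a self-encrypting drive.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $usingSed = ($os.EncryptionMethod -eq 'Hardware')

    # 4. The failure condition from the thread: policy demands drive-based encryption,
    #    fallback to software is off, and the drive is not providing it.
    $mismatch = $requireHw -and (-not $allowFailover) -and (-not $usingSed)

    [pscustomobject]@{
        TpmPresent            = $tpm.TpmPresent
        TpmReady              = $tpm.TpmReady
        PolicyRequiresHwEnc   = $requireHw
        PolicyAllowsSwFailover = $allowFailover
        OsVolumeStatus        = $os.VolumeStatus
        OsEncryptionMethod    = $os.EncryptionMethod
        HwEncPolicyMismatch   = $mismatch
    }
}

$result = Test-BitLockerHwEncryptionPolicy
$result | Format-List

if ($result.HwEncPolicyMismatch) {
    Write-Warning ('Policy requires hardware (self-encrypting drive) encryption with software ' +
                   'failover disabled, but the OS volume is not using drive-based encryption. ' +
                   'A ready TPM does not satisfy this policy: either the drive must support ' +
                   'hardware encryption or the policy must allow software encryption.')
}
```

If `HwEncPolicyMismatch` is true on a TPM-ready laptop, the TPM is not the problem; the drive lacks (or is not presenting) self-encryption and the policy forbids the software fallback.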

All replies

  • Hi,

    Would you mind letting me know the result of the suggestions? If you need further assistance, feel free to let me know. I will be more than happy to be of assistance.

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, April 11, 2016 1:15 AM
    Moderator