How to Enable BitLocker without TPM?

  • Question

  • Hi all

    We're running SCCM 2012 R2 CU4. All has gone well with our global migration to Windows 7 SP1 Enterprise with MBAM using our SCCM task sequence.

    2 offices remain: Beijing and Shanghai. However, Chinese regulations do not permit the use of TPM chips, in fact, all laptops we buy locally have the TPM chip disabled permanently at manufacturing. So we have been trying to create a task sequence that enables BitLocker using a Startup (USB) key instead of the TPM but we're getting a task sequence error 0x80004005 during the "Enable BitLocker" step. This is proving to be more difficult than anticipated.

    Can anyone offer an assistance or a link to a guide that walks us through the process for enabling BitLocker using a Startup key in the absence of a TPM chip please?

    Best regards
    Scott


    • Edited by mr5h Tuesday, March 24, 2015 10:47 AM
    Tuesday, March 24, 2015 12:50 AM

Answers

  • As suspected, a different Microsoft employee confirmed Windows 7 machines without a TPM are not compatible with MBAM, Windows 8 is though.

    Nevertheless, we managed to get the Enable BitLocker step to work by creating a step before it that imports the required registry keys:-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
    "FDVPassphrase"=dword:00000001
    "FDVEnforcePassphrase"=dword:00000001
    "FDVPassphraseComplexity"=dword:00000002
    "FDVPassphraseLength"=dword:00000008
    "OSPassphrase"=dword:00000001
    "OSPassphraseComplexity"=dword:00000002
    "OSPassphraseLength"=dword:00000008
    "OSPassphraseASCIIOnly"=dword:00000000
    "OSRecovery"=dword:00000001
    "OSManageDRA"=dword:00000001
    "OSRecoveryPassword"=dword:00000002
    "OSRecoveryKey"=dword:00000002
    "OSHideRecoveryPage"=dword:00000001
    "OSActiveDirectoryBackup"=dword:00000001
    "OSActiveDirectoryInfoToStore"=dword:00000001
    "OSRequireActiveDirectoryBackup"=dword:00000001
    "EnableBDEWithNoTPM"=dword:00000001
    "UsePartialEncryptionKey"=dword:00000002
    "UsePIN"=dword:00000002
    "UseAdvancedStartup"=dword:00000001
    "UseTPM"=dword:00000000
    "UseTPMKey"=dword:00000000
    "UseTPMPIN"=dword:00000002
    "UseTPMKeyPIN"=dword:00000002
    "UseEnhancedPin"=dword:00000000
    "MinimumPIN"=dword:00000006
    "EncryptionMethod"=dword:00000002

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement]
    "UseMBAMServices"=dword:00000001
    "UseKeyRecoveryService"=dword:00000001
    "KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
      62,00,61,00,6d,00,73,00,72,00,76,00,30,00,31,00,2e,00,70,00,69,00,6e,00,73,\
      00,65,00,6e,00,74,00,6d,00,61,00,73,00,6f,00,6e,00,73,00,2e,00,6c,00,6f,00,\
      63,00,61,00,6c,00,2f,00,4d,00,42,00,41,00,4d,00,52,00,65,00,63,00,6f,00,76,\
      00,65,00,72,00,79,00,41,00,6e,00,64,00,48,00,61,00,72,00,64,00,77,00,61,00,\
      72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,2f,00,43,00,6f,00,72,\
      00,65,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,\
      00,00
    "KeyRecoveryOptions"=dword:00000001
    "ClientWakeupFrequency"=dword:0000005a
    "UseStatusReportingService"=dword:00000001
    "StatusReportingServiceEndpoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,\
      00,62,00,61,00,6d,00,73,00,72,00,76,00,30,00,31,00,2e,00,70,00,69,00,6e,00,\
      73,00,65,00,6e,00,74,00,6d,00,61,00,73,00,6f,00,6e,00,73,00,2e,00,6c,00,6f,\
      00,63,00,61,00,6c,00,2f,00,4d,00,42,00,41,00,4d,00,43,00,6f,00,6d,00,70,00,\
      6c,00,69,00,61,00,6e,00,63,00,65,00,53,00,74,00,61,00,74,00,75,00,73,00,53,\
      00,65,00,72,00,76,00,69,00,63,00,65,00,2f,00,53,00,74,00,61,00,74,00,75,00,\
      73,00,52,00,65,00,70,00,6f,00,72,00,74,00,69,00,6e,00,67,00,53,00,65,00,72,\
      00,76,00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,00,00
    "StatusReportingFrequency"=dword:000002d0
    "ShouldEncryptOSDrive"=dword:00000001
    "OSDriveProtector"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement\Configuration]
    "CustomerExperienceImprovementProgram"=dword:00000000

    Hope this helps others with a similar problem.

    • Marked as answer by mr5h Friday, May 1, 2015 1:40 PM
    Friday, May 1, 2015 1:40 PM
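    The hex(2) values in the export above are REG_EXPAND_SZ strings stored as comma-separated UTF-16LE bytes, so the MBAM endpoints they set are hard to review before the file is imported. This added example (my code, not from the thread) decodes such values from .reg text; the short .reg snippet inside it is constructed for the example and the function name ConvertFrom-RegHexString is my own.

```powershell
# Added example, not from the thread: decode hex(2) (REG_EXPAND_SZ) values in a .reg file
# into readable strings so the URLs they contain can be checked before import.
function ConvertFrom-RegHexString {
    param([string]$RegText)
    $result = @{}
    # A trailing ",\" means the value continues on the next (indented) line: join them.
    $joined = $RegText -replace ',\\\r?\n\s*', ','
    foreach ($line in ($joined -split '\r?\n')) {
        if ($line -match '^\s*"([^"]+)"=hex\(2\):(.+)$') {
            $name = $Matches[1]
            [byte[]]$bytes = $Matches[2] -split ',' |
                Where-Object { $_ -ne '' } |
                ForEach-Object { [Convert]::ToByte($_, 16) }
            # hex(2) data is UTF-16LE text ending in a 00,00 terminator; drop the terminator.
            $result[$name] = [Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
        }
    }
    return $result
}

# Constructed sample in the same layout as the posted export (decodes to http://mbam/).
$sample = @'
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement]
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
  6d,00,62,00,61,00,6d,00,2f,00,00,00
'@

$decoded = ConvertFrom-RegHexString $sample
foreach ($name in $decoded.Keys) {
    $url = [uri]$decoded[$name]
    # Flag endpoints that are not HTTPS: MBAM recovery and status traffic would go in clear.
    '{0} -> {1} (scheme: {2})' -f $name, $decoded[$name], $url.Scheme
}
```

    Run against the posted export, both endpoint values decode to http:// URLs, so the recovery-key and status traffic between the client and those MBAM services is not protected on the wire unless something else encrypts it; the scheme is worth checking before the file goes into a task sequence.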

All replies

  • Thanks Venu, good background reading but they don't tell me how to "Enable BitLocker" with a Startup key within a task sequence or, more importantly, how we overcome the task sequence error 0x80004005 that we are experiencing. Group Policy is already set to "Allow BitLocker without a compatible TPM" and a formatted non-encrypted USB drive is inserted before the build process. We have already tested it all works manually using the BitLocker Drive Encryption wizards but we want to automate, if not all, of the process during the task sequence as much as possible. 

    Any ideas on how to resolve the 0x80004005 error during the "Enable BitLocker" step or a link to a 'how to' guide please?

    Thanks
    Scott

    Tuesday, March 24, 2015 10:46 AM
  • Hi,

    Please check smsts.log on the client for troubleshooting.

    How do you configure the Task sequence?

    Best Regards,

    Joyce



    • Proposed as answer by Joyce L Wednesday, April 1, 2015 8:53 AM
    Wednesday, March 25, 2015 5:38 AM
  • So TechNet says this (and it appears it's supported, which I was thinking it wouldn't be):

    Choose the drive to encrypt
    Specifies the drive to encrypt. To encrypt the current operating system drive, select Current operating system drive and then configure the key management. To specify that the Trusted Platform Module (TPM) should be used for key management, select TPM only. To specify that the startup key should be on USB only, select Startup key on USB only. To specify the key management for both the TPM and USB select TPM and startup key on USB only. To encrypt a specific drive (a non-operating system data drive) select Specific drive.

    Note
    If you select USB, you must have a USB drive attached to the computer when the operating system deployment is performed. The startup key is written to the USB drive.

    Have you confirmed that you are using these settings? Just a heads up that domain Group Policies will not apply to a computer during an OSD Task Sequence so you can exclude that as having any influence over the process.

    Cheers

    Damon

    • Proposed as answer by Joyce L Wednesday, April 1, 2015 8:53 AM
    Wednesday, March 25, 2015 7:41 AM
  • It actually looks like someone has posted this before: https://social.technet.microsoft.com/Forums/systemcenter/en-US/a69dd218-71f6-4782-9dcd-91b7b816852c/bitlocker-task-sequence-procedure-without-tpm

    It's probably worth logging a call with your Microsoft TAM - if you don't have one, it might be worth paying for a few hours of support to get a definitive answer. There is also this blog which touches on what you are trying to do:

    http://blogs.technet.com/b/pauljones/archive/2010/03/08/how-to-enable-bitlocker-with-sccm-osd.aspx

    I suspect most people in your situation have gone with third party encryption tools which is why there is such a lack of information around the issue.

    Cheers

    Damon

    Wednesday, March 25, 2015 7:54 AM
  • Thanks for your replies and apologies for the delay in replying.

    I have been receiving help from Microsoft Premier Support who initially advised to disable the "Prepare drive for BitLocker" step but it was the disabling of this step that caused all the problems. Once I re-enabled the step, in conjunction with the additional steps (below), the task sequence completed and the drive was encrypted successfully:-

    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t Reg_Dword /d 1 /f
    reg add HKLM\Software\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 2 /f
    MANAGE-BDE -ON C: -RP -SK E:\ -S

    We would appreciate your help with these queries please:-

    1. In the event a user has their USB key lost or stolen, they can contact IT for the 48-digit recovery password. This is tedious if the user is working away from the office for a long period of time and needs a replacement USB key. We could post a replacement USB key to the user but this means we would need to securely store each machine’s .BEK file(s). Other than a secure network share, what is the Microsoft best practice on securely storing each machine’s .BEK file(s) so that we may send it to a customer to copy to a new, formatted USB key?

    2. A Startup key is only one method of protection but if we can add a PIN or a password to the boot process that would provide 2 methods of protection, just like we have for our machines with a TPM. However, I understand a PIN can only be set with a TPM and when I try to add a password (“manage-bde -protectors -add c: -pw”) I get “ERROR: An error occurred (code 0x8031006d). A password cannot be added to the operating system drive”. Can we set a PIN or a password on our machines with no TPM, if so, how?

    3. Microsoft Premier Support mentioned MBAM for our machines with no TPM. If we can get our machines with no TPM into our existing MBAM infrastructure then that would be the best option because we can set a PIN, use the IT Service Desk portal, use the Self-Service portal and utilise the audit reports and SCCM reports. However, when I try the “Start MBAM Encryption Script” step (StartMBAMEncryption.wsf) it already works on the TPM machines but fails on the non-TPM machines because the script is looking for a TPM. How can we add our machines with no TPM into MBAM please?

    Thanks
    Scott


    • Edited by mr5h Thursday, April 2, 2015 11:01 AM additional info
    Thursday, April 2, 2015 10:52 AM
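    As an added example (my code, not Scott's steps or anything from Microsoft), here is a PowerShell version of the non-TPM enable step above that also escrows the recovery password to Active Directory, which covers part of question 1: what AD can hold is the recovery password, not the .BEK file on the USB key. It assumes the USB key is mounted as E:\, the machine is domain-joined with AD reachable when the step runs, and that manage-bde prints the English "Numerical Password:" and "ID:" labels.

```powershell
# Added example, not code from the thread or from Microsoft: a task sequence step that
# enables BitLocker on a Windows 7 OS drive with no TPM (USB startup key + recovery
# password) and backs the recovery password up to the computer object in AD.
# Assumptions: USB key is E:\, domain-joined with AD reachable, English manage-bde output.
param(
    [string]$OsDrive  = 'C:',
    [string]$UsbDrive = 'E:\'
)
$ErrorActionPreference = 'Stop'

# 1. Local policy, because domain GPOs are not applied while the task sequence runs.
#    Same values as the REG ADD lines in the post, plus UseAdvancedStartup, which the
#    "Require additional authentication at startup" GPO sets alongside EnableBDEWithNoTPM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1; EncryptionMethod = 2 }
foreach ($kv in $policy.GetEnumerator()) {
    Set-ItemProperty -Path $fve -Name $kv.Key -Value $kv.Value -Type DWord
}

# 2. Encrypt: -RecoveryPassword adds a numerical recovery password, -StartupKey writes
#    the .BEK to the USB drive, -SkipHardwareTest avoids the extra reboot inside the TS.
& manage-bde.exe -on $OsDrive -RecoveryPassword -StartupKey $UsbDrive -SkipHardwareTest | Out-Null
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $OsDrive failed with exit code $LASTEXITCODE" }

# 3. Find the recovery password protector ID(s) and escrow them to AD. AD receives the
#    recovery password only; the .BEK on the USB key is not stored this way.
$ids = @()
$inRecovery = $false
foreach ($line in (& manage-bde.exe -protectors -get $OsDrive)) {
    if ($line -match 'Numerical Password:') { $inRecovery = $true; continue }
    if ($inRecovery -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
        $ids += $Matches[1]
        $inRecovery = $false
    }
}
if ($ids.Count -eq 0) { throw "No recovery password protector found on $OsDrive" }
foreach ($id in $ids) {
    & manage-bde.exe -protectors -adbackup $OsDrive -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "AD backup of protector $id failed with exit code $LASTEXITCODE" }
}

# 4. Print the protector and encryption state so it lands in smsts.log.
& manage-bde.exe -status $OsDrive
```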
  • 1. I can't really find anything useful on this either apart from Technet going over where you can and can't store the files. Perhaps others can comment?

    2. It would appear based on this information: https://technet.microsoft.com/en-us/library/ee449438(v=ws.10).aspx that you can't set a PIN or password with BitLocker with no TPM 1.2 chip. This post also talks about your query re: using a PIN with a USB startup key https://social.technet.microsoft.com/Forums/windows/en-US/9734801b-e30c-4fcf-848c-5dabdabc23f9/windows-7-bitlocker-using-startup-pin-and-usb-flash-drive-but-without-a-tpmhow?forum=w7itprosecurity

    3. It would appear that based on this information: https://social.technet.microsoft.com/Forums/windows/en-US/51aee765-d060-48a9-9fba-89120cd107d0/do-we-use-mbam-to-enable-bitlocker-on-a-machine-without-tpm-chip?forum=w7itprosecurity that you can't use MBAM on hardware with no TPM chip in conjunction with Windows 7.

    Monday, April 6, 2015 6:14 AM
  • Be aware that Windows 8 and 10 will support Bitlocker without TPM and USB key device. Only Windows 7 requires TPM.
    Monday, April 6, 2015 7:51 AM
  • Thanks for the information, we understand Windows 7 without a TPM does not support a PIN or password.

    We installed the MBAM Agent 5 days ago but when we try to recover the password in the IT Service Desk portal we get “Recovery key not found”, which suggests it's not in the MBAM database. We've checked all reg keys in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement and they look present and correct.

    Any ideas why this is not working? How can we add our machines with no TPM into MBAM please?

    Tuesday, April 7, 2015 1:04 PM
  • To enable BitLocker without a TPM and using a USB startup key, add a restart (into the normal operating system) entry at the end of your task sequence, and move the Enable BitLocker task sequence entry to the very end. The machine will complete OSD, restart into normal Windows and... assuming you've set up GPOs to allow the use of BitLocker without a TPM and plugged in a blank USB key prior to the restart... start BitLockering the main OS drive.
    Sunday, October 23, 2016 11:21 AM