Bitlocker with USB key instead of TPM - TPM Incompatible

  • Question

  • Hi,

    I have Bitlocker set up and running with MBAM. Generally it's working very well and I'm pleased with it. The machines with TPM chips have had encryption triggered through MBAM and those without have had it configured manually using a USB startup key.

    I have one problem machine though, an old Toshiba Tecra M5. This has a TPM 1.2 but from reading forums elsewhere apparently the BIOS predates Bitlocker and is not compatible. Toshiba haven't published an updated BIOS although they could be updated by returning them to a Toshiba service centre.

    Trying to enable Bitlocker with the TPM route fails then due to the BIOS problem. If I try to manually enable Bitlocker in the same way as I've done with the non-TPM machines it doesn't offer me the USB key option as it detects the TPM module. I've tried disabling the TPM in the BIOS and uninstalling it in Device Manager but it reappears after a reboot.

    Is there anything I can do to force Bitlocker to ignore the TPM and encrypt using a USB key instead?

    Thanks,

    Tim

    Wednesday, February 8, 2012 2:11 PM

All replies

  • Hi,

    Did you check if this computer can read from a USB device during the boot process?

    Did you enable the related settings?

    Please refer to the following information:

    Can I use BitLocker on an operating system drive without a TPM version 1.2?

    Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2, if the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.

    To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.

    To enable BitLocker on a computer without a TPM, you must enable the Require additional authentication at setup Group Policy setting, which is located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives. You must select the Allow BitLocker without a compatible TPM check box. After this setting is applied to the local computer, the non-TPM settings appear in the BitLocker setup wizard.

    See Can I use BitLocker on a computer without a TPM 1.2?

    Regards,

    Sabrina

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Thursday, February 9, 2012 3:23 AM
  • Hi Sabrina,

    Thanks - but I've done all that. Bitlocker is working with laptops without TPMs. The problem is that when you try to encrypt the C: drive, because it detects the TPM it doesn't offer the option of using a USB key.

    Tim

    Thursday, February 9, 2012 10:15 AM
  • Hi,

    What about configuring BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard to test this issue?

    See: Enabling BitLocker by Using the Command Line

    Also, you may try the script given in the following similar thread to test:

    http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/9734801b-e30c-4fcf-848c-5dabdabc23f9

    Regards,

    Sabrina

    • Marked as answer by Sabrina Shen Thursday, February 16, 2012 8:21 AM
    Friday, February 10, 2012 7:53 AM
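One way to try what the two replies above suggest, as an added example that is not from the original thread, from Microsoft's documentation, or from MBAM: apply the local registry equivalent of the "Require additional authentication at startup" policy with "Allow BitLocker without a compatible TPM" enabled, then turn BitLocker on with manage-bde, naming the protectors explicitly so the wizard's TPM detection never comes into play. The drive letters (C: for the OS drive, E: for the USB stick) are assumptions, as is the use of local policy values: on a domain- or MBAM-managed machine these keys are overwritten at the next policy refresh, so set the policy through the GPO there instead. The thread does not report whether this resolved the Tecra M5 case.

```powershell
# Added example (not from the thread or from Microsoft): enable BitLocker on
# the OS drive with a USB startup key and a recovery password, without a TPM
# protector, from an elevated PowerShell prompt.
# Assumptions: OS drive is C:, USB flash drive is E:. Adjust both.
$OsDrive  = 'C:'
$UsbDrive = 'E:\'

# 1. Local registry equivalent of the Group Policy setting
#    "Require additional authentication at startup" with
#    "Allow BitLocker without a compatible TPM" ticked (UseTPM* = 2 means
#    "Allow", the default the GPO editor writes). On a domain/MBAM-managed
#    machine, set this in the GPO instead; local values are overwritten
#    at the next policy refresh.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
foreach ($entry in @{
        UseAdvancedStartup = 1
        EnableBDEWithNoTPM = 1
        UseTPM             = 2
        UseTPMPIN          = 2
        UseTPMKey          = 2
        UseTPMKeyPIN       = 2
    }.GetEnumerator()) {
    New-ItemProperty -Path $fve -Name $entry.Key -Value $entry.Value `
        -PropertyType DWord -Force | Out-Null
}
gpupdate /force | Out-Null

# 2. Show the current state before touching anything.
manage-bde -status $OsDrive
manage-bde -protectors -get $OsDrive

# 3. Turn BitLocker on with an external-key (startup key) protector saved to
#    the USB drive plus a numerical recovery password. No -tpm option is
#    given, so no TPM protector is requested. manage-bde schedules its
#    hardware test by default: reboot with the USB stick inserted so it can
#    confirm the BIOS reads the key; encryption starts only after it passes.
manage-bde -on $OsDrive -StartupKey $UsbDrive -RecoveryPassword

# 4. The protectors exist as soon as -on returns. Confirm an External Key
#    protector is present and no TPM protector crept in, then record the
#    recovery password shown by -protectors -get somewhere safe.
$text = (manage-bde -protectors -get $OsDrive) -join "`n"
if ($text -match 'External Key' -and $text -notmatch 'TPM:') {
    Write-Host 'Startup-key protector present, no TPM protector: OK'
} else {
    Write-Warning 'Unexpected protector set; review the output above.'
}
manage-bde -status $OsDrive
```

If -on still fails on the Tecra, the error text from manage-bde is the thing to post back: unlike the wizard, it says which protector or policy check it tripped over.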
  • Hi,

    How are you? I would appreciate it if you could drop me a note to let me know the status of the issue. If you have any questions or concerns, please feel free to let me know. I am happy to be of further assistance.

    Regards,

    Sabrina

    Wednesday, February 15, 2012 6:52 AM
    I've noticed this exact same issue with my (older) desktop PC at home, now upgraded to Windows 8.1 from Windows 7. It has a TPM 1.2 module, and I've enabled that via the BIOS, but BitLocker balks at it every time I start the wizard, without providing the option for a USB key.

    Did you ever come up with a solution to that issue?

    P.S. - I've tried enabling it from the command line as well, though I get errors re: the TPM there as well.
    • Edited by BackScatter Wednesday, November 27, 2013 7:21 PM
    Wednesday, November 27, 2013 7:17 PM