Security, Windows knowhow

Windows: Enable Bitlocker without a TPM module

Leave a comment

Hi,

by default Bitlocker could only activated when a TPM chip is physically present.

If you want to use Bitlocker without a TPM module you must change your (local) policy. Open the Group Policy Object Editor (gpedit.msc), navigate to


-Computer Configration
   -Administrative Templates
     -Windows Components
       -BitLocker Drive Encryption

and enable “Require additional authentication at startup”  and “Allow Bitlocker without a compatible TPM”

Bitlocker Disable TPM
Bitlocker Disable TPM

Ensure you have a USB Flash Drive and you have a BIOS which support Legacy USB Massstorage devices. After encrpytion the USB Flash drive is requiered each time you startup Windows. The Bitlocker startupkey will be stored there. The StartupKey is mandatory for TPM less systems.

To encrypt Drive C: enter the option -sk should to the drive letter your USB flash device. SAVE THE RECOVERY PASSWORD!!!


C:\>manage-bde -on C: -rp -sk F:\
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]
Key Protectors Added:

    Saved to directory D:\

    External Key:
      ID: {A47479D5-6CB6-4417-AC40-7CE7F4B83D96}
      External Key File Name:
        A47479D5-6CB6-4417-AC40-7CE7F4B83D96.BEK

    Numerical Password:
      ID: {D58458E8-8881-41B3-B8D4-658A9F8DD6B8}
      Password:
        147653-426206-701393-184690-431750-716353-012771-023639

ACTIONS REQUIRED:

    1. Save this numerical recovery password in a secure location away from
    your computer:

    147653-426206-701393-184690-431750-716353-012771-023639

    To prevent data loss, save this password immediately. This password helps
    ensure that you can unlock the encrypted volume.

    2. Insert a USB flash drive with an external key file into the computer.

    3. Restart the computer to run a hardware test.
    (Type "shutdown /?" for command line instructions.)

    4. Type "manage-bde -status" to check if the hardware test succeeded.

NOTE: Encryption will begin after the hardware test succeeds.

Reboot your System and check if hardware test passed successfully.


C:\Users\user>manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]

    Size:                 40,00 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 17%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        External Key
        Numerical Password

Michael

Advertisment to support michlstechblog.info

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.