Windows 10: Bitlocker/TPM/Group Policy Settings

Discuss and support Bitlocker/TPM/Group Policy Settings in AntiVirus, Firewalls and System Security to solve the problem; I am looking at how to configure the combination of the three technologies mentioned above to achieve the following goals. Encrypt OS Drive with bit... Discussion in 'AntiVirus, Firewalls and System Security' started by Dj Dimick, Feb 11, 2021.

  1. Dj Dimick Win User

    Bitlocker/TPM/Group Policy Settings


    I am looking at how to configure the combination of the three technologies mentioned above to achieve the following goals.

    1. Encrypt the OS drive with BitLocker using PINs as well as a Recovery Key as a backup; this has been done.
    2. When the PIN is typed in incorrectly too many times, it locks out the user until they get the Recovery Key from us in IT.
    3. I also do not want them to be able to skip the drive and get into other options that would make things complicated.


    We are currently using Sophos to manage most of our Bitlockered devices, but this is becoming a major problem most of the time. We are working toward migrating to managing the Bitlocker information ourselves in Active Directory.


    Any help would be much appreciated.

    :)
     
    Dj Dimick, Feb 11, 2021
    #1
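    As an added example that is not part of the thread (and not Sophos or Microsoft code), the following PowerShell script does on a single machine what goals 1 and 2 above describe: it adds a TPM+PIN protector and a recovery password to the OS drive, escrows the recovery password to the computer object in AD DS, and reports the TPM's own lockout counters, which are what decide how many wrong PINs are tolerated before recovery is forced. The mount point, the use of XTS-AES-256, an AD schema that already contains the BitLocker recovery attributes, and a recovery policy that permits AD backup are all assumptions; run it in an elevated session.

```powershell
# Added example, not from the thread. Enables BitLocker on the OS drive with a
# TPM+PIN protector plus a recovery password, escrows the recovery password to
# AD DS, and shows the TPM anti-hammering (lockout) state.
# Assumptions: TPM present and ready; AD schema extended for BitLocker recovery
# information; the "Choose how BitLocker-protected operating system drives can be
# recovered" policy allows backup to AD DS; script runs elevated.
#Requires -RunAsAdministrator

$MountPoint = 'C:'   # assumed OS volume

# 1. Check the TPM. LockoutCount/LockoutMax are the TPM's dictionary-attack
#    counters: once LockoutCount reaches LockoutMax the PIN is refused and the
#    user needs the recovery password from IT (goal 2).
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw 'TPM is not present or not ready; a TPM+PIN protector cannot be used.'
}
"TPM locked out: $($tpm.LockedOut)  failed attempts: $($tpm.LockoutCount)/$($tpm.LockoutMax)"

# 2. Take the pre-boot PIN as a SecureString; never embed it in a script.
$pin = Read-Host -Prompt 'Pre-boot PIN' -AsSecureString

# 3. Add the protectors (goal 1). The recovery password is the helpdesk fallback.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Fresh volume: turn encryption on with TPM+PIN as the first protector.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -SkipHardwareTest
} elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
    # Already encrypted (e.g. TPM-only): add the PIN-backed protector.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
}
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

# 4. Escrow every recovery password to AD DS so IT can look it up later.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
}

# 5. Report what now protects the drive.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

    Once a TPM-only protector is no longer wanted, it can be removed with Remove-BitLockerKeyProtector after the TpmPin protector is confirmed present, otherwise a drive could still boot without a PIN. Verifying the escrow in AD (the msFVE-RecoveryInformation objects under the computer account) before removing any other recovery path is the check a practitioner would want.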
  2. Yan.S Win User

    Bitlocker without TPM

    Hi there,

    I'm trying to use Bitlocker without TPM

    My version is Windows 10 Home, and I try to follow -

    To turn on BitLocker Drive Encryption on a computer without a compatible TPM



    1. Click Start, type gpedit.msc in the Start Search box, and then press ENTER.
    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    3. In the Local Group Policy Editor console tree, click Local Computer Policy, click Administrative Templates, click Windows Components, and then click BitLocker Drive Encryption.
    4. Double-click the setting Control Panel Setup: Enable Advanced Startup Options.
    5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and then click OK.
    You have changed the policy setting so that you can use a startup key instead of a TPM.

    1. Close the Local Group Policy Editor.
    2. To force Group Policy to apply immediately, you can click Start, type gpupdate.exe /force in the Start Search box, and then press ENTER.
    3. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.
    4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    5. On the BitLocker Drive Encryption page, click Turn On BitLocker. This will only appear with the operating system volume.
    6. On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every startup option. This is the only option available for non-TPM configurations. This key must be inserted each time before you start the computer.
    7. Insert your USB flash drive in the computer, if it is not already there.
    8. On the Save your Startup Key page, choose the location of your USB flash drive, and then click Save.
    9. On the Save the recovery password page, you will see the following options:
    · Save the password on a USB drive. Saves the password to a USB flash drive.

    · Save the password in a folder. Saves the password to a folder on a network drive or other location.

    · Print the password. Prints the password

    However, I have a problem at step 4.

    Double-click the setting Control Panel Setup: Enable Advanced Startup Options.

    I can find "BitLocker Drive Encryption" on my group policy editor, while I cannot find
    Control Panel Setup: Enable Advanced Startup Options anywhere.

    Thank you for your help.

    Best Regards,

    Yan
     
    Yan.S, Feb 11, 2021
    #2
  3. 3lectr0 Win User
    BitLocker TPM Group Policy difference between Allow and Require

    Hello,

    could somebody please explain the differences between "Allow" and "Require" for
    EACH of these BitLocker Group Policy options:

    1. Configure TPM startup: "Allow TPM" vs "Require TPM"
    2. Configure TPM startup PIN: "Allow startup PIN with TPM" vs "Require startup PIN with TPM"
    3. Configure TPM startup key: "Allow startup key with TPM" vs "Require startup key with TPM"
    4. Configure TPM startup key and PIN: "Allow startup key and PIN with TPM" vs "Require startup key and PIN with TPM"


    [Attachment: screenshot of the BitLocker Group Policy options (image not available)]


    Help is very appreciated!
     
    3lectr0, Feb 11, 2021
    #3
  4. warren982 Win User

    Bitlocker/TPM/Group Policy Settings

    How to set up BitLocker on a pc without TPM

    I found the following instructions and they work:

    "Thank you for being a part of Windows 10 Technical Preview testing.

    You can use Bit locker in Windows 10 without TPM. I would suggest you to try the following steps.

    How to Configure Computer to Enable BitLocker without Compatible TPM:

    Administrators must follow the steps below to configure their Windows 8 computers to allow enabling Bit Locker Drive Encryption without compatible TPM:

    a. Log on to Windows 10 computer with the account that has administrative privileges.

    b. Assuming that the computer has been configured to display classic start menu, click Start and at the bottom of the menu in search box type GPEDIT.MSC command and press enter key.

    c. On the opened Local Group Policy Editor snap-in from the left pane expand Computer Configuration > Administrative Templates > Windows Components > Bit Locker Drive Encryption and from the expanded list click to select Operating System Devices.

    d. From the right pane double-click “Require additional authentication at startup”.

    e. On the opened box click to select Enabled radio button and ensure that under Options section Allow Bit Locker without a compatible TPM checkbox is checked.

    f. Once done, click Ok button to allow the changes to take effect and close Local Group Policy Editor snap-in."

    I never could have set up Bitlocker without this.
     
    warren982, Feb 11, 2021
    #4
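    The four posts above all turn on the same Group Policy setting, "Require additional authentication at startup", which a GPO (or gpedit.msc) stores as DWORD values under HKLM\SOFTWARE\Policies\Microsoft\FVE. As an added example that is not from the thread, the PowerShell below reads those values back and decodes the Allow/Require/Do not allow choice that post #3 asks about, sets the TPM+PIN-required combination that post #1 is after, and sets the "Allow BitLocker without a compatible TPM" checkbox that posts #2 and #4 need (useful on Windows 10 Home, which has no gpedit.msc). The registry path and value names are the documented policy locations; that no domain GPO will overwrite them on the next refresh, and that the script runs elevated, are assumptions.

```powershell
# Added example, not from the thread. Inspects and sets the registry values behind
# "Require additional authentication at startup" (Computer Configuration >
# Administrative Templates > Windows Components > BitLocker Drive Encryption >
# Operating System Drives). Assumption: no domain GPO overrides these values.
#Requires -RunAsAdministrator

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Each option is a DWORD with the same encoding: 0 = Do not allow, 1 = Require, 2 = Allow.
# "Allow" means the protector may be chosen when enabling BitLocker; "Require" means it
# is the only startup method accepted; "Do not allow" blocks it. Only one option should
# be set to Require, otherwise Windows reports the startup settings as in conflict.
$Meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
$Options = [ordered]@{
    UseTPM       = 'Configure TPM startup (TPM only)'
    UseTPMPIN    = 'Configure TPM startup PIN'
    UseTPMKey    = 'Configure TPM startup key'
    UseTPMKeyPIN = 'Configure TPM startup key and PIN'
}

function Show-BitLockerStartupPolicy {
    if (-not (Test-Path $FvePolicy)) { 'Policy not configured (no FVE key).'; return }
    $p = Get-ItemProperty -Path $FvePolicy
    "Policy enabled (UseAdvancedStartup): $($p.UseAdvancedStartup -eq 1)"
    "Allow BitLocker without a compatible TPM: $($p.EnableBDEWithNoTPM -eq 1)"
    foreach ($name in $Options.Keys) {
        $v = $p.$name
        $text = if ($null -eq $v) { 'not set' } else { $Meaning[[int]$v] }
        '{0,-40} {1}' -f $Options[$name], $text
    }
}

function Set-FvePolicyValues([hashtable]$values) {
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    foreach ($kv in $values.GetEnumerator()) {
        New-ItemProperty -Path $FvePolicy -Name $kv.Key -Value $kv.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

# Post #1's goal: a PIN is mandatory at boot. TPM-only unlock is set to "Do not allow"
# so a drive can never be protected by the TPM alone; the PIN option is the single
# "Require"; startup-key variants are blocked.
function Set-BitLockerRequireTpmPin {
    Set-FvePolicyValues @{
        UseAdvancedStartup = 1   # setting Enabled
        EnableBDEWithNoTPM = 0   # "Allow BitLocker without a compatible TPM" unchecked
        UseTPM             = 0   # Do not allow TPM (TPM-only)
        UseTPMPIN          = 1   # Require startup PIN with TPM
        UseTPMKey          = 0   # Do not allow startup key with TPM
        UseTPMKeyPIN       = 0   # Do not allow startup key and PIN with TPM
    }
}

# Posts #2 and #4: a machine with no TPM needs the checkbox on; the OS drive can then
# be protected with a startup key (USB) instead of the TPM.
function Set-BitLockerAllowNoTpm {
    Set-FvePolicyValues @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1 }
}

Show-BitLockerStartupPolicy
```

    After changing the values run gpupdate /force (or reboot) and confirm with Get-BitLockerVolume that the protectors on the drive match the policy; a drive still carrying a TPM-only protector is not made safer by the policy alone, because the policy governs what can be added, not what is already there.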