Windows 10: Bitlocker with TPM

Hi , I,m not sure if this is the right place to post this .

Anyway , My query is about encryption on win10 pro .

Previously I had a laptop with no TPM so I had to us the group policy editor to allow encryption to work , fine ,all was working and I had to type a password to unlock bilocker when my laptop came out of hibernation or rebooted .

I now have a laptop with a TPM which seems much easier and apparently more secure but here,s what,s bothering me : I do not need to type a password on start up or coming out of hibernation to unlock the drive so just say someone stole my laptop . they would be able to get into the OS and files even though its encrypted . I do have a PIN to sign in to windows but just say I only wanted to use a local account with no PIN or password how useful is having my laptop encrypted .
What then is the main reason for using encryption ?

Sorry if I've confused anyone or my explanation isn't so clear .

:)

 

BitLocker On TPM ver 2.0

Hey all.

I hope that i'm asking this at the right area of this Forum.

I have a DELL Latitude 5480 with Win10 pro on it.

After enabling BitLocker, BitLocker asking for a recovery key on every reboot.

I've found that BitLocker cannot work properly with TPM ver 2.0, (Dell Latitude 5480 comes with TPM version 2.0).

After downgrading TPM, from ver 2.0 to ver 1.2, BitLocker works smoothly.

Any solution for BitLocker on TPM ver2.0?

Thank in advance.

 

Bitlocker with TPM installed

Hi! I was able to encrypt my system drive with bitlocker with TPM.

Now I'm trying to use bitlocker to my other data drives but bitlocker can't use TPM.

Any help?

 

With your need for encryption why on earth would you even consider leaving open your local account without a pin or password?
It defeats the object of securing your computer.....locking the front door but leaving the back door open.

 

That's the answer I deserved with a post like that . I always use a password or pin to log in to windows . I just liked it better when I had to also use a password to unlock the drive . I have nothing even so sensitive to warrant encryption I use it because I can.

 

It takes a special kind of person to reply as you have, and a wise one at that....regards .

 

TAMO,
you are NOT wrong in what you want to do. TPM is SUPPOSED to protect this stuff. BUT, I have a samsung tabPro S (windows), and have even written to samsung PRESIDENT in s. Korea, and no reply. They institute this stuff, and then never have details about it.

You ARE correct that RELYING solely on the TPM is problematic. BUT, you CoULD edit the group policy for Bitlocker and allow a PIN; you then get protection of "TPM plus PIN", which requires that PIN for ANY windows boot-up, including hibernation (I have my notebooks set up for TPM plus PIN). You THEN could leave the actual windows user as not requiring a password (first, test to verify)

HOWEVER (and again, I may post a more detailed thread on this question), your machine may have an actual BIOS ADMINISTRATOR PASSWORD. From my understandings from SOME threads (although still not clear), this BIOS ADMINISTRATOR PASSWORD is controlled by TPM also.

In my scenario (I am not totally comfortable with it yet), I start the tablet (the samsung), and ON-screen keyboard comes up, and I can enter the BIOS ADMINISTRATOR PASSWORD. If this is NOT entered corectly, it shuts down. IF it IS entered corectly, then Boot-up continues, Bitlocker unlocks (its key is stored with the TPM), and it boots up to my Username/p[assword for windows.
I DID WANT to have "bitlocker PLUS PIN", but the problem with the samsung is that the On-screen keyboard does NOT work for Bitlocker, it only works for the BIOS ADMINISTRATOR PASSWORD. REPEATED requests to samsung have been fruitless for an answer about the on-screen keyboard.

In the above scenario, if someone STOLE the computer, lets assume they can't break the BIOS ADMINISTRATOR PASSWORD. if they got to the BIOS, and somehow CLEARED the TPM, then the Bitlocker key gets wiped out, and bitlocker owuld need entry of the 46-character actual recovery key.

Anyway, for your situation, explore the BIOS ADMINISTRATOR PASSWORD, and the GPEDIT.msc (group policy) to allow Bitlocker to have a PIN.

hope this helps