Windows 10: BitLocker without TPM but using a flash drive - doesn't need flash to boot.

I'm trying to understand how full-disk bitlocker works as I intend deploying it on a number of PCs, not all of which have a TPM. I enabled bitlocker on a windows 10 laptop which does have a TPM but I elected not to use it. Instead, I saved the key to a USB flash drive. My expectation was that if I attempted to reboot the laptop without the flash drive, it would fail but in fact, it boots as normal. I've tried several times, even removing the battery. So does bitlocker give any protection if there is no TPM?

:)

 

Bitlocker: using with TPM and without TPM via USB flash drive authentication

Hi everybody.

I need to use Bitlocker on several Windows 10 computers, all without TPM but one.

On this one when I try to save the key to my Microsoft account I'm returned an error.

I can save the key to file instead.

How to fix this?

Regarding computers without TPM I would understand how Bitlocker works using USB flash drive authentication and if, in case of hardware fault, data on hard drive can bbw recovered moving hard drive and USB flash drive to other computer.

Thanks and best regards.

 

Bitlocker without TPM

Hi there,

I'm trying to use Bitlocker without TPM

My version is Windows 10 Home, and I try to follow -

To turn on BitLocker Drive Encryption on a computer without a compatible TPM

1. Click Start, type gpedit.mscin the Start Search box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. In the Local Group Policy Editor console tree, click Local Computer Policy, click Administrative Templates, click Windows Components, and then clickBitLocker Drive Encryption.
4. Double-click the setting Control Panel Setup: Enable Advanced Startup Options.
5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and then click OK.

You have changed the policy setting so that you can use a startup key instead of a TPM.

1. Close the Local Group Policy Editor.
2. To force Group Policy to apply immediately, you can click Start, typegpupdate.exe /forcein the Start Search box, and then press ENTER.
3. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.
4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
5. On the BitLocker Drive Encryption page, click Turn On BitLocker. This will only appear with the operating system volume.
6. On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every startup option. This is the only option available for non-TPM configurations. This key must be inserted each time before you start
   the computer.
7. Insert your USB flash drive in the computer, if it is not already there.
8. On the Save your Startup Key page, choose the location of your USB flash drive, and then click Save.
9. On the Save the recovery password page, you will see the following options:

· Save the password on a USB drive. Saves the password to a USB flash drive.

· Save the password in a folder. Saves the password to a folder on a network drive or other location.

· Print the password. Prints the password

While I have a problem on step 4.

Double-click the setting Control Panel Setup: Enable Advanced Startup Options.

I can find "BitLocker Drive Encryption" on my group policy editor, while I cannot find
Control Panel Setup: Enable Advanced Startup Options anywhere.

Thank you for your help.

Best Regards,

Yan

 

Windows 10 Bitlocker - install TPM

My Win 10 Pro system drive is already Bitlocker encrypted without a TPM chip on my motherboard.

If I now install a TPM on the motherboard, will Bitlocker make use of it? How do I enable it?

(I want to boot-up without the USB flash drive containing the Start up key.)

Thanks, --Dave