Windows 10: Having an issue with a customer trying to enable Bitlocker with MECM on a device with a TPM...

Discussion in 'AntiVirus, Firewalls and System Security' started by Clifton Hughes_MS, Dec 23, 2022.

  1. Having an issue with a customer trying to enable Bitlocker with MECM on a device with a TPM...


    Having an issue with a customer trying to enable BitLocker with Microsoft Endpoint Configuration Manager on a device with a TPM disabled. They are limited because these are Chinese devices with a TPM, but due to some legal restriction they have to have the TPM disabled, and they still need to enable BitLocker. They are attempting to use the BitLocker management setting to allow BitLocker without a compatible TPM. This seems to only work for devices that truly have no TPM, but does not seem to work for a device with the TPM disabled. Can you confirm whether this is expected behavior or not? Thanks!

    :)
     
    Clifton Hughes_MS, Dec 23, 2022
    #1
  2. Nikhar_K Win User

    Error: This device cannot use a Trusted Platform Module, when enabling Bitlocker

    Hi,



    Thank you for writing to Microsoft Community Forums.



    I understand that you receive an error when enabling Bitlocker on your computer.



    Ideally, Bitlocker requires a compatible TPM (Trusted Platform Module) on the computer to store the encryption keys. The TPM helps in unlocking the drive when the computer boots so that you can sign in to the computer just using the Windows login password.



    However, if you are doing this on your personal computer, we can try to use Bitlocker without a TPM by changing certain Group Policy settings.



    Refer to the steps mentioned below:



    1. Press Windows Logo key + R to open the Run dialog box.
    2. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
    3. Now, on the right pane, double click on Require additional authentication at startup.
    4. Select Enabled and ensure that the checkbox for Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) is selected.
    5. Click on OK to save the settings.
    6. Restart the computer and try enabling Bitlocker.


    If the issue persists, we do have a dedicated forum for issues concerning BitLocker and Group Policy. Let me point you in the right direction, where you may get further assistance if the issue persists. I would suggest that you post your query in the TechNet forums, where we have support professionals to address your query.



    Regards,

    Nikhar Khare

    Microsoft Community - Moderator
     
    Nikhar_K, Dec 23, 2022
    #2
  3. Yan.S Win User
    Bitlocker without TPM

    Hi there,

    I'm trying to use Bitlocker without TPM

    My version is Windows 10 Home, and I try to follow -

    To turn on BitLocker Drive Encryption on a computer without a compatible TPM



    1. Click Start, type gpedit.msc in the Start Search box, and then press ENTER.
    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    3. In the Local Group Policy Editor console tree, click Local Computer Policy, click Administrative Templates, click Windows Components, and then click BitLocker Drive Encryption.
    4. Double-click the setting Control Panel Setup: Enable Advanced Startup Options.
    5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and then click OK.
    You have changed the policy setting so that you can use a startup key instead of a TPM.

    1. Close the Local Group Policy Editor.
    2. To force Group Policy to apply immediately, you can click Start, type gpupdate.exe /force in the Start Search box, and then press ENTER.
    3. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.
    4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    5. On the BitLocker Drive Encryption page, click Turn On BitLocker. This will only appear with the operating system volume.
    6. On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every startup option. This is the only option available for non-TPM configurations. This key must be inserted each time before you start the computer.
    7. Insert your USB flash drive in the computer, if it is not already there.
    8. On the Save your Startup Key page, choose the location of your USB flash drive, and then click Save.
    9. On the Save the recovery password page, you will see the following options:
    · Save the password on a USB drive. Saves the password to a USB flash drive.

    · Save the password in a folder. Saves the password to a folder on a network drive or other location.

    · Print the password. Prints the password

    While I have a problem on step 4.

    Double-click the setting Control Panel Setup: Enable Advanced Startup Options.

    I can find "BitLocker Drive Encryption" on my group policy editor, while I cannot find Control Panel Setup: Enable Advanced Startup Options anywhere.

    Thank you for your help.

    Best Regards,

    Yan
     
    Yan.S, Dec 23, 2022
    #3
  4. Having an issue with a customer trying to enable Bitlocker with MECM on a device with a TPM...

    BitLocker refuses to enable

    Windows 10 Pro on Dell Optiplex 5040

    Domain-joined

    No TPM

    I have tried repeatedly to enable BitLocker on this machine and all attempts have failed. The majority of suggestions point me to gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup (and be sure "Allow BitLocker without a compatible TPM" option is checked). The option is checked and the GPO enabled, however, I still receive the error "This device can't use a Trusted Platform Module. Your administrator must set the "Allow BitLocker without a compatible TPM" option in the "Require additional authentication at startup" policy for OS volumes."

    We don't have any other computers with this issue, though, to be fair, this is one of the only computers without TPM. What else can be done?
     
    Matthew Wallace PS, Dec 23, 2022
    #4
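
An added example, not part of the original thread: a PowerShell check, run from an elevated prompt, that reads the values the "Require additional authentication at startup" policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and sets them beside the TPM state Windows reports. The function name, state labels and output layout are this example's own assumptions.

```powershell
# Added diagnostic (not from the thread). Run in an elevated PowerShell session.
# Shows whether the policy has actually reached this machine's registry; on a
# domain-joined machine a domain GPO takes precedence over local policy.
$fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $fvePath -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$useAdvancedStartup = Get-FvePolicyValue -Name 'UseAdvancedStartup'  # 1 = policy Enabled
$enableNoTpm        = Get-FvePolicyValue -Name 'EnableBDEWithNoTPM'  # 1 = checkbox selected

# Get-Tpm can throw when no TPM device is exposed to Windows; treat as not present.
try   { $tpm = Get-Tpm -ErrorAction Stop }
catch { $tpm = $null }

if ($null -eq $tpm -or -not $tpm.TpmPresent) {
    $tpmState = 'NotPresent'          # label chosen for this example
} elseif (-not $tpm.TpmReady) {
    $tpmState = 'PresentNotReady'     # device visible to Windows but not usable
} else {
    $tpmState = 'Ready'
}

# Current state of the operating system volume, if the BitLocker module is available.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

[pscustomobject]@{
    PolicyEnabled     = ($useAdvancedStartup -eq 1)
    AllowWithoutTpm   = ($enableNoTpm -eq 1)
    TpmState          = $tpmState
    VolumeStatus      = $os.VolumeStatus
    ProtectionStatus  = $os.ProtectionStatus
    KeyProtectorTypes = ($os.KeyProtector.KeyProtectorType -join ', ')
} | Format-List

if ($tpmState -ne 'Ready' -and $enableNoTpm -ne 1) {
    Write-Warning 'No usable TPM, and "Allow BitLocker without a compatible TPM" is not applied in the registry of this machine.'
}
```

A `TpmState` of `PresentNotReady` together with `AllowWithoutTpm = True` is the combination to record when reporting the disabled-TPM case described in post #1.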