Windows 10: Windows 10 BitLocker w/ TPM-Only authentication

Discussion in 'AntiVirus, Firewalls and System Security' started by DavidVersteeg, Jul 17, 2018.

  1. Windows 10 BitLocker w/ TPM-Only authentication


    I recently installed Windows 10 on a new computer I built. I then decided to encrypt my drives, so I installed a TPM on my motherboard. It is enabled in BIOS and properly recognized in Windows' Device Manager. However, when I tried to encrypt my OS drive, things didn't go as simply as hoped.


    At first, when I clicked to turn on BitLocker on the drive, it gave me an error saying 'The startup options on this PC are not configured correctly'. After an online search, I was able to get past this by changing the 'Computer Administration\Administrative Template\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup' settings in gpedit. I just had to enable the policy and uncheck the 'Allow BitLocker without a compatible TPM' and the BitLocker setup wizard allowed me to continue. The first thing it asked me for was to insert a removable USB flash drive to save a startup key to. After doing so, I completed the wizard and restarted the computer.


    After the restart I got a message regarding something about automatically unlocking (I cannot recall the exact message), but another online search found that this could be remedied by changing some settings in my BIOS to enable booting from USB. After doing so, I went through the BitLocker wizard again and this time I was able to encrypt my OS drive.


    The issue is that it required me to have the USB drive with the key in it during boot. What I want, however, is a TPM-only authentication. I just cannot figure out how to do this. I went through various setting changes while the drive was encrypted, but to no avail, so I decrypted the drive to see if I missed something in the setup wizard. I had a couple more runs trying different settings in the gpedit, but nothing yielded the result I'm looking for. When I change 'Configure TPM startup' to 'Require TPM' in the aforementioned 'Require additional authentication on startup' policy, the BitLocker wizard prompts me with the message that 'The Group Policy settings for BitLocker startup options are in conflict and cannot be applied.'

    The TPM Management Tool gives me the status that 'The TPM is ready for use, with reduced functionality. Information Flags: 0x80000'.


    What am I doing wrong? How can I get my OS drive encrypted with TPM-only authorization?


    Thanks in advance.


    Additional system details:

    Windows 10 Pro Build 1803

    OS Drive file system: NTFS

    :)
     
    DavidVersteeg, Jul 17, 2018
    #1
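
A read-only check for the policy conflict described in the post above, as an added example that is not part of the thread. It assumes the policy is stored as DWORD values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` and that requiring one startup option means the other three must be 'Do not allow'; the function name `Test-BdeStartupPolicy` and the sample values are constructed for illustration.

```powershell
# Added example (not from the thread). Value meaning for the four Use* entries
# under the FVE policy key: 0 = Do not allow, 1 = Require, 2 = Allow.
function Test-BdeStartupPolicy {
    param([hashtable]$Policy)

    $names  = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
    $labels = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
    $issues = @()

    foreach ($n in $names) {
        $v = $Policy[$n]
        $state = if ($null -eq $v) { 'not set' } else { $labels[[int]$v] }
        Write-Host ('{0,-13} {1}' -f $n, $state)
    }

    $required = @($names | Where-Object { $Policy[$_] -eq 1 })
    if ($required.Count -gt 1) {
        $issues += "More than one option is set to Require: $($required -join ', ')"
    }
    if ($required.Count -ge 1) {
        # Assumed rule: once one option is required, the rest must be 'Do not allow'.
        $open = @($names | Where-Object { $_ -notin $required -and $Policy[$_] -ne 0 })
        if ($open.Count -gt 0) {
            $issues += "Not set to 'Do not allow' while $($required[0]) is required: $($open -join ', ')"
        }
    }
    $issues
}

# Constructed sample: 'Configure TPM startup' = Require, the other three left at Allow.
$sample = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0; UseTPM = 1
             UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2 }
Test-BdeStartupPolicy -Policy $sample | ForEach-Object { Write-Warning $_ }

# On a live system (elevated prompt), evaluate the real policy key instead.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $key) {
    $live = @{}
    (Get-ItemProperty $key).PSObject.Properties | ForEach-Object { $live[$_.Name] = $_.Value }
    Test-BdeStartupPolicy -Policy $live | ForEach-Object { Write-Warning $_ }
    Get-Tpm | Select-Object TpmPresent, TpmReady
    (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
        Select-Object KeyProtectorType
}
```

The last two commands show whether Windows reports the TPM as ready and which key protectors the OS volume currently has.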
  2. RJO218 Win User

    Bitlocker without TPM available with Windows 10 upgrade?

    All PCs at my small business are currently using Windows 8.1 Pro. We are using BitLocker without TPM. Will BitLocker w/o TPM be available with the Windows 10 upgrade?
     
    RJO218, Jul 17, 2018
    #2
  3. Bitlocker TPM only authentication question

    I have Windows 10 Pro systems and I am testing out BitLocker with TPM only, no PIN. Is the drive encrypted still before I put in my Windows password? I ask this because I wonder if the drive is still susceptible to any password reset tricks, such as changing the accessibility program to command prompt, which can give them access to change the password? What if this OS encrypted drive was set up as a slave on this machine from which it was encrypted, would the TPM authenticate it and allow it to be read? Curious.
     
    BobBoklewski, Jul 17, 2018
    #3
  4. Windows 10 BitLocker w/ TPM-Only authentication

    Bitlocker in Windows 10 without TPM

    Thanks. I tried this and only got so far.

    Administrative Templates>Windows Components.

    After that, there is no option for "Bit Locker Drive Encryption", so I can't follow the steps from there.

    I am trying to install BitLocker on a Windows 10 Pro laptop. The error message I get is: "This device can't use a Trusted Platform Module. Your administrator must set the "Allow BitLocker without a compatible TPM" option in the "Required additional authentication at startup" policy for OS volumes."

    Under TPM Authorization it says "Compatible Trusted Module cannot be found on this computer. Verify that this computer has a 1.2 TPM or later and it is turned on in the BIOS"

    Please help. Bitlocker is the only reason I paid to upgrade to win 10 pro.
     
    windowsatemysoul, Jul 17, 2018
    #4