Windows 8 : Managing BitLocker and other policy-based mobility tools (part 3) - Managing BitLocker at the command line

Using BitLocker on computers without TPM

Although the Trusted Platform Module (TPM) is present on an increasing number of devices to aid with security, there are still devices in use today that do not use TPM technology. Because Windows 8 can operate on hardware that might have been provisioned for earlier versions of Windows, organizations might not purchase new laptops or, if they do purchase new laptops, they might be smaller, more portable units that do not support TPM.

In these cases, BitLocker encryption can still be used to keep the information stored on mobile devices secure. The encryption key information for a BitLocker-encrypted drive is then stored on startup key storage.

Startup key storage is a storage device, usually a USB flash device, that stores the encryption key for the BitLocker configuration on a device. When the computer starts, the process asks for the USB key containing the BitLocker encryption key. After the key is provided, the computer continues to start.

To enable BitLocker on a computer without TPM, complete the following steps:

  1. Launch the Local Group Policy Editor by searching for gpedit.msc on the Start screen or typing gpedit.msc in the Run dialog box (Windows logo key+R).

  2. Expand the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption path.

  3. Select Operating System Drives.

  4. Press and hold or right-click Require Additional Authentication At Startup.

  5. Select Enabled.

  6. Select Allow BitLocker Without A Compatible TPM.

  7. Tap or click OK to save the changes.

Important

DOCUMENT THE CHANGES

When modifying policies such as BitLocker, it is helpful to add a comment about what has been done and the reason for the change. Since the release of Windows 7, comments have been visible when searching for policy objects. A short description can be helpful when looking for objects that have been modified.

After the settings in local Group Policy have been adjusted to allow the use of a startup key, computers without the option of TPM will be able to encrypt drives. When the policy is configured, the default options for the Group Policy Object (GPO) also enable the use of TPM, as shown in Figure 2. The settings do not disable it; they just allow the encryption key to be stored elsewhere.

Figure 2. Configuring BitLocker to run on a device without TPM
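
The result of the steps above can be checked and used from PowerShell. The following is an added example, not code from the original article: it reads the registry values written by the Require Additional Authentication At Startup policy, then protects the operating system drive with a startup key. The drive letter E: and the function name Test-NoTpmPolicy are assumptions.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on Windows 8 or later.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$osDrive   = $env:SystemDrive   # normally C:
$keyDrive  = 'E:'               # assumption: drive letter of the USB flash drive

function Test-NoTpmPolicy {
    # Hypothetical helper name.
    # Step 5 (Enabled)                               -> UseAdvancedStartup = 1
    # Step 6 (Allow BitLocker Without A Compatible TPM) -> EnableBDEWithNoTPM = 1
    $p = Get-ItemProperty -Path $fvePolicy -ErrorAction SilentlyContinue
    return (($p.UseAdvancedStartup -eq 1) -and ($p.EnableBDEWithNoTPM -eq 1))
}

if (-not (Test-NoTpmPolicy)) {
    throw "Policy 'Allow BitLocker Without A Compatible TPM' is not in effect."
}
if (-not (Test-Path "$keyDrive\")) {
    throw "Startup key drive $keyDrive is not attached."
}

# Write the startup key (an ExternalKey protector) to the USB drive and
# turn on BitLocker for the operating system drive.
Enable-BitLocker -MountPoint $osDrive -StartupKeyProtector -StartupKeyPath "$keyDrive\"

# Assumption beyond the article: add a recovery password so the drive can
# still be unlocked if the USB device is lost. Store it away from the computer.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector

# Confirm which protectors now guard the volume.
(Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```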

Using BitLocker on removable media (BitLocker To Go)

Just as BitLocker for built-in drives enables data to be encrypted, BitLocker To Go focuses on removable media and encrypting data stored there. When BitLocker To Go is enabled, the entire volume is encrypted, and one key is stored on the removable media. The other portion of the pair is a password known to whoever encrypted the drive. When the drive is inserted into a computer that supports BitLocker, a password prompt appears to allow the drive to be unlocked.

Windows 8 includes the following policy settings for BitLocker for removable drives:

  • Control Use Of BitLocker On Removable Drives

  • Configure Use Of Smart Cards On Removable Data Drives

  • Deny Write Access To Removable Drives Not Protected By BitLocker

  • Configure Use Of Hardware-Based Encryption For Removable Media

  • Enforce Drive Encryption Type On Removable Data Drives

  • Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows

  • Configure Use Of Passwords For Removable Data Drives

  • Choose How BitLocker-Protected Removable Drives Can Be Recovered

To configure the policy objects for BitLocker on removable media, complete the following steps:

  1. Launch the Local Group Policy Editor by searching for gpedit.msc on the Start screen or typing gpedit.msc in the Run dialog box (Windows logo key+R).

  2. Expand the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives path.

  3. Double-tap or double-click the policy object you want to work with.

  4. Select Enabled.

  5. Configure other options, if available, as needed for your organization.

  6. Document the changes within the object’s comments dialog box.

  7. Tap or click OK to save the changes.

Important

DO NOT ENCRYPT STARTUP KEY DEVICES BY USING BITLOCKER

Using BitLocker to encrypt a removable drive that serves as the startup key for a computer without TPM is not supported. The computer requires the key from the USB drive to start Windows, but a USB drive encrypted by BitLocker can be unlocked only after Windows is running, so the drive would be unable to start the computer.
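
As an added example (not part of the original article), the following PowerShell turns on BitLocker To Go with a password for each attached removable drive and skips any drive that holds a startup key, so the situation described in the warning above cannot arise. The function names are hypothetical, and recognizing a startup key drive by the .BEK file in its root is an assumption of this example.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on Windows 8 or later.
function Get-StartupKeyFile {
    param([string]$Drive)   # for example 'E:'
    # BitLocker saves a startup key as a hidden .BEK file in the drive root,
    # so -Force is needed to see it.
    Get-ChildItem -Path "$Drive\" -Filter '*.bek' -Force -ErrorAction SilentlyContinue
}

function Protect-RemovableDrive {
    param([string]$Drive, [securestring]$Password)

    # Never encrypt a drive that a TPM-less computer needs in order to start.
    if (Get-StartupKeyFile -Drive $Drive) {
        Write-Warning "$Drive holds a startup key; leaving it unencrypted."
        return
    }

    # Skip drives that are already encrypted or in the middle of conversion.
    $vol = Get-BitLockerVolume -MountPoint $Drive
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Output "$Drive is already managed by BitLocker ($($vol.VolumeStatus))."
        return
    }

    # The password is what the user types at the unlock prompt.
    Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $Password
}

$password = Read-Host -AsSecureString -Prompt 'Password for removable drives'

# DriveType 2 is a removable disk; DeviceID has the form 'E:'.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    Protect-RemovableDrive -Drive $_.DeviceID -Password $password
}
```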
