Win11 with Bitlocker - disable TPM

Anonymous
2024-07-27T21:29:39+00:00

Hello.

I have a Win 11 system with BitLocker enabled on the OS drive with the key stored in the TPM. I would like to stop using the TPM to store the key and store it on the drive, having it encrypted with a PIN/password only. I'm aware of the risks (brute-force attacks), but this is really not the vector I'm protecting against. I want to keep the TPM enabled in UEFI. I'm dual booting and I want to use the chip with the other OS. Of course, dual booting often breaks the verification process and I'm asked to enter the recovery key, which is quite tedious.

I already tried to check the "Allow BitLocker without a compatible TPM ..." option in "Require additional authentication at startup", enabled "Allow enhanced PINs for startup" and set a PIN in the BitLocker management. On boot, I'm asked for the PIN, but the TPM is used afterwards to fetch the key! I know this because I'm asked for the recovery key after entering the PIN, as the TPM does not provide the system with the key: TPM verification failed because of the dual boot.

Thank you for your help.

*** Moved from Windows / Windows 11 / Security and privacy ***



Accepted answer
  1. Anonymous
    2024-08-29T02:33:27+00:00

    Hello,

    This policy can allow BitLocker without TPM.

    Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup.

    Enable this option: Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).

    Best regards,

    Molly


8 additional answers

  1. Anonymous
    2024-07-30T01:17:57+00:00

    Hello,

    Thank you for posting in Microsoft Community forum.

    Based on the description, I understand your question is related to disabling the TPM.

    Open group policy, navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

    Double-click on Require additional authentication at startup.

    Select Enabled and check the option Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).

    Click OK to apply the changes.

    Go back to Control Panel > System and Security > BitLocker Drive Encryption.

    Click on “Turn on BitLocker” next to the OS drive.

    When prompted, choose to use a password or PIN for startup.

    Follow the prompts to set up BitLocker with your chosen authentication method.

    Restart your computer to ensure that BitLocker prompts you for the PIN/password at startup and does not rely on the TPM for key retrieval.

    Have a nice day. 

    Best Regards,

    Molly

  2. Anonymous
    2024-07-31T06:59:36+00:00

    Hi,

    I actually did that but in a different order. I set the "Allow BitLocker without a compatible TPM" with Bitlocker already activated.

    Are you saying I have to disable BitLocker, set the option and re-enable it?

    Thanks

  3. Anonymous
    2024-08-02T06:44:43+00:00

    Hello,

    Yes, you can try to back up and re-enable it, and check if the new policy works.

    Best regards,

    Molly

  4. Anonymous
    2024-08-15T17:46:19+00:00

    I have tried suspending Bitlocker, that didn't help. By disabling you really mean decrypting the whole drive? That seems like a brutal solution to me.

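An added example, not from the thread or from Microsoft, of the protector change the thread is circling around: with the "Allow BitLocker without a compatible TPM" policy from the accepted answer enabled, it adds a password protector to the already-encrypted OS volume and then removes the TPM-bound protectors, so the drive does not have to be decrypted. It assumes an elevated PowerShell session, the built-in BitLocker module cmdlets, and that the policy permits a password protector on the OS volume; the function name is my own.

```powershell
# Added example (not the thread's or Microsoft's code). Assumes an elevated
# session, the BitLocker module, and the "Allow BitLocker without a compatible
# TPM" policy already enabled so a password protector is accepted on C:.
#Requires -RunAsAdministrator

function Switch-OsDriveToPasswordOnly {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][SecureString]$Password
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "Volume $MountPoint is '$($vol.VolumeStatus)'; finish encryption first."
    }

    # Safety check: never drop the TPM protector unless a recovery password
    # protector exists, otherwise a typo in the new password locks you out.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        Write-Warning "New recovery password created; store it safely: $($recovery.RecoveryPassword)"
    }

    # Add the password protector BEFORE removing anything, so the volume is
    # never left without a usable protector.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $Password

    # Remove every TPM-bound protector type (Tpm, TpmPin, TpmStartupKey,
    # TpmPinStartupKey). Only these tie unlock to the TPM's PCR state, which is
    # what the dual boot keeps invalidating.
    $tpmBound = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    foreach ($p in $tpmBound) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # Verify: expect Password and RecoveryPassword entries and no Tpm* entries.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

$pw = Read-Host -AsSecureString -Prompt 'New BitLocker startup password'
Switch-OsDriveToPasswordOnly -MountPoint 'C:' -Password $pw
```

After a reboot the pre-boot prompt asks for the password only; if the protector list still shows a Tpm* entry, the policy was not applied and the cmdlet would have refused the password protector.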