This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 2%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
What does the TPM do (what are its functions) when you encrypt the system drive with Bitlocker?
And what is the difference if I encrypt the system drive without the TPM?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
TPM is a chipset inside the motherboard of your system and when you have this hardware in your device when you attempt to encrypt hard disk, it will store the key inside the TPM. So next time when you boot into your system, it will read they key from the TPM and even if someone take away your hard disk , they won't be able to access the key because it is secure inside the TPM.
When you don't have TPM, whenever you want to boot your system, it will ask for the key or it should be authenticated through the server.
so windows stores the decryption key inside the TPM? Does that mean that by using tpm and bitlocker when you boot windows it won't ask for password but just decrypt the system since the key is stored in the tpm? sorry i'm confused....
the text is very technical i cannot understand it, if someone could simply explain the practical difference in using bitlocker with and without TPM would be enough!
TPM(Trusted Platform Module) is a chip on your computer’s motherboard.
The TPM provides an extra layer of security by storing passwords and keys in a secure form.
TPM with BitLocker provides more security.
You can enable BitLocker on an operating system drive without a TPM
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq#can-i-use-bitlocker-on-an-operating-system-drive-without-a-tpm
-------------------------------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
"The TPM provides an extra layer of security by storing passwords and keys in a secure form.
TPM with BitLocker provides more security."
so when you encrypt windows with bitlocker and tpm is on, windows will store the bitlocker password and decryption key inside the tpm? does that mean that when you boot windows the user doesn't have to input the bitlocker password to decrypt the system? it sounds confusing and certainly not safe :/
Hello,
Usually PIN is considered more secure than traditional password because it is backed by TPM, a system hardware and chip.
So if you enable BitLocker with TPM, you can use PIN to unlock your BitLocker drive, which provides more security.
BitLocker can be enabled without TPM as we all know, but in that case you won't be able to use PIN to unlock encrypted drive. You've to use password then.
Hope this answers your query!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
The worst thing about not having a TPM has not been mentioned yet: the encryption password can be attacked by brute force.
Since most people will not like to use passwords with 20 characters or more, there's a chance that brute-force will succeed in time.
With a TPM, brute forcing would mean to remove the disk from its computer housing and attempt to find the correct recovery key, which is a 48-digit number. Happy brute-forcing!
can you explain why without tpm the password can be bruteforced while with tpm not?
"why without tpm the password can be bruteforced while with tpm not?" - I have explained it in the comment. Please tell me what you don't understand and I will explain again.
The Recovery key is too long to bruteforce, while passwords (due to human nature) are usually chosen short (6-15 characters), which can be brute-forced relatively easily with todays computing powers (say within 1 year).