Is it possible to use BitLocker without the installed TPM?

Question

Is it possible to use BitLocker without the installed TPM?

Felix Reichmann 121

Hi,
I have a system with a TPM. I want BitLocker to not use the TPM as a key protector, but only use a PIN.
Within the group policy "Require addtional authentication at startup" I set the setting "Configure TPM startup" to "Do not allow TPM".

During the BitLocker graphical setup process, it is also suggested that automatic unlocking is no longer possible.

But after the encryption process is completed, it can be seen, that the TPM is still used as a key protector.

What am I doing wrong?

Regards
Felix

Accepted answer

5 additional answers

Your answer

Answer 1

Felix Reichmann 121

In another thread I was referred to the documentation. After reading the linked article I think I can explain the issue:

According to the documents, PIN and Enhanced PIN can only be used together with the TPM. So if I want to use a PIN and my PC have a TPM installed it is NOT possible to use "PIN only".
(Reference: https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bitlocker-authentication-methods)

The startup key instead can be used without an installed TPM.

Computers without a TPM or with a disabled TPM are an exception in a certain way. In this case, BitLocker can be allowed without compatible TPM by the known Group Policy.
Instead of the module, a startup key or a password of at least 8 characters is used. This string is no longer called "Enhanced PIN" but "password".

Does anyone know if there are technical reasons why "password only" is only allowed if no TPM is installed?
Why is "Startup Key only" allowed if a TPM is installed, but no "Enhanced PIN only"?

Many thanks for the information at this point also to @Anonymous

Anonymous

2020-08-07T08:28:51.267+00:00

Access to the TPM-stored secrets can be protected by a PIN or by an enhanced PIN, which looks like a password but is something different in functionality, since passwords for bitlocker may be brute-forced (no lockout ever!), while PINs cannot be brute-forced (TPM lockout after 32 guesses).
You have problems with TPMs - solve those. Let us help you to solve those. Don't go for passwords - insecure!
Felix Reichmann 121 Reputation points

2020-08-11T12:21:48.03+00:00

Thank your for your reply. I understand that a TPM in combination with a PIN or an enhanced PIN is the most secure option. I agree with you that from a security point of view that a password as only key protector is less secure.
There can be various reasons why a TPM is installed but cannot be used.
A goal behind my question was also to generally understand what options are offered in this case.

Answer 2

Anonymous

Hi
I’m glad you figured it out and thank you for sharing your thoughts.

Q: Does anyone know if there are technical reasons why "password only" is only allowed if no TPM is installed?
A: BitLocker use the TPM to prevent PIN brute-force attacks, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
Reference: https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-fundamentals#rationale-behind-the-defaults

Q: Why is "Startup Key only" allowed if a TPM is installed, but no "Enhanced PIN only"?
A: In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.
Reference: https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures#pre-boot-authentication

I hope this information above can help you.

Felix Reichmann 121 Reputation points

2020-08-11T12:13:12.4+00:00

So if I understand this correctly, there is no technical reason, why a password cannot be used as the only key protector. But if a TPM is detected, Microsoft decides that a password without TPM as key protector is not secure enough, right?

@Anonymous But why is a startup key considered to be more secure than a password? With both methods we only have one authentication factor.
Anonymous

2020-08-12T07:12:57.037+00:00

Hi,
In this thread, we are mainly discussing about the issue indicated by the first post, please try to mark the replies which help you. It will encourage the person who help you. Then for your new question it would be best if you try to open up a new thread for it. In this way, it will make answer searching in the forum easier and be beneficial to other community members as well.

Thanks for your understanding and cooperation.

Answer 3

poliveirasilva-MSFT 86 Microsoft Employee

Why you do not want to use TPM if it is available to use?

Felix Reichmann 121 Reputation points

2020-08-02T19:18:14.61+00:00

The TPM caused some problems on the system.
Jeffrey Katz 1 Reputation point

2022-05-25T01:28:39.877+00:00

Seriously? Pretty simple. You have a hotswap OS drive that you want to use on another computer. Or there's some hardware change in your computer that the TPM sees as 'wrong'. I see a lot of reasons not to use the TPM.

Answer 4

Kapil Arya 8,451 MVP Volunteer Moderator

Hello,

In the Group Policy setting window, make sure you set Configure TPM Startup PIN and next options as well, to not use TPM.

I believe the TPM is being used because of those options.

Regards.

Answer 5

Anonymous

Hi
You could refer to KapilArya’s answer, try re-setting these options and perform BitLocker encryption again.

If you have any updates during this process, please feel free to let me know

Best Regards

Share via

Is it possible to use BitLocker without the installed TPM?

5 additional answers

Your answer