Configure Microsoft Windows 8 to Allow BitLocker Encryption without TPM
What Is Trusted Platform Module or TPM?
TPM is a hardware chip that is integrated into some motherboards and stores one part of the key pair used to decrypt hard disk volumes that have been encrypted with BitLocker. Not all motherboards ship with a TPM, and those that have the chip are not necessarily configured to use it. Even when a TPM chip is integrated into the motherboard, it is sometimes disabled by default, and administrators must enable it manually from the BIOS settings. On some motherboards, however, the TPM is already enabled in the BIOS, and on such computers BitLocker can be enabled to encrypt the drives on the hard disk.
Benefits of Trusted Platform Module or TPM
As mentioned above, TPM is a hardware chip integrated into the motherboard that allows administrators to encrypt an entire drive of the computer using BitLocker. It stores one part of the key pair that the Windows 8 operating system uses to decrypt the hard disk volumes while booting the system. When administrators encrypt a system drive using BitLocker, a key pair is generated. One part of the key pair is automatically saved in the TPM, whereas the other part is given to the administrator. When the system starts, the computer asks the administrator for the key, and once it is provided, Windows 8 matches the combination against the part it has stored in the TPM. If the key combination matches, the system drive is decrypted and the operating system boots successfully. If the key combination does not match, the operating system fails to decrypt the contents of the system drive and the computer fails to boot.
Microsoft understands that not all computers have a TPM integrated into them, and has therefore designed the Windows 8 operating system so that it can be configured to use BitLocker without a TPM. To do so, administrators must modify the default configuration of the Windows 8 computer through group policies and allow it to enable BitLocker Drive Encryption without TPM.
When administrators configure a Windows 8 computer to allow BitLocker Drive Encryption without TPM, the operating system requires a USB flash drive to be inserted while using BitLocker. The reason is that when no TPM is present on the motherboard, the part of the key pair that would be stored in the TPM is stored on the USB flash drive instead. When administrators start Windows 8 computers in this configuration, they must insert the USB flash drive into a USB port and then, when the operating system asks, provide the other part of the key pair to complete the key combination, so that Windows 8 can decrypt the system drive and allow the operating system to boot. Windows 8 also allows administrators to use BitLocker Drive Encryption without a USB flash drive.
How to Configure Computer to Enable BitLocker without Compatible TPM?
Administrators must follow the steps below to configure their Windows 8 computers to allow enabling BitLocker Drive Encryption without a compatible TPM:
- Log on to the Windows 8 computer with an account that has administrative privileges.
- Assuming that the computer has been configured to display the classic Start menu, click Start, type GPEDIT.MSC in the search box at the bottom of the menu, and press the Enter key.
- In the Local Group Policy Editor snap-in that opens, expand Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption in the left pane, and from the expanded list click to select Operating System Devices.
- In the right pane, double-click Require additional authentication at startup.
- In the box that opens, select the Enabled radio button and ensure that, under the Options section, the Allow BitLocker without a compatible TPM checkbox is checked.

- Once done, click the OK button to allow the changes to take effect, and close the Local Group Policy Editor snap-in.
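To confirm from an elevated PowerShell session that the setting took effect, and to see which machines rely on it, the following audit script can be used. It is an added example, not part of the original article; it assumes the policy is stored under the HKLM:\SOFTWARE\Policies\Microsoft\FVE registry key (values UseAdvancedStartup and EnableBDEWithNoTPM) and that the Get-Tpm and Get-BitLockerVolume cmdlets are available, none of which are named in the article.

```powershell
# Added example: audit the "Require additional authentication at startup" policy.
# Assumption (not from the article): Group Policy stores this setting under the key below.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns $null when the key or value is absent (policy "Not Configured").
    $item = Get-ItemProperty -Path $fveKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# 1 = "Enabled" radio button; 1 = "Allow BitLocker without a compatible TPM" checked.
$policyEnabled = (Get-FvePolicyValue 'UseAdvancedStartup') -eq 1
$noTpmAllowed  = (Get-FvePolicyValue 'EnableBDEWithNoTPM') -eq 1

# TPM state as Windows sees it (a chip disabled in the BIOS reports as not present).
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$tpmUsable = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

# Key protectors actually configured on the operating system volume.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$protectors = @()
if ($osVolume) {
    $protectors = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
}
# Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey all start with "Tpm".
$hasTpmProtector = [bool]($protectors -match '^Tpm')

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    PolicyEnabled      = $policyEnabled
    AllowWithoutTpm    = $noTpmAllowed
    TpmPresentAndReady = $tpmUsable
    OsVolumeStatus     = if ($osVolume) { $osVolume.VolumeStatus } else { 'Unknown' }
    OsProtection       = if ($osVolume) { $osVolume.ProtectionStatus } else { 'Unknown' }
    KeyProtectors      = $protectors -join ', '
    # True when the OS volume has protectors but none of them is bound to a TPM,
    # i.e. the machine depends on the no-TPM allowance configured above.
    RunsWithoutTpm     = ($protectors.Count -gt 0) -and (-not $hasTpmProtector)
}
```

A machine that reports TpmPresentAndReady as True together with RunsWithoutTpm as True has a usable TPM that BitLocker is not using, which is worth reviewing before leaving the no-TPM allowance in place.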