Setup Bitlocker without TPM

(Last Updated On: 2019-11-05)

One of the big things I have been working on is working towards getting more PoPI Complaint. Although there is not a specific set way of doing this the main thing I read up and spoke to different more Knowledge people regarding this is that reasonable steps need to be taken to prevent data being stolen. As well as if data is stolen that again reasonable steps need to be in place to make sure the data is Unusable.

So how do you make data unusable if your devices get stolen? The Simple answer is encryption. But it is very much possible when you bought your Laptop this was not on your list of questions and now you have laptops without the required Hardware (TPM) to implement Bitlocker Encryption.

Well, don’t stress there is a say to still encrypt your Windows Machine without the TPM Module.

Group Policy Editor

For this to work you will need to be an administrator on your machine. These policies can be pushed down from the Group Policy Manager on a Domain setup but the below is done on a Non-Domain Joined Machine.

Start clicking on the start button and typing gpedit.msc. This should bring up a Microsoft Common Console Document. If not open a run Command and simply type gpedit.msc and ok to open MMC.

gpedit.msc

Once the MMC is opened you will see a Similar screen as per below screen capture. Browse to:
Computer Configuration > Administrative Templates > Windows Component > Bitlocker Drive Encryption > Operating System Drives

The Setting you are looking for is:
Require additional Authentication at Startup

Local Group Policy Editor

Edit the setting by choosing Enabled and make sure you tick the:
Allow Bitlocker without a compatible TPM
(Require a Password or a Startup Key on a USB Flash drive)

require additional authentication at startup

Click ok and close all windows. You are now ready to enable Bitlocker.

Setup Bitlocker

Open the Control Panel and search for the option Manage Bitlocker.

Manager bitlocker

On the Drive, you want to enable click Turn on Bitlocker.

Turn on Bitlocker

It will go past the point where it says you don’t have TPM installed and instead give you an option to use a USB Flash Drive or a Password.

I do Caution if you are a person that losses Flash Drives, don’t use this option. As this is a virtual environment I am working on I opted for Enter a Password

How to unlock drive

The password needs to be somewhat complex. Try using Good Practice Techniques.
Don’t use a password you used before.
Don’t use a password that is personally identifiable
If you have a Password Manager that can generate Passwords use it.
Don’t write the password on a Note (Ever)

Once you have entered a password click Next.

Create a Password

This is probably the most important after choosing a password. Save the Recovery Keys. This needs to be a secure location. NOT WITH THE DEVICE.
If you ever forget your Password or Lose your Flash Drive this is the only way to retrieve the data on the Hard Drive.

For the smart people out there saving their Data to the Cloud, I get it you have your Data. This is for Unlocking the Hard Drive.

If you’re managing a Domain you can setup the Policies to backup the Recovery Keys while setting up the Encryption.

Save Recovery keys

Once you saved your Recovery Keys you can then choose how to encrypt.
I suggest choosing the Entire Drive.

How much Encryption

Lastly, choose which encryption type you want to run. Basically, if the drive is not installed in the Device choose Compatible otherwise choose New encryption Mode

Encryption Type

Once Done finish the Encryption Setup by Clicking Continue to process.

Execute Encryption

It Worked

The Device will need to rebooted to start the Encryption. On the Reboot, it will request the password you set for the Encryption.

Restart
Bitlocker

If you typed everything correctly once you are back in windows you will see the progress of the drive encryption.

Encrypting

While Encrypting you will have a slight performance issue but most people barely notice this.

If you liked what you read Please Share.

I’d love it if you followed me on Twitter and Facebook.

Also, feel free to subscribe to my posts by email. Thanks for reading.

Spread the love

Leave a Reply

Your email address will not be published. Required fields are marked *