Does bitlocker require TPM?


Hi there! I am planning to encrypt a couple of Windows PCs using the BitLocker policy. But it seems we have a few devices that don’t have the TPM hardware. Would this be an issue? How would the BitLocker policy work on these devices? Would these devices be any less secure, or their encryption be any weaker?

All Replies

  • Thanks for reaching out to us!

    I will start with how TPM helps with BitLocker. TPM is a chip that is soldered onto your motherboard, which provides hardware-based authentication, i.e., if you have enabled BitLocker, you can switch on and log in to your device (considering the fact you have pushed the right set of configurations) with a click of a button and a password you can actually remember. You don’t have to go through the whole torturous process of connecting a USB with a startup key or entering a 6–20-digit startup PIN. The encryption key is partly stored on the TPM instead of the drive.

    Bottom line: If you have got TPM, you don’t actually need to enter a Startup PIN or a Startup Key on device startup.

    Disclaimer: Make sure you push a BitLocker policy that doesn’t mandate a Startup PIN or a Startup Key.

    Now let’s come to the question at hand. You can configure a BitLocker policy for a device that doesn’t have TPM hardware. You won’t face any issues except having to manually enter a Startup PIN and connecting a USB with the Start-up Key stored in it.

    Head on to Policies > Windows > BitLocker and configure the policy as required by your enterprise. Choose Enable from the drop-down for Configure authentication when the computer starts up. Allow Enable BitLocker without a Trusted Platform Module (TPM). On doing so, Authenticate with TPM startup key and PIN would be required by default.

    Nora Lang

    Hexnode UEM
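The reply above describes the choice the policy has to make: TPM-backed unlock where a TPM exists, and a startup PIN, password or USB key where it does not. The PowerShell below is an added example (not Hexnode's code or the Hexnode policy engine) that makes the same decision locally with the built-in BitLocker and TrustedPlatformModule cmdlets. It assumes an elevated session on Windows 10/11, that the function name `Initialize-OsDriveBitLocker` and its parameters are my own invention, and that the "allow BitLocker without a compatible TPM" policy setting is already in place on TPM-less machines; without `-Apply` it only reports what it would do.

```powershell
# Added example, not Hexnode's code. Picks a BitLocker key protector for the OS drive
# based on whether a usable TPM is present. Requires an elevated PowerShell session.
function Initialize-OsDriveBitLocker {
    param(
        [string] $MountPoint = $env:SystemDrive,   # normally "C:"
        [switch] $UseStartupPin,                  # TPM + PIN instead of TPM-only unlock
        [switch] $Apply                           # without this switch nothing is changed
    )

    # Get-Tpm reports presence and readiness; both are needed for a TPM protector.
    $tpm    = Get-Tpm
    $hasTpm = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    if ($hasTpm -and $UseStartupPin) {
        Write-Host "TPM ready: TPM + startup PIN protector for $MountPoint"
        if ($Apply) {
            $pin = Read-Host -AsSecureString "Enter startup PIN (6-20 digits)"
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                -TpmAndPinProtector -Pin $pin
        }
    }
    elseif ($hasTpm) {
        Write-Host "TPM ready: TPM-only protector for $MountPoint (no PIN at boot)"
        if ($Apply) {
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector
        }
    }
    else {
        # No usable TPM: the OS drive must be unlocked with something the user supplies
        # at boot. A password protector is used here; a USB startup key is the other option.
        # Enable-BitLocker refuses this unless policy allows BitLocker without a TPM.
        Write-Host "No usable TPM: startup password protector for $MountPoint"
        if ($Apply) {
            $pw = Read-Host -AsSecureString "Enter startup password"
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                -PasswordProtector -Password $pw
        }
    }

    # In every case add a recovery password so the volume can be recovered if the
    # TPM, PIN or password is lost; escrow it outside the device (AD, MDM, etc.).
    if ($Apply) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    return $hasTpm
}

# Usage: report only, then apply once the output looks right.
Initialize-OsDriveBitLocker
# Initialize-OsDriveBitLocker -UseStartupPin -Apply
```

The return value is just whether a ready TPM was found, so the function can be used as a preflight check from a larger deployment script before any policy is pushed.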

  • As far as security and TPM are concerned, if someone were to tamper with your PC or physically remove the drive from the computer and decrypt it, he could probably get your data with the help of the recovery key that is stored on the drive.

    If your device has a TPM your drives can’t be accessed without using the key stored on the TPM. The TPM won’t work if it’s moved to another PC’s motherboard, as well. TPM does make your device more secure considering these aspects. When TPM version 1.2 and above is used in conjunction with BitLocker, it can validate system files and boot activity.

    As for the encryption strength, you can mandate the encryption grade and standard (e.g., AES CBC 128, XTS-AES 256, etc.) right when you configure the BitLocker policy from Hexnode. TPM plays no role when it comes to encryption strength.

    Nora Lang
    Hexnode UEM
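The two points in the reply above, whether the OS volume is bound to a TPM and which cipher was mandated, are both visible from the device itself. The audit function below is an added example (not Hexnode's code); it assumes an elevated session with the BitLocker module, and the function name `Get-BitLockerAudit` and the warning strings are my own. It lists the key protectors and encryption method per volume and flags the situations discussed in this thread: an OS volume with no TPM-bound protector, a 128-bit cipher, and a volume with no recovery password.

```powershell
# Added example, not Hexnode's code. Summarises TPM state and per-volume BitLocker
# configuration on the local machine so a policy can be verified after deployment.
function Get-BitLockerAudit {
    $tpm = Get-Tpm

    $volumes = foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # Password, ExternalKey and RecoveryPassword.
        $types       = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $tpmBound    = @($types | Where-Object { "$_" -like 'Tpm*' }).Count -gt 0
        $hasRecovery = @($types | Where-Object { "$_" -eq 'RecoveryPassword' }).Count -gt 0
        $isOsVolume  = "$($vol.VolumeType)" -eq 'OperatingSystem'

        $warnings = @(
            if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') { 'not fully encrypted' }
            if ("$($vol.ProtectionStatus)" -ne 'On')         { 'protection off' }
            if ($isOsVolume -and -not $tpmBound)             { 'OS volume not TPM-bound' }
            if (-not $hasRecovery)                           { 'no recovery password' }
            if ("$($vol.EncryptionMethod)" -match '128')     { '128-bit cipher' }
        )

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            EncryptionMethod = $vol.EncryptionMethod   # e.g. XtsAes256, Aes128
            Protectors       = ($types -join ', ')
            TpmBound         = $tpmBound
            HasRecoveryKey   = $hasRecovery
            Warnings         = ($warnings -join '; ')
        }
    }

    [pscustomobject]@{
        TpmPresent = [bool]$tpm.TpmPresent
        TpmReady   = [bool]$tpm.TpmReady
        Volumes    = $volumes
    }
}

# Usage: print the TPM summary, then the per-volume table.
$audit = Get-BitLockerAudit
$audit | Select-Object TpmPresent, TpmReady
$audit.Volumes | Format-Table MountPoint, VolumeType, EncryptionMethod, Protectors, Warnings -AutoSize
```

Fixed data drives are normally unlocked by auto-unlock or a password rather than the TPM, which is why the TPM-bound check is applied only to the OperatingSystem volume.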