Hi there! I am planning to encrypt a couple of Windows PCs using the BitLocker policy. But it seems we have a few devices that don’t have the TPM hardware. Would this be an issue? How would the BitLocker policy work on these devices? Would these devices be any less secure, or their encryption be any weaker?
Thanks for reaching out to us!
I will start with how TPM helps with BitLocker. TPM is a chip that is soldered into your motherboard, which provides hardware-based authentication, i.e., if you have enabled BitLocker, you can switch on and log in to your device (considering the fact you have pushed the right set of configurations) with a click of a button and a password you can actually remember. You don’t have to go through the whole torturous process of connecting a USB with a startup key or entering a 6–20-digit startup PIN. The encryption key is partly stored on the TPM instead of the drive.
Bottom line: If you have got TPM, you don’t actually need to enter a Startup PIN or a Startup Key on device startup.
Disclaimer: Make sure you push a BitLocker policy that doesn’t mandate a Startup PIN or a Startup Key.
Now let’s come to the question at hand. You can configure a BitLocker policy for a device that doesn’t have TPM hardware. You won’t face any issues except having to manually enter a Startup PIN or connecting a USB with the Startup Key stored in it.
Head on to Policies > Windows > BitLocker and configure the policy as required by your enterprise. Choose Enable from the drop-down for Configure authentication when the computer starts up. Allow Enable BitLocker without a Trusted Platform Module (TPM). On doing so, Authenticate with TPM startup key and PIN would be required by default.
Nora Lang
Hexnode UEM
13 August 2021
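As an added example (not from Hexnode's documentation or this thread), a PowerShell check an admin can run on a device before pushing the policy: it reports whether a TPM is present and ready, whether the "Allow BitLocker without a compatible TPM" policy flag is set, and which key protectors each volume holds, so machines that will need a startup key or PIN are identified ahead of time. The cmdlets and registry value are standard Windows ones; the report function name is my own.

```powershell
# Inventory TPM state, the no-TPM policy flag and BitLocker key protectors.
# Run in an elevated PowerShell session on the device being checked.
function Get-BitLockerTpmReport {
    # Get-Tpm can throw on machines with no TPM driver, so treat that as "no TPM".
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }

    # Group Policy / MDM BitLocker settings land under this key when pushed.
    # EnableBDEWithNoTPM = 1 corresponds to "Allow BitLocker without a compatible TPM".
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                               -ErrorAction SilentlyContinue

    # Protector types that bind the volume key to the TPM chip.
    $tpmBound = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'TpmNetworkKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpmProtector = [bool]($types | Where-Object { $tpmBound -contains $_ })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            TpmPresent       = if ($tpm) { [bool]$tpm.TpmPresent } else { $false }
            TpmReady         = if ($tpm) { [bool]$tpm.TpmReady }   else { $false }
            NoTpmPolicyOn    = ($policy.EnableBDEWithNoTPM -eq 1)
            KeyProtectors    = ($types -join ', ')
            # Without a TPM-bound protector the user must supply a PIN/password
            # or a USB startup key (ExternalKey) at every boot.
            PreBootAuthNeeded = -not $hasTpmProtector
            # A missing recovery password is the most common cause of lock-out;
            # flag it so the admin can add one before enforcing encryption.
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }
}

Get-BitLockerTpmReport | Format-Table -AutoSize
```

Devices where TpmPresent is False will show up with PreBootAuthNeeded set, which is exactly the set the policy must be configured to allow a startup key or PIN for.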