Windows BitLocker not offering unlock-by-password option
I have a problem on a single computer trying to do a process I've successfully done on other computers.
What I have successfully achieved on other computers:
- Have a computer without a compatible TPM module, with Windows 10 Pro installed.
- Try to enable BitLocker on C:
- Windows complains about not having a compatible TPM module.
- Disable that requirement from Group Policy, reboot and retry.
- Through the BitLocker wizard, Windows asks you for the unlocking method, then I choose the one I prefer (password, which means neither PIN nor USB drive), then enter my custom password, then the wizard obliges me to save a recovery file somewhere, and it finally commits the options.
- The encryption process goes on.
- At next boot, I must enter a password.
What is happening to me on a laptop with Windows 10:
- Try to enable BitLocker on C:
- Windows complains about not having a compatible TPM module.
- Disable that requirement from Group Policy, reboot and retry.
- Through the BitLocker wizard, Windows doesn't ask me for any unlocking method, it just goes to the screen where I must save a recovery file somewhere, and then it offers to commit the options.
I have no option to choose password unlocking nor to enter any custom password, so I am not committing the wizard. What can I do so that Windows shows me the password input option? Am I doing anything wrong or different?
Lots of thanks in advance.
NOTE: please, the reason why I prefer password unlocking is off topic.
Solution 1:
We'll actually look at a couple of settings; make sure you have the following set, to completely disable TPM management and key use, and resort to a password.
- Open gpedit.msc.
- Navigate to Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives.
- Set the following policy options:
  - Require additional authentication at startup: Enabled
    - Allow BitLocker without a compatible TPM: Checked
    - Configure TPM startup: Do not allow TPM
    - Configure TPM startup PIN: Require startup PIN with TPM
    - Configure TPM startup key: Do not allow startup key with TPM
    - Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM
  - Allow enhanced PINs for startup: Enabled
  - Configure use of passwords for operating system drives: Enabled
    - Configure password complexity for operating system drives: Allow password complexity
And for non-system drives, be sure to have the following checkbox set:
- Navigate to Fixed Data Drives.
  - Configure use of passwords for fixed data drives: Enabled
    - Require password for fixed data drive: Checked
I think that about covers it. It should now give you the option for password input. It also should work with strong passwords, and at startup. Hope this helps!
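The policy list above is what you click through in gpedit.msc. As an added example, not part of the original answer, the following PowerShell script writes the same settings through their registry-backed policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE and then reads them back so you can confirm nothing was missed. The value names and encodings (UseTPM* where 0 = do not allow, 1 = allow, 2 = require; *PassphraseComplexity where 0 = do not allow, 1 = require, 2 = allow; minimum password length 8) are my assumptions about the VolumeEncryption.admx mapping; check them against gpedit.msc on your build. Run it from an elevated prompt.

```powershell
# Added example (not from the original answer): apply the Solution 1 policy
# settings via their registry equivalents, then verify them. Run as Administrator.
# ASSUMPTION: value names/encodings below follow the VolumeEncryption.admx mapping
# as I understand it; verify against gpedit.msc before relying on them.

$FVE = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

$desired = [ordered]@{
    # Require additional authentication at startup: Enabled
    UseAdvancedStartup      = 1
    # Allow BitLocker without a compatible TPM: Checked
    EnableBDEWithNoTPM      = 1
    # Configure TPM startup: Do not allow TPM
    UseTPM                  = 0
    # Configure TPM startup PIN: Require startup PIN with TPM (as listed in the
    # answer; it has no effect on a machine that has no TPM)
    UseTPMPIN               = 2
    # Configure TPM startup key: Do not allow startup key with TPM
    UseTPMKey               = 0
    # Configure TPM startup key and PIN: Do not allow
    UseTPMKeyPIN            = 0
    # Allow enhanced PINs for startup: Enabled
    UseEnhancedPin          = 1
    # Configure use of passwords for operating system drives: Enabled,
    # complexity = Allow, minimum length 8 (the policy's default minimum)
    OSPassphrase            = 1
    OSPassphraseComplexity  = 2
    OSPassphraseLength      = 8
    # Fixed data drives: Configure use of passwords: Enabled, Require password
    FDVPassphrase           = 1
    FDVEnforcePassphrase    = 1
    FDVPassphraseComplexity = 2
    FDVPassphraseLength     = 8
}

function Set-BitLockerPasswordPolicy {
    if (-not (Test-Path $FVE)) { New-Item -Path $FVE -Force | Out-Null }
    foreach ($name in $desired.Keys) {
        # -Force overwrites a value that is already present
        New-ItemProperty -Path $FVE -Name $name -PropertyType DWord `
            -Value $desired[$name] -Force | Out-Null
    }
}

function Test-BitLockerPasswordPolicy {
    # Returns the names of settings that do not match $desired (empty = all good).
    $actual = Get-ItemProperty -Path $FVE -ErrorAction SilentlyContinue
    $desired.Keys | Where-Object {
        $null -eq $actual -or $actual.$_ -ne $desired[$_]
    }
}

Set-BitLockerPasswordPolicy
$mismatch = @(Test-BitLockerPasswordPolicy)
if ($mismatch.Count -eq 0) {
    Write-Host 'All BitLocker password-policy values are set; re-run the wizard.'
} else {
    Write-Warning "Still mismatched: $($mismatch -join ', ')"
}
# Registry-backed policy takes effect without a reboot, but refresh anyway:
gpupdate /force | Out-Null
```

If Test-BitLockerPasswordPolicy still reports mismatches after running, a domain GPO is most likely overriding the local policy; check with `gpresult /h report.html` rather than fighting the registry directly.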
Solution 2:
This article describes how to enable password encryption for BitLocker: https://appuals.com/how-to-encrypt-system-partition-by-using-bitlocker-without-tpm/
tl;dr: Edit the group policy Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drive/Require additional authentication at startup, click Enabled, tick the "Allow BitLocker without compatible TPM chip" checkbox in this group policy setting, and save.
However, if your computer has a TPM module, you'll notice that you can only choose PIN, USB Drive, or no additional authentication. The "PIN" option here means using TPM+PIN, it's not the same as just using password without TPM.
To actually enable the password option like you had on non-TPM computers, you need to disable the TPM in the BIOS settings. How to do that, or whether you can at all, depends on which motherboard / laptop you have.
Quoting from the description in group policy Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drive/Require additional authentication at startup:
If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up.
...
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
From my understanding, you can't use a password if Windows detects that your computer has a TPM; it forces you to use a method that involves the TPM in this case, so you have to disable the TPM module in order to use password encryption.
I have tested on an MSI P65 laptop which has a TPM module; after disabling the TPM module in the BIOS settings and enabling the group policy option, I can choose password as the encryption method when setting up BitLocker.
Note: you might also want to disable hardware encryption (for both Operating System Drives and Fixed Data Drives): https://www.howtogeek.com/fyi/you-cant-trust-bitlocker-to-encrypt-your-ssd-on-windows-10/amp/