
Safeguard Bitlocker password only

Hi,

I'm currently deploying Safeguard in our company and I'm having trouble with activating BitLocker on machines with a TPM chip.

Since all our PCs (500+) are deployed with secure boot disabled (but TPM on), Safeguard/BitLocker uses the TPM+PIN method to start full disk encryption, but this throws errors after reboot (BitLocker key cannot be obtained from TPM) because the underlying TPM requirements are not met.

This causes the computer (with a TPM chip) to skip the BitLocker POA and throw the error, and it keeps asking the user to choose a new BitLocker password (with numbers only) after every user login/reboot. Please note that a numbers-only password does not work either.

Because TPM is on, there is no fallback to password.

So my question is: can I force password usage (so skip TPM/PIN and default to password) with Safeguard/GPO or other settings? Some googling and trying to change some GPO/policy settings did not help so far, so I'm reaching out for some help on this :).

The only other option would be to disable TPM manually on all PCs, but this is not a desired solution.

Any help on this is greatly appreciated.
  • Hi Jef - I would suspect this is more to do with UEFI and not secure boot.

    The GPO you'd want to set I guess would be Allow enhanced PINs for startup. To quote MS this would...

    "This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker.

    Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.
    If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs.
    Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup.
    If you disable or do not configure this policy setting, enhanced PINs will not be used."

    If TPM is present Windows will want this over the "software" solution to BitLocker (i.e. just the password).

    I think you should try one of your devices with UEFI enabled rather than legacy/CSM and see if you then have better control over the TPM.

    It should work as you desire - TPM with PIN (that's enhanced) to be a password.

  • Hi Micheal,

    Thanks for your suggestions. However, this is not the solution I'm looking for. Your suggestion still makes use of TPM and PIN. I need a solution which SKIPS TPM/PIN and falls back to password (or PIN only), since we cannot use TPM.

    Full TPM requires UEFI and secure boot on, as stated in https://support.microsoft.com/en-us/help/3123365/tpm-is-ready-for-use-with-reduced-functionality-message-when-the-bios

    Since secure boot is off on our hardware, the underlying requirements for full TPM support are not met. Also a lot of our older hardware runs in legacy mode. So what you are suggesting would require a reinstall of all of our computers, which is not feasible for multiple reasons.

    So this situation results in Safeguard detecting TPM (which runs in reduced functionality), which then throws the error mentioned in my original post, resulting in a looping password prompt from the SafeGuard BitLocker screen.

  • I think you're answering your own question here - you don't want to use TPM, so then you're best to disable it properly. If you're not prepared to do that then the computer can't fall back. It will only fall back if TPM is hidden/disabled and therefore the OS is unaware of it. In the "absence" of TPM it'll then fall back to password/software and not hardware.

    I would test one machine with UEFI (I have machines here with UEFI and secure boot disabled) and see if that resolves your issue.

    However - I think that in your case perhaps you're best to disable TPM completely - set the fallback policy as password and it should work. Obviously not as secure as using TPM, but if you don't or can't change BIOS settings and don't want a rebuild either it may be the only option?

  • I found a BIOS reconfigure tool, so I can use that to disable TPM remotely through SCCM or startup scripts without having to physically adjust it in every PC's BIOS. I still need to test this, but if it works this should allow for a smooth deployment.

  • Hoof....Sounds like a project and a half for 500 devices!

    Are they all Win10 Pro/Edu etc.. Jef ?

  • It would make this project a lot easier, but sadly not... :)

    About 11% is still on Windows 7, about 80% is Windows 10 Pro, and the rest is divided between Windows 8(.1), macOS, Linux and 3 PCs still on Win XP. Hardware-wise I'm working with about 20 different models plus some virtualized PCs, including Surfaces and tablets, which give me a headache as well because they have no POA keyboard and fall back to TPM encryption only, without PIN/password.

    Besides the issues with TPM, we (me and Sophos support) also found a bug where a custom install path in deployment scripts is not correctly stored in the registry, which caused SGportable.exe not to be copied to portable media. This should be solved by the next patch though, and I 'fixed' it for our environment by redeploying to the standard install path. And some BSODs on install as well...

    Currently still in the test phase, although production deployment should start soon if nothing serious pops up in the last test stages with regard to BitLocker. We will deploy in phases to be able to test as many scenarios as possible, and not to shock people with all the encryption at the same time. Starting with BitLocker, then portable media encryption, then network encryption, then cloud encryption.

    So yeah, the project is quite a challenge and will remain that way for quite some time I reckon. :) Thank you GDPR ;)

  • Well,

    I have some good news and bad news to report.

    The bad news is the BIOS reconfigure tool did not work for our hardware models with TPM.

    The good news is that I found a way to make BitLocker/Safeguard fall back to password only even with TPM switched on in the BIOS. As a pleasant side effect it also solved the problem with the tablet/Surface devices: it skips encryption for touch devices (when the GPO setting 'Enable use of BitLocker authentication requiring preboot keyboard input on slates' is not enabled).

    To achieve this I changed the following GPO settings:

    Under 'System -> Windows Components -> Bitlocker Encryption' enable 'Allow BitLocker without a compatible TPM'

    Then ALSO change ALL of the sub settings to:

    • Configure TPM startup
      • Do not allow TPM
    • Configure TPM startup PIN
      • Do not allow startup PIN with TPM
    • Configure TPM startup key
      • Do not allow startup key with TPM
    • Configure TPM startup key and PIN
      • Do not allow TPM startup key with PIN

    After the client installation the user will then be prompted to select a password instead of a PIN for BitLocker encryption.
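As an added example (not code from the thread or from Sophos), the following PowerShell audit script checks whether a machine has actually received the password-only policy described in the post above, by reading the local policy registry values that back the BitLocker startup-authentication GPO, and then lists which key protector types ended up on the OS volume. The registry value names and the policy-to-registry mapping (`HKLM:\SOFTWARE\Policies\Microsoft\FVE`, `EnableBDEWithNoTPM`, `UseTPM`, `UseTPMPIN`, `UseTPMKey`, `UseTPMKeyPIN`, `UseAdvancedStartup`) are assumptions not stated on the page; run it elevated, as `Get-BitLockerVolume` requires administrator rights.

```powershell
# Added audit script (not from the thread). Verifies the password-only BitLocker
# policy on this machine and shows the protector types present on the OS volume.
# Assumed mapping of the GPO to registry values (not stated on the page):
#   UseAdvancedStartup = 1 -> "Require additional authentication at startup" is Enabled
#   EnableBDEWithNoTPM = 1 -> "Allow BitLocker without a compatible TPM" is ticked
#   UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN = 0 -> each TPM option set to "Do not allow"
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Expected = [ordered]@{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 0
    UseTPMPIN          = 0
    UseTPMKey          = 0
    UseTPMKeyPIN       = 0
}

function Test-PasswordOnlyBitLockerPolicy {
    # Returns $true only when every expected value is present and matches.
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "Policy key $PolicyKey not found (GPO not applied yet?)"
        return $false
    }
    $current = Get-ItemProperty -Path $PolicyKey
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $actual = $current.$name
        if ($null -eq $actual) {
            Write-Warning "$name is not set (expected $($Expected[$name]))"
            $ok = $false
        } elseif ($actual -ne $Expected[$name]) {
            Write-Warning "$name = $actual (expected $($Expected[$name]))"
            $ok = $false
        }
    }
    return $ok
}

function Get-OsVolumeProtectorTypes {
    # With the policy above, a freshly enrolled machine should list 'Password'
    # (plus 'RecoveryPassword'), not 'TpmPin' or 'Tpm'.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $os) { return @() }
    return @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
}

if (Test-PasswordOnlyBitLockerPolicy) {
    Write-Host 'Policy matches the password-only configuration.'
} else {
    Write-Host 'Policy deviates; run gpupdate /force and re-check before enrolling.'
}
Write-Host ('OS volume protectors: ' + ((Get-OsVolumeProtectorTypes) -join ', '))
```

Running this on a test machine before and after `gpupdate /force` makes it obvious whether the looping password prompt is caused by the policy not having arrived yet or by a protector that was already created as TPM+PIN.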