The options within the TPM 2.0 Security section typically are just to have it enabled with the TPM On checkbox selected, make sure the radio button is set to Enabled, hit Apply, and make sure the computer object is in an Active Directory OU.
I had the same issue with a single E7470 series laptop with TPM 2.0. I kept fiddling with the TPM configuration in Windows and going back and forth to the BIOS. What I think I finally did was clear the TPM in the BIOS, turn it completely off, and turn it back on with the TPM PPI Provision Override setting checked (Deprovision unchecked). Then, back in Windows, I was able to turn on BitLocker.
You have to wipe the HDD. I was having this issue at my work, and for some odd reason with the Dell BIOS the recovery BIOS is on the HDD itself. Wiping the hard drive let me downgrade the BIOS. As for Windows 7 with the TPM, you need to downgrade the TPM from 2.0 to 1.2.
What you need to do is download the TPM 1.2 firmware and make sure you have the TPM cleared from within the BIOS, or run tpm.msc to open the console from within Windows itself, then launch the utility, and you should be able to downgrade correctly.
So you will need to pause BitLocker during the Linux installation. Or, if you have time, you can turn off BitLocker before the Linux installation and re-encrypt after it's done. The TPM checks the boot environment. Linux adds a new directory (e.g. ubuntu) in the EFI partition, which triggers the TPM if BitLocker is on.
Answered your question via the other post, Steph. Sophos can confirm, but I was under the impression there is no POA for Windows 10? When you say "pop up asking for a password for POA", is it possible to have a screenshot of this?
But essentially, before 8.1, when I installed a client, added our server's info to it and the user logged in again, it asked the user to create a password (PIN) that is the BitLocker password for when you turn on the laptop.
So the C drive is encrypted, but before 8.1 we were also getting the ability to do this on each PC, which for some reason we aren't now... But these have all been installed by my colleagues, as I've not got any here that I can install it on. So I'm going to remote onto one of the ones they are installing to see what they are doing.
Since 8.1 (and decent versions of 7) Sophos works WITH BitLocker to manage it. POA as such then doesn't appear, as the authentication is done differently. The PIN prompt you see is when the PC (laptop) has a TPM (a built-in hardware security chip) and the "protector" is the PIN. You can have TPM without a PIN too (and you may want to use this if the laptop has a touch screen and doesn't support it at POST).
If your PC doesn't have a compatible (or present) TPM chip, then it'll set a password, OR a USB startup key can also be used. I personally don't like this option, as the USB can be lost/stolen/overwritten etc.
Your other hard drives (D drive/E drive etc.) should auto-unlock. That is to say, if they ARE encrypted (with a policy), then the key will be stored in the user's profile/registry, and when they access the drive in Explorer it will auto-unlock (and not prompt for a password each time).
It's not setting the password. Before 8.1, it popped up on the desktop after you installed SafeGuard saying "can you please create a password for BitLocker". But now it's not doing that. (Or is that because the new devices have a TPM chip, and so it doesn't ask them as it doesn't think they've been tampered with?)
So the ones that are asking for it each time don't have a TPM chip, hence asking. I just thought it was a good extra security thing... But I guess if they cannot log in to our device then it's irrelevant and not really necessary, and I just need to ensure the users' passwords are secure, and it will pause longer between each attempt to log in...
Do this on each client you're questioning. It SHOULD follow that they have the Sophos policy applied, which means TPM and PIN is enabled on all those PCs that have a TPM (it is common for laptops to have the TPM disabled in BIOS/UEFI so the OS cannot see it, in which case Sophos/Windows can't use it or see it either), and those PCs that do not have a TPM have a password instead.
If you're ONLY using TPM with NO PIN, then the PC is either ignoring that policy you have set or it's picking up another policy/setting elsewhere. Depending on what GPOs you have set on your domain, it could be that your DA has disabled PIN at POST.
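The check the two posts above describe (which protector each client actually ended up with, whether the OS can see the TPM at all, and whether a GPO forbids the PIN), written out as an added example. This is not code from the thread or from Sophos; it assumes an elevated PowerShell session on the client, that the OS volume is C:, and uses only the built-in Get-Tpm and Get-BitLockerVolume cmdlets.

```powershell
# Added example (not from the thread): inventory TPM state and BitLocker protectors on one client.
# Assumes an elevated session and that the OS volume is C:. Get-Tpm / Get-BitLockerVolume ship with
# Windows 8.1 and later.
$OsDrive = 'C:'

# TPM as the OS sees it. TpmPresent=$false usually means the chip is disabled or hidden in
# BIOS/UEFI, not that the machine has no TPM; TpmReady=$false means present but not provisioned.
$tpm = Get-Tpm
[pscustomobject]@{
    TpmPresent   = $tpm.TpmPresent
    TpmReady     = $tpm.TpmReady
    TpmEnabled   = $tpm.TpmEnabled
    TpmActivated = $tpm.TpmActivated
} | Format-List

# Protector types on the OS volume map onto the PIN/password discussion like this:
#   TpmPin           -> TPM + PIN asked for at POST (what the Sophos policy is meant to produce)
#   Tpm              -> TPM only, no prompt at boot
#   Password         -> no usable TPM, a password is asked for at boot
#   ExternalKey      -> USB startup key
#   RecoveryPassword -> the 48-digit recovery key (should exist alongside one of the above)
$vol   = Get-BitLockerVolume -MountPoint $OsDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
    $verdict = 'TPM+PIN: policy applied as intended'
} elseif ($types -contains 'Tpm' -or $types -contains 'TpmStartupKey') {
    $verdict = 'TPM only, no PIN: look for a conflicting GPO (registry check below)'
} elseif ($types -contains 'Password') {
    $verdict = 'Password protector: the OS cannot use a TPM on this client'
} elseif ($types -contains 'ExternalKey') {
    $verdict = 'USB startup key protector'
} else {
    $verdict = 'No boot-time protector (clear key, or volume not encrypted)'
}

[pscustomobject]@{
    Volume           = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    Protectors       = ($types -join ', ')
    Verdict          = $verdict
} | Format-List

# The GPO "Require additional authentication at startup" writes these values. For each of them
# 0 = do not allow, 1 = require, 2 = allow; UseTPMPIN=0 is the "DA has disabled PIN at POST" case.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    Get-ItemProperty -Path $fve |
        Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN |
        Format-List
} else {
    'No BitLocker policy key present on this client (no GPO applied, or it applies elsewhere).'
}
```

If the registry block shows UseTPMPIN set to 0 while the Sophos policy asks for TPM+PIN, a domain GPO is winning over the Sophos setting, which is the second case the post describes; if TpmPresent is false, the client falls into the password branch no matter what either policy says.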
Thanks for the advice. I recently received a FW 16, as my father passed and wanted me to have it.
He had it packaged with Windows 11, not my personal choice, as I haven't used Windows personally since Win 7/10. I thought of dual booting, but realised Windows updates every now and then and remembered how Windows works; I always had trouble with my Win10/Ubuntu setup, which forced me to go straight Ubuntu altogether, and I had no trouble with that, hence Win10 didn't work/run great on that computer. So, sticking to my gut, I'll wait till Windows 11 becomes obsolete and runs too clunky on the FW 16 before switching back to Linux. As all Windows computers go, Windows will become obsolete on this hardware one day.
For some reason it's not working. How can I find out what's wrong? I created a GPO, linked it to an OU, joined the Win7 machine to the domain, and moved the Win7 machine into the OU. I would expect it (perhaps incorrectly?) to simply start encrypting and save the BitLocker recovery key into AD somewhere (not sure yet where to find that). But it does nothing.
Set your group policy to automatically back up the recovery key to Active Directory, and to not encrypt the computer if the recovery key isn't stored in AD. Also, if the users will be encrypting their own machines, disable prompting for PINs and passwords, unless you use them in your environment.
Create a plan for encrypting machines that are already in the environment vs. newly built workstations. New workstations are typically easier, as BitLocker requires a system partition to exist on the workstation for storing its bootloader. Depending on your imaging process this may or may not exist on your current workstations, and if not, a separate step would have to be run to prepare the hard drive for BitLocker, but the command escapes me at the moment. The GUI will do it automatically and requires a reboot before continuing; I have to assume the command line is the same way. manage-bde can also be used to back up the recovery key of machines that have already been encrypted, as in before your group policy was implemented, to Active Directory. Of course, you also have to take into account TPM chip enabling and activation when talking about an automated BitLocker deployment.
Backing up recovery keys to Active Directory is okay, but they're gone when the computer account is blown away. No big deal if the machine has been disposed of, but it could be a major issue if this was just a laptop that was off the network for a while and got subject to an AD cleanup script. PowerShell can be used to retrieve backup keys from Active Directory, if this is something you want to think about.
You still want the group policy options for centrally managing the recovery keys in place. I ran scheduled tasks like this before I had the recovery key policy in place and locked myself out. Not fun. The group policy will make sure the scripted job meets the same requirements as starting via the GUI.
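The three things the replies above describe, as an added example that is not code from the thread: confirming on a client that the AD-backup GPO actually applied (the "it does nothing" question), pushing the recovery passwords of an already-encrypted machine into AD, and reading them back from a management workstation. Assumptions: the OS volume is C:, the computer name 'LAPTOP01' is a placeholder, the retrieval part runs where the RSAT ActiveDirectory module is installed, and the forest schema has the BitLocker (msFVE-*) classes, which is the case from Windows Server 2008 onward.

```powershell
# Added example (not from the thread). Steps 1 and 2 run elevated on the client; step 3 runs on a
# management workstation with RSAT. 'LAPTOP01' and the C: mount point are placeholders.

# --- 1. Client: did the GPO land? These values are written by the policy
# "Choose how BitLocker-protected operating system drives can be recovered".
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve) {
    Write-Warning 'No BitLocker policy applied. Check the OU link, then: gpupdate /force; gpresult /r /scope computer'
}
[pscustomobject]@{
    BackupToAD    = $fve.OSActiveDirectoryBackup        # 1 = save recovery information to AD DS
    RequireBackup = $fve.OSRequireActiveDirectoryBackup # 1 = do not enable BitLocker until the backup succeeds
    WhatToStore   = $fve.OSActiveDirectoryInfoToStore   # 1 = passwords and key packages, 2 = passwords only
} | Format-List

# --- 2. Client encrypted before the policy existed: make sure a numerical recovery password exists,
# then escrow every one of them. manage-bde -protectors -adbackup C: -id {guid} does the same thing.
$mount = 'C:'
$vol = Get-BitLockerVolume -MountPoint $mount
$rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
foreach ($p in $rp) {
    # Throws if the policy from step 1 is missing or no writable DC is reachable.
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
    "Escrowed recovery password $($p.KeyProtectorId) for $mount"
}

# --- 3. Management workstation: recovery passwords are stored as child objects of the computer
# account (class msFVE-RecoveryInformation); the object Name embeds the password ID shown on
# the recovery screen, so Name is enough to match the right one.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity 'LAPTOP01'
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
             -SearchBase $computer.DistinguishedName `
             -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
    Sort-Object whenCreated -Descending |
    Select-Object Name, whenCreated, 'msFVE-RecoveryPassword'
```

Because the msFVE objects are children of the computer account, deleting the account removes them with it, which is the cleanup-script failure mode described above; if the AD Recycle Bin is enabled, Restore-ADObject on the computer account brings its children back, otherwise the only copies left are whatever the client itself still holds.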
Without Microsoft corroboration, my testing showed that if one installs from USB onto a new unformatted drive, BitLocker is not enabled. Instead, if one sets up a system fresh from the factory, the Windows OOBE enables BitLocker encryption, unless one somehow gets into the motherboard BIOS and disables TPM 2.0 (I think).
With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11.
I have always used Local accounts (except for the one I used for the Insider Program), both on my Win installations and ones I have set up for other Users. There were recovery questions on the Local accounts.
Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key using their Microsoft Account credentials.
The device that is now registered is also shown in Endpoint Manager as compliant, but has no BitLocker keys attached to it (it is in the groups that would allow it to have the BitLocker policy applied).
In one situation about which I wrote an article, the owner of the dead computer was able to retrieve her BitLocker key using her phone. She sent me a photo of it, and I was then able to access the SSD on a replacement system.
You can repeat this all you want. I have installed Windows for over a decade since Secure Boot was introduced, on clean bare-metal installs, as upgrades and alongside previously installed OSes. I have never had to disable Secure Boot to boot from a Windows install USB flash drive. Other USB boot drives did have issues, but never Windows, Linux Mint or Ubuntu Linux. Or Ventoy, provided the once-only step of registering the TPM MOK key was done properly.
I have only had one device I have ever owned where the installation of Windows (10) was the OEM Home Edition. It did have BitLocker automatically enabled as soon as I had the device set up. I laboriously and manually disabled BitLocker, as I wanted to use a Local Account as my primary Admin Account.
BitLocker automatic device encryption uses BitLocker drive encryption technology to automatically encrypt internal drives after the user completes the Out Of Box Experience (OOBE) on Modern Standby or HSTI-compliant hardware.
BitLocker automatic device encryption starts during the Out-of-box experience (OOBE). However, protection is enabled (armed) only after users sign in with a Microsoft Account or an Azure Active Directory account. Until then, protection is suspended and data is not protected. BitLocker automatic device encryption is not enabled with local accounts, in which case BitLocker can be manually enabled using the BitLocker Control Panel.
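The "encrypted but not armed" state described above is visible from PowerShell: the OS volume reports an encrypted VolumeStatus while ProtectionStatus is Off and the protector list is empty, because the volume is sealed with a clear key until a Microsoft or Azure AD account signs in. The following is an added example, not Microsoft's code, that finds such volumes and, only when -Arm is passed, arms them the way the Control Panel does for a local account (recovery password plus TPM protector, then protection on). It assumes an elevated session and a machine with a usable TPM; adding a TPM protector fails without one.

```powershell
# Added example (not from the article). Run elevated; arming is only performed with -Arm.
# Assumes the device has a TPM the OS can see (Add-BitLockerKeyProtector -TpmProtector needs it).
param([switch]$Arm)

# OS volumes that automatic device encryption has encrypted but not protected: a clear key,
# no key protectors, ProtectionStatus Off. A truly unencrypted volume reports FullyDecrypted.
$pending = Get-BitLockerVolume | Where-Object {
    $_.VolumeType -eq 'OperatingSystem' -and
    $_.VolumeStatus -ne 'FullyDecrypted' -and
    $_.ProtectionStatus -eq 'Off'
}

if (-not $pending) { 'No encrypted-but-unprotected OS volume found.'; return }

foreach ($v in $pending) {
    $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    "$($v.MountPoint): $($v.VolumeStatus), $($v.EncryptionPercentage)% encrypted, protection OFF, protectors: [$($types -join ', ')]"
    if (-not $Arm) { continue }

    # Arm in the order the wizard uses: recovery password first (so a TPM failure at next boot
    # is recoverable), then the TPM protector, then turn protection on, which discards the clear key.
    if ($types -notcontains 'RecoveryPassword') {
        $v = Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector
    }
    if ($types -notcontains 'Tpm') {
        $v = Add-BitLockerKeyProtector -MountPoint $v.MountPoint -TpmProtector
    }
    Resume-BitLocker -MountPoint $v.MountPoint | Out-Null

    $rp = ($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
    "Armed $($v.MountPoint). Recovery password (save it before rebooting): $rp"
}
```

Without -Arm the script is read-only and safe to run on any machine to see whether device encryption has actually been armed; on a domain-joined client you would normally follow the arming step with Backup-BitLockerKeyProtector so the recovery password does not exist only on the device it protects.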