
Using Full Disk Encryption without password on Windows endpoints that do not have TPM

This section describes how to enable Intel Platform Trust Technology (Intel PTT) on Windows endpoints without TPM.

GravityZone Full Disk Encryption allows security administrators to apply policies that encrypt endpoints without asking for a password from users.

This feature is compatible with Windows endpoints equipped with a Trusted Platform Module (TPM) chip, specifically version 2.0. Encrypting volumes without requiring a password is also possible on endpoints with Intel Platform Trust Technology (Intel PTT).

Intel PTT is an alternative solution that offers the capabilities of discrete TPM 2.0, supporting BitLocker for hard drive encryption and all Microsoft requirements for firmware Trusted Platform Modules (fTPM) 2.0. Intel PTT is available only on certain Windows machines.

Enabling Intel PTT

To encrypt endpoints without asking for a password from users, you need to apply a GravityZone encryption policy with the option "If Trusted Platform Module (TPM) is active, do not ask for pre-boot password" enabled.

By default, this functionality is compatible with endpoints having a TPM 2.0 chip and UEFI. Encrypting without password also works on endpoints with Intel PTT, as long as it was first enabled in BIOS. If you do not enable Intel PTT, the encryption process will continue to require a password.

Follow these steps when encryption without password does not work on certain Windows endpoints:

  1. Verify if the TPM is active on the endpoint by running the following command: tpm.msc. TPM may appear with ready status even though an actual TPM chip is not present on the endpoint.

  2. Access BIOS on that endpoint and go to the section where the Intel PTT setting is located.

  3. Depending on the BIOS manufacturer and version, you may need either to change the Intel PTT status to Enabled or to change the Security Chip setting from Discrete to Intel PTT.

  4. Save the changes and exit BIOS.

Once you have enabled the Intel PTT setting, the encryption process will start without requiring a password.
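
The check in step 1 can also be done from an elevated PowerShell session, which shows the TPM specification version, the manufacturer and the firmware mode together. The script below is an added example, not part of the GravityZone product or its documentation. The function name Get-TpmReadiness is hypothetical, and treating the manufacturer ID INTC (Intel's TCG vendor ID) as a sign of Intel PTT is an assumption used as a heuristic.

```powershell
# Added example: read-only TPM / firmware readiness check for one endpoint.
# Run in an elevated Windows PowerShell 5.1 session. Changes no settings.
function Get-TpmReadiness {
    # Get-Tpm ships with the built-in TrustedPlatformModule module.
    $tpm = Get-Tpm

    # Win32_Tpm is absent when the firmware exposes no TPM to Windows.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # BiosFirmwareType reports Uefi or Bios (legacy boot).
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # SpecVersion is a comma-separated string; the first field is the TPM family.
    $specMajor = if ($wmi -and $wmi.SpecVersion) {
        ($wmi.SpecVersion -split ',')[0].Trim()
    } else {
        $null
    }

    $isTpm20 = $specMajor -eq '2.0'
    $isUefi  = "$firmware" -eq 'Uefi'

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        SpecVersion        = $specMajor
        Manufacturer       = $tpm.ManufacturerIdTxt
        # Assumption: INTC is Intel's vendor ID, so it suggests a firmware TPM (PTT).
        LikelyIntelPtt     = ($tpm.ManufacturerIdTxt -like 'INTC*')
        FirmwareType       = "$firmware"
        # Prerequisites as stated on this page: TPM 2.0 and UEFI.
        MeetsPrerequisites = ($tpm.TpmPresent -and $tpm.TpmReady -and $isTpm20 -and $isUefi)
    }
}

$result = Get-TpmReadiness
$result | Format-List

if (-not $result.MeetsPrerequisites) {
    Write-Warning 'TPM 2.0 with UEFI not confirmed. Check the Intel PTT / Security Chip setting in BIOS.'
}
```

If TpmPresent is False or SpecVersion is empty on a machine that supports Intel PTT, continue with steps 2 to 4 and run the check again after the reboot.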

In the images below you'll find examples of different BIOS versions with the Intel PTT setting.