GravityZone Full Disk Encryption: Enabling Intel PTT on Windows Machines without TPM
GravityZone Full Disk Encryption lets security administrators apply policies that encrypt endpoints without prompting users for a password. This feature is available on Windows machines with a Trusted Platform Module (TPM) chip, version 2.0. However, encrypting volumes without requiring a password is also possible on machines with Intel Platform Trust Technology (Intel PTT).
Intel PTT is an alternative that provides the capabilities of a discrete TPM 2.0: it supports BitLocker drive encryption and meets all Microsoft requirements for firmware Trusted Platform Modules (fTPM) 2.0. Intel PTT is available only on certain Windows machines.
Enabling Intel PTT
To encrypt endpoints without prompting users for a password, you must apply a GravityZone encryption policy with the option "If Trusted Platform Module (TPM) is active, do not ask for pre-boot password" enabled.
By default, this functionality works on machines with a TPM 2.0 chip and UEFI firmware. Encrypting without a password also works on machines with Intel PTT, but you must first enable Intel PTT in the BIOS. If you do not enable it, the encryption process will continue to require a password.
Do the following when encryption without a password does not work on certain Windows endpoints:
- Verify whether the TPM is active on the machine by running tpm.msc. Note that the TPM may show the Ready status even though no discrete TPM chip is present on the machine.
- Access BIOS on that machine and go to the section where the Intel PTT setting is located.
- Depending on the BIOS manufacturer and version, you may need either to set the Intel PTT status to Enabled or to change the Security Chip setting from Discrete to Intel PTT.
- Save the changes and exit BIOS.
Once Intel PTT is enabled, the encryption process should start without requiring a password.
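The checks above can be scripted so that an administrator can see, before pushing the policy, whether an endpoint meets the conditions for password-less encryption (TPM present and ready, TPM version 2.0, UEFI boot) and whether the TPM in use is Intel PTT rather than a discrete chip. The following PowerShell script is an added example, not code from the Bitdefender article or from GravityZone; it uses only built-in Windows cmdlets (Get-Tpm, the Win32_Tpm WMI class, Get-BitLockerVolume). It assumes an elevated session, and it assumes that Intel PTT reports the TCG vendor ID text "INTC"; the hypothetical NextStep message is illustrative.

```powershell
# Added example (not part of the Bitdefender article): pre-check an endpoint
# for password-less GravityZone encryption. Run from an elevated PowerShell
# session on the endpoint. Assumptions are marked in the comments.

$report = [ordered]@{}

# 1. TPM state, as tpm.msc shows it. A firmware TPM such as Intel PTT reports
#    TpmPresent/TpmReady = True exactly like a discrete chip, which is why
#    tpm.msc can show "Ready" without a physical TPM on the board.
$tpm = Get-Tpm
$report.TpmPresent = $tpm.TpmPresent
$report.TpmReady   = $tpm.TpmReady

# 2. Distinguish firmware TPM from discrete TPM and read the spec version.
#    Assumption: Intel PTT reports the TCG vendor ID text "INTC".
$wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                          -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$report.Manufacturer = $wmiTpm.ManufacturerIdTxt
$report.SpecVersion  = $wmiTpm.SpecVersion            # e.g. "2.0, 0, 1.38"
$report.IsTpm20      = [bool]($wmiTpm.SpecVersion -match '^2\.0')
$report.IsIntelPTT   = ($wmiTpm.ManufacturerIdTxt -eq 'INTC')

# 3. Firmware type: password-less encryption requires UEFI boot.
$report.FirmwareType = $env:firmware_type             # "UEFI" or "Legacy"

# 4. Current BitLocker state of the system drive (the BitLocker module is
#    only present on editions that ship BitLocker, e.g. Pro/Enterprise).
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($blv) {
    $report.VolumeStatus     = $blv.VolumeStatus
    $report.ProtectionStatus = $blv.ProtectionStatus
    $report.KeyProtectors    = ($blv.KeyProtector.KeyProtectorType -join ', ')
}

# Decision: the policy option "If TPM is active, do not ask for pre-boot
# password" can only take effect when all of these conditions hold.
$ok = $report.TpmPresent -and $report.TpmReady -and $report.IsTpm20 -and
      ($report.FirmwareType -eq 'UEFI')
$report.ReadyForPasswordlessEncryption = $ok

# Hypothetical guidance string for the administrator reading the output.
if (-not $ok -and -not $report.TpmPresent) {
    $report.NextStep = 'Enable Intel PTT (or set Security Chip to Intel PTT) in BIOS/UEFI setup, then re-run.'
}

[pscustomobject]$report | Format-List
```

When ReadyForPasswordlessEncryption is False and TpmPresent is False on an Intel platform, the cause is usually that Intel PTT is still disabled in the BIOS, which is the situation the steps above address; when TpmPresent is True but IsTpm20 is False, the machine has a TPM 1.2 and the policy option will keep prompting for a password regardless of the BIOS setting.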
Different BIOS versions with the Intel PTT setting