How to enable BitLocker without TPM

How to enable BitLocker without TPM

BitLocker is a built-in disk encryption feature in Windows 7, 8, and Windows 10, starting with Professional versions, that allows you to securely encrypt data on both HDD and SSD: system and non-system drives and removable.

However, when enabling BitLocker encryption for the system hard disk partition, most users encounter the message “This device cannot use a Trusted Platform Module (TPM). The administrator must set the option to Allow use of BitLocker without a supported TPM. Here is a quick tutorial on how to do it and how to encrypt the system disk using BitLocker without TPM. See also: How to put a password on a flash drive using BitLocker.

Quick note: The TPM is a special cryptographic hardware module used for encryption tasks, it can be integrated into or connected to the motherboard. Final report: If your computer or laptop is equipped with a TPM module and you see the above message, it may mean that for some reason the TPM is disabled in BIOS or not initialized in Windows (press Win + R and type tpm.msc to control the module ).

Allow BitLocker without supported TPM in the latest version of Windows 10

In the latest version of Windows 10 (1903 May 2019 Update), the location of the policy responsible for allowing BitLocker to encrypt a system disk partition without a TPM module has changed slightly (for previous versions, the location is described in the next section).

To enable BitlLocker encryption without TPM in the new version of the operating system, follow these steps:

  1. Press Win + R on your keyboard, type gpedit.msc and press Enter.
  2. The local group policy editor opens. Go to: Computer Configuration - Administrative Templates - Windows Components - BitLocker Disk Encryption - Operating System Disks.
  3. In the right pane of the Local Group Policy Editor, locate the option "This policy setting allows you to configure to require additional authentication at startup" and double-click it. Notice that there are two configurations with this name in the list, we want the one without the Windows Server name.
  4. In the window that appears, select "Enabled" and make sure "Allow BitLocker without supported TPM" is enabled. Apply the settings made.

This completes the process and you can now enable BitLocker encryption for your Windows 10 system disk partition.

You can also enable the same permission using the registry editor: to do this, in HKEY_LOCAL_MACHINENSOFTWARENPoliciesNMicrosoftFVE create a DWORD parameter called EnableBDEWithNoTPM and set it to 1.

Allow use of BitLocker without supported TPM in Windows 10, 8, and Windows 7

To be able to encrypt the system disk with BitLocker without the TPM, you only have to change a single setting in the Windows local group policy editor.

  1. Press Win + R and type gpedit.msc to run the local group policy editor.
  2. Open the section (folders on the left): Computer Configuration - Administrative Templates - Windows Components - This policy setting allows you to select BitLocker disk encryption - Operating system disks.
  3. On the right side, double click on «This policy setting allows you to configure the requirement for additional authentication at startup.
  4. In the window that opens, set "Enabled" and also make sure that the "Allow BitLocker without a supported trusted platform module" option is checked. (see screenshot).
  5. Apply the changes made.

After that, you can use disk encryption without any error message: just select the system disk in Explorer, right-click and select the context menu item "Enable BitLocker", and then follow the encryption wizard. You can also do it in the "Control Panel" - "BitLocker Disk Encryption".

You can set a password to access the encrypted disk or create a USB device (pendrive) to use as a key.

Note: When encrypting the disk in Windows 10 and 8, you will be asked to save the decryption data to your Microsoft account as well. If you have it properly configured, I recommend that you do it: in my own experience with BitLocker, the code to restore disk access from the account in case of problems may be the only way not to lose your data.