How to enable BitLocker encryption without a TPM chip in Windows
BitLocker is a tool included in Windows 7 (Enterprise and Ultimate), Windows 8.1 (Pro and Enterprise) and Windows 10 (Pro and Enterprise) that can be used to encrypt data on any drive. However, in order to encrypt your system drive, you must have a TPM chip in your computer. If you don't, it is still possible to use BitLocker, but you need to configure Windows so that it allows the use of BitLocker without this chip. In this article I will first explain what a TPM chip is and why it is used, and then how to configure Windows so that it does not require this chip in order to encrypt your system drive with BitLocker. There's plenty of ground to cover, so let's get started:
NOTE: The instructions in this guide apply to Windows 7 Enterprise, Windows 7 Ultimate, Windows 8.1 Pro, Windows 8.1 Enterprise, Windows 10 Pro and Windows 10 Enterprise.
What is a TPM (Trusted Platform Module) chip?
A TPM chip is a device used to generate secure and unique cryptographic keys and store them in an encrypted fashion, so that they can be used to authenticate hardware devices. The cryptographic keys are encrypted and can be decrypted only by the TPM chip that created and encrypted them.
Encryption software like BitLocker in Windows 7, Windows 8.1 and Windows 10 uses the TPM chip to protect the keys used to encrypt your computer's data. The chip is then used to authenticate your encrypted computer and give you access to all the encrypted data once the device trying to access it is identified as trusted. Since the key stored in each TPM chip is unique to that device, encryption software can quickly verify that the system seeking access to the encrypted data is the expected system and not a different one.
Lots of different encryption software uses or supports the use of a TPM chip. Computers with TPM chips are produced by all major vendors (from Acer and Samsung to Dell and HP), but they are included mostly in computers designed for and sold to businesses. TPM chips tend not to be included in computers sold to home users.
If you want to learn more about these chips, we recommend that you read the following articles: Windows Trusted Platform Module Management Step-by-Step Guide and Trusted Platform Module.
Are you trying to use BitLocker without a TPM chip? Windows has a problem with that!
If you are trying to use BitLocker to encrypt your system drive and you don't have a TPM chip in your computer, you will receive an error message. In Windows 7 the message states: "A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found. Please contact your system administrator to enable BitLocker."
In Windows 8.1, the message is clearer: "This device can't use a Trusted Platform Module. Your administrator must set the 'Allow BitLocker without a compatible TPM' option in the 'Require additional authentication at startup' policy for OS volumes."
We like the error message in Windows 8.1 a lot better because it also points you in the right direction and shows you how to fix this problem.
In Windows 10, the message is identical to the one displayed by Windows 8.1: "This device can't use a Trusted Platform Module. Your administrator must set the 'Allow BitLocker without a compatible TPM' option in the 'Require additional authentication at startup' policy for OS volumes."
Read on to learn how to use the Local Group Policy Editor to set the policy that allows you to use BitLocker encryption without a TPM chip.
How to open the Local Group Policy Editor
As stated at the beginning of this article, you can use full system drive encryption with BitLocker, even if you do not have a TPM chip in your computer. However, in order for this to work, you need to edit a policy in Windows, with the help of the Local Group Policy Editor tool.
To start this tool in Windows 7, search for the word "group" or the words "group policy" in the Start Menu search box. Then, click the "Edit group policy" search result.
In Windows 8.1, go to the Start screen and search for the words "group policy". Then, click or tap the "Edit group policy" search result.
In Windows 10, go to the search box on the taskbar and type "group" or "group policy". Then, click or tap the "Edit group policy" search result.
Alternatively, you can use the Run window to run this command: gpedit.msc.
How to modify the BitLocker Drive Encryption policy
This is what the Local Group Policy Editor looks like:
On the left-hand panel, go to the Computer Configuration section and open the following folders: "Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives".
You open them by double-clicking or double-tapping them.
Now look at the right-hand panel and find the setting named "Require additional authentication at startup". Double-click or double-tap it to open this setting.
A window with the properties of this policy is shown. Change the value of this policy to Enabled. Then, check the option that says "Allow BitLocker without a compatible TPM" and press OK.
When done, close the Local Group Policy Editor window. You can now use BitLocker to encrypt your system drive without having a TPM chip in your computer.
Later on, if you want to set things back to the way they were, follow the same procedure and set "Require additional authentication at startup" to Not Configured. Don't forget to click or tap OK to apply the change.
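The following PowerShell script is an added example and is not part of the original article or of any Microsoft documentation. It covers two things the article describes: the check that BitLocker performs before showing the "A compatible Trusted Platform Module (TPM) Security Device must be present" error, and the "Require additional authentication at startup" policy change (enable, inspect, and revert to Not Configured) done from a script instead of the Local Group Policy Editor. It assumes the policy is stored under the registry key HKLM\SOFTWARE\Policies\Microsoft\FVE with the value names EnableBDEWithNoTPM, UseAdvancedStartup and UseTPM/UseTPMPIN/UseTPMKey/UseTPMKeyPIN; confirm those names against the FVE.admx template shipped with your Windows version before relying on them. Get-Tpm exists on Windows 8 and later only, so the script falls back to WMI on Windows 7.

```powershell
# Added example (not from the original article): check for a TPM, read the
# "Require additional authentication at startup" policy state and optionally
# set or clear it. Run from an elevated PowerShell prompt.
# ASSUMPTION: the policy is backed by the key and value names below; verify
# them against the FVE.admx template for your Windows version.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyValues = 'UseAdvancedStartup', 'EnableBDEWithNoTPM',
                'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'

function Test-TpmPresent {
    # Get-Tpm ships with the TrustedPlatformModule module (Windows 8 and later).
    # On Windows 7 fall back to the Win32_Tpm WMI class; no instance means no TPM.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        return [bool]$tpm.TpmPresent
    } catch {
        try {
            $wmi = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                                 -Class Win32_Tpm -ErrorAction Stop
            return ($null -ne $wmi)
        } catch {
            return $false
        }
    }
}

function Get-BitLockerNoTpmPolicy {
    # Reports whether "Allow BitLocker without a compatible TPM" is in effect.
    # Missing values correspond to the policy being "Not Configured".
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TpmPresent      = Test-TpmPresent
        PolicyEnabled   = ($props.UseAdvancedStartup -eq 1)
        AllowWithoutTpm = ($props.UseAdvancedStartup -eq 1 -and
                           $props.EnableBDEWithNoTPM -eq 1)
    }
}

function Enable-BitLockerWithoutTpm {
    # Equivalent of setting the policy to Enabled and ticking the checkbox.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Allow BitLocker without a compatible TPM')) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        # UseAdvancedStartup = 1 is the Enabled state, EnableBDEWithNoTPM = 1 is the
        # checkbox; the UseTPM* values of 2 ("Allow") mirror the dialog defaults.
        $settings = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1
                       UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2 }
        foreach ($name in $settings.Keys) {
            New-ItemProperty -Path $PolicyKey -Name $name -Value $settings[$name] `
                             -PropertyType DWord -Force | Out-Null
        }
    }
}

function Disable-BitLockerWithoutTpm {
    # Equivalent of setting the policy back to Not Configured: remove the values.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set policy to Not Configured')) {
        foreach ($name in $PolicyValues) {
            Remove-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        }
    }
}

# Usage: inspect first, then change only when the article's error would occur.
$state = Get-BitLockerNoTpmPolicy
$state | Format-List
if (-not $state.TpmPresent -and -not $state.AllowWithoutTpm) {
    Write-Host 'No TPM and policy not set: BitLocker will refuse to encrypt the OS drive.'
    # Enable-BitLockerWithoutTpm -WhatIf    # drop -WhatIf to apply the change
}
```

Run it once without changes to see the same state the Local Group Policy Editor shows; the -WhatIf switch prints what would be written without touching the registry. Keep in mind that with this policy set and no TPM, BitLocker will protect the system drive with a startup key or password rather than a TPM-sealed key, so the boot-integrity binding the article attributes to the chip is not available and the strength of the protection rests on that key or password.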
As you can see from this tutorial, it is not very hard to configure BitLocker and Windows to allow you to encrypt the system drive without a TPM chip. However, it involves a few steps and the use of a rather unfamiliar tool, which might scare users at first. If you follow the steps we described, you should have no trouble at all.