How to enable BitLocker encryption without a TPM chip in Windows
BitLocker is a tool included in Windows 10 (Pro and Enterprise), Windows 7 (Enterprise and Ultimate), and Windows 8.1 (Pro and Enterprise) that can be used to encrypt the data on any drive. By default, your computer must have a TPM chip before BitLocker will encrypt the system drive. If you do not have one, you can still use BitLocker, but you first need to configure Windows so that it allows BitLocker without this chip. In this article, we first explain what a TPM chip is and why it is used, and then show how to configure Windows so that it does not require the chip to encrypt your system drive with BitLocker. There is plenty of ground to cover, so let's get started:
NOTE: This guide covers Windows 10, Windows 7, and Windows 8.1, excluding the Home and Starter editions, because BitLocker is not available in those editions. If you do not know your Windows version, read this tutorial: What version of Windows do I have installed?
What is a TPM (Trusted Platform Module) chip?
A TPM chip is a device that generates unique cryptographic keys and stores them in an encrypted form so that they can be used to authenticate hardware devices. The keys are encrypted and can be decrypted only by the same TPM chip that created and encrypted them.
Encryption software like BitLocker in Windows uses the TPM chip to protect the keys that encrypt your computer's data. The chip is then used to authenticate your encrypted computer: you get access to the encrypted data only when the device trying to access it is identified as trusted. Because the key stored in each TPM chip is unique to that device, encryption software can quickly verify that the system seeking access to the encrypted data is the expected system and not a different one.
Many different encryption apps use or support TPM chips. Computers with TPM chips are produced by all major vendors (from Acer to ASUS, Samsung, Lenovo, Dell, and HP), but they are included mostly in computers designed for business use and sold to companies. TPM chips are not usually included in computers sold to home users.
If you want to learn more about these chips, read the following articles: Windows Trusted Platform Module Management Step-by-Step Guide and Trusted Platform Module.
NOTE: This article focuses on using BitLocker for system partitions. If you want to use BitLocker on removable data drives (USB flash drives), read:
- How to encrypt flash drives
- How to unlock encrypted flash drives
- How to manage your BitLocker encrypted flash drive
- How to rescue your data from a BitLocker encrypted flash drive
- How to turn off BitLocker for flash drives
Windows displays an error message when you try to use BitLocker without a TPM chip
If you try to use BitLocker to encrypt your system drive and your computer does not have a TPM chip, you receive an error message. Read this article for the full procedure on encrypting a system partition with BitLocker in Windows.
In Windows, the message is quite clear: "This device can't use a Trusted Platform Module. Your administrator must set the 'Allow BitLocker without a compatible TPM' option in the 'Require additional authentication at startup' policy for OS volumes."
The error message points you in the right direction and shows you how to fix this problem. Let's see how to use the Local Group Policy Editor to set the policy which allows you to use BitLocker encryption without a TPM chip.
1. Open the Local Group Policy Editor
You can use full system drive encryption with BitLocker, even if you do not have a TPM chip in your computer. However, for this to work, you need to edit a policy in Windows, with the help of the Local Group Policy Editor tool.
Search in Windows for "group policy" and click or tap "Edit group policy."
For all the methods to open the Local Group Policy Editor, read 11 ways to open the Local Group Policy Editor in Windows.
2. Change the BitLocker Drive Encryption policy
After you open the Local Group Policy Editor, go to the Computer Configuration section on the left-hand panel and open the following folders: "Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives."
You open them by double-clicking or double-tapping on them. Look at the right-hand panel and search for a setting named "Require additional authentication at startup." Double-click or double-tap on it to open the setting.
A window with the properties of this policy is shown. Change the value of this policy to Enabled. Then, check the option which says "Allow BitLocker without a compatible TPM" and press OK.
When done, close the Local Group Policy Editor window. You can now use BitLocker to encrypt your system drive without having a TPM chip in your computer. You no longer get the message "This device can't use a Trusted Platform Module."
Later on, if you want to set things back to the way they were, follow the same procedure and set "Require additional authentication at startup" to Not Configured. Do not forget to click or tap OK to apply the change.
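Before and after changing the policy, it helps to verify the machine's state from a PowerShell prompt rather than trusting the dialog alone. The script below is an added example, not code from the article: it checks whether a TPM is present, reads the registry values that the "Require additional authentication at startup" policy writes (enabling the policy sets UseAdvancedStartup to 1, and ticking "Allow BitLocker without a compatible TPM" sets EnableBDEWithNoTPM to 1 under HKLM\SOFTWARE\Policies\Microsoft\FVE), and reports the current BitLocker state of the system drive. The function name Get-BitLockerNoTpmReadiness is a hypothetical name chosen for this example; Get-Tpm and Get-BitLockerVolume are the standard Windows cmdlets and require Windows 8.1 or 10 and an elevated prompt. Keep in mind that without a TPM the operating-system drive can only be protected by a password or a USB startup key, and the TPM's measurement of the boot chain is not available, so the policy change trades some pre-boot integrity checking for the ability to encrypt at all.

```powershell
# Added example (not from the article): report TPM presence, the policy
# that allows BitLocker without a TPM, and the BitLocker state of the OS drive.
# Run from an elevated PowerShell prompt on Windows 8.1 or Windows 10.

function Get-BitLockerNoTpmReadiness {
    [CmdletBinding()]
    param(
        # Drive letter of the operating system volume (defaults to C:).
        [string]$MountPoint = $env:SystemDrive
    )

    # 1. Is a TPM present? Get-Tpm fails on machines without the TPM module,
    #    so treat an error as "no TPM".
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)

    # 2. Read the registry values written by the Group Policy setting
    #    "Require additional authentication at startup". If the policy is
    #    Not Configured, the key (or the values) simply do not exist.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    $policyEnabled = ($policy -ne $null) -and ($policy.UseAdvancedStartup -eq 1)
    $noTpmAllowed  = $policyEnabled -and ($policy.EnableBDEWithNoTPM -eq 1)

    # 3. Current BitLocker state of the OS volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    $volumeStatus     = 'Unknown'
    $protectionStatus = 'Unknown'
    $protectors       = ''
    if ($vol) {
        $volumeStatus     = $vol.VolumeStatus
        $protectionStatus = $vol.ProtectionStatus
        # e.g. "Password, RecoveryPassword" on a TPM-less machine
        $protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }

    [pscustomobject]@{
        MountPoint          = $MountPoint
        TpmPresent          = $tpmPresent
        PolicyEnabled       = $policyEnabled
        BitLockerWithoutTpm = $noTpmAllowed
        VolumeStatus        = $volumeStatus
        ProtectionStatus    = $protectionStatus
        KeyProtectors       = $protectors
        # The OS drive can be encrypted when a TPM is present, or when the
        # policy explicitly permits a password/startup-key protector instead.
        CanEncryptOsDrive   = ($tpmPresent -or $noTpmAllowed)
    }
}

Get-BitLockerNoTpmReadiness | Format-List
```

Before you enable the policy on a TPM-less machine the output shows TpmPresent False, BitLockerWithoutTpm False and CanEncryptOsDrive False, which corresponds to the "This device can't use a Trusted Platform Module" message; after step 2 above, BitLockerWithoutTpm and CanEncryptOsDrive turn True. Setting the policy back to Not Configured removes the values from the registry, and the script reports False again.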
Did you manage to allow BitLocker without a compatible TPM?
As you can see from this tutorial, it is not hard to configure BitLocker and Windows so that you can encrypt the system drive even without a TPM chip. It involves a few steps and an unfamiliar tool, which might intimidate users at first, but if you follow the steps we described, you should have no trouble at all. Leave us a comment below with your experience of allowing BitLocker without a compatible TPM.