How to use bitlocker without a trusted platform module (tpm)

Let me state my understanding of self-encrypting drives and how they work.

If you have an SED and a BIOS that supports hard drive passwords, your drive will be protected. Is this the best practice for implementing an SED?

In the hardware encryption discussion, trusted platform modules are discussed. Is their presence a requirement for SED?

If I have no idea what I’m talking about, can someone please explain the purpose of a TPM and whether it is required for an SED?

8 Replies

Typically a TPM is not required, but one can be used if available.

Sorry, I had to paste the link in a text box, as Android Chrome won’t just let me paste it.

Brand Representative for Micron

The SED doesn’t need a TPM, particularly your Crucial SED, and most hardware encryption management software packages don’t require one, either. In BitLocker, though, I believe if you don’t have a TPM, you may be required to use a USB thumbdrive as a key, so you’d need to have the thumbdrive installed whenever you open the encrypted volume.

To lock the drive in BIOS, you will need a BIOS that supports the TRUSTED SEND and TRUSTED RECEIVE commands in order to use your Opal SED, but you’d have to have a really old BIOS that doesn’t. There aren’t very many recent notebooks which don’t have a TPM, for that matter!

Keep in mind that for an SED, the encryption engine is always on, so really all the BIOS has to do is support access control to the encrypted volume.

I have a client that wants a new computer. They are in the financial industry and require encrypted hard drives. I don’t want them to have to pay for software encryption. Do you think SED is my best solution to their situation?

Thanks for the replies!

What version of Windows?

Bitlocker comes with Windows 8.1 pro. No need to buy anything.

Brand Representative for Micron

I agree with Justin! Win8.1 and Win10 Pro BitLocker is a good way to go.

But I do have to say, in data security, as with anything else, you get what you pay for! Why skimp on security, of all things? Surely there are other areas you can save some money on so you can spend a hundred bucks on a full-featured security package.

[EDIT: a hundred bucks for a single-seat license. Clearly SMB and enterprise-class packages would be more.]

Brand Representative for Micron

In Finance and Banking, there are very specific laws regarding data protection, and you really should research those. I think that BitLocker should meet these requirements, but you should verify that!

If you are looking at a “fleet” of notebooks in an enterprise, then you may need to add the MBAM layer. Microsoft BitLocker Admin and Monitoring. And, at that point, I believe it starts to not be free anymore!

Thank you, Justin and Jon, for your replies. After doing some research, I have come up with new questions.

The requirement is pre-boot authentication.

1. BitLocker and non-SED. I would not like to go this route, mainly because of the performance hit from software-based encryption. The client wants the computer to be as fast as possible.

2. BitLocker and SED. Can BitLocker be used strictly for key management? So on boot, pre-boot authentication is required. Can BitLocker be used to authenticate that?

3. SED and ATA password. This would be my preference. I can’t seem to find the answer to this question anywhere on the internet. I know it probably is simple, but I would like to see it in writing from people who have experience with it. If I implement the SED in a computer, apply an ATA password (hard-disk password), and then take out that hard drive and put it in another computer, can it be read? If ATA passwords are enabled, could it be logged into if you know the password? Is the drive fully protected if implemented in this way, or is my understanding wrong?

Thanks again for replies!

I am sure learning a lot!

Brand Representative for Micron

1. Yeah, we’ve measured a 15% to 20% performance hit when running BitLocker software encryption on our SSDs. Still faster than HDD, but not awesome. Frankly, the last time we looked at this was in Windows 7, so an update of the data is probably in order.

2. Yes, in Windows 8.1 and 10 (Pro and Enterprise editions). The login process in BitLocker looks the same to the user, regardless of whether you’re encrypting via hardware or software. BitLocker asks for your PIN prior to booting the OS. What this does is ensure that no OS application can attempt to hack your PIN.

3. If you are protecting only one computer, the ATA Security features in your BIOS are perfectly adequate (in fact, unless you’re in an enterprise managing lots of notebooks, I think the BIOS solution is cleaner and easier).

Regardless of the choice you make for encryption security, you will be able to access this drive on another computer if you have the correct PIN/password. When it gets down to brass tacks, your security is only as strong as your password. If your password is “password” all the encryption in the world won’t help you. I might recommend taking advantage of a fingerprint reader or a Smart card for authentication. I haven’t tried Windows “Hello”, yet, but I hear it’s pretty cool (not sure if it can be used for pre-boot authentication).

Chris Hoffman is Editor-in-Chief of How-To Geek. He’s written about technology for over a decade and was a PCWorld columnist for two years. Chris has written for The New York Times, been interviewed as a technology expert on TV stations like Miami’s NBC 6, and had his work covered by news outlets like the BBC. Since 2011, Chris has written over 2,000 articles that have been read nearly one billion times—and that’s just here at How-To Geek. Read more.

BitLocker’s full-disk encryption normally requires a computer with a Trusted Platform Module (TPM). Try to enable BitLocker on a PC without a TPM, and you’ll be told your administrator must set a system policy option.

BitLocker is available only on Professional, Enterprise, and Education editions of Windows. It’s also included with Windows 7 Ultimate, but isn’t available on any Home editions of Windows.

Why Does BitLocker Require a TPM?

BitLocker normally requires a Trusted Platform Module, or TPM, on your computer’s motherboard. This chip generates and stores the actual encryption keys. It can automatically unlock your PC’s drive when it boots so you can sign in just by typing your Windows login password. It’s simple, but the TPM is doing the hard work under the hood.

If someone tampers with the PC or removes the drive from the computer and attempts to decrypt it, it can’t be accessed without the key stored in the TPM. The TPM won’t work if it’s moved to another PC’s motherboard, either.

You can buy and add a TPM chip to some motherboards, but if your motherboard (or laptop) doesn’t support doing so, you may want to use BitLocker without a TPM. It’s less secure, but better than nothing.

How to Use BitLocker Without a TPM

You can bypass this limitation through a Group Policy change. If your PC is joined to a business or school domain, you can’t change the Group Policy setting yourself. Group policy is configured centrally by your network administrator.

If you’re just doing this on your own PC and it isn’t joined to a domain, you can use the Local Group Policy Editor to change the setting for your own PC.

To open the Local Group Policy Editor, press Windows+R on your keyboard, type “gpedit.msc” into the Run dialog box, and press Enter.

Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the left pane.

Double-click the “Require additional authentication at startup” option in the right pane.

Select “Enabled” at the top of the window, and ensure the “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)” checkbox is enabled here.

Click “OK” to save your changes. You can now close the Group Policy Editor window. Your change takes effect immediately—you don’t even need to reboot.

How to Set Up BitLocker

You can now enable, configure, and use BitLocker normally. Head to Control Panel > System and Security > BitLocker Drive Encryption and click “Turn on BitLocker” to enable it for a drive.

You’ll first be asked how you want to unlock your drive when your PC boots up. If your PC had a TPM, you could have the computer automatically unlock the drive or use a short PIN that requires the TPM present.

Because you don’t have a TPM, you must choose to either enter a password each time your PC boots, or provide a USB flash drive. If you provide a USB flash drive here, you’ll need that flash drive connected to your PC each time you boot up your PC to access the files.

Continue through the BitLocker setup process to enable BitLocker drive encryption, save a recovery key, and encrypt your drive. The rest of the process is the same as the normal BitLocker setup process.

When your PC boots, you’ll have to either enter the password or insert the USB flash drive you provided. If you can’t provide the password or USB drive, BitLocker won’t be able to decrypt your drive and you won’t be able to boot into your Windows system and access your files.
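The Group Policy change and wizard steps described above (the same procedure is repeated in several of the later write-ups on this page) can be done end to end from an elevated PowerShell session. This is an added example, not code from How-To Geek or any of the other articles; it assumes a non-domain-joined Windows 10/11 Pro machine, an OS volume of C:, and a second drive D: to hold the recovery key backup.

```powershell
#Requires -RunAsAdministrator
# Added example: enable BitLocker on a PC that has no TPM, from PowerShell.
# Assumptions (not from the article): non-domain-joined Windows 10/11 Pro,
# OS volume C:, recovery key backed up to D:\BitLockerRecovery (never the OS drive).
$OsDrive        = "C:"
$RecoveryFolder = "D:\BitLockerRecovery"

# 1. Report TPM state. If a ready TPM exists the policy change below is not needed;
#    a TPM (ideally TPM+PIN) is the stronger configuration.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  TPM ready: $($tpm.TpmReady)"

# 2. Local-policy equivalent of "Require additional authentication at startup" = Enabled
#    with "Allow BitLocker without a compatible TPM" checked. gpedit.msc stores this
#    policy under the FVE key; on a domain-joined machine set it in a domain GPO instead.
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
$policy = [ordered]@{
    UseAdvancedStartup = 1   # the policy itself is Enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
    UseTPM             = 2   # remaining options: 2 = Allow (the dialog's defaults)
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $PolicyKey -Name $name -Value $policy[$name] `
        -PropertyType DWord -Force | Out-Null
}

# 3. Create the recovery password first and back it up off the drive being encrypted,
#    so the volume is never left with a single protector.
$vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword" |
       Select-Object -Last 1
New-Item -ItemType Directory -Path $RecoveryFolder -Force | Out-Null
$rp | Select-Object KeyProtectorId, RecoveryPassword |
    Out-File -FilePath (Join-Path $RecoveryFolder "recovery-$($rp.KeyProtectorId).txt")

# 4. Enable BitLocker with a password protector: what the wizard's "Enter a password"
#    choice does when no TPM is available. Read it interactively so it is never
#    stored in the script.
$pw = Read-Host -AsSecureString -Prompt "Startup password for $OsDrive"
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $pw -UsedSpaceOnly -SkipHardwareTest | Out-Null

# 5. Verify: protectors should be RecoveryPassword and Password, with no Tpm entry,
#    and encryption should be in progress.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = "Protectors"; e = { $_.KeyProtector.KeyProtectorType -join ", " } }
```

The recovery text file is the only way back into the volume if the password is forgotten, so move it somewhere safe and delete the local copy once it is stored.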

Sometimes, after you use BitLocker to encrypt drives, you might also want to set a PIN for Windows 10 BitLocker to protect BitLocker against pre-boot attacks.

Enable a Pre-Boot BitLocker Pin Overview

To make BitLocker prompt for a password at boot, you need a pre-boot password for this full disk encryption. Even though the system drive is encrypted and you have also added a PIN for BitLocker on Windows 10, BitLocker may still prompt at startup for a password instead of a PIN.

Comparing password and PIN, most users prefer to enable the pre-boot BitLocker PIN on Windows 10 rather than a password. If you would rather boot with a BitLocker Drive Encryption password, you can also disable pre-boot PIN authentication so that BitLocker stops asking for a PIN.

This article focuses on how to allow an enhanced PIN for startup with BitLocker, that is to say, how to enable a pre-boot BitLocker PIN on Windows 10.

How to Enable a Pre-Boot BitLocker PIN on Windows?

Before you start setting up a pre-boot BitLocker PIN in Windows 10, make sure you have turned on BitLocker encryption. If your Windows 10 PC has no Trusted Platform Module chip, you can try enabling BitLocker without a TPM first.

Then you can use the Group Policy Editor to enable BitLocker pre-boot authentication in Windows 10.

1. Hit Windows +R to activate the Run box.

2. Type in gpedit.msc in the box and click OK to navigate to Group Policy.

3. In Local Group Policy, follow the path:

Computer Configuration / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

4. Under Operating System Drives, locate Require additional authentication at startup in the right pane, right-click it and choose Edit.

5. Set Require additional authentication at startup to Enabled, then under Configure TPM startup PIN select Require startup PIN with TPM.

Finally, click Apply and OK for the change to take effect.

At this point you will have successfully enabled the pre-boot BitLocker PIN policy for Windows 10. If you also want to add a PIN for BitLocker, read on.

How to Add a Pre-boot BitLocker PIN to Windows 10?

It is rather simple to create a PIN for BitLocker at startup once you have chosen to make BitLocker prompt for a password at boot.

1. Type in Command Prompt in the Start search box and then right click the best result to Run as administrator.

2. Enter manage-bde -protectors -add C: -TPMAndPIN in the command prompt and press Enter to run it.

If your encrypted drive is not Local Disk C:, replace C: in this command with the letter of that drive.

Then you will be prompted to enter a PIN for Windows 10 BitLocker and confirm it again.

3. Check that the key protectors were added by entering the command: manage-bde -status

Once you have added the pre-boot BitLocker PIN on Windows 10, the next time you boot your PC you will need to authenticate to BitLocker with the PIN.

How to Change BitLocker PIN Windows 10?

If you later want to change the enhanced PIN in BitLocker, run the command manage-bde -changepin C: in an elevated Command Prompt.

After you type the new PIN in the command prompt and confirm it, you are required to enter this new pre-boot PIN for BitLocker Drive Encryption before the system starts.

In a word, this post concentrates on enabling a pre-boot PIN in BitLocker and also shows how to add and change the BitLocker PIN on Windows 10. If you want to disable the pre-boot BitLocker PIN after some time, just do the opposite.
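As an added example (not from the article above), here is the TPM-plus-PIN setup from the steps above done in PowerShell with the built-in BitLocker cmdlets, including the safety checks that the manage-bde one-liner skips. It assumes an already BitLocker-encrypted C: on a Windows 10/11 Pro machine with a ready TPM; the registry value names are the ones the Local Group Policy Editor writes for the "Require additional authentication at startup" policy.

```powershell
#Requires -RunAsAdministrator
# Added example: switch an already encrypted OS volume to TPM+PIN pre-boot
# authentication. Assumptions (not from the article): OS volume C:, Windows 10/11 Pro,
# and a TPM that is present and ready.
$OsDrive = "C:"

# 1. A startup PIN is bound to the TPM, so refuse to continue without a ready one.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM on this machine; a TPM+PIN protector cannot be created."
}

# 2. Policy values behind "Require additional authentication at startup" = Enabled and
#    "Configure TPM startup PIN" = "Require startup PIN with TPM" (0 = Do not allow,
#    1 = Require, 2 = Allow). UseEnhancedPin corresponds to "Allow enhanced PINs for
#    startup", which lets the PIN contain letters and symbols, not just digits.
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
$settings = @{ UseAdvancedStartup = 1; UseTPMPIN = 1; UseEnhancedPin = 1 }
foreach ($setting in $settings.GetEnumerator()) {
    New-ItemProperty -Path $PolicyKey -Name $setting.Key -Value $setting.Value `
        -PropertyType DWord -Force | Out-Null
}

# 3. Never touch the TPM protector without a recovery password on the volume:
#    if the PIN step fails halfway, the recovery password is the only way back in.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -eq "FullyDecrypted") {
    throw "$OsDrive is not BitLocker-encrypted; enable BitLocker first."
}
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    $vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
    Write-Warning "A recovery password was added; back it up (manage-bde -protectors -get $OsDrive) before rebooting."
}

# 4. A volume carries only one TPM-family protector, so drop the TPM-only one and add
#    TPM+PIN. This is the cmdlet form of: manage-bde -protectors -add C: -TPMAndPIN
$vol.KeyProtector | Where-Object KeyProtectorType -eq "Tpm" | ForEach-Object {
    Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $_.KeyProtectorId | Out-Null
}
$pin = Read-Host -AsSecureString -Prompt "New startup PIN for $OsDrive"
Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin | Out-Null

# 5. Verify: the list should now show TpmPin plus RecoveryPassword. The PIN is
#    requested at the next boot. To rotate it later: manage-bde -changepin C:
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```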

Use BitLocker without a Trusted Platform Module Overview:

Usually, a Trusted Platform Module (TPM) is required to use BitLocker on Windows 10. You may already know which versions of Windows have BitLocker, a full disk encryption feature: Windows Vista, Windows 7 Ultimate and Enterprise, and Windows 8/10 Pro and Enterprise, but there is no BitLocker in Windows 10 Home. So how to allow BitLocker with a TPM on Windows Home editions should not concern you.

As for why you need a Trusted Platform Module 2.0 or 1.2 to use BitLocker on Windows 10, the reason is that this TPM chip can generate and store encryption keys, which lets BitLocker fully encrypt sensitive data for you. So you may as well learn more about the TPM in order to use BitLocker on Windows 10 more smoothly.

What is Trusted Platform Module?

What does a TPM do? You may wonder why locking a folder in Windows 10 using BitLocker needs this component. The TPM (Trusted Platform Module) is a chip specialized in authenticating encrypted data and granting you access to the folders or drives that have proved trusted, thus giving your PC some advanced security functions.

Normally, as the TPM holds and stores the encryption keys for BitLocker on Windows 10, without it BitLocker can still encrypt the drive or data but cannot keep the unlock keys in a TPM. That is why most users would do better to turn on BitLocker to encrypt drives and portable storage with a TPM.

Though only computers with a TPM offer this protection when someone else tries to access Windows 10, a TPM is not a must for BitLocker. You can allow BitLocker without a compatible TPM.

How to Use BitLocker without TPM?

More often than not, when you enable BitLocker Drive Encryption to encrypt a drive on a Windows 10 computer that has no TPM 2.0 chip, it displays a BitLocker error like the screenshot below saying This device can’t use a Trusted Platform Module.

What can you do to allow Windows 10 BitLocker without a compatible TPM, such as an ASUS TPM chip, Intel TPM 2.0 module or Gigabyte TPM module?

In fact, whether you are using an old hard disk or a new one, it is possible that no Trusted Platform Module exists on your Windows 10 machine; the computer manufacturer simply has not fitted one. But you can still allow BitLocker in Windows 10 without a TPM. Even without a Trusted Platform Module on Windows 7 or Windows 10, you can easily enable BitLocker Drive Encryption in Group Policy.

At first, you need to make sure you have administrative privileges.

1. Press Windows + R to open the Run box.

2. In the box, enter gpedit.msc and then click OK.

3. In Local Group Policy, follow this path in the left pane:
Computer Configuration / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

4. Under Operating System Drives, on the right pane, locate Require additional authentication at startup, right-click it and choose Edit.

5. In the Require additional authentication at startup window, select Enabled and then tick Allow BitLocker without a compatible TPM.

After that, hit Apply and OK.

6. Close the Local Group Policy Editor.

Now you can set up BitLocker Drive Encryption without a Trusted Platform Module; instead of the TPM, a password or a startup key on a USB flash drive unlocks the drive that BitLocker encrypts.

Hopefully the steps above help you use BitLocker when there is no TPM chip in your laptop or desktop. Now you can turn on Windows 10 BitLocker with or without a TPM.

BitLocker is a feature included free of charge in the Microsoft operating systems Windows Vista, Windows 7 Ultimate and Windows 7 Enterprise to protect the data on the hard drive. With BitLocker we can encrypt both the system partition and the data partitions of the hard disk, but to do this we need a Trusted Platform Module (TPM). Not all computers/laptops have this TPM integrated, and when you try to activate BitLocker on a partition you get the message:

A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found. Please contact your system administrator to enable BitLocker.

How can we use BitLocker if we do not have a Trusted Platform Module (TPM)?

1. Open the Local Group Policy Editor (Run > gpedit.msc, or type “gpedit.msc” in Search programs and files in the Start Menu).

2. In the Local Group Policy Editor go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives and right-click > Edit (or double-click) Require additional authentication at startup.

3. Select “Enabled” for Require additional authentication at startup and make sure the Allow BitLocker without a compatible TPM box is checked.

4. Click Apply, then OK, and restart the computer.

We’ll also explain what the heck it means

I recently tried to enable BitLocker on an old Windows 10 PC at home and got an error message that I found would be extremely cryptic to anyone who isn’t a computer geek. Here was the message:

This device can’t use a Trusted Platform Module. Your administrator must select the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes.

Say what!? Most people will probably just cancel the operation and forget about the whole thing with a message like that. Unfortunately, Microsoft never makes error messages clear and simple to understand. Let’s break it down.

1. Trusted Platform Module (TPM) – This is basically a chip in newer processors that has extra security features. When BitLocker uses TPM, it stores the encryption key on the chip itself. If you don’t have a CPU that supports TPM, then you can still use BitLocker, but you’ll have to store the encryption key on a USB stick.

2. Administrator Policy – So what’s all the stuff about selecting X and Y policy for OS volumes? Basically, it’s a group policy setting that has to be changed that will allow BitLocker to work without the TPM requirement.

The fix is pretty straightforward; just follow the instructions and don’t make any other changes.

Allow BitLocker Without Compatible TPM

Step 1 – Open the Group Policy Editor by pressing the Windows Key + R or by clicking on Start in Windows 10 and typing in Run. In the Run dialog box, go ahead and type in gpedit.msc and press Enter.

Now expand to the following section under group policy:

On the right-hand side, you will see an option called Require additional authentication at startup. Go ahead and double-click on that option.

By default, it is set to Not Configured, so you’ll have to click on the Enabled radio button. Automatically, it should check the Allow BitLocker without a compatible TPM box, but if not, make sure to check it.

Click OK and then close out group policy. Now go back to the BitLocker screen and click the Turn on BitLocker link.

Now instead of getting an error message, you should see the BitLocker setup screen. When you click Next, it’ll start setting up your hard drive for BitLocker.

Again, there is no real security disadvantage to using BitLocker without a TPM, it’s just that the encryption key has to be stored on a USB drive instead of being stored on the chip itself. If you’re still having issues enabling BitLocker on Windows 8 or Windows 10, post a comment and let us know. Enjoy!

Founder of Help Desk Geek and managing editor. He began blogging in 2007 and quit his job in 2010 to blog full-time. He has over 15 years of industry experience in IT and holds several technical certifications. Read Aseem’s Full Bio

Last Updated: July 7, 2019

Category: Windows 10, Security

In this post, I’ll walk you through the steps to enable BitLocker encryption on Windows 10 without a TPM. BitLocker is an encryption feature available in the Windows 10 Professional and Enterprise editions. However, it requires a Trusted Platform Module (TPM) on the system.

In addition, BitLocker provides the best security when used with a TPM. But not all systems include a TPM chip, and in this post we will see how to bypass that requirement so you can use BitLocker.

In short, we will enable a policy named Require additional authentication at startup. Under this policy, we enable the setting Allow BitLocker without a compatible TPM. If you enable this policy, either a password or a USB drive is required at start-up.

BitLocker Encryption – Important Points

  1. As mentioned earlier, BitLocker Drive Encryption is available only on the Windows 10 Pro and Windows 10 Enterprise editions.
  2. It is always recommended to have a TPM chip when enabling BitLocker drive encryption.
  3. Above all, ensure the computer’s BIOS is updated to the latest version.
  4. BitLocker drive encryption takes time to complete. There is no specific duration; it depends on the amount of data and the size of the drive.
  5. When you enable BitLocker encryption on Windows 10, keep your computer connected to an uninterrupted power supply throughout the entire process.

BitLocker Encryption Without TPM

So what happens when you enable BitLocker encryption on a Windows 10 machine that has no TPM chip? It shows the following message.

This device cannot use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require addition authentication at start-up” policy for OS volumes.

Enable BitLocker Encryption on Windows 10 without TPM

Here are the steps required to enable BitLocker encryption on a Windows 10 machine.

Configure Require Additional Authentication at Startup

  • On the Windows 10 computer, open Run and enter gpedit.msc.
  • This brings up the Local Group Policy Editor.
  • Under Computer Configuration, expand Administrative Templates > Windows Components and then BitLocker Drive Encryption.
  • Click Operating System Drives; on the right pane you will find many settings. Double-click Require additional authentication at startup.

By default the Require additional authentication at startup policy is Not Configured. To enable it, click Enabled. The remaining options are enabled automatically; keep them at their defaults. Click OK and close the Group Policy Editor.

Enable BitLocker Drive Encryption

We will now enable BitLocker drive encryption on the Windows 10 machine. Go to Control Panel and click BitLocker Drive Encryption.

This brings up the BitLocker Drive Encryption setup. There are two steps in the BitLocker encryption process.

First step: Preparing your drive for BitLocker. Notice that it advises you to back up critical files and data before you proceed. Click Next.

Click Next.

In this step you have to either insert a USB flash drive or choose a password. I will go with the Enter a password option.

To unlock the encrypted drive, enter a strong password. Click Next.

Backup Recovery Key

In the next step you will be asked how you want to back up your recovery key. You get three options here.

  • Save to a USB flash drive
  • Save to a file
  • Print the recovery key

All of the above options are self-explanatory. Choose whichever one suits you and click Next.

You now see the option to choose how much of your drive to encrypt. If you want to complete the encryption quickly, the first option is the sensible choice in my opinion.

  • Encrypt used disk space only
  • Encrypt entire drive

Click Next.

Select New encryption mode and click Next. I chose this option because I am running the latest version of Windows 10.

Click Continue. After you press Continue, you have to restart your computer.

On reboot, BitLocker asks for the password to unlock the drive. Enter the password and hit Enter. If you press the Esc key instead, the system will reboot and BitLocker drive encryption will not be enabled; you will have to sign in and enable BitLocker again.

BitLocker Drive Encryption

To monitor BitLocker drive encryption, go to Control Panel and click BitLocker Drive Encryption. You will see that BitLocker is encrypting your hard drive.

Once BitLocker drive encryption is complete, you will see BitLocker On.

Furthermore, you can also see a lock icon on the C: drive if you open Explorer > This PC.

Deploy BitLocker without a Trusted Platform Module (TPM)

It is certainly ideal to configure BitLocker with a TPM if possible, but it may be the case that you do not have a TPM available and still want to take advantage of BitLocker’s full disk encryption. While this is not possible by default, it is possible after modifying some group policy settings, which we’ll cover here in order to allow you to deploy BitLocker without a trusted platform module.

This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.

Install BitLocker Feature

Before we begin, you will need to install the BitLocker feature in order to proceed. The quickest way to do this is by running the PowerShell cmdlet below, which installs the BitLocker feature; note that this will reboot your system to complete the process because of the -Restart parameter on the end.

Configure Group Policy

Enabling use of BitLocker without a TPM can be set through the following group policy:

Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup

Once this policy is set to Enabled, we can select “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)”.

Once the policy changes have rolled out to the computers the policy is linked to, BitLocker can be configured. If this policy is not set and you have no TPM and attempt to enable BitLocker following the steps below, you will receive the below error message telling you to perform the above process first.

Deploy BitLocker without a Trusted Platform Module

Now that the policy has been set to allow us to enable and use BitLocker without TPM we can proceed.

On the Windows computer on which you wish to enable BitLocker, open “This PC”, right-click the drive that you wish to encrypt and click Turn on BitLocker. In this example we’re using the operating system’s primary boot drive.

The BitLocker Drive Encryption wizard will now open. Select whether you’re using a USB flash drive or a password. At least one of these options must be used, as we are not using a TPM.

In this example we will use the password method; be sure to set a strong password.

Next you need to save the recovery key. This can be done by saving it to a USB flash drive (not the same one that you would use for the startup key), to a file (this cannot be on the same drive that is about to be encrypted), or you can optionally print it. Keep the recovery key safe: if you forget or lose the BitLocker password, the recovery key is the only way that you’ll be able to read the encrypted data. Without either you will lose all access; recovery is impossible.

Now you can select how much of the drive you want to encrypt. You can either encrypt only the space that is actually used, or encrypt the full disk straight up. Personally I always choose to just do the whole thing from the get go.

Choose the encryption mode to use: basically, if you’re going to be accessing the disk with versions of Windows older than 10, you will need to select the compatible mode.

Finally select continue in order to encrypt the drive. Leave the run BitLocker system check box selected to ensure that there will be no problems prior to encrypting the drive. If problems are detected, encryption will not begin.

You will now be prompted to perform the reboot to start the BitLocker system check.

Assuming everything runs smoothly, you will be prompted for the BitLocker password on system boot.

After you log back in you’ll be able to view the status of the BitLocker encryption, assuming the check was successful. This can be done by running ‘manage-bde -status’ in PowerShell. The “Key Protectors” list shows Password only, as this is what we are using. If a TPM were in use, it would be listed here too.

That’s it; the disk will continue encrypting in the background, and BitLocker has successfully been set up without a TPM.

Summary

After configuring the appropriate group policy setting we were able to deploy BitLocker without a trusted platform module available.

I found the following instructions and they work:

“Thank you for being a part of Windows 10 Technical Preview testing.

You can use Bit locker in Windows 10 without TPM. I would suggest you to try the following steps.

How to Configure Computer to Enable BitLocker without Compatible TPM:

Administrators must follow the steps below to configure their Windows 8 computers to allow enabling BitLocker Drive Encryption without a compatible TPM:

a. Log on to Windows 10 computer with the account that has administrative privileges.

b. Assuming that the computer has been configured to display the classic start menu, click Start and at the bottom of the menu, in the search box, type the GPEDIT.MSC command and press the Enter key.

c. In the opened Local Group Policy Editor snap-in, from the left pane expand Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption and from the expanded list click to select Operating System Devices.

d. From the right pane double-click “Require additional authentication” at startup.

e. In the opened box click to select the Enabled radio button and ensure that under the Options section the Allow BitLocker without a compatible TPM checkbox is checked.

f. Once done, click Ok button to allow the changes to take effect and close Local Group Policy Editor snap-in.”

I never could have set up Bitlocker without this.