How to use BitLocker without a Trusted Platform Module (TPM)

BitLocker is a form of full-disk encryption for Windows that normally requires a Trusted Platform Module. The TPM is a hardware component on your motherboard that stores your encryption keys in a secure environment. It simplifies the whole login process by automatically unlocking your PC’s drive during boot, allowing you to sign in with your Windows password, while it manages the complicated encryption tasks behind the scenes. If anyone tampers with your PC or removes the drive, the data remains inaccessible without the encryption key stored in the TPM. However, not all PCs have a TPM. When attempting to enable BitLocker on such devices, you’ll encounter a prompt indicating that a system policy adjustment by your administrator is necessary. While some motherboards allow for the addition of a TPM chip, not all systems support this upgrade. In these cases, BitLocker can still be enabled by modifying system settings, providing a less secure but functional encryption alternative. This guide explains how to get around the TPM requirement and use BitLocker effectively on systems without this hardware.

Note: BitLocker is available only in Windows Professional, Enterprise, and Education editions. It’s also included with Windows 7 Ultimate but isn’t available on any Windows Home edition.

Steps in using BitLocker without a TPM

Step 1: Adjust group policy settings

You can overcome this limitation by editing a Group Policy setting. However, if your PC is joined to a business or school domain, the Group Policy is centrally managed by the network administrator, and you won’t have access to make the change by yourself. If your PC isn’t joined to a domain and you’re managing it independently, you can change the setting using the Local Group Policy Editor.

Open the Local Group Policy Editor:

• Press Windows + R
• Type “gpedit.msc” and press Enter

Navigate to the following location:

• Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

Modify the policy:

• On the right side, find and double-click “Require additional authentication at startup”
• Choose “Enabled”
• Put a check in the checkbox “Allow BitLocker without a compatible TPM”

Save changes:

• Click OK to save and close the Group Policy Editor.
• No system reboot is required for this change to take effect.

Step 2: Enable and set up BitLocker

Access BitLocker settings:

• Go to Control Panel > System and Security > BitLocker Drive Encryption
• Click “Turn on BitLocker” for the desired drive

Select an unlock method:

• Choose between entering a password at each boot or using a USB flash drive for startup authentication.

Select an unlock method:

• Choose between entering a password at each boot or using a USB flash drive for startup authentication.

Complete the setup process:

• Save a recovery key for emergency use.
• Encrypt your drive.

Use the chosen unlock method:

• On each boot, provide the password or insert the USB flash drive to access your files. Without these, the drive remains encrypted, and Windows cannot boot.

Conclusion

While BitLocker typically requires a Trusted Platform Module (TPM) for optimal security, it is still possible to use this powerful encryption tool on systems without a TPM by adjusting Group Policy settings. By following the steps in this guide, you will know how to enable BitLocker, and how to use a password or a USB flash drive as an authentication method to access your data. Although this approach is less secure than using a TPM, it provides a functional encryption solution for PCs that lack the required hardware. Last but not least, protecting your sensitive data is crucial, even with these limitations, and remains a critical step toward securing your information from unauthorized access.

tzuhsuanchen2256

19 Jan 2025, 3 min read