Use BitLocker Without a Trusted Platform Module (TPM)
How to Use BitLocker Without a TPM
If you’re just doing this on your own PC, and it isn’t joined to a domain, you can use the Local Group Policy Editor to change the setting for your own PC.
To open the Local Group Policy Editor, press Windows+R on your keyboard, type “gpedit.msc” into the Run dialog box, and press Enter.
Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the left pane.
Double-click the “Require additional authentication at startup” option in the right pane.
Select “Enabled” at the top of the window, and make sure the “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)” checkbox is checked. (Checking it is what lets the BitLocker wizard offer the password and USB startup-key options later; leaving the policy Enabled without it changes nothing for a PC with no TPM.)
Click “OK” to save your changes. You can now close the Group Policy Editor window. Your change takes effect immediately—you don’t even need to reboot.
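The policy editor only writes registry values, so the same change can be scripted, which is useful when you have to do it on more than one PC or want to verify that it is actually in place. The following is an added PowerShell example, not code from the original article: it writes the values that “Require additional authentication at startup” stores under HKLM\SOFTWARE\Policies\Microsoft\FVE and then checks them. The function names are made up for this example; the value names and meanings are the ones the policy itself uses (1 = enabled for the two flags, 2 = “Allow” for the four TPM usage values).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): set and verify the
# "Require additional authentication at startup" policy by registry.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-BitLockerNoTpmPolicy {
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    $values = @{
        UseAdvancedStartup = 1   # policy state: Enabled
        EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM" checkbox
        UseTPM             = 2   # 2 = Allow (the defaults the policy UI writes)
        UseTPMPIN          = 2
        UseTPMKey          = 2
        UseTPMKeyPIN       = 2
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-BitLockerNoTpmPolicy {
    # Returns $true only when both the policy is Enabled and the no-TPM box is checked.
    $p = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

Set-BitLockerNoTpmPolicy
if (Test-BitLockerNoTpmPolicy) {
    'Policy in place: BitLocker can be turned on without a TPM.'
} else {
    throw 'Policy values were not written; check that the shell is elevated.'
}
```

On a domain-joined PC these values are owned by Group Policy and will be overwritten at the next policy refresh, so there the setting has to come from a domain GPO, as the article notes.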
How to Set Up BitLocker
You can now enable, configure, and use BitLocker normally. Head to Control Panel > System and Security > BitLocker Drive Encryption and click “Turn on BitLocker” to enable it for a drive.
You’ll first be asked how you want to unlock your drive when your PC boots up. If your PC had a TPM, you could let the TPM release the key automatically once it has checked that the boot environment is unchanged, or add a short PIN on top of that check.
Because you don’t have a TPM, you must choose to either enter a password each time your PC boots, or provide a USB flash drive holding a startup key. If you choose the USB flash drive, you’ll need it connected each time you boot to access the files. Keep in mind what you are giving up: without a TPM nothing verifies the boot chain, and the password or startup key is the only thing standing between an attacker with the disk and your data. Use a long passphrase rather than a short password, and treat the USB drive as a key: the startup key file on it unlocks the drive with no password at all.
Continue through the BitLocker setup process to enable BitLocker drive encryption, save a recovery key, and encrypt your drive. Save the recovery key somewhere other than the drive you are encrypting. The rest of the process is the same as the normal BitLocker setup process.
When your PC boots, you’ll have to either enter the password or insert the USB flash drive you provided. If you can’t provide the password or USB drive, BitLocker won’t be able to decrypt your drive and you won’t be able to boot into your Windows system and access your files.
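The same setup can be done with the BitLocker cmdlets, which also makes it easy to confirm that no TPM is in play and to get the recovery password out to another volume. The following is an added PowerShell example, not code from the original article. It assumes C: is the operating system drive, that a second volume mounted as E: (a USB stick, say) is available for the recovery file, and that the no-TPM policy from the previous section is already in place; the function names are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): turn on BitLocker for the
# OS drive with a startup password, add a recovery password, save it off-drive.
$OsDrive = 'C:'                                # assumption: C: is the OS volume
$RecoveryExportDir = 'E:\BitLockerRecovery'    # assumption: E: is a different, removable volume

function Test-TpmUsable {
    # Get-Tpm is in the TrustedPlatformModule module; with no TPM it reports
    # TpmPresent = $false or errors out, which is the situation this page covers.
    try {
        $t = Get-Tpm -ErrorAction Stop
        return [bool]($t.TpmPresent -and $t.TpmReady)
    } catch {
        return $false
    }
}

function Enable-OsDriveBitLockerWithPassword {
    param([Parameter(Mandatory)][securestring]$Password)
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    if ($vol.ProtectionStatus -eq 'On') { return $vol }   # already protected; do nothing
    # A password protector takes the place of the TPM protector. This call fails
    # unless "Allow BitLocker without a compatible TPM" is enabled by policy.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -PasswordProtector -Password $Password -SkipHardwareTest | Out-Null
    # A 48-digit recovery password is the fallback if the startup password is lost.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    return Get-BitLockerVolume -MountPoint $OsDrive
}

function Export-RecoveryPassword {
    # Write the recovery password to the other volume, never to the drive being encrypted.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) { throw 'No recovery password protector found.' }
    New-Item -ItemType Directory -Path $RecoveryExportDir -Force | Out-Null
    $file = Join-Path $RecoveryExportDir ('recovery-{0}.txt' -f $rp.KeyProtectorId.Trim('{}'))
    "Identifier: $($rp.KeyProtectorId)`r`nRecovery Key: $($rp.RecoveryPassword)" | Set-Content -Path $file
    return $file
}

if (Test-TpmUsable) {
    Write-Warning 'A usable TPM is present; TPM+PIN is the stronger choice over a password-only protector.'
}
$pw = Read-Host -AsSecureString -Prompt 'Startup password (use a long passphrase; it is the only protection for the key)'
$vol = Enable-OsDriveBitLockerWithPassword -Password $pw
"Volume status: $($vol.VolumeStatus); protection: $($vol.ProtectionStatus)"
"Recovery password saved to: $(Export-RecoveryPassword)"
```

For the USB startup-key option instead of a password, replace `-PasswordProtector -Password $Password` with `-StartupKeyProtector -StartupKeyPath 'E:\'`; BitLocker then writes the startup key file to that volume, and, as noted above, whoever holds that stick can unlock the drive.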