Enable BitLocker Drive Encryption without a TPM
Procedures to change your computer’s Group Policy settings so that you can enable BitLocker Drive Encryption without a TPM. Without a TPM, BitLocker uses a startup key to authenticate you; the key is stored on a USB flash drive that must be inserted into the computer before it is turned on. In such a scenario, your computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). The hardware test near the end of the BitLocker setup wizard checks whether your BIOS can do this.
Before you start:
- You must be logged on as an administrator.
- You must have a USB flash drive to save the recovery password.
- We recommend a second USB flash drive to store the startup key separate from the recovery password.
To turn on BitLocker Drive Encryption on a computer without a compatible TPM:
- Click Start, type gpedit.msc in the Start Search box, and then press ENTER.
- If the User Account Control dialog box appears, verify that the proposed action is what you requested, and then click Continue.
- In the left pane of Group Policy, click/tap on to expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and Operating System Drives.
- In the right pane of Operating System Drives, double click/tap on Require additional authentication at startup to edit it.
- Select Enabled, check the Allow BitLocker without a compatible TPM box, and click/tap on OK.
NOTE: Not Configured is the default setting.
- Close the Group Policy Object Editor.
- To force Group Policy to apply immediately, type gpupdate.exe /force in the command prompt, and then press ENTER. Wait for the process to finish.
- Now you can enable BitLocker from Control Panel to encrypt your hard drive or your USB flash drive.
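The same procedure from an elevated PowerShell prompt, as an added example that is not part of the original guide: it checks that the Group Policy setting above has actually been applied (the policy writes values under HKLM\SOFTWARE\Policies\Microsoft\FVE), confirms the TPM state, then enables BitLocker with a USB startup key and saves the recovery password to a second USB. It assumes the operating system drive is C:, the startup-key USB is E: and the recovery-password USB is F:; adjust the drive letters to your machine.

```powershell
# Added example, not from the original guide. Assumed drive letters:
# OS drive C:, startup-key USB E:, recovery-password USB F:.
# Run from an elevated PowerShell prompt after the Group Policy steps above.

# 1. "Require additional authentication at startup" (Enabled, with
#    "Allow BitLocker without a compatible TPM" checked) writes these values.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if (-not $policy -or $policy.UseAdvancedStartup -ne 1 -or $policy.EnableBDEWithNoTPM -ne 1) {
    throw "Policy not applied yet: run 'gpupdate.exe /force' and re-check gpedit.msc."
}

# 2. Confirm why this procedure is needed: no usable TPM on this computer.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady) {
    Write-Warning 'A ready TPM is present; a TPM-based protector is preferable to a USB startup key.'
}

# 3. Enable BitLocker on C: with a startup key written to the USB drive E:.
#    Without -SkipHardwareTest, BitLocker runs the hardware test on the next
#    restart (the same test the setup wizard uses to verify that the BIOS can
#    read the USB drive before the operating system starts).
Enable-BitLocker -MountPoint 'C:' -StartupKeyProtector -StartupKeyPath 'E:\' -EncryptionMethod XtsAes256

# 4. Add a recovery password and save it on the second USB drive F:,
#    kept separate from the startup key as the guide recommends.
$vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })[-1]
"BitLocker recovery password for C: (protector $($rp.KeyProtectorId)): $($rp.RecoveryPassword)" |
    Out-File -FilePath 'F:\BitLocker-Recovery-C.txt'

# 5. Show the protectors now on the volume and the encryption progress.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Restart the computer with the startup-key USB inserted so the hardware test can run; encryption continues in the background once the test passes.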