
Enable BitLocker Drive Encryption without a TPM

Procedures to change your computer’s Group Policy settings so that you can enable BitLocker Drive Encryption without a TPM. This configuration uses a startup key to authenticate you; the key is stored on a USB flash drive that must be inserted into the computer before it is turned on. In such a scenario, your computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). The hardware test near the end of the BitLocker setup wizard checks whether your BIOS can do this.

Before you start:

  1. You must be logged on as an administrator.
  2. You must have a USB flash drive to save the recovery password.
  3. We recommend a second USB flash drive to store the startup key separate from the recovery password.

To turn on BitLocker Drive Encryption on a computer without a compatible TPM:

  1. Click Start, type gpedit.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, verify that the proposed action is what you requested, and then click Continue.
  3. In the left pane of Group Policy, click/tap to expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and Operating System Drives.
  4. In the right pane of Operating System Drives, double click/tap on Require additional authentication at startup to edit it.
  5. Select Enabled, check the Allow BitLocker without a compatible TPM box, and click/tap on OK.
    NOTE: Not Configured is the default setting.
  6. Close the Group Policy Object Editor.
  7. To force Group Policy to apply immediately, you can type
    gpupdate.exe /force

    in the command prompt, and then press ENTER. Wait for the process to finish.

  8. Now you can enable BitLocker from Control Panel to encrypt your hard drive or your USB.
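The same change, done from an elevated PowerShell prompt instead of the Group Policy editor, as an added example that is not part of the original page. It writes the registry values that back the Require additional authentication at startup policy (the values under HKLM\SOFTWARE\Policies\Microsoft\FVE that gpedit.msc sets), refreshes policy, confirms the setting took effect, reports whether a TPM is present, and then turns on BitLocker for the operating system drive with a startup key on one USB flash drive and a recovery password saved to a second. The drive letters E: (startup key) and F: (recovery password) are assumptions; change them to match your machine. The BitLocker and TrustedPlatformModule cmdlets require Windows 8 or later.

```powershell
# Added example: PowerShell equivalent of the Group Policy steps above.
# Run from an elevated PowerShell prompt (Run as administrator).
# Assumed drive letters: E: holds the startup key, F: holds the recovery password.
$StartupKeyDrive = 'E:\'
$RecoveryDrive   = 'F:\'
$OsDrive         = 'C:'

# 1. Set the registry values behind "Require additional authentication at startup".
#    UseAdvancedStartup=1 is "Enabled"; EnableBDEWithNoTPM=1 is the
#    "Allow BitLocker without a compatible TPM" check box; the four UseTPM*
#    values are the drop-downs in that dialog (2 = Allow, 1 = Require, 0 = Do not allow).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
$PolicyValues = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $PolicyValues.Keys) {
    New-ItemProperty -Path $PolicyKey -Name $name -Value $PolicyValues[$name] `
        -PropertyType DWord -Force | Out-Null
}

# 2. Apply the policy immediately (same as gpupdate.exe /force in step 7).
gpupdate.exe /force | Out-Null

# 3. Confirm the policy is in place before touching the drive; without it the
#    BitLocker setup refuses a TPM-less configuration.
$applied = Get-ItemProperty -Path $PolicyKey
if ($applied.EnableBDEWithNoTPM -ne 1) {
    throw 'EnableBDEWithNoTPM is not set; check that you are running elevated.'
}

# 4. Report TPM state so you know which protector path applies to this machine.
$tpm = Get-Tpm
Write-Host "TPM present: $($tpm.TpmPresent)  TPM ready: $($tpm.TpmReady)"

# 5. Turn on BitLocker for the OS drive with a startup key written to the USB drive.
#    Without -SkipHardwareTest, BitLocker performs the firmware/USB read test on
#    the next restart before encryption begins, which is the check the wizard runs.
Enable-BitLocker -MountPoint $OsDrive -StartupKeyProtector -StartupKeyPath $StartupKeyDrive

# 6. Add a recovery password and store it on the second USB drive, kept separate
#    from the startup key.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
$recoveryFile = Join-Path $RecoveryDrive "BitLocker-Recovery-$($OsDrive.TrimEnd(':')).txt"
$recovery | Select-Object KeyProtectorId, RecoveryPassword | Out-File -FilePath $recoveryFile

# 7. Show the protectors now attached to the volume (expect StartupKey and RecoveryPassword).
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId
```

After the restart and hardware test, keep the recovery-password drive away from the computer and the startup-key drive: either one on its own is enough to unlock the volume, so storing them together defeats the separation the page recommends.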
