In this blog post, I will show you how to turn on BitLocker encryption without a TPM. BitLocker normally expects a compatible TPM, but if your system does not have one, you can allow BitLocker to run without it through Local Policy or Group Policy. A TPM is typically not available in virtual machines such as Hyper-V guests unless the hypervisor exposes a virtual TPM to the VM (Hyper-V Generation 2 VMs can be given one; Generation 1 VMs cannot).
Importance of TPM for BitLocker Encryption
Under normal circumstances, BitLocker protects the key that unlocks the operating system volume with the TPM. The supported TPM version is 1.2 or higher; TPM 2.0 requires UEFI boot (Unified Extensible Firmware Interface) and does not work with legacy BIOS or CSM (Compatibility Support Module) boot. The TPM is part of the system hardware, and it seals (encrypts) the volume key against measurements of the boot components, so the key is released only when those components are unchanged. That is what gives BitLocker its boot integrity verification: a modified boot loader or firmware change causes the TPM to withhold the key and BitLocker to fall back to recovery.
BitLocker Encryption without TPM
If you don't have a compatible TPM, you can still encrypt the drive, but you lose the benefits, such as boot integrity verification, that BitLocker provides with a TPM. Without a TPM, the only thing protecting the data on a stolen disk is the strength of the startup password (or possession of the startup key on the USB drive), so choose a long password and keep the recovery key somewhere safe and separate from the machine.
You can verify the TPM status by running tpm.msc (Windows + R, then type tpm.msc). This launches Trusted Platform Module (TPM) Management. On a system without a TPM you will see the following error:
Compatible TPM cannot be found.
Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has a 1.2 TPM or later and it is turned on in the BIOS.
Error while trying to enable BitLocker without the policy
If you have not set the policy on a system without a TPM, you will see the following error when you try to turn on BitLocker:
"This device can't use a Trusted Platform Module. Your administrator must set the 'Allow BitLocker without a compatible TPM' option in the 'Require additional authentication at startup' policy for OS volumes."
Enable Policy for BitLocker
The policy can be enabled either through the Local Group Policy Editor (gpedit.msc) when configuring a single machine, or through Group Policy Management (gpmc.msc) when configuring a domain GPO. The setting itself is the same in both cases; the only difference is that in a domain GPO the path has an extra Policies node (Computer Configuration > Policies > Administrative Templates > ...).
Press Windows + R, type gpedit.msc (for local policy) or gpmc.msc (for group policy), and press Enter.
Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
In the right pane, double-click Require additional authentication at startup.
On the policy's settings page, enable the policy by clicking the Enabled radio button.
Check the box "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)". Leave the four drop-downs below it at Allow.
Click OK.
Open the policy setting "Choose how BitLocker-protected operating system drives can be recovered". This setting is optional, but it is worth enabling if you want the BitLocker recovery information stored in AD DS. It only has an effect on domain-joined computers; on a standalone machine you will back the key up manually in the wizard instead.
Enable the setting, uncheck Allow data recovery agent, and check Save BitLocker recovery information to AD DS for operating system drives.
Check the box Do not enable BitLocker until recovery information is stored to AD DS for operating system drives. This makes sure the recovery key is escrowed in AD DS before encryption starts, so the computer needs connectivity to a domain controller at the time you turn BitLocker on.
Click OK to exit.
Open an elevated command prompt and run gpupdate /force to apply the new policies. A restart is recommended so the policy is applied correctly.
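The same two policy settings, expressed as the registry values they write, as an added example that is not part of the original post. On a standalone machine this is equivalent to the Local Group Policy steps above (a domain GPO would overwrite the values on its next refresh). The value names live under HKLM\SOFTWARE\Policies\Microsoft\FVE and mirror the BitLocker ADMX; the helper function name is my own.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Writes the registry values behind the two policies described above and reads
# them back so the result can be checked.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# "Require additional authentication at startup" = Enabled, with
# "Allow BitLocker without a compatible TPM" checked.
# The four Use* values are the drop-downs in the policy; 2 = Allow.
$startup = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}

# "Choose how BitLocker-protected operating system drives can be recovered" = Enabled,
# data recovery agent off, recovery info saved to AD DS, and BitLocker blocked
# until that backup has succeeded (only meaningful on a domain-joined machine).
$recovery = @{
    OSRecovery                     = 1
    OSManageDRA                    = 0
    OSActiveDirectoryBackup        = 1
    OSRequireActiveDirectoryBackup = 1
}

$expected = $startup + $recovery
foreach ($kv in $expected.GetEnumerator()) {
    Set-ItemProperty -Path $fve -Name $kv.Key -Value $kv.Value -Type DWord
}

# Helper (my name): $true only when every expected value is present and matches.
# Useful after gpupdate to confirm a domain GPO has not replaced the values.
function Test-BitLockerNoTpmPolicy {
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if (-not $p) { return $false }
    foreach ($kv in $expected.GetEnumerator()) {
        if ($p.$($kv.Key) -ne $kv.Value) { return $false }
    }
    return $true
}

gpupdate.exe /force | Out-Null
Test-BitLockerNoTpmPolicy
```

If Test-BitLockerNoTpmPolicy returns $false on a domain-joined machine, check gpresult /h for a GPO that sets the same policy; the domain value wins over anything written locally.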
Turn on BitLocker on C drive
Open File Explorer, right-click the C: drive and select Turn on BitLocker.
This launches the BitLocker Drive Encryption wizard on the page Choose how to unlock your drive at startup. Select Enter a password, provide the password twice, and click Next.
The next page asks How do you want to back up your recovery key.
You can choose from several options: Save to your cloud domain account, Save to a USB flash drive, Save to a file, or Print the recovery key. We will go with the last option and save it as a PDF file. Whichever option you pick, keep the recovery key off the drive you are encrypting; it is the only way back in if the startup password is forgotten.
Once done, you will see Your recovery key was printed. Click Next.
On the next page, select Encrypt used disk space only (faster and best for new PCs and drives), since it encrypts only the sectors currently in use rather than the whole disk, which can take a long time. The second option, Encrypt entire drive, is more secure: on a drive that has already been used, free space can still hold remnants of deleted files, and used-space-only encryption leaves those remnants in the clear.
The next page is Choose which encryption mode to use. Go with New encryption mode (best for fixed drives on this device), which is XTS-AES; Compatible mode is only needed for drives that will be moved to older versions of Windows. Click Next.
On the page Are you ready to encrypt this drive, select Run BitLocker system check. This makes BitLocker confirm, across a reboot, that it can read the password before any data is encrypted, so a typo in the password is caught while the disk is still readable. Click Continue to start the encryption process.
You will get the message The computer must be restarted. Click Restart now.
When the computer starts, it will ask for the password to unlock the drive before Windows loads; encryption then continues in the background after you sign in.
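The wizard steps above as a script, as an added example that is not part of the original post. It assumes the no-TPM policy is already in effect and an elevated prompt; the drive letter, the prompt text and the USB drive letter used for the recovery key file are my assumptions.

```powershell
# Added example, not from the original post. Mirrors the wizard: password
# protector, recovery password backup, used-space-only, XTS-AES 256, system check.

$mount = 'C:'   # assumed OS drive

# Step 1: the startup password (the unlock method available without a TPM).
$pw = Read-Host -Prompt 'BitLocker startup password' -AsSecureString

# Step 2: create the recovery password protector first, so the 48-digit key
# exists and is backed up before any encryption starts.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$recovery = Get-BitLockerVolume -MountPoint $mount |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -Last 1

if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    # Domain-joined: escrow the recovery password in AD DS (needs a reachable DC).
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $recovery.KeyProtectorId | Out-Null
} else {
    # Standalone: the wizard's "Save to a USB flash drive" equivalent.
    $out = 'E:\BitLocker-RecoveryKey.txt'   # assumed removable drive, never C:
    @(
        "Identifier: $($recovery.KeyProtectorId)"
        "Recovery Key: $($recovery.RecoveryPassword)"
    ) | Set-Content -Path $out
}

# Steps 3 and 4: used-space-only and "new encryption mode" (XTS-AES 256).
# Without -SkipHardwareTest this schedules the BitLocker system check, so
# encryption begins only after the restart succeeds with the password.
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $pw `
    -UsedSpaceOnly -EncryptionMethod XtsAes256

Restart-Computer -Confirm
```

Use -EncryptionMethod Aes256 instead of XtsAes256 only if the drive must unlock on Windows versions older than 10 version 1511; drop -UsedSpaceOnly for a drive that has held data before, for the reason given above.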
Verify encryption on drive
Launch BitLocker Drive Encryption from the Start menu on your Windows 10 system. It shows Windows (C:) BitLocker on with a lock icon.
You may also verify the status from a command prompt: launch it with elevated rights and run the following command:
You will get the complete BitLocker status for the volume, including Conversion Status, Percentage Encrypted, Protection Status and Key Protectors. Protection Status should read Protection On, and the Key Protectors list should show both Password and Numerical Password (the recovery key); if Protection Off is shown, encryption is still in progress or protection has been suspended.
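A scripted version of the same check, as an added example that is not part of the original post. It uses the built-in Get-BitLockerVolume cmdlet and returns a summary object so the state can be tested rather than read off the screen; the function name and the drive letter are my assumptions.

```powershell
# Added example, not from the original post. Summarises the BitLocker state of a
# volume and warns about the two conditions a no-TPM setup most often gets wrong.

function Get-BitLockerNoTpmCheck {
    param([string]$MountPoint = 'C:')   # assumed OS drive

    $v     = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($v.KeyProtector | ForEach-Object KeyProtectorType)

    [pscustomobject]@{
        MountPoint        = $v.MountPoint
        VolumeStatus      = $v.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
        EncryptionPercent = $v.EncryptionPercentage
        EncryptionMethod  = $v.EncryptionMethod      # XtsAes256 for "new encryption mode"
        ProtectionOn      = ($v.ProtectionStatus -eq 'On')
        HasPassword       = ('Password' -in $types)
        HasRecoveryKey    = ('RecoveryPassword' -in $types)
        UsesTpm           = (@($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0)
    }
}

$check = Get-BitLockerNoTpmCheck -MountPoint 'C:'
$check

if (-not $check.ProtectionOn) {
    Write-Warning 'Protection is Off: encryption is still running or protection was suspended.'
}
if (-not $check.HasRecoveryKey) {
    Write-Warning 'No recovery password protector: a forgotten startup password means data loss.'
}

# Cross-check with the classic tool; the Key Protectors section should list
# Password and Numerical Password.
manage-bde -status C:
```

Run it again after the background encryption finishes: VolumeStatus should move from EncryptionInProgress to FullyEncrypted and ProtectionOn should be $true.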