You can enable BitLocker without a compatible TPM (Trusted Platform Module) by making a simple change within the Group Policy Editor.
By default, BitLocker stores its encryption keys within the TPM, but not every computer has one. Or maybe it just isn’t enabled.
Another reason to use BitLocker without a TPM is to require additional authentication at startup. That’s to say, you’ll need to enter a password before BitLocker will unlock the drive.
How To Enable BitLocker Without A TPM.
To use BitLocker without a TPM, or to simply require some form of additional authentication (such as a password), you’ll need to make a change in the Group Policy Editor. That’s easy to do and I’ll guide you through it.
Open the Run command by pressing the Windows key and the letter R on your keyboard.
In the box, type “gpedit.msc” and click the OK button.
The Group Policy Editor.
Inside the Group Policy Editor you need to navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
To do that, click the small arrowhead beside Computer Configuration.
Then click the arrowhead beside Administrative Templates and so on until you reach the Operating System Drives folder.
BitLocker Require Additional Authentication At Startup.
Select the folder Operating System Drives.
In the right hand panel, double left click on “Require additional authentication at startup”.
Change BitLocker Settings.
On the “Require additional authentication at startup” screen, select Enabled.
Next, tick “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)”.
Click Apply and then click OK.
Once that’s done you can close the Group Policy Editor.
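The same policy change can be scripted. This is an added example, not part of the original post: it writes the registry values that the “Require additional authentication at startup” policy is stored under (HKLM\SOFTWARE\Policies\Microsoft\FVE) and then checks whether a TPM is present. The value names and their meanings are taken from the policy’s ADMX definition and are an assumption here; confirm the result in gpedit.msc afterwards. Run it from an elevated PowerShell prompt.

```powershell
# Added example: scripted equivalent of the Group Policy Editor steps above.
# Assumes the policy is backed by the registry values below (standard ADMX mapping).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# 1 = "Require additional authentication at startup" is Enabled
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
# 1 = "Allow BitLocker without a compatible TPM" is ticked
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
# 2 = "Allow" for the TPM-based options the same policy exposes (its defaults)
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord
}

function Test-BitLockerNoTpmPolicy {
    # Returns $true when the policy allows BitLocker to run without a TPM
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    return ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

# Show what was written, and whether this PC actually has a usable TPM
Get-ItemProperty -Path $fve |
    Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN
Get-Tpm | Select-Object TpmPresent, TpmReady
"Policy allows BitLocker without TPM: $(Test-BitLockerNoTpmPolicy)"
```

If Get-Tpm reports TpmPresent as True but TpmReady as False, the chip exists but is disabled or not initialised; in that case you may prefer to enable it in firmware rather than bypass it with this policy.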
Turn On BitLocker.
Now that you’ve enabled BitLocker to run without a compatible TPM, you’ll need to turn it on again.
Open the BitLocker Drive Encryption screen.
Then click “Turn BitLocker on”.
Choose How To Unlock Your Drive At Start Up.
Under normal circumstances, BitLocker would simply use the encryption keys stored within the computer’s TPM to unlock your drive. It’s all automatic and doesn’t require any interaction from you.
But now we’ve changed how BitLocker will work. So now you have a choice of just how to unlock your drive.
- Enter a PIN (Recommended) – This is the password option. You’ll need to enter the PIN every time your PC boots up.
- Insert a USB flash drive – BitLocker can store its encryption keys on a flash drive. The drive will need to be present every time the computer boots up.
- Let BitLocker unlock my drive automatically – This option will only appear if you do indeed have a compatible TPM available.
A Note About Using A USB Flash Drive To Unlock Your PC.
I don’t like this option. USB flash drives are notorious for failing. If it goes wrong and becomes unreadable, or if you accidentally overwrite the encryption keys, well you don’t need me to spell it out for you.
Setting The PIN (Password).
After clicking “Enter a PIN”, you’ll need to do just that.
You can only use the numbers 0 – 9, and the PIN must be between 6 and 20 digits long.
Good Practice With PINs And Passwords.
Before you enter any PIN or password into anything, always write it down first. Jot it down on a piece of paper, or quickly type it into Notepad etc. But write it down first.
Then copy what you’ve written into the boxes provided. What you do with the written copy or Notepad copy is up to you, but don’t make a silly mistake here.
Save The Recovery key.
The recovery key is what you’ll need to unlock your drive if you lose or forget either the PIN you just set or the USB flash drive, if you used that option.
You can save the recovery key into your Microsoft account, or to a USB flash drive, or best of all, print it if you’ve got a printer.
Personally I use all 3 methods. You can only choose one right here and now, but you can return later and use one of the other methods.
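The “Turn On BitLocker” steps, the PIN rule and the recovery key backup can also be done from PowerShell. This is an added example, not the post’s own procedure: it validates the PIN against the 6 – 20 digit rule above, refuses to run unless the no-TPM policy is in place, turns on BitLocker for C: with a password protector (on a PC with no TPM, the cmdlet’s password protector is the closest match to the wizard’s “Enter a PIN” option; that mapping is an assumption) and writes the recovery password to a file on a removable drive. The drive letter E: and the file name are placeholders. Run it from an elevated PowerShell prompt.

```powershell
# Added example: enable BitLocker on the OS drive without a TPM and save the recovery key.
function Test-PinFormat {
    param([string]$Pin)
    # Same rule the wizard applies: digits only, between 6 and 20 of them
    return $Pin -match '^[0-9]{6,20}$'
}

# Stop early if the "Allow BitLocker without a compatible TPM" policy is not set
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve.EnableBDEWithNoTPM -ne 1) {
    throw 'Policy "Allow BitLocker without a compatible TPM" is not enabled; set it first.'
}

# Read the PIN as plain text so it can be validated, then convert it to a SecureString
$plainPin = Read-Host 'Enter the startup PIN (6-20 digits, write it down first)'
if (-not (Test-PinFormat $plainPin)) { throw 'PIN must be 6 to 20 digits, 0-9 only.' }
$pin = ConvertTo-SecureString $plainPin -AsPlainText -Force
$plainPin = $null

# Turn BitLocker on for C: with the password protector (the PIN entered at boot).
# For the USB option from the post you would instead use:
#   Enable-BitLocker -MountPoint 'C:' -StartupKeyProtector -StartupKeyPath 'E:\'
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -PasswordProtector -Password $pin

# Add the recovery password protector: this is the 48-digit recovery key
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

function Get-RecoveryPasswords {
    param([string]$MountPoint = 'C:')
    # Returns the recovery password protector(s) for the volume
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}

# Save the recovery key off the encrypted drive (E:\ is a placeholder for a USB stick)
Get-RecoveryPasswords -MountPoint 'C:' | Format-List | Out-File 'E:\BitLocker-Recovery-C.txt'

# Final check: protector types present and the encryption status
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ', ') } }
```

Adding the recovery password protector after enabling BitLocker is deliberate: the password protector is what unlocks the drive every day, while the recovery password is the fallback the post warns you never to lose, so the final check should list both. If you also keep a copy in your Microsoft account, BackupToAAD-BitLockerKeyProtector does that for Azure AD joined PCs.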
BitLocker Will Encrypt All Your Files.
You have to keep in mind that everything on your computer hard drive (all your documents, pictures etc) will be encrypted. You really don’t want to get locked out.
BitLocker Without A TPM.
The rest of the setup process for BitLocker is fairly straightforward. Click How To Use Microsoft BitLocker for a complete walkthrough.
After it’s completed, when you restart your computer, you’ll see this screen if you’ve set up a PIN to unlock the drive.
If you set up a USB flash drive, then your PC will boot straight up when the flash drive is plugged in.
Summary.
On home computers, I think that BitLocker without a TPM is better. I really don’t see the benefit of having a PC start up without any input from me. Where I’m encrypting drives, I want to enter a PIN or maybe a password.
One last word about those recovery keys. Please make sure that you have them. Keep them safe.