How to set BitLocker Drive Encryption for the operating system drive without a Trusted Platform Module (TPM) using Group Policy (gpedit.msc)

November 8, 2017

BitLocker Drive Encryption is a Windows feature that encrypts a PC's hard disk drive and removable disks such as USB flash drives and SD cards, to prevent important data from being stolen along with the disk.

BitLocker Drive Encryption can encrypt the operating system drive on which Windows is installed, fixed data drives, USB flash drives, SD cards, and so on.

TPM: Trusted Platform Module

If you try to use BitLocker Drive Encryption on your operating system drive (usually the C: drive), you may receive the error message below. In the Operating system drive section, click Turn on BitLocker.

Windows10 BitLocker Drive Encryption

▼ However, the following error message may be displayed here. It means that BitLocker cannot be used because the PC has no TPM.

This device can’t use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes.

BitLocker Operating system Drive Encryption

Related Post

[Windows10] How to use BitLocker to encrypt the Windows operating system drive (C: drive) ~ BitLocker Drive Encryption

Using a USB flash drive

You can enable BitLocker for the operating system drive without a TPM if the BIOS or UEFI firmware can read from a USB flash drive before Windows starts, because the BitLocker startup key can then be loaded from a USB flash drive instead of the TPM.

Set up BitLocker using Group Policy (gpedit.msc)

The hardware requirements for BitLocker Drive Encryption call for a PC with a security chip called a Trusted Platform Module (TPM).

BitLocker normally uses this TPM to protect the drive key, but the TPM is not strictly necessary: there is a way to keep the startup key on a USB flash drive instead.

If you want to use BitLocker without a TPM, you can use Group Policy to allow it for the operating system drive.

Opening Group Policy (gpedit.msc)

▼ As shown below, press Windows + R to open Run, enter gpedit.msc in the text box, and click OK.


Alternatively, in the Windows search box next to the Start button, enter gpedit and click Edit group policy. Note that the Group Policy Editor is built into Windows Pro edition; on Windows Home edition you must install gpedit.msc separately.

Related Post

[Windows10] How to install the Local Group Policy Editor (gpedit.msc) on Windows 10 Home edition


▼ In the Group Policy Editor (gpedit.msc) window, navigate to the following path in the navigation tree on the left.

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drive


▼ Next, double-click Require additional authentication at startup.


▼ In the Require additional authentication at startup window, first select Enabled, then confirm that the following option is checked, and click OK or Apply.

Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)


Enabling BitLocker Encryption

▼ As a result, BitLocker Drive Encryption is now available for the operating system drive without a TPM, as shown below.


Updating Local Group Policy

The gpupdate.exe /force command ignores the processing optimizations in the client's Group Policy engine and reapplies all policy settings, so the change above takes effect without waiting for the next refresh.

Run the command from Windows Search as shown below.


▼ Group Policy is updated when the command runs.
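The same procedure carried out from an elevated PowerShell session, as an added example that is not code from the original post: it writes the policy, refreshes Group Policy, and then turns on BitLocker for C: with a USB startup key and a recovery password. It assumes the USB drive letter in $UsbDrive (a placeholder), and that the policy is backed by the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE listed in the VolumeEncryption.admx template; Get-Tpm and the BitLocker cmdlets are the built-in Windows ones.

```powershell
# Added example, not the original post's code. Run as Administrator.
# Assumption: the registry values below are the ones the "Require additional
# authentication at startup" policy writes (VolumeEncryption.admx); 2 = "Allow".
$ErrorActionPreference = 'Stop'
$UsbDrive = 'E:'   # placeholder: USB flash drive that will hold the startup key

# 1. Report whether a TPM is present; this is the situation the policy addresses.
$tpm = Get-Tpm
if ($tpm.TpmPresent) {
    Write-Host "A TPM is present; the no-TPM policy is not required on this PC."
} else {
    Write-Host "No TPM found; allowing BitLocker without a compatible TPM."
}

# 2. Equivalent of Enabled + "Allow BitLocker without a compatible TPM" in gpedit.msc.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = @{
    UseAdvancedStartup = 1   # policy Enabled
    EnableBDEWithNoTPM = 1   # the checked option from the post
    UseTPM             = 2   # remaining options left at their default "Allow"
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] `
        -PropertyType DWord -Force | Out-Null
}

# 3. Reapply all settings immediately, as the post does with gpupdate.exe /force.
gpupdate.exe /force | Out-Null
if ((Get-ItemProperty -Path $fve).EnableBDEWithNoTPM -ne 1) { throw 'Policy not applied.' }

# 4. Add a recovery password first, then the USB startup key. Without
#    -SkipHardwareTest, BitLocker runs its hardware test on the next restart,
#    which confirms the firmware can read the startup key from the USB drive.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint 'C:' -StartupKeyProtector -StartupKeyPath $UsbDrive `
    -EncryptionMethod XtsAes256 | Out-Null

# 5. Show the recovery password so it can be stored away from the encrypted drive.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword
```

Record the recovery password before restarting; once the hardware test passes, encryption of C: proceeds in the background.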
