Enabling BitLocker Drive Encryption Without a TPM in Windows 10

Home > Blogs > Windows 10 > Enabling BitLocker Drive Encryption Without a TPM in Windows 10

Enabling BitLocker Drive Encryption Without a TPM in Windows 10

Like This Blog 1 Mike Danseglio
Added by July 6, 2016

Windows 10 is quite an impressive operating system. It’s fast, it runs all of my old apps (even my retro games!), and it has tons of security improvements.

BitLocker Drive Encryption isn’t new to Windows 10. Encrypting files in Windows goes all the way back to the Encrypting File System (EFS) in Windows 2000. BitLocker was first shipped as part of the Operating System Who Must Not Be Named (the predecessor of Windows 7). BitLocker has always provided a great level of data confidentiality by encrypting an entire logical drive, not just files.

All modern encryption uses a key, and BitLocker is no different. The best practice is to store the BitLocker key in a Trusted Platform Module (TPM), which is a secure system component that protects cryptographic keys and prevents tampering and unauthorized access. When an attacker tries to steal or modify keys protected by a TPM, the TPM either destroys itself, wipes its own memory, or reduces functionality in a recovery mode. This is normally how BitLocker is deployed, with keys stored in the TPM.

If you are using a Professional or Enterprise version of Windows 10 you can enable BitLocker through BitLocker Drive Encryption applet in Control Panel.


You can see that my C: drive is not currently encrypted. I have the option of turning it on by clicking Turn on BitLocker.

My computer doesn’t have a TPM for BitLocker to use. The default system policy does not permit BitLocker keys on USB removable storage. So I get this error:


If you can’t see the image, the error is:

  • This device can’t use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes.

When a TPM is not available BitLocker can still work. Removable storage, typically a USB memory stick, must be provided for the key. BitLocker will create the key and store it on the USB stick. From that point on, the USB stick must be inserted whenever Windows 10 starts.

To enable these options, you must configure the policy. In a domain-joined computer, you will typically do that through Group Policy. In this article I’m illustrating how to do it on a standalone system.

To enable BitLocker on a system with a TPM by storing the key on a removable USB stick, follow these steps:

Press Windows + R to bring up the Run dialog, type gpedit.msc and press Enter. This launches the Local Group Policy Editor.

Navigate to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives


Double-click Require additional authentication at startup. This lets you set the configuration for using removable memory or TPM with BitLocker.


Click Enable to access the other options. Rather than paraphrasing, here’s the full description for these options:

This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.

If you want to use BitLocker on a computer without a TPM, select the “Allow BitLocker without a compatible TPM” check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both.

If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.

Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard

That’s the hard part. Notice that the last note specifies that you’ll need to use manage-bde.exe at a command-prompt to turn on BitLocker. So that step is slightly harder than using the Control Panel wizard. But you should only need to do it once. I will cover using manage-bde.exe to enable BitLocker in a different article.


Mike Danseglio – CISSP, MCSE, and CEH

Mike Danseglio teaches IT Security Training, Windows, System Center and Windows Server 2012 classes at Interface Technical Training. His classes are available in Phoenix, AZ and online with RemoteLive™.

Videos You May Like

A Simple Introduction to Cisco CML2

0 3896 0

Mark Jacob, Cisco Instructor, presents an introduction to Cisco Modeling Labs 2.0 or CML2.0, an upgrade to Cisco’s VIRL Personal Edition. Mark demonstrates Terminal Emulator access to console, as well as console access from within the CML2.0 product. Hello, I’m Mark Jacob, a Cisco Instructor and Network Instructor at Interface Technical Training. I’ve been using … Continue reading A Simple Introduction to Cisco CML2

Creating Dynamic DNS in Network Environments

0 643 1

This content is from our CompTIA Network + Video Certification Training Course. Start training today! In this video, CompTIA Network + instructor Rick Trader teaches how to create Dynamic DNS zones in Network Environments. Video Transcription: Now that we’ve installed DNS, we’ve created our DNS zones, the next step is now, how do we produce those … Continue reading Creating Dynamic DNS in Network Environments

Cable Testers and How to Use them in Network Environments

0 727 1

This content is from our CompTIA Network + Video Certification Training Course. Start training today! In this video, CompTIA Network + instructor Rick Trader demonstrates how to use cable testers in network environments. Let’s look at some tools that we can use to test our different cables in our environment. Cable Testers Properly Wired Connectivity … Continue reading Cable Testers and How to Use them in Network Environments

Write a Comment

See what people are saying...

    Share your thoughts...

    Please fill out the comment form below to post a reply.