
Enable BitLocker without TPM on Windows 10 & 11
BitLocker is Microsoft’s built‑in drive encryption tool. By default it prefers a Trusted Platform Module (TPM), but you can enable BitLocker on PCs without TPM by adjusting a policy and using a password or USB startup key.
Step‑by‑step guide (OS Drive)
- Open Group Policy Editor
  Press Win + R, type gpedit.msc, and press Enter.
- Navigate to BitLocker settings
  Go to:
  Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives
- Enable non‑TPM option
  Open Require additional authentication at startup → set to Enabled → tick Allow BitLocker without a compatible TPM → Apply → OK.
- Restart your PC
  This ensures the policy takes effect.
- Turn on BitLocker
  Control Panel → BitLocker Drive Encryption → select your system drive → Turn on BitLocker.
  Choose Password or USB startup key as your unlock method and follow the prompts.
Encrypting Other Partitions (Data Drives)
BitLocker policies are divided into three categories: Operating System Drives, Fixed Data Drives, and Removable Data Drives. The TPM requirement applies mainly to OS drives. For other partitions, you can enable BitLocker directly.
- Fixed Data Drives (D:, E:, etc.)
  – Open Control Panel → BitLocker Drive Encryption.
  – Select the partition → Turn on BitLocker.
  – Choose a password or smart card unlock method.
  – Optional: Configure policies under Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Fixed Data Drives.
- Removable Drives (USB, external HDD)
  – BitLocker To Go handles these.
  – Turn on BitLocker from Control Panel.
  – Set a password to unlock on any PC.
  – Optional policies under BitLocker Drive Encryption → Removable Data Drives.
PowerShell quick start (optional)
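```powershell
# Run from an elevated PowerShell prompt.
# Enable the "Require additional authentication at startup" policy (UseAdvancedStartup)
# and allow BitLocker on OS drives without a TPM (EnableBDEWithNoTPM)
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f
# Turn on BitLocker on C: with a password (manage-bde prompts for it)
manage-bde -on C: -Password
# Encrypt a data drive (example D:)
manage-bde -on D: -Password
# View status
manage-bde -status
```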
Best practices
- Back up first: Always back up important files before encrypting.
- Save your recovery key: Store it in multiple safe locations (USB, password manager, and a printed copy).
- Performance: Initial encryption can take hours depending on drive size; you can keep working while it runs.
- Password strength: Use a long passphrase if not using TPM.
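To check the result of the steps above, the following read-only audit lists each volume's key protectors and flags volumes that are not fully encrypted, have protection off, or lack a recovery password protector. It is an added example, not part of the original guide; it assumes the BitLocker PowerShell module (`Get-BitLockerVolume`) is available and that it runs from an elevated prompt.

```powershell
# Added example, not from the original page. Read-only; run from an elevated prompt.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

# Policy value the guide sets so the OS drive accepts a password or USB startup key.
$noTpmAllowed = $policy.EnableBDEWithNoTPM -eq 1

$report = foreach ($vol in Get-BitLockerVolume) {
    # Protector types on this volume, e.g. Password, ExternalKey, RecoveryPassword, Tpm.
    $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasTpm   = [bool]($types -match '^Tpm')
    $findings = @()

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "status $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += 'protection is not on'
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'no recovery password protector to back up'
    }
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not $hasTpm -and -not $noTpmAllowed) {
        $findings += 'no TPM protector and EnableBDEWithNoTPM is not set'
    }

    [pscustomobject]@{
        Drive      = $vol.MountPoint
        Type       = $vol.VolumeType
        Protectors = $types -join ', '
        Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

$report | Format-Table -AutoSize -Wrap
```

A volume that shows only a `Password` protector has nothing to fall back on if the passphrase is forgotten; add a recovery password and store it as described above before relying on the drive.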
Comfort insight: Think of OS drives as the main shrine gate needing special ritual keys, while data drives are side gates that can be locked with simpler keys. Configure each gate according to its role for maximum serenity and security.