I recently tried to enable BitLocker on an old Windows 10 PC at home and received an error message that I found to be very cryptic to anyone who is not a computer geek. Here is the message:
This device cannot use the TPM. Your administrator must select the “Allow BitLocker without compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes.
What!? Most people will probably just cancel the operation and give up when they see this message. Unfortunately, Microsoft rarely makes error messages clear or easy to understand. Let’s figure it out.
1. Trusted Platform Module (TPM). Basically, this is a dedicated security chip, built into many newer motherboards and processors, that provides additional security features. When BitLocker uses the TPM, it stores the encryption key on the chip itself. If you don’t have a TPM, you can still use BitLocker, but you will have to store the encryption key on a USB drive.
2. Administrator policy. So what does it take to select the “Allow BitLocker without compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes? Basically, you need to change a Group Policy setting so that BitLocker can work without requiring a TPM.
The fix is pretty easy; just follow the instructions and don’t make any other changes.
Step 1. Open the Group Policy Editor by pressing Windows Key + R or by clicking Start in Windows 10 and typing Run. In the Run dialog box, type gpedit.msc and press Enter.
Now open the following section in Group Policy:
Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives
On the right you will see the option “Require additional authentication at startup”. Go ahead and double click on this option.
By default it is set to Not Configured, so you will need to select the Enabled radio button. The “Allow BitLocker without a compatible TPM” box should be checked automatically, but if it is not, be sure to check it.
Click OK and then close Group Policy. Now go back to the BitLocker screen and click the Turn on BitLocker link.
You should now see the BitLocker setup screen instead of an error message. When you click Next, BitLocker hard drive setup begins.
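The same change can be made and verified from an elevated PowerShell prompt instead of clicking through gpedit.msc. This is an added example, not code from the original post; it assumes the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones that back the “Require additional authentication at startup” policy.

```powershell
# Added example: apply and verify the "Allow BitLocker without a compatible TPM"
# policy from an elevated PowerShell session, and check for a TPM first.
# Assumption: the values under $fve are the registry backing of the
# "Require additional authentication at startup" policy.
#Requires -RunAsAdministrator
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-TpmSummary {
    # Report whether a usable TPM exists (Get-Tpm comes with Windows 8 and later).
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{ Present = $tpm.TpmPresent; Ready = $tpm.TpmReady }
    } catch {
        [pscustomobject]@{ Present = $false; Ready = $false }
    }
}

function Enable-BitLockerWithoutTpmPolicy {
    # Equivalent of setting the policy to Enabled with the
    # "Allow BitLocker without a compatible TPM" box checked.
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Type DWord -Value 1
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Type DWord -Value 1
    # 2 = "Allow" for each TPM combination, matching the policy's default drop-downs.
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $fve -Name $name -Type DWord -Value 2
    }
}

function Test-BitLockerWithoutTpmPolicy {
    # True only when both values the error message asks for are set.
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

$tpm = Get-TpmSummary
if ($tpm.Present -and $tpm.Ready) {
    Write-Host 'A ready TPM is present; the policy change is not needed.'
} else {
    Enable-BitLockerWithoutTpmPolicy
    if (Test-BitLockerWithoutTpmPolicy) {
        Write-Host 'Policy applied. Go back to the BitLocker screen and click Turn on BitLocker.'
    } else {
        Write-Warning 'Policy values were not written; make sure the shell is elevated.'
    }
}
```

If the PC is domain-joined, a domain Group Policy for BitLocker will override these local values. Without a TPM there is no boot-integrity measurement, so the USB startup key is the only thing unlocking the drive; keep it somewhere other than with the PC.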
Again, using BitLocker without a TPM is not a major security flaw; it just means the encryption key must be stored on a USB stick rather than on the chip itself. If you’re still having problems enabling BitLocker on Windows 8 or Windows 10, please leave a comment and let us know. Enjoy!