I recently tried to encrypt a disk partition on my computer using BitLocker, and I got this error prompt 'This device can't use a Trusted Platform Module. Your administrator must select the "Allow BitLocker without a compatible TPM" option in the "Require additional authentication at startup" policy for OS volumes.'. This operation works well on the company's computer, what's the matter? How can I use BitLocker to encrypt partitions on this computer?
What is a TPM? The TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys. This chip also provides hardware-based authentication and tamper detection, so an attacker can’t attempt to remove the chip and place it on another motherboard, or tamper with the motherboard itself to attempt to bypass the encryption — at least in theory.
Why does BitLocker require a TPM? By default, when encrypting a Windows system partition, BitLocker requires a TPM chip on your motherboard. BitLocker uses the TPM chip to generate and store the actual encryption keys. This is way it can automatically unlock your PC’s drive when it boots so you can sign in just by typing your Windows login password, and an attacker can’t just remove the drive from the computer and attempt to access its files elsewhere. It’s simple, but the TPM is doing the hard work under the hood.
When we try to encrypt Windows system partition using BitLocker, if there is no TPM chip on the computer, we will get the error message 'This device can't use a Trusted Platform Module. Your administrator must select the "Allow BitLocker without a compatible TPM" option in the "Require additional authentication at startup" policy for OS volumes.'. In such case, most people will probably just cancel the operation and forget about the whole thing with a message like that.Are there still other ways to encrypt partition with BitLocker even if there is no TPM chip on our computer? The answer is yes, here we will show you two solutions for how to enable BitLocker encryption without TPM in Windows 11/10/8/7.
Step 1. Press Windows+R, type 'gpedit.msc' into the Run dialog box, and then press Enter to open the 'Local Group Policy Editor'.
Step 2. Navigate to 'Local Computer Policy' > 'Computer Configuration' > 'Administrative Templates' > 'Windows Components' > 'BitLocker Drive Encryption' > 'Operating System Drives' in the left pane.
Step 3. Double-click the 'Require additional authentication at startup' option in the right pane.
Step 4. Select 'Enabled' at the top of the window, and ensure the 'Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)' checkbox is enabled here.
Step 5. Click 'OK' to save your changes. Your change takes effect immediately, so you don’t need to reboot your computer.
After performing the above operations, you can now use the Windows built-in BitLocker feature to encrypt the Windows system partition without get the 'This device can't use a Trusted Platform Module ...' error message.
Step 1. Download and install Hasleo BitLocker Anywhere.
Step 2. Launch Hasleo BitLocker Anywhere, right-click the Windows drive letter (usually C:), then click "Turn On BitLocker".
Step 3. In this step, you are asked to choose how to unlock the Windows drive at startup. You can choose to enter a password or insert a USB flash drive each time you start your PC.
If you choose to enter a password at startup, you are required to specify a password for encrypting the drive, enter the password and click "Next". You should choose a password having a combination of upper and lower case letters, numbers, spaces, and special symbols.
If you choose to insert a USB flash drive at startup, you are required to specify a USB drive to save the startup key, select a USB drive and click "Next".
Step 4. After clicking "Next", you are asked how you want to backup the BitLocker recovery key. You can save the recovery key to a file or print a copy of it, then click "Next" to move on. Please note that anyone can use the recovery key to gain access to the drive, even if they do not have the startup key or password created in the previous step, so please do not disclose it to others.
Step 5. Now a pop-up will appear asking you if you want to reboot into Pre-OS to encrypt the Windows partition. Click "Yes" to continue.
Step 6. Another pop-up will appear asking you if you want to build a WinPE image to continue. Click "Yes".
Step 7. Hasleo BitLocker Anywhere starts building WinPE. This may take several minutes, so please be patient to wait.
Step 8. After successfully builded the WinPE image, Hasleo BitLocker Anywhere will prompt you to reboot the computer, click "Yes" button to allow Hasleo BitLocker Anywhere to reboot your computer.
Step 9. Hasleo BitLocker Anywhere will now reboot and enter Pre-OS to encrypt the contents of the selected drive using BitLocker drive encryption. The encryption process could take a long time to finish depending on the size of the drive, so please be patient to wait. If you don't want to wait until the encryption operation is finished, "Shut down the computer when the operation is completed" option is a good idea. Just check it.
Step 10. After the encryption is complete, click the "Finish" button to close the window.
Step 11. Now you have to enter the BitLocker password or plug in the USB drive which contains the startup key before you can start the Windows.
