How to Enable BitLocker Encryption without a TPM in Windows 11/10/8/7?

I recently tried to encrypt a disk partition on my computer using BitLocker and received the following error: "This device can't use a Trusted Platform Module. Your administrator must select the 'Allow BitLocker without a compatible TPM' option in the 'Require additional authentication at startup' policy for OS volumes". This operation works well on my company computer. Why does this issue occur on my current computer, and how can I use BitLocker to encrypt partitions on this machine?

What is a TPM?

The TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys. This chip also provides hardware-based authentication and tamper detection, so an attacker can't simply remove the chip and place it on another motherboard, or tamper with the motherboard itself, to bypass the encryption, at least in theory.

Why does BitLocker require a TPM?

By default, when encrypting a Windows system partition, BitLocker requires a TPM chip on your motherboard. BitLocker uses the TPM to generate and store the encryption keys. This is why it can automatically unlock your PC's drive at startup, allowing you to sign in with just your Windows login password. Meanwhile, an attacker cannot simply remove the drive and attempt to access its files elsewhere. The process appears simple, but the TPM does the critical work behind the scenes.

When trying to encrypt the Windows system partition with BitLocker on a computer without a TPM chip, you may encounter the error: "This device can't use a Trusted Platform Module. Your administrator must select the 'Allow BitLocker without a compatible TPM' option..." Faced with this message, most users would simply cancel the operation and give up. But is there still a way to encrypt a partition with BitLocker without a TPM chip? The answer is yes. Below, we show you two solutions for enabling BitLocker encryption without a TPM on Windows 11/10/8/7.

Solution 1: How to Enable BitLocker Encryption without TPM in Windows 11/10/8/7 Using Local Group Policy Editor?

Step 1. Press "Windows + R", type "gpedit.msc" into the Run dialog box, and then press "Enter" to open the Local Group Policy Editor.

Step 2. Navigate to "Local Computer Policy" > "Computer Configuration" > "Administrative Templates" > "Windows Components" > "BitLocker Drive Encryption" > "Operating System Drives" in the left pane.

Step 3. Double-click the "Require additional authentication at startup" option in the right pane.

Step 4. Select "Enabled" at the top of the window, and ensure the "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" checkbox is selected.

Step 5. Click "OK" to save your changes. Your changes take effect immediately, so no reboot is required.

After performing the above operations, you can now use the Windows built-in BitLocker feature to encrypt the system partition without encountering the "This device can't use a Trusted Platform Module..." error message.
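
To confirm that the policy from Steps 1 to 5 was applied, and to see which key protectors end up guarding the system drive afterwards, the following PowerShell audit can be run from an elevated prompt. It is an added example, not part of the original article: the function name Get-BitLockerNoTpmAudit is hypothetical, and it assumes the BitLocker PowerShell module (Windows 8 and later) and that the policy is stored as the UseAdvancedStartup and EnableBDEWithNoTPM values under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example: run from an elevated PowerShell prompt (BitLocker module, Windows 8+).
function Get-BitLockerNoTpmAudit {   # hypothetical helper name
    param([string]$MountPoint = $env:SystemDrive)

    # Registry values written by "Require additional authentication at startup".
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

    # Get-Tpm can throw when no TPM is available; treat any failure as "not present".
    $tpmPresent = $false
    try { $tpmPresent = [bool](Get-Tpm -ErrorAction Stop).TpmPresent } catch { }

    # Collect the protector types on the volume (empty if BitLocker is not set up).
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    $protectors = @()
    if ($vol) {
        $protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    }

    $findings = @()
    if (-not $tpmPresent -and $policy.EnableBDEWithNoTPM -ne 1) {
        $findings += 'No TPM and policy not set: encrypting the OS drive fails with the TPM error.'
    }
    if ($vol -and $vol.ProtectionStatus -ne 'On') {
        $findings += "Protection is not on for $MountPoint (status: $($vol.VolumeStatus))."
    }
    if ($protectors.Count -gt 0 -and $protectors -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector: a lost password or USB key locks the drive.'
    }
    if ($protectors.Count -gt 0 -and -not ($protectors -match '^Tpm')) {
        $findings += 'No TPM-bound protector: the volume key is guarded only by password or key file.'
    }

    [pscustomobject]@{
        TpmPresent             = $tpmPresent
        AdvancedStartupEnabled = ($policy.UseAdvancedStartup -eq 1)
        AllowWithoutTpm        = ($policy.EnableBDEWithNoTPM -eq 1)
        EncryptionMethod       = if ($vol) { [string]$vol.EncryptionMethod } else { $null }
        KeyProtectors          = $protectors
        Findings               = $findings
    }
}

Get-BitLockerNoTpmAudit | Format-List
```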

 

Solution 2: How to Enable BitLocker Encryption without TPM in Windows 11/10/8/7 with Hasleo BitLocker Anywhere?

Step 1. Download and install Hasleo BitLocker Anywhere.

Step 2. Launch Hasleo BitLocker Anywhere, right-click the Windows drive letter (usually C:), then click "Turn On BitLocker".

Step 3. In this step, you are asked to choose how to unlock the Windows drive at startup. You can choose to enter a password or insert a USB flash drive each time you start your PC.

If you choose to enter a password at startup, you are required to specify a password for encrypting the drive; enter the password and click "Next". You should choose a password that combines upper and lower case letters, numbers, spaces, and special symbols.

If you choose to use a USB flash drive for startup, select a USB drive to save the startup key, then click "Next".

Step 4. After clicking "Next", you are asked how you want to back up the BitLocker recovery key. You can save the recovery key to a file or print a copy of it, then click "Next" to move on. Please note that anyone can use the recovery key to gain access to the drive, even if they do not have the startup key or password created in the previous step, so please do not disclose it to others.

Step 5. Now a pop-up will appear asking you if you want to reboot into pre-OS to encrypt the Windows partition. Click "Yes" to continue.

Step 6. Another pop-up will appear asking you if you want to build a WinPE image to continue. Click "Yes".

Step 7. Hasleo BitLocker Anywhere is building the WinPE environment. This may take several minutes, so please be patient.

Step 8. After successfully building the WinPE image, Hasleo BitLocker Anywhere will prompt you to reboot the computer. Click "Yes" to allow the software to restart your system.

Step 9. Hasleo BitLocker Anywhere will now reboot and enter the pre-OS environment to encrypt the selected drive using BitLocker drive encryption. The encryption process may take a long time depending on the drive size, so please be patient. If you prefer not to wait, the "Shut down the computer when the operation is completed" option is a good choice—simply select it.

Step 10. After the encryption is complete, click the "Finish" button to close the window.

Step 11. Now you must enter the BitLocker password or plug in the USB drive that contains the startup key before Windows can start.
