Wednesday, July 18, 2012

Enable BitLocker without TPM in Windows 7 and Windows 8

I like BitLocker Drive Encryption in Windows since it is relatively easy to set up. However, I ran into a snag the other night when trying to set up BitLocker on one of my customer’s computers. The problem? No TPM chipset is on the motherboard. According to Microsoft’s own documentation, no TPM is required. Instead, just use a USB flash drive to store the encryption key. But the standard documentation fails to inform you that you need to enable a very specific setting in the local policy editor. For that, you need to look at the advanced documentation. So, here are the detailed steps for enabling BitLocker with a USB drive instead of onboard TPM chipset.

What you need:

  • A Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Pro computer.
  • A USB flash drive

Now that you have what you need to get started, here is the process for enabling BitLocker without TPM:

  1. Open the Local Group Policy Editor: press Windows+R to open the Run box and execute "gpedit.msc".
  2. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Double-click "Require additional authentication at startup".
  3. Set the policy to Enabled and click Apply, but do not close the window. In the Options area, check the box next to "Allow BitLocker without a compatible TPM".
    Click Apply, click OK, and close the Local Group Policy Editor window.

Plug in a USB flash drive to the computer and allow Windows to assign it a drive letter, then open the Control Panel and launch the BitLocker Drive Encryption applet. You will now be able to proceed with the BitLocker setup for the C: drive. Just make sure to save the encryption key to the USB flash drive.

From now on, in order to use the PC, you need to have the USB flash drive plugged into the computer to boot it into Windows. Once Windows has booted up, you can remove the flash drive from the PC and store it in a safe place. That’s it!
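For anyone who would rather verify (or script) the steps above instead of clicking through gpedit.msc, here is an added PowerShell example; it is not part of the original post. It assumes the "Require additional authentication at startup" policy is stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE as the DWORD values UseAdvancedStartup and EnableBDEWithNoTPM (with the four "Configure TPM ..." sub-options defaulting to 2 = Allow), which is the mapping the Local Group Policy Editor writes; it checks for a TPM through the Win32_Tpm WMI class, which is available on both Windows 7 and Windows 8, and reports status with manage-bde, which also exists on both. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): audit, and optionally apply, the
# prerequisites for BitLocker without a TPM on Windows 7 / Windows 8.
# Assumption: the policy "Require additional authentication at startup" maps to
# the registry values under $policyKey as written below.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-TpmPresence {
    # Win32_Tpm returns no instance when the board exposes no TPM at all.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) { return 'No TPM detected (USB startup key required)' }
    if ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated) {
        return 'TPM present, enabled and activated'
    }
    return 'TPM present but not enabled/activated in firmware'
}

function Test-NoTpmPolicy {
    # True only when the policy is Enabled AND
    # "Allow BitLocker without a compatible TPM" is checked (steps 1-3).
    if (-not (Test-Path $policyKey)) { return $false }
    $p = Get-ItemProperty -Path $policyKey
    return ($p.UseAdvancedStartup -eq 1) -and ($p.EnableBDEWithNoTPM -eq 1)
}

function Enable-NoTpmPolicy {
    # Writes the same values the Local Group Policy Editor writes for steps 1-3.
    # On a domain-joined PC a domain GPO takes precedence, so set it there instead.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name EnableBDEWithNoTPM -Value 1 -Type DWord
    # Assumption: 2 = "Allow" for the four TPM sub-options, matching the dialog defaults.
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $policyKey -Name $name -Value 2 -Type DWord
    }
}

function Get-OsDriveProtectors {
    # Lists key protectors on C:. After setup you want to see an "External Key"
    # (the startup key on the USB stick) and a "Numerical Password" (recovery key).
    return (& manage-bde -protectors -get C: 2>&1 | Out-String)
}

Write-Host "TPM:    $(Get-TpmPresence)"
if (Test-NoTpmPolicy) {
    Write-Host 'Policy: BitLocker without a compatible TPM is allowed'
} else {
    Write-Host 'Policy: NOT allowed yet - follow steps 1-3 or run Enable-NoTpmPolicy'
}
Write-Host (& manage-bde -status C: 2>&1 | Out-String)
Write-Host (Get-OsDriveProtectors)
```

A note on the result: with this configuration the USB startup key is the only thing standing between the machine and anyone who boots it, so it belongs somewhere other than the laptop bag, and the recovery password that the wizard also produces should be stored separately from that same USB stick (a printed copy or a file on another device), because a lost or failed stick with both on it leaves no way back into the drive.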

Additional Resources:
Microsoft TechNet: Windows BitLocker Drive Encryption Step-By-Step Guide
Microsoft Answers Forum: Is the following encryption normal?
Microsoft Support Forum: Enable BitLocker without TPM
Windows.com: Hardware Requirements for BitLocker Drive Encryption

- Joe