Windows 7 – Enable BitLocker on a Drive Without TPM

By default, Windows 7 will only enable BitLocker if you have a TPM device built into your computer and it is enabled in the BIOS.

What is a TPM and what does it do?

TPM stands for Trusted Platform Module. It is a microchip built into your computer's motherboard. The TPM device works with your operating system to provide advanced security features; for example, it's used to safely store the BitLocker encryption key.

If you try enabling BitLocker without a TPM device (or if the TPM device is not enabled in the BIOS) you will receive the following message: “A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found. Please contact your system administrator to enable BitLocker”.

Fortunately, for systems without a TPM you can still enable BitLocker by using a USB key to store the encryption key. However, if the key is lost you will not be able to access the Windows 7 installation or the data saved on the hard drive.

The following steps will allow a USB key to be used to store the encryption key:

    1. Open the Start menu, enter ‘gpedit.msc’ in the search box and press ‘Enter’ on the keyboard
    2. Navigate to ‘Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives’
    3. Double click on ‘Require additional authentication at startup’
    4. Select ‘Enabled’ and tick the option which says ‘Allow BitLocker without a compatible TPM’
    5. Click ‘OK’ to save the changes and close the local group policy window
    6. Find a suitable USB key to use to store the encryption key and plug it into the computer.
    7. Open the ‘Computer’ window, right click on the drive you want to encrypt (C Drive) and select ‘Turn on BitLocker’
    8. When ready click ‘Next’, ‘Next’ and then ‘Restart Now’
    9. After the computer is restarted the BitLocker Drive Encryption wizard will resume. Click ‘Next’
    10. Select ‘Require a Startup key at every startup’
    11. Select the USB drive from the list and then click ‘Save’
    12. Either select ‘Save the recovery key to a file’ or ‘Print the recovery key’ and place the key in a safe location. (The recovery key is used as a backup in case the Startup key fails or the USB drive is lost.)
    13. Select the USB drive from the list and then click ‘Save’
    14. Click ‘Next’ then ‘Continue’
    15. Click ‘Restart now’ to start the encryption process
    16. After restarting, Windows will start encrypting the hard drive in the background. You can use the computer whilst it works.
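
The result of the steps above can be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original guide; it assumes the encrypted drive is C: and that manage-bde prints English output, and it only reads the policy values and the protector list without changing anything.

```powershell
# Added example: read-only check of the no-TPM BitLocker setup (not from the original page).
# Run from an elevated PowerShell prompt. Assumptions: C: is the encrypted drive and
# manage-bde prints English output, because protector labels are matched as text.
$drive = 'C:'
$fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # registry location of the policy

function Get-FvePolicyValue($name) {
    # Returns the policy DWORD, or $null when the key or value is absent
    $item = Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { $null }
}

# 'Require additional authentication at startup' = Enabled -> UseAdvancedStartup = 1
# 'Allow BitLocker without a compatible TPM' ticked       -> EnableBDEWithNoTPM = 1
$policyOk = ((Get-FvePolicyValue 'UseAdvancedStartup') -eq 1) -and
            ((Get-FvePolicyValue 'EnableBDEWithNoTPM') -eq 1)

# List the key protectors currently attached to the volume
$protectors    = (& manage-bde.exe -protectors -get $drive 2>&1 | Out-String)
$hasStartupKey = $protectors -match 'External Key'        # the USB Startup key
$hasRecovery   = $protectors -match 'Numerical Password'  # the saved or printed recovery key

Write-Output "No-TPM policy enabled      : $policyOk"
Write-Output "Startup key protector      : $hasStartupKey"
Write-Output "Recovery password protector: $hasRecovery"

# Without a recovery protector, losing the USB key means losing access to the drive
if ($hasStartupKey -and -not $hasRecovery) {
    Write-Warning "No recovery protector found on $drive. Add one before relying on the USB key."
}

# Show encryption progress and whether protection is switched on
(& manage-bde.exe -status $drive 2>&1 | Out-String) -split "`r?`n" |
    Where-Object { $_ -match 'Conversion Status|Percentage Encrypted|Protection Status' } |
    ForEach-Object { $_.Trim() }
```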