How to enable encryption with Microsoft BitLocker on Non TPM computers


Microsoft's BitLocker feature provides full-volume encryption to help mitigate data loss from lost, stolen, or otherwise misappropriated laptops and computers. This feature is available in the Pro and Enterprise editions of Windows 8 and the Enterprise and Ultimate editions of Windows 7. By default, BitLocker requires a Trusted Platform Module (TPM) chip to be both present and enabled in the BIOS before it will encrypt hard drives. Hard drive encryption can, however, be accomplished without a TPM present. Here are the steps to do this properly; the images are from a Windows 8 Pro machine. I am not going to cover encrypting computers that have TPM chips in them, because other than the first few steps regarding Group Policy the BitLocker setup process is identical.


What can be encrypted? Internal hard drives, SSDs, external hard drives and USB memory sticks (USB memory sticks are ideal candidates for encryption because they are so easily lost).


What are the things you will need to get started?


  • A password (ideally each system will have a unique password)
  • Admin access to the computer
  • A printer or USB device, used to print out or store the recovery key.


Please be aware! After drives are encrypted, do not lose the password or recovery key. Doing so will render the system inoperable and all data will be lost. That is exactly what you want if the laptop is ever stolen or lost, but it applies just as much to you, so consider regular backups of user data when enabling encryption.


Configuring Local Policy Settings for a non-TPM system

Image: Windows Group Policy Editor


From the Metro UI or the search box, type GPEDIT.MSC and press Enter.


Open Computer Configuration => Administrative Templates => Windows Components => BitLocker Drive Encryption => Operating System Drives.

Image: "Require additional authentication at startup" policy setting


From the right pane, double-click "Require additional authentication at startup".


Click the Enabled radio button.


Leave the default configuration in the Options window. The "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" box is checked by default, and that checkbox is what makes the non-TPM setup possible.


Click Apply, then OK, and close the Group Policy Editor.


Setting Up BitLocker


Open the Control Panel and select BitLocker Drive Encryption.


Image: BitLocker Control Panel


Click Turn on BitLocker.


Image: BitLocker Drive Encryption wizard


Click Enter Password.


Image: BitLocker password prompt


Put in a "good" password. This is the password you will be prompted for each time you boot the device, so it needs enough complexity to prevent someone from guessing it. If you are enabling BitLocker on multiple computers, make sure each computer has a different password. Click Next.


Image: BitLocker recovery key options


Print the recovery key and store it in a safe place with a label saying which computer it belongs to (this is critical if you have more than one computer). You can also save the key to a file, but don't put it on the computer being encrypted, and don't put it in an easily accessible location on your network.


Image: BitLocker encryption scope choice


Select the first option (encrypt used disk space only) for new computers; the second option (encrypt the entire drive) is best for a computer that has been in use. Click Next.


Image: BitLocker ready to encrypt


Keep the "Run BitLocker system check" box checked; this is the safest way to proceed. Click Continue. The system will perform a number of checks, then reboot.


Image: BitLocker encryption in progress


This is the screen you will see during boot-up. Congratulations, you are finished and everything worked as planned.
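The Group Policy and Control Panel steps above can also be driven from an elevated PowerShell prompt, which is useful when more than one machine needs the same treatment. The following script is an added example and is not from the original post. It assumes that the registry values listed are the ones the "Require additional authentication at startup" policy writes, that the BitLocker PowerShell module (Enable-BitLocker, Add-BitLockerKeyProtector, Get-BitLockerVolume) is available as on Windows 8 and later, that `-PasswordProtector` is accepted for the operating system drive once that policy is in effect, and that `E:` is a removable drive used to hold the recovery password, never the computer being encrypted.

```powershell
# Added example, not from the original post: non-TPM BitLocker setup for the
# OS drive from an elevated PowerShell session. Review before running; it
# encrypts C: and writes the recovery password to the drive named below.
#Requires -RunAsAdministrator

$osDrive   = 'C:'
$keyExport = 'E:\BitLocker-Recovery'   # assumed removable drive for the recovery password

# 1. Local-policy equivalent of gpedit.msc -> "Require additional authentication
#    at startup" = Enabled with the default option "Allow BitLocker without a
#    compatible TPM" checked. Value names and meanings are an assumption based
#    on that policy's registry mapping; 2 means "allow" for the TPM options.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = @{
    UseAdvancedStartup = 1   # policy enabled
    EnableBDEWithNoTPM = 1   # allow BitLocker without a compatible TPM
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}

# 2. Ask for the boot password interactively so it never lands in a script,
#    shell history or log. Use a different password on every machine.
$bootPassword = Read-Host -Prompt "BitLocker boot password for $osDrive" -AsSecureString

# 3. Turn BitLocker on with a password protector. -UsedSpaceOnly matches the
#    "encrypt used disk space only" choice for a new computer; omit it for a
#    machine that has been in use. The command-line equivalent is
#    'manage-bde -on C: -Password -UsedSpaceOnly -RecoveryPassword', which also
#    runs the hardware test and reboots by default.
Enable-BitLocker -MountPoint $osDrive -PasswordProtector -Password $bootPassword `
    -UsedSpaceOnly -EncryptionMethod Aes256

# 4. Add a numerical recovery password and export it, labelled with the
#    computer name so it can be matched to the right machine later.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not (Test-Path $keyExport)) { New-Item -ItemType Directory -Path $keyExport | Out-Null }
$exportFile = Join-Path $keyExport "$env:COMPUTERNAME-$($osDrive.TrimEnd(':')).txt"
$recovery | ForEach-Object {
    "Computer: $env:COMPUTERNAME`r`nDrive: $osDrive`r`nProtector ID: $($_.KeyProtectorId)`r`nRecovery password: $($_.RecoveryPassword)"
} | Set-Content -Path $exportFile

# 5. Show status. Encryption continues in the background; reboot once the
#    command returns and confirm the boot password prompt appears before
#    relying on the machine.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

Remove the removable drive as soon as the export is written and label it with the computer name, exactly as the printed recovery key above should be labelled. The registry step replaces the gpedit.msc walk-through only on a standalone machine; on a domain-joined computer a domain Group Policy will overwrite these values at the next refresh, so set the policy there instead.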


The option to have a password-enabled device works very well: I have tested it on USB memory, external hard drives, internal hard drives and on SSD.


Note:  I have not tested using a USB key to startup the computer.

2 Comments on "How to enable encryption with Microsoft BitLocker on Non TPM computers"

  1. “Consider regular backups of user data when enabling encryption” is a bit of an understatement. User data should generally be backed up, encrypted or not.
