
Configure BitLocker encryption on non-TPM Windows systems

Derek Schauland tells you how you can configure BitLocker volume encryption on Windows systems that do not have the Trusted Platform Module (TPM) chip present and enabled.

Microsoft's BitLocker feature provides full-volume encryption to help mitigate the threat of data theft from lost, stolen, or otherwise misappropriated laptops and computers. This feature is available in the Enterprise and Ultimate editions of both Windows Vista and Windows 7, but, by default, it requires a Trusted Platform Module (TPM) chip (version 1.2 or later) to be both present and enabled before it will encrypt the operating system drive.

But what do you do if your hardware doesn't include TPM? I came across this issue myself when I decided to take advantage of the BitLocker feature in Windows 7. When I first tried to turn the feature on, I was met with an error message that said a Trusted Platform Module was not present or was not enabled in the system BIOS. This took me straight to the system setup utility to enable the settings for TPM. I was a bit shocked to find that they were unavailable.

After a while of wondering why the manufacturer of my PC would not include TPM in a PC labeled as "Professional Series," I finally decided to dig into the issue a little more and discovered that BitLocker can, indeed, be enabled on non-TPM systems.

Configuring Local Policy Settings for non-TPM system

All that is needed is a couple of tweaks to Local Policy settings, a USB flash drive, and a few hours to allow encryption to happen.

Like Group Policy in Active Directory, Local Group Policy allows an administrator to make system-wide or account-specific changes to settings on a local PC.

To get started, open the Windows 7 Start menu and enter gpedit.msc (or Group Policy) in the search box. From here, open the Local Group Policy Editor, as shown in Figure A.

Figure A


Local Policy Settings in Windows 7

To locate the settings for BitLocker, navigate to Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives.

After selecting Operating System Drives in the folder list, double-click the policy setting labeled Require Additional Authentication At Startup. The properties window for this policy is shown in Figure B.

Figure B


Properties for the Require Additional Authentication at Startup policy

On the properties page, select Enabled to turn the policy on and then check the box under Options labeled Allow BitLocker Without A Compatible TPM. With this option set, BitLocker will accept a startup key stored on a USB flash drive in place of the TPM, so you will need a flash drive to hold that key.

With the policy enabled, the dialog also exposes several drop-down options (Configure TPM Startup, Configure TPM Startup PIN, Configure TPM Startup Key, and Configure TPM Startup Key And PIN). These govern how a TPM is used when one is present and have no effect on a system without one, so leave them at their defaults.

After configuring the policy to allow non-TPM authentication, click OK to save and close the policy.

Note: When configuring policies in Windows 7 and Windows Server 2008, the dialog box provides space to make comments that are stored with that policy. I would recommend that you add the date and your name to the comments box just in case you need to track down the changes made.
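The same policy can be set without the Local Group Policy Editor by writing the registry values that the BitLocker administrative template uses. The script below is an added example, not part of the original article: it first checks through WMI whether the machine really lacks a usable TPM (if one is present, enabling it in the BIOS is the better fix), then writes the values under HKLM\SOFTWARE\Policies\Microsoft\FVE that correspond to the Require Additional Authentication At Startup dialog. It runs on the PowerShell 2.0 shipped with Windows 7 and must be run from an elevated prompt.

```powershell
# Added example (not from the original article): enable "Require additional
# authentication at startup" with "Allow BitLocker without a compatible TPM"
# by writing the policy registry values directly. Run elevated.

# 1. Confirm there is no usable TPM before relaxing the policy. The Win32_Tpm
#    class only returns an instance when a TPM is present and its driver loaded.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm -ne $null) {
    Write-Warning 'A TPM is present; enabling it in the BIOS is preferable to this policy.'
}

# 2. Write the policy values. These names are the ones the BitLocker ADMX
#    template uses for the "Require additional authentication at startup" policy.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

$values = @{
    UseAdvancedStartup = 1   # policy state: Enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
    UseTPM             = 2   # the four TPM drop-downs: 2 = Allow (the default),
    UseTPMPIN          = 2   # 1 = Require, 0 = Do not allow; irrelevant
    UseTPMKey          = 2   # on a machine without a TPM
    UseTPMKeyPIN       = 2
}
foreach ($name in $values.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $values[$name] `
        -PropertyType DWord -Force | Out-Null
}

# 3. Verify what the BitLocker wizard will actually read.
$applied = Get-ItemProperty -Path $fve
if ($applied.UseAdvancedStartup -eq 1 -and $applied.EnableBDEWithNoTPM -eq 1) {
    Write-Host 'Policy set: BitLocker will accept a USB startup key without a TPM.'
} else {
    Write-Warning 'Policy values not present; re-run from an elevated PowerShell prompt.'
}
```

Because this writes to the Policies hive directly rather than through the local GPO store, no gpupdate is needed for the wizard to see it; on a domain-joined machine, however, a domain GPO that configures the same policy will take precedence on the next policy refresh.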

Setting up BitLocker

The policy settings discussed above are what allow BitLocker to function on computers without TPM chips. If the wizard still reports a missing TPM after you save the policy, run gpupdate /force from an elevated command prompt so the new local policy takes effect, then try again. Complete the following steps to turn on BitLocker:

1. Open the BitLocker Drive Encryption control panel by searching for BitLocker from the Start menu or by visiting System and Security in the Control Panel.

2. When the management tool opens, it will show you all the drives detected in your system.

3. Click Turn On BitLocker next to the operating system drive.

You will be asked to configure your BitLocker options based on the selections made when you configured the Local Policy. In this case, you will need to provide a USB device to store the BitLocker key. In Figure C, the BitLocker wizard asks for the USB drive where the authentication key will be saved. Insert the device and click Next to write the key.

Figure C

Saving the Startup key on the USB device

When you click Next, the startup key (a small .BEK file) is written to the flash drive, and the wizard then asks where to save a recovery key, in case the startup key is lost. The recovery key is a 48-digit numeric password that can be saved to a USB drive, saved to a file, or printed.

Note: Do not keep the recovery key on the encrypted drive (the wizard will refuse to save it there, because you would be unable to read it without the startup key) and do not keep it on the same flash drive as the startup key, because losing that one drive would then lose both keys. A printed copy stored somewhere secure, or a file on a separate, protected system, is the safer choice.

Once the keys are all set, BitLocker offers to run a system check, which restarts the computer to verify that the startup key can be read from the USB drive before any encryption takes place; leave this enabled. After that restart, encryption of the operating system drive begins. You can continue to use your computer as you normally would, but depending on the size of the drive, the encryption process can take quite a long time.

When I encrypted my laptop drive, the entire process took about eight hours for a drive 285 GB in size.

From the system check restart onward, the computer will ask for the startup key at every boot, including while encryption is still in progress. This works much like a TPM-equipped system, except that you must insert the USB flash drive before powering on. You can confirm that conversion has finished by running manage-bde -status from an elevated command prompt; the drive is fully protected only once it reports that encryption is complete.
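The wizard's choices can also be made from the command line with manage-bde.exe, which ships with Windows 7 (the Enable-BitLocker PowerShell cmdlets did not exist until Windows 8). The script below is an added example, not code from the original article: it checks that the policy from the previous section is in place and that the target is really a removable drive, turns on BitLocker with a USB startup key plus a recovery password, and captures the 48-digit recovery password from the command's output so it can be stored away from the machine. The drive letters are assumptions for the example, and it must run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): turn on BitLocker for the OS
# drive with manage-bde, mirroring the wizard: USB startup key + recovery password.
# Drive letters are assumptions; adjust before running. Run elevated.
$osDrive  = 'C:'
$usbDrive = 'E:\'    # removable drive that will receive the .BEK startup key

# Sanity checks before touching the disk.
if (-not (Test-Path $usbDrive)) { throw "USB drive $usbDrive not found" }
$usb = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($usbDrive.TrimEnd('\'))'"
if ($usb.DriveType -ne 2) { throw "$usbDrive is not a removable drive (DriveType=$($usb.DriveType))" }

$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($policy -eq $null -or $policy.EnableBDEWithNoTPM -ne 1) {
    throw 'Policy "Allow BitLocker without a compatible TPM" is not enabled; set it first.'
}

# Enable encryption. -StartupKey writes the .BEK to the USB directory and
# -RecoveryPassword generates the 48-digit password, which manage-bde prints.
$output = & manage-bde -on $osDrive -StartupKey $usbDrive -RecoveryPassword 2>&1

# Pull the recovery password out of the output (eight groups of six digits).
$match = $output | Select-String -Pattern '\d{6}(-\d{6}){7}' | Select-Object -First 1
if ($match -eq $null) { throw "manage-bde did not return a recovery password:`n$($output -join "`n")" }
$recovery = $match.Matches[0].Value

# Print it once; store it off this machine and NOT on the startup-key USB drive.
Write-Host "Recovery password (record it somewhere safe, away from the laptop): $recovery"

# Without -SkipHardwareTest, manage-bde schedules the same hardware test as the
# wizard: encryption starts only after a restart that succeeds with the key inserted.
Write-Host 'Restart with the USB startup key inserted to run the hardware test and begin encryption.'

# After the restart, this shows conversion status and percentage encrypted.
& manage-bde -status $osDrive
```

Protectors can be listed again at any time with manage-bde -protectors -get C:, which is also how to retrieve the recovery password if the printed copy is misplaced while the machine is still bootable.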

I have found this to be particularly useful for portable computers as they have the highest likelihood of being lost or stolen. The protection is only as good as the handling of the keys, though: a startup key that travels in the same bag as the laptop protects nothing, so keep the flash drive on your person, keep the recovery password somewhere else entirely, and keep a current backup of your data.

About Derek Schauland

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.
