How to enable BitLocker on non-TPM Macs

It's easy to add Microsoft's drive encrypting BitLocker protection to your non-TPM enabled Mac computers hosting Windows via Boot Camp or third-party VM.


One scenario we see time and again is a lost device with all of the drive's contents made available because it was not protected with any form of encryption. Making this issue more disheartening is that every major OS has built-in support for drive encryption. Sadly, many users simply do not enable it.

There are rare occasions when drive encryption cannot be enabled because of a hardware limitation that prevents it from working as designed. Such is the case for many (but not all) Mac computers, which lack the built-in TPM that BitLocker relies on by default. macOS gets around this with Apple's native FileVault, but what do you do if you wish to encrypt a Boot Camp partition or a Windows VM hosted by third-party software like Parallels? Forgo the added security?

You can have your cake and eat it too, albeit with a modification to the local computer policy. By default, Windows checks for the presence of a TPM chip before fully enabling BitLocker, the whole-disk encryption feature that encrypts data on a Windows PC or USB flash drive to prevent access by anyone who does not have the decryption key or the user's account credentials. If no TPM is found, the setup process fails. As a workaround, the local policy must be modified so that Windows also allows the configurations in which BitLocker functions properly without a TPM.

Before we get into the details, there are a few requirements that must be adhered to:

  • Apple computer running macOS 10.10 (or newer)
  • Boot Camp partition or VM with Windows 7 (or newer)
  • Administrative rights on the Windows partition

Enabling BitLocker

  1. Log in to the Windows partition with an admin account.
  2. Launch the local policy (gpedit.msc), and under Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives, locate the setting titled "Require additional authentication at startup."
  3. Edit the setting by selecting the radio button next to Enabled. Also, check the box next to "Allow BitLocker without a compatible TPM" (Figure A).

Figure A: Launch the local policy (gpedit.msc), and locate the setting titled "Require additional authentication at startup."

  4. Additionally, make the following changes as indicated below:

  • Configure TPM startup: Do not allow TPM
  • Configure TPM startup PIN: Require startup PIN with TPM
  • Configure TPM startup key: Do not allow startup key with TPM
  • Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM

Note: Although these entries are only supposed to apply to devices with a recognized TPM, on some versions of Windows leaving them at their defaults can cause enabling BitLocker to fail (Figure B).


Figure B

  5. Click the OK button and reboot Windows. After the reboot, log in again with the admin account and enable BitLocker in the Control Panel as you normally would. Follow the prompts to create a password that will be required each time the computer restarts, to decrypt the drive before Windows fully loads.
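The same policy change and BitLocker enablement can be scripted. The following is an added example, not part of the original article or Microsoft's documentation; it writes the registry values behind the "Require additional authentication at startup" policy (steps 3 and 4), checks for a TPM, and enables BitLocker with a startup password plus a recovery password. It assumes Windows 8 or later (the BitLocker cmdlets do not exist on Windows 7, where manage-bde.exe is the equivalent) and an elevated PowerShell session on the Boot Camp partition or VM.

```powershell
# Added example: scripted equivalent of the gpedit.msc steps in this article.
# Assumes Windows 8+ and an elevated session; on Windows 7 use manage-bde.exe.
#Requires -RunAsAdministrator

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Value meanings for the four "Configure TPM ..." entries:
# 0 = Do not allow, 1 = Require, 2 = Allow (as shown in the policy editor).
$policy = @{
    UseAdvancedStartup = 1   # policy state: Enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
    UseTPM             = 0   # Configure TPM startup: Do not allow TPM
    UseTPMPIN          = 1   # Configure TPM startup PIN: Require startup PIN with TPM
    UseTPMKey          = 0   # Configure TPM startup key: Do not allow startup key with TPM
    UseTPMKeyPIN       = 0   # Configure TPM startup key and PIN: Do not allow
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Only fall back to a password-only protector when there really is no usable TPM.
$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    Write-Warning 'A ready TPM was found; prefer a TPM-based protector over this workaround.'
}

# Startup password = the password the Control Panel wizard asks for in step 5.
# Use Aes256 instead of XtsAes256 on Windows 8/8.1, which lack XTS mode.
$startupPassword = Read-Host -Prompt 'Startup password' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $startupPassword -SkipHardwareTest

# Add a recovery password so a forgotten startup password is not data loss;
# record it somewhere off the device (printed copy, AD, or a password manager).
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# Verify: protection status, encryption progress, and the recovery password.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword
```

Reboot once the policy values are in place; as with the GUI method, Windows prompts for the startup password before it loads.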
