Turn On BitLocker for Windows 10 Operating System Drive without TPM

Turn On BitLocker for Windows 10 Operating System Drive without TPM

You can choose how to unlock the operating system reader when you turn on your PC with a PIN (requires TPM), Password, or one Start key on a connected USB flash drive. In this article, we will show you how to enable or disable BitLocker to encrypt or decrypt the operating system drives without TPM in Windows 10.

Enable BitLocker for Windows 10 operating system drives without TPM

To allow BitLocker without TPM, it is necessary to unlock the operating system drive at startup with the help of a password or boot key on a USB flash drive . This option is used when you do not want to use or have a TPM chip on your PC.

1) Open the Local Group Policy Editor and navigate to this setting.

Computer Configuration> Administrative Templates> Windows Components> BitLocker Drive Encryption> Operating System Readers.

On the right pane of Operating system double-click Require additional authentication at startup policy to change it.

This policy setting allows you to control whether the BitLocker Drive Encryption Setup Wizard can configure an additional authentication method required each time the computer starts. This policy setting is applied when you enable BitLocker.

This policy only applies to computers running Windows Server 2008 or Windows Vista.

On a computer with a compatible Secure Platform Module (TPM), two authentication methods can be used at startup to further protect the encrypted data. When the computer starts, users can insert a USB key containing a boot key. You can also ask users to enter a personal identification number (PIN) of 4 to 20 digits.

A USB flash drive containing a boot key is required on computers without a compatible TPM. Without TPM, data encrypted by BitLocker is protected only by the key elements stored on this USB flash drive.

If you enable this policy setting, the wizard displays the page to allow the user to configure advanced startup options for BitLocker. You can also configure configuration options for computers with and without TPM.

If you disable or do not configure this policy setting, the BitLocker Setup Wizard displays the basic steps for users to enable BitLocker on computers with a TPM. In this basic wizard, no start key or additional start PIN can be configured.

Enable BitLocker for Windows 10 operating system drives without TPM

To select enabled at the top, check the Allow BitLocker without a compatible TPM (requires a password or a boot key on a USB flash drive) box under The options.

You can now exit the Group Policy Editor and continue to 2nd step below.

2) Launch the File Explorer, right-click the drive of the operating system that you want to encrypt, and then click Enable bitlocker.

Choose how (USB or Password) you want to unlock the operating system drive at startup.

You have two options:

  1. Insert a USB flash drive – This option allows you to unlock the operating system drive with a USB flash drive connected with the registered startup key.
  2. Enter a password – This option allows you to unlock the operating system drive with a password.

Now select how (Microsoft account, USB, fileand or impression) you want to back up your BitLocker recovery key for this drive, and then click Next.

the Microsoft account This option is only available when you are logged on to Windows 10 with a Microsoft account. The BitLocker recovery key will be saved on your computer. OneDrive account online.

Select the radio button for how much of your drive to encrypt (Encrypt the entire drive is recommended) and click Next.

Now select the radio button for which encryption mode (New encryption mode (128-bit XTS-AES) or Compatible mode (AES-CBC 128-bit)) to use, and click Next.

In the next window, shoot or check (advisable) the Run the BitLocker system check box for what you want, and click go on when you are ready to start encryption.

The operating system drive will now begin to encrypt.

When encryption is complete, click close.

Disable BitLocker OS for Windows 10 with / without TPM

Whether you have encrypted your Windows drives with a PIN (TPM) or password (without TPM), the decryption procedure is the same in both cases.

To disable BitLocker operating system drives for Windows 10

Open a command prompt with privilege, type the command below in the command prompt with privilege, and then press Enter.

manage-bde -off 

Replace in the above command with the actual drive letter of the encrypted drive you want to decrypt. For example:

manage-bde -off C:

Once done, you can check the BitLocker status for the drive at any time.

Thus, you can enable / disable the BitLocker for Windows 10 operating system drives with / without TPM.

Leave a Reply