Contrary to popular belief, you can use Windows’ built-in BitLocker to encrypt your hard disk content even if you don’t have a TPM chip in your computer. Data disks are easy: you just have to enter a password, and you have the option to save your recovery key to a file, a USB drive or even to the cloud. However, when you try to encrypt your OS volume with BitLocker, you will see the following error message:
This device can’t use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes.
It is quite a good error message, because it not only states what the problem is, but also tells you how to recover from it. If it said exactly where to find that setting, it would be perfect!
If you search for the word “policy”, you will find Local Security Policy, but it is not what you really want. What you need is the Group Policy Object Editor, even if your computer is not domain joined.
Start a Microsoft Management Console (mmc) and add the Group Policy Object Editor snap-in:
Then, within the Local Computer Policy –> Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption –> Operating System Drives branch, you can find the setting the error message referred to:
Open the setting, first select Enabled, and then tick the Allow BitLocker without a compatible TPM checkbox below:
After you have closed all windows, you have to refresh the local Group Policy, which you can do without restarting your computer by running gpupdate from the command prompt:
Now you can encrypt your OS volume just as you did with your data disks.
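The same procedure can be driven from an elevated PowerShell session, which is handy when you have to repeat it on several machines or want to verify the effective setting before encrypting. The script below is an added example, not part of the original post. It assumes the "Require additional authentication at startup" policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE with the value names shown (EnableBDEWithNoTPM, UseAdvancedStartup and the UseTPM* options), refreshes policy with gpupdate, checks the result, and then enables BitLocker on C: with a startup password plus a recovery password, as the GUI does.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# Group Policy editor steps, followed by the actual OS-volume encryption.
# Run from an elevated PowerShell session on the machine being encrypted.
# Assumption: the policy "Require additional authentication at startup" is
# backed by the registry values below under HKLM\SOFTWARE\Policies\Microsoft\FVE.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Record the starting point: is a TPM present and ready at all?
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent), ready: $($tpm.TpmReady)"

# 2. Write what "Enabled" + "Allow BitLocker without a compatible TPM" produce.
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
New-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -PropertyType DWord -Force | Out-Null
# The remaining drop-downs of the same policy default to "Allow" (2) when the
# setting is enabled in the editor; set them explicitly so the state is unambiguous.
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    New-ItemProperty -Path $fve -Name $name -Value 2 -PropertyType DWord -Force | Out-Null
}

# 3. Refresh computer policy without a reboot (the gpupdate step in the post).
gpupdate /target:computer /force | Out-Null

# 4. Verify the effective setting before touching the OS volume.
$policy = Get-ItemProperty -Path $fve
if ($policy.EnableBDEWithNoTPM -ne 1) {
    throw 'Policy not applied; BitLocker will still insist on a TPM.'
}

# 5. Encrypt C: with a startup password and add a recovery password.
#    Without a TPM there is no measured boot, so the strength of this password
#    is the entire protection of the data at rest; the recovery password must
#    be stored off the machine, exactly as for the data disks.
$pw = Read-Host -Prompt 'Startup password for C:' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $pw `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# 6. Show the volume state and the recovery password so it can be saved.
$vol = Get-BitLockerVolume -MountPoint 'C:'
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
```

Because the call to Enable-BitLocker omits -SkipHardwareTest, Windows runs its usual pre-boot hardware test after the next restart and only then starts encrypting; this is the same check the GUI wizard performs, and it is worth keeping on a machine whose only pre-boot protector is the password.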