Full-disk encryption is the single most cost-effective control for protecting data on lost or stolen hardware.
How to Encrypt Your Hard Drive Without a TPM Chip
Audience: IT staff and end users running Windows 10 or Windows 11 (Pro / Enterprise / Education) on hardware that does not have a TPM 2.0 chip, or where the TPM has been disabled in firmware.
Author: Northern Data Solutions, Office of the CTO
Topic: BitLocker activation without TPM. Step-by-step with annotated UI illustrations.
Executive Summary
Every laptop, desktop, and server that holds business data is one careless moment away from a regulatory incident. A device left in a coffee shop, a hotel, an airport, or the back of a rideshare becomes a public-record breach the moment an unauthorized person can read its contents. Full-disk encryption stops that conversation before it starts: even if the drive is removed and connected to another computer, the data is unreadable without the startup password or the recovery key.
Microsoft’s built-in BitLocker is the standard answer on Windows. By default, BitLocker requires a Trusted Platform Module (TPM) chip to bind the encryption keys to the hardware. Older hardware, virtual machines, custom-built workstations, and some specialty industrial systems do not have a TPM — or have one that is disabled. This article walks through the supported, vendor-recommended way to enable BitLocker on those systems without a TPM, using a startup password instead.
The hands-on procedure takes about ten to twenty minutes per machine; the encryption pass itself runs in the background afterwards. The cybersecurity uplift is dramatic: you move from “the device is exposed if lost” to “the device is a useless brick to anyone but you,” provided the startup password is strong and the recovery key is not stored with the device.
“Encryption is the single highest-leverage control most organizations leave half-finished. Twenty minutes per laptop turns a potential breach notification into a non-event.”
Why This Matters for Cybersecurity and Data Protection
Drive encryption is not a nice-to-have. It is a baseline expectation built into virtually every regulatory framework your business is measured against, every cyber liability questionnaire, and every modern customer due-diligence checklist.
Why Drive Encryption Matters | What Happens Without It |
|---|---|
Loss-and-theft incidents become non-reportable | An unencrypted lost laptop is, by default, a notifiable data breach under HIPAA, GDPR, CCPA, and most state privacy statutes, with statutory notification windows, regulator letters, and customer disclosures. An encrypted drive is generally treated as a non-breach “safe harbor” in those same frameworks, provided the password or recovery key was not lost along with the device. |
Cyber liability requires it | Every major U.S. carrier asks the encryption question on the application. “No” can mean declination, sub-limited coverage, or premium increases of 2–4x. |
Compliance frameworks expect it | CMMC SC.L2-3.13.16, NIST SP 800-171 3.13.16, HIPAA 164.312(a)(2)(iv) (data at rest; 164.312(e)(2)(ii) is the companion control for data in transit), PCI DSS 4.0.1 Requirement 3, NYDFS Part 500 500.15, FTC Safeguards 16 CFR 314.4(c)(3), and GDPR Article 32 all call for encryption of data at rest, and SOX ITGC auditors routinely ask for it. CMMC Level 2 requires it for CUI. |
Insider risk is mitigated | A drive removed from a powered-down machine cannot be mounted on another computer to bypass file permissions. |
End-of-life disposal becomes safer | An encrypted drive can be cryptographically erased by deleting every key protector (manage-bde -protectors -delete C:), after which nothing on the platters or flash can be decrypted. Note that rotating the recovery key alone does not do this: the startup password still unwraps the same volume key. Follow your media-sanitization policy for disposal regardless. |
Before You Begin — Pre-Requisites
Windows edition: BitLocker requires Windows 10 or Windows 11 Pro, Enterprise, or Education.
Administrator account: All steps below require local administrator privileges.
A recovery key destination: Decide in advance where you will store the 48-digit recovery key — a Microsoft account, a printed copy in a safe, a USB key, or your IT department’s key escrow.
A startup password or USB key: Without a TPM, BitLocker requires a pre-boot authenticator. A startup password is most common. Understand the trade-off: with no TPM there is no hardware anti-hammering and no boot-integrity measurement, so an attacker holding the drive can attempt passwords offline at full speed. The password's length is the whole defense; plan on a long passphrase, not a short complex password.
Back up the data first. Take a verified backup before starting; an interrupted conversion or a forgotten password with no recovery key is unrecoverable without it.
Battery / UPS: Encryption can take from minutes to several hours depending on drive size. Plug the laptop in.
Phase 1 — Allow BitLocker Without a TPM (Group Policy)
By default, BitLocker refuses to enable on a system without a TPM. Microsoft includes a supported policy switch that allows BitLocker to use a startup password (or USB startup key) in place of the TPM.
Step 1 — Open the Local Group Policy Editor
Press Windows Key + R to open the Run dialog. Type gpedit.msc and press OK.
Figure 1. The Run dialog: Windows Key + R, then type gpedit.msc.
Step 2 — Navigate to the BitLocker Operating System Drives Policy
Inside the Local Group Policy Editor, drill down through the left pane to:
Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives
The policy you want is Require additional authentication at startup.
Step 3 — Enable the Policy and Allow BitLocker Without a Compatible TPM
Double-click the policy. In the dialog that opens:
Set the radio button to Enabled.
In the Options pane, ensure the box “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)” is checked.
Click Apply, then OK.
Figure 2. (1) Set the policy to Enabled. (2) Check Allow BitLocker without a compatible TPM. Click Apply, then OK.
Step 4 — Refresh the Policy
Open Windows PowerShell as Administrator (right-click Start → Windows PowerShell (Admin) or Terminal (Admin)) and run:
```powershell
gpupdate /force
```

You should see Computer Policy update has completed successfully. The local machine now permits BitLocker activation without a TPM.
Phase 2 — Turn On BitLocker With a Startup Password
Step 5 — Open BitLocker Drive Encryption
Open Control Panel (search for it from the Start menu, or run control from the Run dialog). Set View by to Large icons, and click BitLocker Drive Encryption. Then click Turn on BitLocker next to the C: drive.
Step 6 — Choose How to Unlock the Drive at Startup
BitLocker now offers two unlock methods (because there is no TPM): a password or a USB flash drive. The password option is most common. Because nothing rate-limits guesses against a TPM-less drive, choose a long passphrase (20+ characters; several unrelated words work well) rather than a short complex password. Type it twice and click Next.
Figure 3. Pick Enter a password. Use a long, varied password — you will type it every time the machine boots.
Step 7 — Save Your Recovery Key
BitLocker generates a 48-digit numeric recovery key. This key is the only way to recover your data if you forget the password. Save it to at least two of the four offered destinations:
Save to your Microsoft account / Microsoft Entra ID — recommended for business use.
Save to a USB flash drive — keep that USB stored separately from the laptop.
Save to a file — save to a network share, never to the same C: drive being encrypted.
Print the recovery key — lock the print-out in a safe.
Step 8 — Choose How Much of the Drive to Encrypt
Two options:
Encrypt used disk space only — faster; appropriate for new PCs that have not yet held sensitive data.
Encrypt entire drive — slower; required for any drive that has previously contained sensitive data.
For any in-service business machine, choose Encrypt entire drive.
Step 9 — Choose Encryption Mode
Pick New encryption mode (XTS-AES) for fixed drives that will stay in this PC. Pick Compatible mode only if the drive will be moved to an older Windows version. XTS-AES defaults to a 128-bit key; if your framework requires 256-bit, set the policy Choose drive encryption method and cipher strength (in the same BitLocker Drive Encryption policy folder) to XTS-AES 256-bit before turning BitLocker on, because the cipher cannot be changed without decrypting and re-encrypting.
Step 10 — Run BitLocker System Check and Restart
Check the box labeled Run BitLocker system check and click Continue. The PC will request a restart. The system check verifies that your password unlocks the drive correctly before encryption begins — so a typo cannot lock you out.
Step 11 — The Pre-Boot Password Prompt
After restart, before Windows loads, you will see the BitLocker screen asking for the startup password. Type the password and press Enter. This prompt appears on every cold boot and on resume from hibernation; it does not appear on resume from sleep, because sleep keeps the volume key in RAM. Shut down or hibernate, rather than just closing the lid, before a device leaves your control.
Figure 4. The pre-boot BitLocker prompt. Every boot of this machine now requires your startup password.
Step 12 — Encryption Runs in the Background
Once you log in to Windows, encryption begins. You can keep working — encryption runs at low priority. Right-click the BitLocker icon in the system tray, or open BitLocker Drive Encryption from Control Panel, to see live progress.
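The same Phase 1 and Phase 2 steps can be scripted for machines you provision in bulk. The script below is an added example written for this article, not Microsoft's or Northern Data Solutions' own tooling. It writes the registry values that the Require additional authentication at startup policy sets, reads the startup password interactively so it never lands in a script or shell history, creates the recovery password protector before enabling the password protector, and escrows the recovery key. The escrow share path and the 20-character floor are assumptions you should replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: script Phases 1-2 of the article on one machine.
# Assumptions: C: is the OS volume; $EscrowDir is a share restricted to the
# key-custody group (placeholder path below); a domain GPO is not also
# managing these FVE values (if it is, set them there instead).
param(
    [string] $MountPoint = 'C:',
    [string] $EscrowDir  = '\\fileserver\bitlocker-escrow$',   # assumption
    [ValidateSet('XtsAes128','XtsAes256')] [string] $Cipher = 'XtsAes256'
)
$ErrorActionPreference = 'Stop'

# Phase 1: the registry values behind "Require additional authentication at
# startup" = Enabled with "Allow BitLocker without a compatible TPM" ticked.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
New-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -PropertyType DWord -Value 1 -Force | Out-Null
# 2 = "Allow" for each TPM combination, matching the GUI defaults so the same
# policy does not break machines that do have a TPM.
foreach ($name in 'UseTPM','UseTPMPIN','UseTPMKey','UseTPMKeyPIN') {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value 2 -Force | Out-Null
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') { throw "$MountPoint is already $($vol.VolumeStatus); nothing to do." }
$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    Write-Warning 'A ready TPM was found; a TPM+PIN protector is the better choice on this machine.'
}

# Step 6: startup password. Without a TPM nothing rate-limits guesses, so
# enforce a length floor (20 here, an assumption; raise it if your policy does).
do {
    $pw1 = Read-Host -AsSecureString 'Startup password (20+ characters)'
    $pw2 = Read-Host -AsSecureString 'Confirm startup password'
    $p1 = [Net.NetworkCredential]::new('', $pw1).Password
    $p2 = [Net.NetworkCredential]::new('', $pw2).Password
    $ok = ($p1 -ceq $p2) -and ($p1.Length -ge 20)
    if (-not $ok) { Write-Warning 'Passwords differ or are shorter than 20 characters.' }
} until ($ok)

# Step 7: create the 48-digit recovery password protector first ...
$rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = @($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[-1]

# ... then enable with the password protector. No -UsedSpaceOnly: encrypt the
# entire drive (Step 8). The hardware test runs on the next reboot (Step 10).
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Cipher -PasswordProtector -Password $pw1

# Escrow: one file per host and protector ID, plus AD DS when domain-joined.
$escrowFile = Join-Path $EscrowDir ("{0}_{1}.txt" -f $env:COMPUTERNAME, $recovery.KeyProtectorId.Trim('{}'))
"Host: $env:COMPUTERNAME`nProtectorId: $($recovery.KeyProtectorId)`nRecoveryPassword: $($recovery.RecoveryPassword)" |
    Set-Content -Path $escrowFile -Encoding ASCII
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    # Requires the AD DS schema/policy prerequisites for storing recovery information.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId | Out-Null
}
Write-Host "Recovery key escrowed to $escrowFile. Reboot to run the system check and start encryption."
```

The recovery protector is added before Enable-BitLocker so there is never a window in which the password is the only way in; on Entra-joined devices use BackupToAAD-BitLockerKeyProtector in place of the AD DS backup. Reboot after the script finishes, exactly as in Steps 10 and 11.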
Phase 3 — Verification
Once encryption finishes, verify the result two ways:
BitLocker Drive Encryption control panel should show: C: BitLocker on (green padlock).
From elevated PowerShell, run:
```powershell
manage-bde -status C:
```

Look for Conversion Status: Fully Encrypted, Protection Status: Protection On, and Encryption Method: XTS-AES 128 (XTS-AES 256 if you set the cipher-strength policy). Protection Status matters as much as Conversion Status: a volume that is fully encrypted but suspended stores its key in the clear on disk. Get-BitLockerVolume C: reports the same fields plus the list of key protectors; you should see one Password protector and one RecoveryPassword protector.
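For fleet-wide verification a pass/fail function is more useful than reading manage-bde output by eye. The function below is an added example, not part of the original article or Microsoft's tooling; it only uses Get-BitLockerVolume and checks the conditions that actually matter on a TPM-less machine: fully encrypted, protection not suspended, an XTS-AES cipher, and both a Password and a RecoveryPassword protector present.

```powershell
# Added example: one-call compliance check for a BitLocker OS volume that
# uses a startup password instead of a TPM. Returns an object whose
# Compliant field is $true only when every check passes.
function Test-BitLockerNoTpmCompliance {
    param([string] $MountPoint = 'C:')
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($v.KeyProtector.KeyProtectorType)
    $checks = [ordered]@{
        'Fully encrypted'               = $v.VolumeStatus -eq 'FullyEncrypted'
        'Protection on (not suspended)' = $v.ProtectionStatus -eq 'On'
        'XTS-AES cipher'                = $v.EncryptionMethod -like 'XtsAes*'
        'Password protector present'    = $types -contains 'Password'
        'Recovery password present'     = $types -contains 'RecoveryPassword'
    }
    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
    foreach ($f in $failed) { Write-Warning "$env:COMPUTERNAME $MountPoint FAILED: $($f.Key)" }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Volume     = $MountPoint
        Cipher     = $v.EncryptionMethod
        Percent    = $v.EncryptionPercentage
        Protectors = ($types -join ',')
        Compliant  = ($failed.Count -eq 0)
    }
}

# Run locally; pipe to Export-Csv from your RMM to collect per-asset evidence.
Test-BitLockerNoTpmCompliance -MountPoint 'C:' | Format-List
```

A result with Compliant = False and the warning “Protection on (not suspended)” is the case to chase first: someone ran manage-bde -protectors -disable (for example before a firmware update) and never re-enabled it, and the drive is effectively unencrypted until they do.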
Recovery Key Best Practices
Do | Don’t |
|---|---|
Escrow the key to Microsoft Entra ID, on-premises Active Directory, or your IT key vault automatically (via policy). | Don’t store the only copy on the encrypted drive itself. |
Keep at least one offline copy (printed, locked safe, or USB stored separately). | Don’t email the key to yourself in plain text. |
Document which user / asset each key belongs to so it can be retrieved on demand. | Don’t leave a printed key inside the laptop bag. |
Rotate the recovery key when an employee with access leaves or after any suspected exposure, and change the startup password at the same time: rotating only the recovery protector leaves the old password valid. | Don’t share the key over insecure channels (chat, SMS, public ticket fields). |
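Rotation is where people get hurt: removing the old recovery protector before the new one exists and is escrowed leaves the drive with a single, human-remembered way in. The function below is an added example, not Northern Data Solutions' or Microsoft's code; it adds the new recovery password, escrows it, and only then retires the old one. It assumes the volume is already protected and, if domain-joined, that AD DS recovery-information backup is configured.

```powershell
# Added example: rotate the 48-digit recovery password on a BitLocker volume
# in the safe order (add new -> escrow new -> remove old).
function Update-BitLockerRecoveryPassword {
    param([string] $MountPoint = 'C:')
    $before = Get-BitLockerVolume -MountPoint $MountPoint
    if ($before.ProtectionStatus -ne 'On') { throw "$MountPoint protection is not on; fix that first." }
    $old = @($before.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # 1. Add a fresh recovery password protector.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = @($after.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
             Where-Object { $_.KeyProtectorId -notin $old.KeyProtectorId })[0]

    # 2. Escrow it before anything else changes (AD DS shown; use
    #    BackupToAAD-BitLockerKeyProtector on Entra-joined devices).
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
    }

    # 3. Only now retire the old recovery protector(s).
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Volume       = $MountPoint
        NewProtector = $new.KeyProtectorId
        RecoveryKey  = $new.RecoveryPassword   # deliver to the escrow system, never chat or email
        Retired      = @($old.KeyProtectorId)
    }
}

Update-BitLockerRecoveryPassword -MountPoint 'C:'
```

The startup password is not touched by this function; change it separately through Control Panel → BitLocker Drive Encryption → Change password, as the Troubleshooting table describes, so that a departed employee's password stops working as well.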
Compliance Framework Mapping
Framework | Control |
|---|---|
CMMC 2.0 / NIST SP 800-171 | SC.L2-3.13.16 Protect the confidentiality of CUI at rest. Read it together with 3.13.11, which requires FIPS-validated cryptography; BitLocker's XTS-AES runs on Windows' FIPS 140 validated cryptographic modules. |
HIPAA Security Rule | 164.312(a)(2)(iv) Encryption and decryption (data at rest, an addressable specification); 164.312(e)(2)(ii) is the matching transmission control. HHS breach-notification guidance treats PHI as “secured” when it is encrypted consistent with NIST SP 800-111, so a lost encrypted laptop whose key was not also compromised is not a reportable breach. |
PCI DSS 4.0.1 | Requirement 3 Protect stored account data. BitLocker's XTS-AES (128-bit by default, 256-bit by policy) qualifies as strong cryptography, but Requirement 3.5.1.2 permits disk-level encryption alone to render PAN unreadable only on removable media; on fixed drives PAN must also be protected by another 3.5.1 mechanism (truncation, tokenization, hashing, or file- or column-level encryption). |
NYDFS Part 500 | 500.15 Encryption of Nonpublic Information at rest. |
FTC Safeguards Rule | 16 CFR 314.4(c)(3) Encryption of customer information at rest and in transit. |
GDPR Article 32 | Security of processing. Encryption is one of the two measures Article 32(1)(a) names explicitly (alongside pseudonymisation), and Article 34(3)(a) waives notification to affected individuals when the data was rendered unintelligible by encryption. |
State data-breach laws | Most U.S. state breach-notification statutes provide a safe-harbor where the lost data was encrypted at rest. |
SOC 2 / ISO 27001:2022 | Trust Services Criteria CC6.1 and CC6.7 (logical access; protection of data at rest and in transit); ISO 27001:2022 Annex A 8.24 Use of cryptography. |
Where This Fits in Cyberwatch Advanced
BitLocker is a foundational hygiene control. Cyberwatch Advanced builds on top of it with the surrounding program every business needs:
CyberSecureID — identity and adaptive MFA so the user logging in is provably the right person.
CyberElevate — removal of standing local admin so a stolen Windows password cannot be turned into ransomware deployment.
CyberVault Enclave — the hyper-secure storage tier for FCI/CUI/ITAR/PHI/PCI workloads where BitLocker alone is not sufficient.
Compliance-as-a-Service (CaaS) — the platform that captures encryption attestations, recovery-key custody policies, and per-asset evidence.
Cyberwatch quarterly assessment — verifies, every ninety days, that every machine on the network is actually encrypted.
Virtual CSO (VCSO) — the executive owner who reports encryption coverage as a board-level metric.
Troubleshooting
Symptom | Resolution |
|---|---|
“This device can’t use a Trusted Platform Module” error when starting BitLocker | The Group Policy step did not take effect. Re-confirm the policy is set to Enabled and the “Allow BitLocker without a compatible TPM” box is checked, then run gpupdate /force again and retry. On a domain-joined machine a domain GPO may be overriding the local setting; check the resultant policy with gpresult /h report.html. |
BitLocker option missing from Control Panel | The Windows edition is Home. BitLocker is only available on Pro / Enterprise / Education. |
System will not boot after encryption | Use the recovery key. At the BitLocker pre-boot screen, press Esc, then enter the 48-digit recovery key. |
Forgot the startup password | Use the recovery key as above; then immediately change the password in Control Panel → BitLocker → Change password. |
Encryption is taking many hours | Normal for large drives or older systems. Leave the machine plugged in. |
Conclusion
Twenty minutes of administrator time per machine eliminates the largest, lowest-effort exposure most organizations carry on their balance sheet: a lost or stolen device.
For an organization-wide rollout, key escrow policy, asset-by-asset attestation, recovery-key custody, and quarterly verification, contact your Northern Data Solutions account executive about the Cyberwatch Advanced program.
Let’s secure your future. Schedule a 26-minute executive briefing with Northern Data Solutions.