
BitLocker and TPM: How Does TPM Work with BitLocker?

Published/Updated on Thursday, September 12, 2024

Written by Wilsey Young

Summary: This post discusses the interaction of BitLocker and TPM and explains how TPM works with BitLocker. After reading this post, you can learn how to check whether your PC supports TPM and how to use BitLocker without TPM.


BitLocker is a full-volume encryption feature included with certain editions of Windows. It protects your data by encrypting an entire drive or a specific volume with the Advanced Encryption Standard (AES).

The TPM (Trusted Platform Module) chip is a crucial element of BitLocker's security mechanism: the TPM and the BitLocker encryption feature complement each other, adding a hardware-backed layer of protection for the data on the drive.

In this post, let's explore the connection between BitLocker and TPM and how TPM works with BitLocker. You can also learn how to check whether your PC has TPM and how to use BitLocker without TPM on Windows.

What is TPM?

A Trusted Platform Module (TPM) chip is a hardware component embedded in many modern computers. A TPM enables your computer to offer reliable hardware-based encryption features such as BitLocker. It securely holds cryptographic keys, such as the key that protects a BitLocker-encrypted volume, which are used to authenticate the platform and to grant access to encrypted devices.

The TPM chip can also add a solid security layer to your computer system thanks to its ability to perform cryptographic operations. By managing and safeguarding encryption keys in a protected manner, the TPM chip works perfectly with BitLocker to prevent unauthorized users from accessing the encrypted data even if the device is lost, stolen, or improperly decommissioned.


How does TPM work with BitLocker?

BitLocker integrates with the TPM chip to enhance the security of encrypted drives. When you turn on BitLocker for a drive or a specific volume, it uses the TPM to protect (seal) the key that unlocks the volume, tying that key to measurements of the boot environment.

During startup, the TPM verifies that the boot components match the measurements recorded when BitLocker was enabled before it releases the key that lets the operating system boot. If a change to the system, firmware, or hardware is detected, you will instead see the BitLocker recovery key blue screen.

Therefore, you'll be required to enter the BitLocker recovery key in situations such as the following:

  • The password or PIN is entered incorrectly several times.
  • The TPM detects significant hardware changes.
  • The TPM detects BIOS or UEFI changes.
  • The TPM detects large Windows updates.
  • The TPM detects disk errors or corruption.
  • The TPM detects possible unauthorized access.

This check helps ensure that the system has not been tampered with: the key is only released when no unauthorized changes have been made to the boot environment. What should you do when BitLocker keeps asking for the recovery key? You can read the following post for solutions: BitLocker Keeps Asking for Recovery Key: Causes & Solutions!

How to check whether your PC has TPM?

To check if your PC has a TPM chip, follow these steps:

  1. Press the "Windows+R" keys on your keyboard to open the Run dialog box.
  2. Type "tpm.msc" in the box and hit the "Enter" key to open the "Trusted Platform Module (TPM) Management on Local Computer" window.
  3. If your PC has a TPM, you will see its details here, including its version.
  4. If the window says "Compatible TPM cannot be found," your PC does not have the chip (or it is disabled in the firmware).

Can I use BitLocker without TPM?

Yes, you can use BitLocker without a TPM chip. BitLocker can function without a TPM by using a password or a startup USB key as the authentication method. Note that without a TPM there is no hardware check of the boot environment; the volume is unlocked by whoever supplies the password or USB key. You can follow the steps below to enable BitLocker without a TPM:

  1. Press the "Windows+R" keys to open the Run dialog box.
  2. Type "gpedit.msc" in the box and hit the "Enter" key to open the Local Group Policy Editor.
  3. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  4. Double-click the "Require additional authentication at startup" option.
  5. Switch from "Not Configured" to "Enabled."
  6. Check the box for "Allow BitLocker without a compatible TPM."
  7. Click "Apply" and "OK."
  8. After changing the BitLocker Group Policy setting, you can enable BitLocker on the operating system drive without a TPM, choosing a password or a startup USB key when prompted.
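The checks above (tpm.msc, the Group Policy setting, and the resulting BitLocker configuration) can also be audited from an elevated PowerShell session; the script below is an added example, not part of the original post. It assumes the TrustedPlatformModule and BitLocker modules are available and that the registry values UseAdvancedStartup and EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones written by the "Require additional authentication at startup" policy.

```powershell
# Added example (not from the original post): audit TPM availability, the
# "Allow BitLocker without a compatible TPM" policy, and the key protectors
# that actually unlock the OS drive. Run as Administrator on Windows 10/11.

function Get-TpmSummary {
    # Get-Tpm is the scripted equivalent of opening tpm.msc.
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                 -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady
        SpecVersion = $spec        # e.g. "2.0, 0, 1.59"; $null when no TPM
    }
}

function Get-NoTpmPolicy {
    # Assumed mapping: the Group Policy "Require additional authentication at
    # startup" stores its state in these values under the FVE policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyEnabled     = ($p.UseAdvancedStartup -eq 1)
        AllowedWithoutTpm = ($p.EnableBDEWithNoTPM -eq 1)
    }
}

function Get-OsDriveProtectors {
    # A Tpm/TpmPin protector means boot measurements gate the key release;
    # a Password or ExternalKey protector alone means they do not.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    foreach ($v in $os) {
        [pscustomobject]@{
            Drive            = $v.MountPoint
            ProtectionStatus = $v.ProtectionStatus
            Protectors       = ($v.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

$tpm = Get-TpmSummary
$pol = Get-NoTpmPolicy
$tpm | Format-List
$pol | Format-List
Get-OsDriveProtectors | Format-Table -AutoSize

if (-not $tpm.Present -and -not $pol.AllowedWithoutTpm) {
    Write-Warning 'No TPM found and the no-TPM policy is not set; BitLocker cannot yet be enabled on the OS drive.'
}
```

If the OS drive shows only a Password or ExternalKey protector, the recovery-key prompts described above will not be triggered by boot-environment changes, because no TPM measurement is involved.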
