Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM


BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM

How to Turn On or Off BitLocker without a TPM for Windows 7 Drive
Published by Brink
02 Mar 2009
Published by

How to Turn On or Off BitLocker without a TPM for Windows 7 Drive



information   Information
This will show you how to turn BitLocker Drive Encryption on or off for your Windows 7 or other operating system drive or partition when your computer does not have a Trusted Platform Module (TPM). When BitLocker Drive Encryption is turned on, you will be required to plug in the USB flash drive that contains the startup key before starting the computer to unlock the Windows 7 or other operating system drive or partition at startup.
Note   Note
When you add new files to the Windows 7 or other operating system drive or partition that is encrypted with BitLocker, BitLocker encrypts them automatically. Files remain encrypted only while they are stored in the encrypted drive. Files that are copied to another drive, partition, or computer are decrypted.
warning   Warning
REQUIREMENTS:
  • BitLocker is only available in the Windows 7 Ultimate and Enterprise editions.
  • A USB flash drive. BitLocker will store its key on the flash drive to use to unlock the Windows 7 drive at startup.
  • Have at least two partitions. One partition must include the drive Windows 7 is installed on and must be at least 400 MB. This is the drive that BitLocker will encrypt. The other partition is the active partition, which must remain unencrypted so that the computer can be started. If you have the 100 MB System Reserved partition that Windows 7 creates during installation on a blank drive or partition, then BitLocker will store the key on it instead. If your computer does not have two partitions, BitLocker will create them for you. Both partitions must be formatted with the NTFS file system.
  • A BIOS that supports USB devices during computer startup.




PREPARATION:

To Allow BitLocker without a TPM
Note   Note
You have the option to use the Local Group Policy Editor or a .reg file download to allow BitLocker to be able to encrypt the Windows 7 or other operating system drive or partition without a TPM and with a USB flash drive instead.
METHOD ONE:
Using Local Group Policy Editor
1. Open the Local Group Policy Editor.

2. In the left pane, click on to expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and Operating System Drives. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-group_policy.jpg
3. In the right pane, right click on Require additional authentification at startup and click on Edit. (See screenshot above)

4. To Allow BitLocker without TPM
A) Select (dot) Enabled. (See screenshot below step 6)

B) Under the Options section, check the Allow Bitlocker without a compatible TPM box. (See screenshot below step 6)

C) Go to step 6.
5. To Undo Allow BitLocker without TPM
NOTE: This is optional. Unless you now have a TPM that you would like to use instead, it will not hurt anything to leave this set as in step 4 above.
A) You will need to do OPTION TWO below first to turn off BitLocker.

B) Select (dot) either Not Configured or Disabled. (See screenshot below step 6)
6. Click on OK. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-properties.jpg
7. Close the Local Group Policy Editor window.

8. Open the Start menu, and type gpupdate.exe /force into the search line and press Enter. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-start_menu_search.jpg
9. You will see this command prompt pop-up briefly, then go away when completey successfully. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-command.jpg
10. If you did step 4, then go to OPTION ONE to turn on BitLocker. If you did step 5, then you are done.


METHOD TWO:
Using a REG File Download
1. To Allow BitLocker without TPM
A) Click on the Download button below to download the file below.
Enable_No_TPM.zip
download
B) Go to step 3.
2. To Undo Allow BitLocker without TPM
NOTE: This is optional. Unless you now have a TPM that you would like to use instead, it will not hurt anything to leave this set as in step 1 above.
A) You will need to do OPTION TWO below first to turn off BitLocker.

B) Click on the Download button below to download the file below.
Default_Require_TPM.zip
download
3. Save the .zip file to your desktop.

4. Open the downloaded .zip file and extract the .reg file to the desktop.

5. Right click on extracted the .reg file and click on Merge.

6. Click on Run, Yes, Yes, and OK when prompted to approve the merge.

7. Restart the computer to apply.

8. When done, you can delete the downloaded .reg and .zip files if you like.

9. If you did step 1, then go to OPTION ONE to turn on BitLocker. If you did step 2, then you are done.



BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM OPTION ONE BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM
Turn On BitLocker to Encrypt Windows 7 Drive
1. Decide if you want 128-bit or 256-bit encryption.
NOTE: By default, Windows 7 will use AES encryption with 128-bit encryption keys and Diffuser unless changed already by you previously.

2. Plug in the USB flash drive that you want to use to have the startup and recovery key saved to.
NOTE: You will still be able to use the USB flash drive as normal. Just do not remove the BitLocker startup key file (step 7) that is used to unlock your Windows 7 at startup.

3. Open the Start menu and click on the Computer button, then right click on the Windows 7 or other operating system drive or partition letter and click on Turn on BitLocker. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-computer.jpg

A) Go to step 5.
OR

4. Open the Control Panel (icons view), and click on the BitLocker Drive Encryption icon.
A) Click on Turn On BitLocker for the Windows 7 or other operating system drive or partition letter. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step1.jpg
5. Select the Require a Startup key at every startup option. (See screenshot below)
NOTE: The Use BitLocker without additional key and Require PIN at every startup options are not available unless you have a TPM.
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step2.jpg
6. Select the USB flash drive from step 2, and click on the Save button. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step3.jpg
7. Select the Save the recovery key to a USB flash drive option. (See screenshot below)
NOTE: It is highly recommended that you do the other two options as well and save this key file somewhere safe. You will need the recovery key number to gain access to the encrypted Windows 7 or other operating system drive if you should lose or damage the USB flash drive with the startup key, or if BitLocker locks the drive.
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step4.jpg

A) Select the USB flash drive from step 2, and click on the Save button. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step5.jpg
B) When finished, click on the Next button. (See screenshot below step 7)
8. Check the Run BitLocker system check box, then click on the Continue button. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step6.jpg
9. Click on the Restart Now button. (See screenshot below)
WARNING: This will restart your computer immediately. Close and save anything that you are working on first.
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step7.jpg
10. When the computer restarts, BitLocker will start encrypting the Windows 7 drive. Click on the BitLocker icon in the taskbar notification area (far right) to see the encryption status. (See screenshot below)
NOTE: This may take a while to finish.
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step8.jpg
11. When BitLocker is finished, click on the Close button. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step9.jpg
12. You will now have a Manage BitLocker option in the Control Panel and Computer for the encrypted drive. (See screenshots below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step10a.jpg

BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step10b.jpg

13. If you click on Manage BitLocker, these will be the options that you will have below. (See screenshot below)

warning   Warning
It is highly recommended that you do one or both options below. You will need the recovery key number to gain access to the encrypted Windows 7 or other operating system drive if you should lose or damage the USB flash drive with the startup key, or if BitLocker locks the drive.

BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step11.jpg
14. You're done. The Windows 7 or other operating system drive or partition is now encrypted with BitLocker Drive Encryption. You will now be required to plug in the USB flash drive that contains the startup key in order to unlock and startup Windows 7 or the other operating system.






BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM OPTION TWO BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM
Turn Off BitLocker to Decrypt Windows 7 Drive

NOTE: If you do not care about losing all data on the drive/partition, then formating or using the clean command will allso turn off BitLocker for the drive/partition.
1. Open the Control Panel (icons view), and click on the BitLocker Drive Encryption icon.

2. Click on Turn Off BitLocker for the Windows 7 or other operating system drive or partition letter that you want to turn off BitLocker with. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-off_step1.jpg
3. Click on the Decrypt Drive button. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-off_step2.jpg
4. BitLocker will now start decrypting the drive. Click on the BitLocker icon in the taskbar notification area (far right) to see the encryption status. (See screenshot below)
NOTE: This may take a while to finish.
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-off_step3.jpg
5. When finished, click on the Close button. (See screenshot below)
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-off_step4.jpg
6. The Control Panel and Computer will now have the Turn On BitLocker option again.
BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-step1.jpg

BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM-computer.jpg

7. If you would like to restore the default Group Policy setting to have BitLocker use a TPM instead of a USB flash drive, then do METHOD ONE (step 5) or METHOD TWO (step 2) in the PREPARATION section at the top of the tutorial.

8. You're done. The Windows 7 drive or other operating system drive or partition is now decrypted.
That's it,
Shawn






24 Sep 2009   #1
mahjohn

Windows 7
 
 

Question:
This guide is for bitlocker with USB key, anyone have a guide or information on using bitlocker with either a PIN, or without a PIN or USB key? I see step 5 has these options in the screen cap.


My System SpecsSystem Spec
24 Sep 2009   #2
Brink
Microsoft MVP

64-bit Windows 10 build 10122
 
 

Hello Mahjohn, and welcome to Seven Forums.

If your motherboard supports and has a TPM built-in or connected to it, then you can skip the PREPARATION section of this tutorial to enable Bitlocker with a TPM on a drive using the rest of the steps in the tutorial and selecting the PIN option (or other option) instead.

If not, then you will have to use the method in the tutorial without a TPM using a USB key.

Hope this helps,
Shawn
My System SpecsSystem Spec
24 Nov 2009   #3
beauparc

Windows 7 64 bit
 
 

Hi Shawn

The way I understood it was that Bit Locker is only available on the Enterprise and Ultimate versions of Win7.

Does the .reg file in your usual excellent tutorial enable it in other versions too?
My System SpecsSystem Spec
.


24 Nov 2009   #4
Brink
Microsoft MVP

64-bit Windows 10 build 10122
 
 

Hello Steve,

Sorry, but no. It's still only available in those editions.
My System SpecsSystem Spec
25 Nov 2009   #5
carioca

Win 7 Ultimate 64-bit, Win7 N 32-bit, WHS
 
 

I am very impressed with the tutorials in this forum, and check out the titles regularly to see if anything fits my needs. The TPM idea was new to me - although I have been security conscious for many years. I have a secure chip card reader (Reiner SCT) for use with XP for all my banking and the like, but haven't tried it with W7. I suppose it would need new software...

Cheers,

LMH
My System SpecsSystem Spec
25 Nov 2009   #6
beauparc

Windows 7 64 bit
 
 

Thanks Shawn.
My System SpecsSystem Spec
26 Nov 2009   #7
Brink
Microsoft MVP

64-bit Windows 10 build 10122
 
 

You're welcome LMH and Beauparc. Thank you.
My System SpecsSystem Spec
16 Jan 2010   #8
mrdcjohn

win 07 ultimate 32bit
 
 
help with preparing drive for bitlocker

I have win 7 ultimate and have had no trouble turning on bitlocker on two of the three computers at home. one lap and two desktops. for some reason the message is cannot find the target drive and set up will have to be done manually. I have enabled it like the tutorial so greatly described . Does anyone know what i am missing? or direct me to the process for preparing the drive?
Regards,
My System SpecsSystem Spec
16 Jan 2010   #9
Brink
Microsoft MVP

64-bit Windows 10 build 10122
 
 

Hello John,

Does Windows 7 recognize and find and use the drive normally without BitLocker?

At what point in the tutorial does this happen?
My System SpecsSystem Spec
Comment

 BitLocker Drive Encryption - Windows 7 Drive - Turn On or Off with no TPM




Tutorial Tools





Similar help and support threads
Windows 7 Tutorial Category
BitLocker Drive Encryption - Unlock a Locked OS Drive
How to Unlock a Windows 7 Computer Locked by BitLocker Drive Encryption This will show you how to unlock a computer that the drive Windows 7 is installed on was locked by BitLocker Drive Encryption, and now cannot be accessed. If the drive that Windows is installed on (the operating...
Tutorials
BitLocker Drive Encryption - Unlock a Locked Data or Removable Drive
How to Unlock a Data or Removable Drive Locked by BitLocker Drive Encryption This will show you how to unlock a internal data drive or a removable drive (ex: USB flash drive or external) that was locked by BitLocker Drive Encryption in Windows 7, and now cannot be accessed. These drives...
Tutorials
BitLocker Drive Encryption - BitLocker To Go - Turn On or Off
How to Turn Windows 7 BitLocker To Go On or Off for Removable Drives BitLocker To Go is used to encrypt and password protect any removable external hard drives and USB flash drives. The drives must be formatted using either the exFAT, FAT16, FAT32, or NTFS file system and must be at least...
Tutorials
BitLocker Drive Encryption - Internal Data Hard Drives - Turn On or Off
How to Turn On or Off BitLocker for Internal Data Hard Drives in Windows 7 This will show you how to turn Windows 7 BitLocker Drive Encryption on or off for internal hard drives or partitions without a operating system installed on them. When BitLocker Drive Encryption is turned on for the...
Tutorials
BitLocker Drive Encryption - Suspend or Resume Protection on Windows 7 Drive
How to Suspend or Resume BitLocker Protection on Windows 7 Drive This will show you how to temporarily suspend (unlock) BitLocker drive encryption protection on a Windows 7 or other operating system drive or partition, and to resume (lock) protection when needed.Suspend protection is...
Tutorials
BitLocker Drive Encryption - Change Encryption Method and Cipher Strength
How to Change Windows 7 BitLocker Drive Encryption Method and Cipher Strength This will show you how to change the encryption algorithm and key cipher strength used by BitLocker to encrypt drives in Windows 7.BitLocker Drive Encryption supports 128-bit and 256-bit encryption keys. Longer...
Tutorials

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 03:08.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App