Windows Server 2012: Fix “This device can’t use a Trusted Platform Module” When Enabling BitLocker
This device can’t use a Trusted Platform Module When Enabling BitLocker
This device can’t use a Trusted Platform Module. Your administrator must select the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes.
- Trusted Platform Module (TPM)– This is basically a chip that in on newer processors that has extra security features. When BitLocker uses TPM, it stores the encryption key on the chip itself. If you don’t have a chip that supports TPM, then you can still use BitLocker, but you’ll have to store the encryption key on a USB stick.
- Administrator Policy – So what’s all the stuff about selecting X and Y policy for OS volumes? Basically, it’s a group policy setting that has to be changed that will allow BitLocker to work without the TPM requirement.
The fix is pretty straight-forward, just follow the instructions and don’t make any other changes.
Step 1– Open the group policy editor by pressing the Windows Key + R or by opening the charms bar in Windows 8 and typing in Run. In the Run dialog box, go ahead and type in gpedit.msc and press Enter.
Now expand to the following section under group policy:
Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives
On the right-hand side, you will see an option called Require additional authentication at startup. Go ahead and double-click on that option.
By default, it is set to Not Configured, so you’ll have to click on the Enabled radio button. Automatically, it should check the Allow BitLocker without a compatible TPM box, but if not, make sure to check it.
Click OK and then close out group policy. Now go back to the BitLocker screen and click the Turn on BitLocker link.
Now instead of getting an error message, you should see the BitLocker setup screen. When you click Next, it’ll start setting up your hard drive for BitLocker.