You can choose how to unlock the operating system drive when you turn on your PC with a PIN (requires TPM), Password, or a Startup key on a connected USB flash drive. In this post, we will show you how to turn on or off BitLocker to encrypt or decrypt operating system drives without a TPM in Windows 11/10.
Turn On BitLocker for Windows 11/10 System Drives without TPM
Allowing BitLocker without a TPM will require unlocking the operating system drive at startup with either a password or startup key on a USB flash drive. This option is used when you don’t want to use or have a TPM chip on your PC.
1] Open the Local Group Policy Editor and navigate to this setting-
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
On the right pane of Operating System Drives double-click Require additional authentication at startup policy to edit it.
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be able to set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you turn on BitLocker.
This policy is only applicable to computers running Windows Server 2008 or Windows Vista.
On a computer with a compatible Trusted Platform Module (TPM), two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-digit startup personal identification number (PIN).
A USB flash drive containing a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material on this USB flash drive.
If you enable this policy setting, the wizard will display the page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with and without a TPM.
If you disable or do not configure this policy setting, the BitLocker setup wizard will display basic steps that allow users to turn on BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.
Select Enabled at the top, check the Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) box under Options.
You can now exit Group Policy editor and continue to Step 2 below.
2] Launch File Explorer, right-click the operating system drive that you want to encrypt, and click Turn on BitLocker.
Choose how (USB or Password) you want to unlock the operating system drive at startup.
You have two options:
- Insert USB flash drive – This option allows you to unlock the operating system drive with a connected USB flash drive with the startup key saved on it.
- Enter a password – This option allows you to unlock the operating system drive with a password.
Now, select how (Microsoft account, USB, file, and/or print) you want to back up your BitLocker recovery key for this drive, and click Next.
Select the radio button for how much of your drive to encrypt (Encrypt entire drive is recommended), and click Next.
Now, select the radio button for which encryption mode [New encryption mode (XTS-AES 128-bit) or Compatible mode (AES-CBC 128-bit)] to use, and click Next.
In the next window, uncheck or check (recommended) the Run BitLocker system check box for what you want, and click Continue when ready to start encrypting.
The operating system drive will now start encrypting.
When encryption completes, click on Close.
Turn Off BitLocker for Windows System Drives with/without TPM
Whether you encryped your Windows OS drives with a PIN (TPM) or with a password(without TPM), the procedure to decrypt is the same for both cases.
To turn Off BitLocker for Windows 11/10 Operating System Drives
Open an elevated command prompt, type the command below into the elevated command prompt, and hit Enter.
manage-bde -off <drive letter>
Substitute <drive letter> in the command above with the actual drive letter of the encrypted drive you want to decrypt. For example:
manage-bde -off C:
Having done this, you can check the status of BitLocker for the drive at any time.
Thus you can turn on/off BitLocker for Windows Operating System Drives with/without TPM.