If you’re seeing an error that says ‘This device cannot use a trusted platform module’ you are trying to initiate BitLocker on a Windows 8 or Windows 10 computer. This is actually quite a common error for computers that don’t have a TPM (Trusted Platform Module) chip.
The full error text will likely be: ‘This device cannot use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes.’ Say what?
Trusted Platform Module
So what is a Trusted Platform Module anyway? The TPM is a physical chip placed on newer motherboards that stores security keys such as those for disk encryption with BitLocker. If your motherboard doesn’t have a TPM chip or the current BIOS level or driver isn’t working properly, TPM won’t work.
The idea behind TPM is to provide a hardware link between your computer and your disk drive. An encryption key is stored on the TPM chip that allows Windows to decrypt BitLocker when you ask it to. All you need to do is use your Windows password and TPM provides the unlock key and Windows decrypts the data ready for use.
TPM comes into play if someone takes the drive. Say a business rival, prankster or thief steals your hard drive. They put it into their own computer and try to decrypt it. Without the key stored on your motherboard, they won’t be able to access the data.
Why am I getting the ‘This device cannot use a Trusted Platform Module’ error?
For some reason Windows cannot access the TPM chip or it isn’t working properly. We have a couple of ways to fix it though. First, check the basics.
- Check your exact motherboard make, model and version to see if it has a TPM chip.
- Check your motherboard BIOS level and drivers and update them if necessary.
Not all motherboards have TPM chips installed. Before getting into troubleshooting, make sure yours does. If your board has a TPM chip, make sure you are running the latest BIOS and drivers for the board. Then retest.
Fix the ‘This device cannot use a Trusted Platform Module’ error
If you’re still getting problems, we can use Group Policy Editor to address it.
- Type or paste ‘gpedit.msc’ into the Search Windows/Cortana box.
- Navigate to Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives.
- Select ‘Require additional authentication at startup’ in the center pane.
- Right click and select Edit.
- Select Enabled in the top left pane and the check box next to ‘Allow BitLocker without a compatible TPM’ should activate.
- Click OK and close Group Policy Editor.
- Select your hard drive, right click and select Turn BitLocker on.
You should now see the setup screen for BitLocker rather than the error window. Your drive will encrypt itself properly but instead of storing the key on the TPM chip you will need to use a USB drive instead. Other than that, the process is exactly the same.
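To confirm what the checks and the policy change above actually left on the machine, here is a read-only PowerShell check, added as an example and not part of the original article. It reports whether Windows sees a working TPM, whether ‘Allow BitLocker without a compatible TPM’ is in effect, and which key protectors the OS volume has. The registry path and value names are not given in the article; they are assumed here as the place where this policy is stored.

```powershell
# Added example: read-only check of TPM state and the BitLocker startup policy.
# Run from an elevated PowerShell prompt; nothing here changes the system.

# 1. Does Windows see a working TPM?
try {
    $tpm        = Get-Tpm -ErrorAction Stop
    $tpmPresent = [bool]$tpm.TpmPresent
    $tpmReady   = [bool]$tpm.TpmReady
} catch {
    # Typical causes: not elevated, no TPM, or a TPM driver/firmware problem
    Write-Warning "Get-Tpm failed: $($_.Exception.Message)"
    $tpmPresent = $false
    $tpmReady   = $false
}

# 2. Has 'Require additional authentication at startup' been enabled, with
#    'Allow BitLocker without a compatible TPM' ticked? (Assumed storage location
#    of the policy; the article itself only shows the gpedit.msc route.)
$fveKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy        = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
$policyEnabled = ($null -ne $policy) -and ($policy.UseAdvancedStartup -eq 1)
$allowNoTpm    = $policyEnabled -and ($policy.EnableBDEWithNoTPM -eq 1)

# 3. Which key protectors does the OS volume have right now (if any)?
$protectors = @()
try {
    $vol        = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
} catch {
    Write-Warning "Get-BitLockerVolume failed: $($_.Exception.Message)"
}

[pscustomobject]@{
    TpmPresent         = $tpmPresent
    TpmReady           = $tpmReady
    StartupPolicySet   = $policyEnabled
    AllowWithoutTpm    = $allowNoTpm
    OsVolumeProtectors = ($protectors -join ', ')
} | Format-List

if ($tpmPresent -and $tpmReady) {
    'TPM is usable: BitLocker setup should not show the TPM error.'
} elseif ($allowNoTpm) {
    'No usable TPM, but the policy allows setup with a password or USB startup key.'
} else {
    'No usable TPM and the policy is not enabled: expect the TPM error until it is set.'
}
```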
How to set up BitLocker
If you want to set up BitLocker from scratch, this is how you do it. BitLocker is available for Windows 7 Ultimate, Windows 8 and Windows 10 Professional, Enterprise and Education editions. If you have one of these operating systems you will be able to use BitLocker to encrypt your hard drive.
- Open Control Panel and navigate to System and Security and BitLocker Drive Encryption. Or right click the hard drive you want to encrypt and select ‘Turn BitLocker on’.
- Select ‘Turn BitLocker on’ to begin the setup wizard.
- Select the unlock method. If your computer has a TPM, select that. Otherwise select password or USB flash drive. Password offers ease of use but is slightly less secure. If you use a USB drive, you will need to keep it connected at all times when using the encrypted drive.
- Back up the recovery key the setup wizard provides. Make a couple of copies of it somewhere and keep them safe. You have the option to save one to your Microsoft account. While slightly insecure, it saves losing your data.
- Select the option to just encrypt files and not the entire drive. You can encrypt the drive but the process takes much longer.
- The system will encrypt your drive and reboot at least once. How long the process takes depends on how fast your computer is and how much data it has to encrypt.
- Enter your password or USB key to decrypt and access the data on your drive.
That is all there is to using BitLocker in Windows. It is a fairly straightforward process and works well. The only thing to remember is to never lose that key or the USB key if you elected to use that to unlock the drive.