Fix This device can’t use a Trusted Platform Module

When you try to enable BitLocker on Windows, the error message “This device can’t use a Trusted Platform Module” can stop you. It usually means the machine has no TPM chip at all, or the TPM is present but disabled in the firmware or not yet initialised by Windows. You can check what Windows sees with tpm.msc or the Get-Tpm cmdlet before changing anything.

This message shows up mainly in virtual machines on Hyper-V and VMware, because a VM does not get a (virtual) TPM by default. It also occurs on older physical PCs that simply lack a Trusted Platform Module. In either case, when you click Turn on BitLocker you get:

Starting BitLocker
This device can’t use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes.

Solutions for This device can’t use a Trusted Platform Module

There are two ways out. The quick one is to relax the startup authentication policy so that BitLocker will protect the OS drive without a TPM; you then unlock the drive at boot with a password or a startup key on a USB flash drive. Be aware of what you give up: without a TPM the volume master key is protected only by that password or USB key, and the unlock is no longer tied to measurements of the boot chain, so a tampered bootloader is not detected.
The second way, for virtual machines, is to add a virtual TPM to the VM. This takes a few more steps, but it keeps the normal TPM-based protection (and lets you use TPM + PIN later).

Modify Local Group Policy to not require a TPM for BitLocker

To enable BitLocker on a machine that does not have a TPM chip, do the following:

  1. Click Start, type gpedit.msc and open the Local Group Policy Editor (in the Start menu search it appears as Edit group policy).
  2. In Local Group Policy Editor, navigate to
    Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives
  3. Double-click “Require additional authentication at startup”
  4. In the “Require additional authentication at startup” policy window,
    1. select Enabled
    2. tick Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
  5. Click OK
    The setting is written to the registry immediately; no reboot or gpupdate is needed. You can now enable BitLocker on your OS drive. Note that this policy only covers operating system drives, and that on a domain-joined machine a domain GPO for the same setting takes precedence over the local policy.
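The same change can be scripted. The following is an added example, not code from the original article: it writes the registry values that the Local Group Policy Editor sets for this policy, then enables BitLocker on the OS drive with a startup password and adds a recovery password. Run it in an elevated PowerShell; the OS drive is taken from $env:SystemDrive (normally C:) and the -SkipHardwareTest switch is an assumption for an unattended run.

```powershell
# Added example (not from the original article). Elevated PowerShell required.

# 1. Does Windows already see a usable TPM? If so, none of this is needed.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  TPM ready: $($tpm.TpmReady)"

# 2. Registry equivalent of "Require additional authentication at startup" =
#    Enabled + "Allow BitLocker without a compatible TPM".
#    For the TPM-based options 0 = do not allow, 1 = require, 2 = allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$settings = @{
    UseAdvancedStartup = 1   # policy enabled
    EnableBDEWithNoTPM = 1   # allow BitLocker without a compatible TPM
    UseTPM             = 2   # allow TPM alone
    UseTPMPIN          = 2   # allow TPM + PIN
    UseTPMKey          = 2   # allow TPM + startup key
    UseTPMKeyPIN       = 2   # allow TPM + PIN + startup key
}
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord `
        -Value $settings[$name] -Force | Out-Null
}

# 3. Encrypt the OS drive with a startup password instead of a TPM protector.
#    -SkipHardwareTest starts encryption without the reboot-and-test cycle;
#    drop it if you want BitLocker to verify the boot flow first.
$osDrive = $env:SystemDrive
$startupPassword = Read-Host -Prompt 'Startup password' -AsSecureString
Enable-BitLocker -MountPoint $osDrive -PasswordProtector -Password $startupPassword `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest

# 4. Add a recovery password so a forgotten startup password is not a lost drive,
#    and record it somewhere off this machine.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Recovery password (store offline): $($recovery.RecoveryPassword)"

# 5. Verify the result.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

The registry path is where the Local Group Policy Editor stores this policy, so the GUI will show the setting as Enabled afterwards. If the machine later gets a TPM (or a vTPM), you can replace the password protector with a TPM protector using Add-BitLockerKeyProtector -TpmProtector and Remove-BitLockerKeyProtector.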

Enable TPM in your virtual machine

To add a virtual TPM to a Hyper-V Windows 10 virtual machine, do the following. The VM must be a Generation 2 VM; the TPM option is not offered for Generation 1 VMs.

  1. Turn off the VM, as the TPM can’t be enabled while the VM is running.
  2. In Hyper-V Manager, open the settings of the VM.
  3. In Settings for <VMname>, go to Security and tick Enable Trusted Platform Module.
    Click OK to apply the changes.
    The PowerShell route below does the same thing and also creates the key protector the vTPM state is sealed with, which is needed on a stand-alone host that has no Host Guardian Service:
  4. Start PowerShell as administrator on the Hyper-V host.
  5. Type the following cmdlet to import the Hyper-V module:
    Import-Module Hyper-V
  6. Copy-paste the following cmdlets to configure a valid key protector (on a host without HGS the local UntrustedGuardian is used; if it does not exist yet, create it with New-HgsGuardian -Name UntrustedGuardian -GenerateCertificates):
    $owner = Get-HgsGuardian UntrustedGuardian
    $kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
  7. You have now created a valid key protector. Apply it to the VM:
    Set-VMKeyProtector -VMName <VMname> -KeyProtector $kp.RawData
    (obviously, replace <VMname> with the name of your virtual machine as shown in Hyper-V Manager).
  8. You can now turn on the TPM with this cmdlet:
    Enable-VMTPM -VMName <VMname>
  9. You may now start the VM and enable BitLocker from within the OS.

Keep in mind that the vTPM state is protected by the guardian certificates on this host, so the host administrator can in principle access it, and the VM will not start on another host until those certificates are exported and imported there.
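The whole host-side procedure as one script, added here as an example (not code from the original article or from the linked TechNet wiki). It assumes a stand-alone Hyper-V host without HGS and a Generation 2 VM; $vmName is a placeholder for your VM’s name.

```powershell
# Added example (not from the original article). Run elevated on the Hyper-V host.
$vmName = 'Win10-Test'   # placeholder: the VM name as shown in Hyper-V Manager

Import-Module Hyper-V
$vm = Get-VM -Name $vmName

# A vTPM is only available for Generation 2 VMs.
if ($vm.Generation -ne 2) {
    throw "$vmName is Generation $($vm.Generation); a vTPM needs a Generation 2 VM."
}

# Security settings can only be changed while the VM is off.
if ($vm.State -ne 'Off') {
    Stop-VM -Name $vmName -Force
}

# Without a Host Guardian Service, the vTPM state is sealed to a local
# "untrusted" guardian. Hyper-V Manager creates it on first use; create it
# ourselves if it is not there yet.
$guardian = Get-HgsGuardian -Name 'UntrustedGuardian' -ErrorAction SilentlyContinue
if (-not $guardian) {
    $guardian = New-HgsGuardian -Name 'UntrustedGuardian' -GenerateCertificates
}

# Build a key protector rooted in that guardian and attach it to the VM.
$kp = New-HgsKeyProtector -Owner $guardian -AllowUntrustedRoot
Set-VMKeyProtector -VMName $vmName -KeyProtector $kp.RawData

# Turn the vTPM on and verify the security settings of the VM.
Enable-VMTPM -VMName $vmName
Get-VMSecurity -VMName $vmName |
    Select-Object TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic

Start-VM -Name $vmName
```

Inside the guest, Get-Tpm should then report TpmPresent and TpmReady as True, and Turn on BitLocker will use a TPM protector without any policy change.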

For more information about enabling TPM within a VM, check:

https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx?Sort=MostRecent&PageIndex=1
https://docs.microsoft.com/en-us/powershell/module/hyper-v/enable-vmtpm?view=win10-ps
