When you try to enable Bitlocker on Windows, the error message “This device can’t use a Trusted Platform Module” can prevent that. This often means your device does not have a TPM chip installed or your TPM module is not enabled or available.
This notification occurs mainly on virtual machines on Hyper-V and VMWare, because it does not contain a TPM chip by default. But it can also occur on older PCs due to the lack of a Trusted Platform Module. In either case, when you click Enable Bitlocker:
This device can’t use a Trusted Platform Module. Your administrator must set the “Allow Bitlocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes
Solutions for This device can’t use a Trusted Platform Module
To enable Bitlocker on your PC, you need to lower the security around unlocking your PC so that no TPM is required to apply Bitlocker to your OS drive.
You can also add a virtual TPM chip to your virtual machine. This is more complex, but this keeps the highest security.
Modify Local Group Policy to not require TPM for Bitlocker
To enable Bitlocker on a machine that does not have a TPM chip, do the following:
- Click Start, type policy. Click Edit local policy (Control Panel)
- In Local Group Policy Editor, navigate to
Computer Configuration -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption -> Operating System Drives
- Double click “Require additional authentication at startup“
- In the “Require additional authentication at startup” policy window,
- select Enabled
- select Allow Bitlocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
- Click OK
Changes are applied immediately. You can now enable Bitlocker on your OS-drive.
Enable TPM in your virtual machine
To enable a TPM chip in a Hyper-V Windows 10 virtual machine, do the following:
- Turn off the VM, as the TPM can’t be enabled when the VM is running.
- From the HyperV Manager, open the settings of the VM.
- In Settings for <VMname>, go to Security and enable Enable Trusted Platform Module
Click OK to apply the changes.
- Start Powershell as administrator
- Type the following cmdlet to import the Hyper-V module:
- Copy-paste the following cmdlets to configure a valid key protector
$owner = Get-HgsGuardian UntrustedGuardian
$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
- You have now created a valid key protector. You may now apply the HgsKeyProtector to the VM:
Set-VMKeyProtector -VMName <VMname> -KeyProtector $kp.RawData
(obviously, replace <VMname> with the name of your Virtual Machine, as shown in HyperV Manager.
- You can now turn TPM with this cmdlet:
Enable-VMTPM -VMName <VM_Name>
- You may now start the VM and enable Bitlocker from within the OS.
For more information about enabling TPM within a VM, check: