Bitlocker Device Encryption with TPM (Trusted Platform Module) on Windows 10

I have an AMD Ryzen 7 3700X build with an Asus TUF Gaming X570-Plus motherboard. To improve the security of the system, I decided to perform full disk encryption on Windows 10.

Windows 10 offers two methods: Device Encryption and BitLocker encryption.

Device Encryption

Device Encryption may or may not be available on your system, because the option only appears when both of the following requirements are met:

TPM (Trusted Platform Module) 2.0

This is a hardware module that is either built into the motherboard or installed on a header on it. To check whether your system has one:

  • right click on Windows icon
  • select Device Manager
  • look for Security devices
(screenshot: Device Manager, Security devices)

If you see Trusted Platform Module 2.0, then that means you have it.

Modern Standby (S0 low-power idle)

This is a newer sleep mode in which the system remains partially running. Your system must have Modern Standby available and enabled. To check whether your system supports it:

  • start a command prompt
  • type powercfg /a
(screenshot: powercfg /a output, S0 low-power idle not supported)

As you can see in the picture, it shows that my system’s firmware does not support this standby state. If you have the same error, then you should check with your system/motherboard manual to see if your motherboard supports this standby state so that you can enable it in the BIOS.

For me, unfortunately, my system’s motherboard does not support this standby state and device encryption is not available to my system. It turns out that S0 standby mode is more widely supported on laptops but not supported in most desktop motherboards.

BitLocker Device Encryption

BitLocker is the other method for encrypting the Windows 10 OS drive. A TPM is optional; however, with the default settings, a system without a TPM shows the following error when you try to turn on BitLocker for the OS drive:

(screenshot: BitLocker error, no compatible TPM found)

To enable BitLocker without TPM, you need to modify settings using Group Policy Editor.

Allow BitLocker without TPM

  • run gpedit.msc from the Windows 10 search box as Administrator
  • go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup
  • select Enabled
  • click Apply
(screenshot: Group Policy, Require additional authentication at startup set to Enabled)

Once this setting is applied, BitLocker can be turned on without a TPM.

However, I decided to do BitLocker device encryption with TPM. My system’s motherboard does not come with a built-in TPM. But it does have a TPM-SPI header.

Installing TPM-SPI to Asus TUF Gaming X570-Plus motherboard

So I searched the web to find a compatible TPM. Not all TPM modules are interchangeable: they connect over one of several interfaces (LPC, SPI or I2C), and the module has to match the header on the motherboard.

My motherboard uses an SPI bus. I was able to find a TPM-SPI at Amazon, but it was a little pricey. Then I found it at Newegg with better pricing. So I ordered it, got it and installed it just fine.

(photo: TPM-SPI module)
  • turn off computer
  • install the TPM-SPI to motherboard

For my system’s motherboard, the TPM header is located next to the CPU and the M.2 SSD.

(photo: TPM-SPI header location on the motherboard)
  • boot up to the BIOS
  • go to Advanced > Trusted Computing
  • select Enable for Security Device Support
  • press F10 to save the settings
(screenshot: BIOS, Advanced > Trusted Computing, Security Device Support enabled)

Boot up Windows 10 and verify that TPM 2.0 is now shown in Device Manager.

Encrypt Windows 10 System using BitLocker

  • type bitlocker in the Windows search box
(screenshot: BitLocker search result)
  • click on Manage BitLocker to show the BitLocker screen
(screenshot: BitLocker off)

Currently BitLocker is off for the operating system drive (C:).

  • click on Turn on BitLocker
(screenshot: Turn on BitLocker)
  • insert a USB drive
  • select Save to a file
  • a new popup asks for the file location; select the USB drive as the location
  • click Save
  • then click Next
(screenshot: encryption option)
  • select Encrypt entire drive
  • click Next
(screenshot: encryption mode)
  • select New encryption mode
  • click Next
(screenshot: confirm encryption)
  • select Run BitLocker system check
  • click Continue
  • restart the machine
(screenshot: restart prompt)

After the restart, your computer is ready to use as usual while Windows 10 encrypts the drive in the background. You can check the status in the BitLocker manager screen.

(screenshot: BitLocker encrypting)

In my experience, the encrypting process was pretty fast. I think it was less than 1 minute in my case and it was done.

(screenshot: BitLocker on, drive encrypted)
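As an added example (not code from the original post), the following read-only PowerShell script checks from the command line what the screenshots above show by hand: the TPM state, Modern Standby support, the Group Policy setting, and which key protectors and encryption method the C: drive ended up with. It assumes Windows 10 Pro or Enterprise with the BitLocker PowerShell module, an elevated prompt, and that the policy is backed by the EnableBDEWithNoTPM value under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example, not from the original post. Read-only checks; run as Administrator.
$ErrorActionPreference = 'Stop'

# 1. TPM present, enabled and ready (the Device Manager check in the post).
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  enabled: $($tpm.TpmEnabled)  ready: $($tpm.TpmReady)"

# 2. Modern Standby (S0 low-power idle): same data as 'powercfg /a'.
#    powercfg lists the available states first, then a 'not available' section,
#    so only the first half of the output counts.
$states = powercfg /a | Out-String
$availableSection = ($states -split 'not available')[0]
$s0 = $availableSection -match 'S0 Low Power Idle'
"Modern Standby available: $s0  (Device Encryption needs it; BitLocker does not)"

# 3. Group Policy 'Require additional authentication at startup'.
#    Assumption: the policy writes EnableBDEWithNoTPM=1 under the FVE policy key.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$noTpmAllowed = ($policy -ne $null) -and ($policy.EnableBDEWithNoTPM -eq 1)
"Allow BitLocker without TPM policy: $noTpmAllowed"
if ($noTpmAllowed -and $tpm.TpmPresent) {
    "NOTE: the no-TPM policy is still enabled although a TPM is now installed"
}

# 4. BitLocker state of the OS drive and the key protectors attached to it.
$vol = Get-BitLockerVolume -MountPoint 'C:'
"C: status=$($vol.VolumeStatus) protection=$($vol.ProtectionStatus) " +
"method=$($vol.EncryptionMethod) done=$($vol.EncryptionPercentage)%"
$types = $vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }
"Key protectors: $($types -join ', ')"
# A Tpm protector means the drive is bound to this machine's TPM (what the post set up).
if ($types -notcontains 'Tpm') {
    "WARNING: no TPM protector; the OS drive is not sealed to this TPM"
}
# RecoveryPassword is the 48-digit key the post saved to a USB drive; it must exist
# and be kept somewhere other than the encrypted machine.
if ($types -notcontains 'RecoveryPassword') {
    "WARNING: no recovery password protector; a TPM or firmware change could lock you out"
}
# 'New encryption mode' in the wizard corresponds to XTS-AES.
if ("$($vol.EncryptionMethod)" -notmatch '^XtsAes') {
    "NOTE: drive is not using the new encryption mode (XTS-AES)"
}
```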
