As you may know, Bitlocker full disk encryption used to be available only on the Enterprise and Ultimate editions of Windows Vista, when it was introduced more than 12 years ago. Windows 7 continued that exclusive tradition. Windows 8 made it available to the Professional edition for the first time, which allowed a lot of home users that had purchased Pro to finally use it on their private devices. But what could you use if you had bought the Home edition of Windows and wanted to keep away from third-party encryption software?
Microsoft’s answer was “device encryption”, which I would rather call “Bitlocker light”. Microsoft started to advertise that the home version comes with "device encryption" as well while making "Bitlocker device encryption" a separate feature, still unavailable on Windows Home edition. Under the hood, it is the same as Bitlocker, but it will not offer the end user as many options as Bitlocker does. Well, do the home users normally even need these options? Normally, they don’t.
So, with that said, why would I try to go beyond device encryption? In other words: why would I even write this article? It is because Microsoft only allows device encryption on Windows 10 home when two conditions are met:
1. Your device has a TPM Chip
2. Your device meets certain hardware requirements like InstantGo/"Modern Standby", which are poorly documented, meaning it is hard to find out why you don't qualify.
Regarding the second condition, I am going to ask you, the reader: why would Microsoft make it that hard? Imagine your machine does not qualify: what can you do?
You will be told to buy the Professional version which entitles you to use Bitlocker. If these two requirements don’t apply to users that run Windows 10 Pro on the same hardware with Bitlocker, then why would they matter on the Home edition with "Bitlocker light"? Let’s see.
For a test, I created a Windows 10 Home virtual machine in Hyper-V. I added a (virtual) TPM chip which (according to the Windows snap-in tpm.msc) is ready for usage.
Now let’s see if device encryption can be used. NO, it can’t. The option is unavailable in control panel. Let me open system information (msinfo32.exe) to check whether there is a reason for the missing option...yes, there is:
Reasons for failed automatic device encryption: Hardware Security Test Interface failed and the device is not Modern Standby, TPM is not usable.
As I wrote: the TPM is usable and, as I will show, it would work with Bitlocker, so why not with device encryption? Hmm.
You might have noticed something else: the word “automatic”. Microsoft would have enabled device encryption automatically if the requirements had been fulfilled and you were logging on with a Microsoft account. That way, they can ensure that the recovery key, the important fallback key, is saved to your OneDrive cloud storage.
Ok, so this is something to understand: As a user of the Pro version, you would not be required to back up your key to the cloud, nor to have a device with certain capabilities – Bitlocker just works without it – you could even choose to use a password instead of the TPM, which, according to Microsoft, is not a safe practice.
So possibly Microsoft is trying to act in the best interest of home users who might, after all, not know what they are doing when they choose to enable disk encryption, and keeps them from using that feature so that they don't lock themselves out of their computer, possibly rendering their data inaccessible.
But what about you, the Home version users who do understand all of that? This method is for you. It will give you the same protection and features as device encryption, but on any hardware.
Please note: if you have no idea what Bitlocker is or how it works, you should not encrypt your drive with it.
In any case, let me emphasize that I expect anyone trying this to follow the instructions to the T, but first of all, to have a full data backup.
To make Bitlocker usable on Windows Home edition, you only need a TPM module that is ready for usage – that’s all.
You don’t need to tweak Windows or use illegal practices – Microsoft has left a backdoor open for you. To use it, proceed as follows (you might want to print out the following before you proceed):
Be aware that if you have set up Windows in a non-standard way (with legacy "MBR" partitioning, that is) and at the same time use a TPM 2.0 module, you will not be able to use this method right away, so let's begin with two little tests:
powershell Get-Disk 0 | findstr GPT && echo This is a GPT system disk!
If this command returns "This is a GPT system disk!", then that's good. If it does not return anything, let's see what the 2nd test says. Now launch:
wmic /namespace:\\root\CIMV2\Security\MicrosoftTpm path Win32_Tpm get /value | findstr SpecVersion=2.0 && cls && echo TPM version 2.0 found, this will only work with GPT.
If this command returns "No Instance(s) Available", then you have no TPM chip. Scroll to the end of this article for an explanation.
If it returns "TPM version 2.0 found, this will only work with GPT", but the first test did not tell you that your system disk is a GPT system disk, scroll to the end of the article for a resolution. Else, if it does not return anything, you are ready to continue here.
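The same two tests as one PowerShell check (an added example, not part of the original article): it reads the partition style of the system disk with Get-Disk and queries the Win32_Tpm class that the wmic command above uses, then prints which branch of the article applies. It assumes disk 0 is the system disk, as the article's Get-Disk 0 test does, and must be run from an elevated PowerShell window.

```powershell
# Added pre-check for the two tests above (not code from the original article).
# Assumption: disk 0 is the system disk; run from an elevated PowerShell window.
function Test-BitLockerHomePrereqs {
    [CmdletBinding()]
    param([int]$SystemDiskNumber = 0)

    # Test 1: partition style of the system disk (GPT or MBR)
    $disk  = Get-Disk -Number $SystemDiskNumber
    $isGpt = ($disk.PartitionStyle -eq 'GPT')

    # Test 2: is a TPM present at all, and which spec version does it report?
    # Same WMI class as the article's wmic command; no instance means no TPM.
    $tpm = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            SystemDiskIsGpt = $isGpt
            TpmPresent      = $false
            TpmSpecVersion  = $null
            TpmReady        = $false
            Verdict         = 'No TPM found: this method cannot be used (see the end of the article).'
        }
    }

    # SpecVersion reads like "2.0, 0, 1.38"; only the first field matters here
    $spec    = ($tpm.SpecVersion -split ',')[0].Trim()
    $isTpm20 = ($spec -eq '2.0')
    # "ready for usage" in tpm.msc terms: enabled and activated in firmware
    $ready   = [bool]$tpm.IsEnabled_InitialValue -and [bool]$tpm.IsActivated_InitialValue

    $verdict = if ($isTpm20 -and -not $isGpt) {
        'TPM 2.0 with an MBR system disk: convert to GPT first (MBR2GPT.EXE), then continue.'
    } elseif (-not $ready) {
        'TPM present but not enabled/activated: enable it in firmware setup before continuing.'
    } else {
        'Ready to continue with the manage-bde steps.'
    }

    [pscustomobject]@{
        SystemDiskIsGpt = $isGpt
        TpmPresent      = $true
        TpmSpecVersion  = $spec
        TpmReady        = $ready
        Verdict         = $verdict
    }
}

Test-BitLockerHomePrereqs | Format-List
```

The "TpmReady" check is an extra the article's wmic one-liner does not make; it only confirms that the chip is enabled and activated, which is what tpm.msc shows as "ready for use".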
Click on the start button and then on the power button, keep the shift key pressed and then click on restart – the following screen will soon appear:
There, select Troubleshoot – Advanced operations – Command prompt
Now the computer will restart and ask for the password of an administrator account before it proceeds to the command prompt.
At the command prompt, just run the following command:
manage-bde -on c: -used
As you can read: the encryption is now in progress. Nevertheless, we may restart the PC right now.
Close the command prompt and select “continue” to boot Win10 Home.
When it’s booted, open an elevated command prompt (right click c:\windows\system32\cmd.exe and select “Run as administrator”) and then launch
manage-bde c: -protectors -add -rp -tpm
Now you have added a recovery key, which is very important: it needs to be saved to a (text) file, printed out and kept in a safe place. To do that, simply use copy and paste within the command prompt: mark the recovery key together with its ID, copy it into a word processor like Notepad or Word, save it to (for example) your personal backup drive and then print it out.
Congrats, you have added a TPM protector that allows the device to start hands-free.
On to the last command, the one that finally enables Bitlocker protection:
manage-bde -protectors -enable c:
Bingo. Now open file explorer and you see the lock icon on your (C:) drive.
If you want to encrypt additional drives, repeat the whole process, just with the other drive letters.
Note that you cannot add TPM protectors to drives other than (C:). So for (D:) to become protected, you will need, after the reboot, to add an auto-unlock protector and a recovery key like this:
manage-bde -autounlock -enable d:
manage-bde -protectors -add -rp d:
Finally, enable the protector using:
manage-bde -protectors -enable d:
In explorer, you now see 2 encrypted partitions, (C:) and (D:)
Note: You CANNOT add pre-boot authentication passwords with Windows 10 Home. This protection relies on the TPM alone, which means, you are not protected against all attack types, but at least against the same attacks that device encryption ought to protect you against!
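To confirm that the steps above for (C:) and any data drive actually took effect, here is an added verification script (not from the original article). It runs manage-bde -status for a drive, parses the "Conversion Status", "Protection Status" and "Key Protectors" fields, and reports what is still missing: the recovery password, the TPM protector on the OS drive, the auto-unlock ("External Key") protector on a data drive, or protection that was never enabled. It assumes the English-language manage-bde output format and an elevated PowerShell window.

```powershell
# Added post-check for the manage-bde steps in this article (not the article's own code).
# Assumption: English manage-bde output ("Protection Status:", "Key Protectors:", ...),
# run from an elevated PowerShell window.
function Get-BdeStatus {
    param([Parameter(Mandatory)][string]$Drive)   # e.g. 'C:'
    $lines = @(& manage-bde -status $Drive 2>&1 | ForEach-Object { "$_" })
    $text  = $lines -join "`n"

    # Pull a single "Name: value" field out of the status block
    function Get-Field([string]$Name) {
        $pattern = "(?m)^\s*$([regex]::Escape($Name)):\s*(.+?)\s*$"
        if ($text -match $pattern) { $Matches[1] } else { $null }
    }

    # Protectors are listed one per indented line after the "Key Protectors:" header
    $protectors = @()
    $collect = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*Key Protectors:') { $collect = $true; continue }
        if ($collect) {
            if ($line -match '^\s+(\S.*)$') { $protectors += $Matches[1].Trim() } else { break }
        }
    }

    [pscustomobject]@{
        Drive            = $Drive
        ConversionStatus = Get-Field 'Conversion Status'
        ProtectionStatus = Get-Field 'Protection Status'
        EncryptionMethod = Get-Field 'Encryption Method'
        KeyProtectors    = $protectors
    }
}

function Test-BdeExpectedState {
    param(
        [Parameter(Mandatory)][string]$Drive,
        [switch]$OsDrive    # C: gets a TPM protector; data drives get auto-unlock
    )
    $s = Get-BdeStatus -Drive $Drive
    $problems = @()

    if ($s.ProtectionStatus -ne 'Protection On') {
        $problems += "protection is '$($s.ProtectionStatus)': run manage-bde -protectors -enable $Drive"
    }
    if ($s.KeyProtectors -notcontains 'Numerical Password') {
        $problems += 'no recovery password protector: add one with -protectors -add -rp and back it up'
    }
    if ($OsDrive -and $s.KeyProtectors -notcontains 'TPM') {
        $problems += 'no TPM protector: the OS drive will not unlock hands-free'
    }
    if (-not $OsDrive -and $s.KeyProtectors -notcontains 'External Key') {
        $problems += 'no auto-unlock (External Key) protector: run manage-bde -autounlock -enable'
    }
    if ($s.ConversionStatus -ne 'Fully Encrypted') {
        $problems += "conversion status is '$($s.ConversionStatus)' (encryption may still be in progress)"
    }

    [pscustomobject]@{
        Drive         = $Drive
        Method        = $s.EncryptionMethod
        KeyProtectors = ($s.KeyProtectors -join ', ')
        Ok            = ($problems.Count -eq 0)
        Problems      = $problems
    }
}

# Usage: the OS drive plus any data drive you encrypted
Test-BdeExpectedState -Drive 'C:' -OsDrive | Format-List
Test-BdeExpectedState -Drive 'D:' | Format-List
```

A drive that reports "Protection Off" with a recovery password and TPM protector already listed is the state you are in between the second and the third manage-bde command above, so the script points you to the -protectors -enable step rather than to re-adding protectors.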
At the end, I will refer to possible problems that the pre-test could reveal:
"No Instance(s) Available": You have no TPM chip. This will not work without one. Mainboards of desktop computers are usually not equipped with TPMs, so if you have a desktop computer, you might have to buy a TPM chip that fits on your mainboard first, finding out if that is even possible: Your mainboard would need to have a TPM-header. Modern notebooks will usually have a TPM. If they don't, unfortunately, there is no way to change that.
"TPM version 2.0 found, this will only work with GPT": you run a TPM in 2.0 mode, but Windows is not installed with GPT partitioning. Luckily, this can be changed! Please refer to the Microsoft article "MBR2GPT.EXE" for the required command to convert the disk to GPT.