BitLocker without TPM with both a startup USB and password?

This guide explains it quite well, although consider following the steps below rather than downloading and running .reg files from the internet.

One can turn on BitLocker without a TPM, but has to modify the registry in order to allow this. This isn't what Microsoft originally planned, as the drive won't be bound to the computer any longer. For companies' convenience this option was added but hidden.


  1. Open the group policy editor (gpedit.msc) as admin.
  2. Go into the "directory" (left sub-window) "Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives"
  3. Open the "Require additional authentication at startup" entry (right sub-window)
  4. Set the radio box to "Enabled" and check "Allow BitLocker without a compatible TPM"
  5. Optional: Change the cipher strength (128 or 256 bit, difference: 128 is secure for ~50 years and 256 for ~200 years) using the "folder" directly above ("BitLocker Drive Encryption") and the "Choose drive encryption method and cipher strength" entry. Check "Enabled" and choose your cipher in the dropdown menu.
  6. Encrypt your drive as you normally would.

It seems like USB + PIN is not an option any longer in Windows 8 :(
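
To confirm the policy from the steps above took effect and to see which protectors guard the OS drive, the following PowerShell audit can be run from an elevated prompt. It is an added example, not part of the original answer. It assumes Windows 8 / Server 2012 or later (for `Get-BitLockerVolume` and `Get-Tpm`) and reads the `UseAdvancedStartup` and `EnableBDEWithNoTPM` values that this policy writes under `HKLM\SOFTWARE\Policies\Microsoft\FVE`; the helper name `Get-FvePolicyValue` is made up for this example.

```powershell
# Added example: audit the BitLocker startup policy and the OS-volume protectors.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the policy key or value has never been configured.
    $item = Get-ItemProperty -Path $fveKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Step 4 of the procedure: "Require additional authentication at startup"
# enabled, with "Allow BitLocker without a compatible TPM" checked.
$advanced = Get-FvePolicyValue -Name 'UseAdvancedStartup'
$noTpm    = Get-FvePolicyValue -Name 'EnableBDEWithNoTPM'

# Get-Tpm can throw on systems without a TPM driver, so treat failure as "absent".
try   { $tpmPresent = (Get-Tpm -ErrorAction Stop).TpmPresent }
catch { $tpmPresent = $false }

$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

[pscustomobject]@{
    PolicyAdvancedStartup = ($advanced -eq 1)
    PolicyAllowsNoTpm     = ($advanced -eq 1 -and $noTpm -eq 1)
    TpmPresent            = $tpmPresent
    VolumeStatus          = $vol.VolumeStatus
    ProtectionStatus      = $vol.ProtectionStatus
    EncryptionMethod      = $vol.EncryptionMethod
    KeyProtectors         = ($types -join ', ')
} | Format-List

# Findings a reviewer would want called out.
if ($types.Count -eq 0) {
    Write-Warning 'No key protectors: the OS volume is not protected by BitLocker.'
} else {
    if (-not ($types -like 'Tpm*')) {
        # The trade-off the answer describes: the drive is not bound to this computer.
        Write-Warning 'No TPM-based protector: unlock depends only on the USB key and/or password.'
    }
    if ($types -notcontains 'RecoveryPassword') {
        Write-Warning 'No recovery password protector: a lost USB key or password means lost data.'
    }
}
```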