BitLocker Won’t Enable ? How to Switch from Legacy BIOS to UEFI for Full Compatibility


1 - Introduction

BitLocker is a powerful encryption tool for securing Windows systems, but it requires UEFI firmware with a GPT partition style for full functionality, especially when using TPM. If your machine is running in Legacy BIOS mode with an MBR disk, BitLocker activation may fail due to incompatible system requirements. This article explains why this happens and how to resolve the issue by converting your system from Legacy BIOS to UEFI.


2 - Why Does BitLocker Require UEFI ?

BitLocker leverages TPM (Trusted Platform Module) to provide secure encryption key storage. However, TPM-based protection requires UEFI firmware and a GPT-formatted disk. Machines using Legacy BIOS mode operate with MBR partitioning, which lacks the necessary Secure Boot and UEFI-based security mechanisms required by BitLocker.


3 - Symptoms of the Issue

  • BitLocker fails to activate with an error such as "This device cannot use a Trusted Platform Module" or "incompatible configuration".
  • The TPM is detected but not utilized correctly.
  • The BitLocker wizard requires additional authentication methods such as a startup key or PIN.


4 - How to Convert from Legacy BIOS to UEFI and Enable BitLocker


Step 1 : Verify Your Current BIOS Mode and Disk Type

  1. Open Command Prompt as Administrator.
  2. Run msinfo32 and check the "BIOS Mode" value under System Summary (if it shows Legacy, you need to convert to UEFI):

msinfo32

Step 2 : Convert MBR to GPT

  • Back up the disk before you continue: the conversion rewrites the partition table, and a failed conversion can leave the system unbootable.
  • Open Command Prompt as Administrator.
  • Validate the conversion readiness (/allowFullOS is required because the tool runs from the installed Windows rather than from WinPE; /validate only inspects the disk and changes nothing):

mbr2gpt /validate /allowFullOS

  • Perform the conversion :

mbr2gpt /convert /allowFullOS

Step 3 : Configure BIOS Settings

  • Restart the machine and enter BIOS (typically F2, DEL, or F10).
  • Change the Boot Mode from Legacy to UEFI.
  • Enable Secure Boot (if required for compliance).
  • Save changes and restart the system.


Step 4 : Repair Boot Loader (If Necessary)

If Windows fails to boot after conversion :

  • Boot using a Windows installation USB.
  • Open Command Prompt (Shift + F10).
  • Run the following commands:

diskpart
list disk
rem Select the disk that holds Windows
sel disk 0
list vol
rem Select the EFI System Partition (FAT32, usually 100-500 MB)
sel vol X
assign letter=Z
exit

  • Rebuild the boot configuration (inside the recovery environment the Windows volume is not always C:; check its letter in the list vol output and substitute it if needed):

bcdboot C:\Windows /s Z: /f UEFI

  • Restart system.


Step 5 : Enable BitLocker

  1. Open Control Panel > BitLocker Drive Encryption.
  2. Click Turn on BitLocker and follow the setup process.
  3. Ensure TPM is enabled in BIOS if necessary.
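The five steps above can be checked and carried out from PowerShell as well. The script below is an added example and is not part of the original article: it reports the firmware mode, partition style, TPM state and Secure Boot state that Steps 1 to 3 are about, asks mbr2gpt to validate the disk while it is still MBR, and, only when every prerequisite is met, enables BitLocker with a TPM protector plus an escrowed recovery password (Step 5). It assumes Windows 10/11 Pro or Enterprise with the Storage, TrustedPlatformModule, SecureBoot and BitLocker modules present; the function names Test-BitLockerReadiness and Enable-BitLockerWithTpm are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumes Windows 10/11 with the
# Storage, TrustedPlatformModule, SecureBoot and BitLocker modules available.

function Test-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$DriveLetter = 'C')

    # Windows sets $env:firmware_type to 'UEFI' or 'Legacy' for the running session
    $firmware = $env:firmware_type

    # Find the disk that holds the OS volume and read its partition style (MBR or GPT)
    $osPartition = Get-Partition -DriveLetter $DriveLetter
    $osDisk      = Get-Disk -Number $osPartition.DiskNumber

    # TPM presence and readiness; Get-Tpm errors on hosts without a TPM, so tolerate that
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy-BIOS hosts, which is itself a useful signal
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # While the disk is still MBR, let mbr2gpt judge convertibility (exit code 0 = OK).
    # /validate only inspects the disk; it does not modify anything.
    $mbr2gptOk = $null
    if ($osDisk.PartitionStyle -eq 'MBR') {
        & mbr2gpt.exe /validate /disk:$($osDisk.Number) /allowFullOS | Out-Null
        $mbr2gptOk = ($LASTEXITCODE -eq 0)
    }

    # TPM-based BitLocker needs UEFI firmware, a GPT disk and a present, ready TPM
    $ready = ($firmware -eq 'UEFI') -and
             ($osDisk.PartitionStyle -eq 'GPT') -and
             ($null -ne $tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    [pscustomobject]@{
        FirmwareMode     = $firmware
        PartitionStyle   = $osDisk.PartitionStyle
        TpmPresent       = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady         = [bool]($tpm -and $tpm.TpmReady)
        SecureBoot       = $secureBoot
        Mbr2GptValidated = $mbr2gptOk
        BitLockerReady   = $ready
    }
}

function Enable-BitLockerWithTpm {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = 'C:',
        # Escrow the recovery password in AD DS (domain-joined host with matching policy)
        [switch]$EscrowToActiveDirectory
    )

    $check = Test-BitLockerReadiness -DriveLetter $MountPoint.TrimEnd(':')
    if (-not $check.BitLockerReady) {
        throw "BitLocker prerequisites not met:`n$($check | Format-List | Out-String)"
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable BitLocker (TPM + recovery password)')) {
        # Create the recovery password protector first so a recovery path exists
        # before the volume key is bound to the TPM. -SkipHardwareTest skips the
        # extra reboot check; -UsedSpaceOnly is the faster choice for new machines.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector | Out-Null

        if ($EscrowToActiveDirectory) {
            $vol  = Get-BitLockerVolume -MountPoint $MountPoint
            $rpId = ($vol.KeyProtector |
                     Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId | Out-Null
        }

        # Bind the volume key to the TPM so the OS boots without a PIN or startup key
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }

    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: report first, then enable only when the report says the host is ready.
Test-BitLockerReadiness | Format-List
# Enable-BitLockerWithTpm -MountPoint 'C:' -EscrowToActiveDirectory -WhatIf
```

Run the readiness report on a machine that is still in Legacy/MBR mode before Step 2 and again after Step 3: the first run should show FirmwareMode Legacy, PartitionStyle MBR and a Mbr2GptValidated result, the second should show UEFI, GPT and BitLockerReady True. Because Enable-BitLockerWithTpm supports -WhatIf, it can be dry-run first; the recovery password is created before the TPM protector so that a copy exists to escrow (AD DS here, or the equivalent for your key-management system) before the volume depends on the TPM.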


5 - Conclusion

Converting from Legacy BIOS to UEFI ensures compatibility with modern security features, including BitLocker encryption. By following these steps, you can successfully enable BitLocker and enhance your system’s security posture.

Have you faced challenges with BitLocker activation due to Legacy BIOS ?

Share your experience in the comments !


Thanks


Aymen EL JAZIRI

System Administrator

Youssef EL ATTAR

IT Support | SysAdmin

4 days ago

Thank you

Karim HEBBOUDJI

Secure Infrastructure Administrator

5 days ago

Hi Aymen, Thank you so much for this post, very interesting

Vakil Ahmad Hashmi

Sr Cloud Engineer | 4x Microsoft Certified | M365 | Azure | Exchange Online | Security | Compliance | Intune | MDM | Azure Active Directory | Mimecast | Datto | Microsoft Teams | Microsoft | Exchange Migration

5 days ago

Insightful Aymen E. Buddy,
