What is BitLocker?
BitLocker Drive Encryption is a native Windows security feature that encrypts everything on the hard drive that Windows is installed on. Device encryption helps protect your data by encrypting it. Only someone with the correct encryption key (such as a personal identification number) can decrypt it.
How Does BitLocker work?
BitLocker is used in conjunction with a hardware component called a Trusted Platform Module (TPM). The TPM is a smartcard-like module on the motherboard that is installed in many newer computers by the computer manufacturer. BitLocker stores its recovery key in the TPM (version 1.2 or higher). When you enable BitLocker, you create a personal identification number (PIN) that you will be required to enter each time you start up your computer. While enabling BitLocker, a recovery key is generated. The recovery key is used to gain access to your computer should you forget your password. After the recovery key is generated, you will be prompted to restart the machine. The encryption process begins when the computer reboots.
Note: You should print or save the recovery key and store it in a safe place apart from your computer.
BitLocker Requirements
To use BitLocker, your computer must meet the following requirements:
Supported operating systems:
- Windows 10: Education, Pro, or Enterprise edition
- Windows 8: Professional or Enterprise edition
- Windows 7: Enterprise or Ultimate edition
- For Windows 7, the Trusted Platform Module (TPM) version 1.2 or higher must be installed. It must also be enabled and activated (or turned on).
Additional requirements:
- You must be logged in as an administrator.
- You must have access to a printer to print the recovery key.
Check your TPM status
If the TPM does not meet the system requirements listed above, the encryption installer displays the TPM status at the point where you choose your encryption options. Contact your local IT support if you want to enable BitLocker but need assistance with enabling and activating the TPM.
Example of a TPM status message:
- TPM installed and enabled
- To check if your computer has a TPM chip, click on the Windows menu in the bottom left of your desktop, then go to Windows System > Control Panel > System and Security > BitLocker Drive Encryption. Alternatively you can type "Control Panel" in the search bar on the Task Bar if present.
- Click on TPM Administration on the left side of the BitLocker Drive Encryption window.
- You will then be brought to the TPM Administration window. Under "Status" if a TPM is present, the message will say "The TPM is ready for use."
- You can also check for the TPM chip in Device Manager (Start > type Device Manager).
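The same TPM check as a script, added here as an example and not part of the original page. It assumes an elevated PowerShell session on Windows 8 or later, where the Get-Tpm cmdlet and the Win32_Tpm WMI class are available, and reports whether the TPM meets the "version 1.2 or higher, enabled and activated" requirement stated above:

```powershell
# Added example (not part of the original page): report whether this machine's TPM
# meets the BitLocker requirement described above (present, enabled, activated, spec 1.2+).
# Run from an elevated PowerShell session (Run as Administrator).

function Get-TpmReadinessReport {
    # Get-Tpm ships with Windows 8 / Server 2012 and later; TpmPresent is False when no TPM exists.
    $tpm = Get-Tpm

    # Win32_Tpm exposes the enabled/activated flags and the spec version, e.g. "2.0, 0, 1.38" or "1.2, 2, 3".
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi -and $wmi.SpecVersion) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }

    $enabled   = [bool]($wmi -and $wmi.IsEnabled_InitialValue)
    $activated = [bool]($wmi -and $wmi.IsActivated_InitialValue)
    $specOk    = [bool]($spec -and ([version]$spec -ge [version]'1.2'))
    $specText  = if ($spec) { $spec } else { 'unknown' }

    [pscustomobject]@{
        Present                   = $tpm.TpmPresent
        Ready                     = $tpm.TpmReady
        Enabled                   = $enabled
        Activated                 = $activated
        SpecVersion               = $specText
        MeetsBitLockerRequirement = ($tpm.TpmPresent -and $enabled -and $activated -and $specOk)
    }
}

$report = Get-TpmReadinessReport
$report | Format-List

if (-not $report.Present) {
    Write-Warning 'No TPM found: check Device Manager > Security devices, or turn the TPM on in the BIOS/UEFI setup.'
} elseif (-not $report.MeetsBitLockerRequirement) {
    Write-Warning 'A TPM is present but is not enabled and activated at spec 1.2 or higher; contact local IT support.'
}
```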
Store BitLocker Information on Active Directory
Please submit an RT ticket with Desktop Support or contact your DIT for assistance with this section.
In order for a computer with TPM to store BitLocker information to Active Directory, the operating system drive has to be a GUID Partition Table (GPT) partition. Follow the steps below to convert the Master Boot Record (MBR) drive to a GPT drive. You will then need to turn on Unified Extensible Firmware Interface (UEFI) boot in the Basic Input Output System (BIOS) menu.
- Log on to your computer with an administrative user account.
- Run Command Prompt (as Administrator) or PowerShell (as Administrator).
- Run MBR2GPT /convert /disk:0 /AllowFullOS
- Restart your computer, press F2 to get to the BIOS menu, and change to UEFI boot. Optional: Uncheck "Allow Legacy Boot" and enable "Secure Boot". Click Exit and Save. Your computer will reboot.
- After your computer restarts, log on with an administrative user account.
- Run Command Prompt (as Administrator) and run "gpupdate /force" to force Group Policy update. Optional: Run RSoP.msc, check Group Policy settings on BitLocker.
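A pre-flight check for the conversion steps above, added here as an example and not part of the original page. It assumes disk 0 holds the Windows installation and an elevated PowerShell session; it uses MBR2GPT's own validate-only mode to test the layout without changing the disk, and after the BIOS change it confirms that the machine actually booted in UEFI mode before you run gpupdate:

```powershell
# Added example (not part of the original page): validate disk 0 before the
# "MBR2GPT /convert /disk:0 /AllowFullOS" step, and confirm UEFI boot after the BIOS change.
# Assumes disk 0 holds the Windows installation. Run from an elevated PowerShell session.

function Test-Mbr2GptPreflight {
    param([int]$DiskNumber = 0)

    $disk       = Get-Disk -Number $DiskNumber
    $partitions = @(Get-Partition -DiskNumber $DiskNumber)

    # MBR2GPT /validate checks the layout and reports problems without modifying the disk.
    & mbr2gpt.exe /validate /disk:$DiskNumber /allowFullOS | Out-Null
    $validateOk = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        DiskNumber        = $DiskNumber
        PartitionStyle    = $disk.PartitionStyle   # 'MBR' before conversion, 'GPT' after
        PartitionCount    = $partitions.Count      # MBR2GPT needs a spare MBR entry: at most 3 primary partitions
        FirmwareBootMode  = $env:firmware_type     # 'Legacy' until UEFI boot is enabled in the BIOS, then 'UEFI'
        OsProtection      = (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus  # Off: convert before enabling BitLocker
        Mbr2GptValidateOk = $validateOk
    }
}

$check = Test-Mbr2GptPreflight -DiskNumber 0
$check | Format-List

if ($check.PartitionStyle -eq 'GPT' -and $check.FirmwareBootMode -eq 'UEFI') {
    Write-Host 'Disk is GPT and the system booted in UEFI mode: ready to run gpupdate /force.'
} elseif ($check.PartitionStyle -eq 'GPT') {
    Write-Warning 'Disk is already GPT but the firmware booted in legacy mode; switch to UEFI boot in the BIOS.'
} elseif (-not $check.Mbr2GptValidateOk) {
    Write-Warning 'MBR2GPT validation failed; review the layout and the MBR2GPT log in %windir% before converting.'
}
```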
How Do I Enable BitLocker?
If your computer meets the Windows version and TPM requirements, the process for enabling BitLocker is as follows:
- Click Start > Control Panel > System and Security (if the Control Panel items are listed by category) > BitLocker Drive Encryption.
- Click Turn on BitLocker.
- BitLocker scans your computer to verify that it meets the system requirements.
- If your computer meets the system requirements, the setup wizard continues with the BitLocker Startup Preferences in step 8.
- If preparations need to be made to your computer to turn on BitLocker, they are displayed. Click Next.
- When the BitLocker encryption process asks you how you want to back up your recovery key, just click Next. Do not select Save to a USB flash drive, Save to a file, or Print the recovery key.
- If prompted to do so, remove any CDs, DVDs, and USB flash drives from your computer and then click Shutdown.
- Turn your computer back on after shutdown. Follow the instructions in the message to continue initializing the TPM. (The message varies depending on the computer manufacturer.)
- If your computer shuts down again, turn it back on.
- The BitLocker setup wizard resumes automatically. Click Next. When the BitLocker startup preferences page is displayed, click Require a PIN at every startup.
- Enter a PIN from 8 to 20 characters long and then enter it again in the Confirm PIN field. Click Set PIN.
Note: You will need to enter your PIN each time you start your computer.
- To store your recovery key, select Print the recovery key and then click Next.
Note: Make sure your computer is connected to a printer.
- You will be prompted to restart your computer to start the encryption process. You can use your computer while your drive is being encrypted.
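A post-enable check, added here as an example and not part of the original page. It assumes an elevated PowerShell session on a domain-joined machine where the BitLocker Active Directory backup policy from the section above has been applied; it reports the encryption progress of the Windows drive, confirms that a TPM+PIN protector and a recovery password protector exist, and sends the recovery password to Active Directory with the Backup-BitLockerKeyProtector cmdlet:

```powershell
# Added example (not part of the original page): after BitLocker has been turned on,
# check the OS volume, confirm the TPM+PIN and recovery password protectors exist,
# and escrow the recovery password in Active Directory. Assumes the AD backup
# Group Policy is applied and the machine can reach a domain controller.

function Get-BitLockerOsVolumeReport {
    $vol        = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = @($vol.KeyProtector)

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus          # EncryptionInProgress while the drive is being encrypted, then FullyEncrypted
        EncryptionPercentage = $vol.EncryptionPercentage
        ProtectionStatus     = $vol.ProtectionStatus      # On once encryption completes and the protectors are active
        HasTpmPinProtector   = [bool]($protectors | Where-Object KeyProtectorType -eq 'TpmPin')
        RecoveryPasswordIds  = @($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                                 ForEach-Object KeyProtectorId)
    }
}

function Backup-RecoveryPasswordToAd {
    $report = Get-BitLockerOsVolumeReport
    if ($report.RecoveryPasswordIds.Count -eq 0) {
        Write-Warning 'No recovery password protector on the OS volume; nothing to back up to Active Directory.'
        return
    }
    foreach ($id in $report.RecoveryPasswordIds) {
        # Writes the recovery password to the computer object's BitLocker recovery information in AD DS.
        Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $id
        Write-Host "Recovery password protector $id backed up to Active Directory."
    }
}

$status = Get-BitLockerOsVolumeReport
$status | Format-List

if (-not $status.HasTpmPinProtector) {
    Write-Warning 'No TPM+PIN protector found; the "Require a PIN at every startup" step was not applied.'
}
Backup-RecoveryPasswordToAd
```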
Regenerating a Copy of your Recovery Key
Please submit an RT ticket to retrieve a copy of your recovery key.
...
Login Process After BitLocker is Enabled
The login process for your computer will be the same after BitLocker is enabled on your computer. Since the BitLocker recovery key and information are stored in Active Directory, your login process will not change, and you will not need to provide a key or a PIN.