What is BitLocker?
BitLocker Drive Encryption is a security feature that encrypts everything on the hard drive. Device encryption helps protect your data: only someone with the correct encryption key can decrypt it.
How Does BitLocker Work?
BitLocker is used in conjunction with a piece of hardware called a Trusted Platform Module (TPM). The TPM is a smartcard-like module on the motherboard that is installed in many newer computers.
When you enable BitLocker, you create a personal identification number (PIN) that you will be required to enter each time you start up your computer. While enabling BitLocker, a recovery key is generated. The recovery key is used to gain access to your computer should you forget your password. After the recovery key is generated, you will be prompted to restart the machine.
You should print or save the recovery key and store it in a safe place.
BitLocker Requirements
To use BitLocker, your computer must meet the following requirements, and you must be logged in as an administrator:
- Operating systems:
  - Windows 10 - Education, Pro, or Enterprise edition
  - Windows 8 - Professional or Enterprise edition
  - Windows 7 - Enterprise or Ultimate edition
- For Windows 7, a Trusted Platform Module (TPM) version 1.2 or higher must be installed. It must also be activated.
Check your TPM status
If the TPM does not meet the system requirements listed above, the Encryption installer displays the TPM status at the point where you choose your encryption options.
Store BitLocker Information to ADS
In order for a Windows 10 computer with a TPM to store BitLocker information in ADS, the OS drive must use a GPT partition table. Follow the steps below to convert the drive from MBR to GPT and switch the BIOS to UEFI boot.
1. Boot the computer and log on with an administrative user account.
2. Run Command Prompt (admin) or PowerShell (admin).
3. Run MBR2GPT /convert /disk:0 /AllowFullOS
4. Reboot the computer, press F2 to enter BIOS setup, and change the boot mode to UEFI. Exit and Save. The computer will reboot. *Optional: Uncheck "Allow Legacy Boot" and enable "Secure Boot".
5. After the computer boots up and you log on with an administrative user account, run "gpupdate /force" to force a Group Policy update. Optional: Run RSoP.msc and check the Group Policy settings for BitLocker.
6. Run BitLocker Manager to encrypt the OS drive.
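The TPM check above and the ADS storage procedure, as an added PowerShell example that is not part of the original page: it verifies the TPM, partition style and firmware boot mode before encryption, then backs up an existing recovery-password protector to Active Directory. The C: mount point, an elevated session, and a domain-joined Windows 10 machine are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not the page's own script. Assumes the OS volume is C: and that
# the BitLocker and TrustedPlatformModule modules are available (Windows 10).
$MountPoint = 'C:'
$problems = @()

# 1. TPM must be present and ready (the page's "Check your TPM status" section).
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    $problems += 'No TPM detected'
} elseif (-not $tpm.TpmReady) {
    $problems += "TPM present but not ready (enabled=$($tpm.TpmEnabled), activated=$($tpm.TpmActivated))"
}

# 2. OS disk must be GPT and the firmware must boot in UEFI mode.
#    The disk is looked up from the volume rather than assumed to be disk 0,
#    which is what the page's MBR2GPT /disk:0 step assumes.
$osDisk = Get-Partition -DriveLetter $MountPoint.TrimEnd(':') | Get-Disk
if ($osDisk.PartitionStyle -ne 'GPT') { $problems += "Disk $($osDisk.Number) is $($osDisk.PartitionStyle), not GPT" }
if ($env:firmware_type -ne 'UEFI')   { $problems += "Firmware boot mode is $env:firmware_type, not UEFI" }

# 3. Secure Boot is optional on the page, so it is reported rather than required.
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
Write-Host "Secure Boot enabled: $secureBoot"

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    return
}

# 4. Show the volume's encryption state and its key protectors.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host ("{0}: {1}, protection {2}, {3}% encrypted" -f $MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage)
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 5. Back up each recovery-password protector to the computer object in AD.
#    This succeeds only after the BitLocker AD DS backup Group Policy has been
#    applied (the page's gpupdate /force step) on a domain-joined machine.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning 'No recovery password protector found; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first'
    return
}
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    Write-Host "Backed up recovery protector $($kp.KeyProtectorId) to AD"
}
```

Run it once before encrypting to catch a missing TPM or an MBR disk, and again after the drive is protected to confirm the recovery password has reached the computer object in AD.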
How Do I Enable BitLocker?
If your computer meets the Windows version and TPM requirements, the process for enabling BitLocker is as follows:
- Click Start > Control Panel > System and Security > BitLocker Drive Encryption.
- Click Turn on BitLocker.
- BitLocker scans your computer to verify that it meets the system requirements.
- If your computer meets the system requirements, the setup wizard continues with the BitLocker Startup Preferences in step 8.
- If preparations need to be made to your computer to turn on BitLocker, they are displayed. Click Next.
- If prompted to do so, remove any CDs, DVDs, and USB flash drives from your computer and then click Shutdown.
- Turn your computer back on after shutdown. Follow the instructions in the message to continue initializing the TPM. (The message varies, depending on the computer manufacturer.)
- If your computer shuts down again, turn it back on.
- The BitLocker setup wizard resumes automatically. Click Next.
- When the BitLocker startup preferences page is displayed, click Require a PIN at every startup.
- Enter a PIN from 8 to 20 characters long and then enter it again in the Confirm PIN field. Click Set PIN.
Note: You will need to enter your PIN each time you start your computer.
- To store your recovery key, select Print the recovery key and then click Next.
Note: Make sure your computer is connected to a printer.
- Print a copy of your recovery key.
- You will be prompted to restart your computer to start the encryption process. You can use your computer while your drive is being encrypted.
Logging in
Enabling BitLocker will change the way you log in to your system. You need to enter your PIN at every startup, prior to entering your password. This is designed to provide an additional layer of security for your data.
Changing your PIN or regenerating a copy of your recovery key
Once you have created your PIN, you can change it in the BitLocker Drive Encryption control panel. You can also generate a new copy of your recovery key if you lose the printed copy.
- Click Start, click Control Panel, click System and Security (if the control panel items are listed by category), and then click BitLocker Drive Encryption.
- In the BitLocker Drive Encryption control panel, click Manage BitLocker.