Windows 7 : BitLocker (part 2) - How to Enable BitLocker Encryption

1/4/2014 8:39:37 PM

2. How to Enable the Use of BitLocker on Computers without TPM

If no TPM is present, BitLocker can instead unlock the operating system volume with a startup key (a small .BEK file) stored on a USB flash drive. This configuration carries real risk: the USB drive is the only thing that unlocks the volume at boot, so if the user loses it the computer cannot start until the 48-digit recovery password is entered, and if the recovery password is also lost the data is unrecoverable. Because there is no TPM, BitLocker in this mode also performs no integrity check of the early boot components; it only keeps the disk unreadable while the startup key is absent. Windows 7 does not allow this configuration by default.

To use BitLocker encryption on a computer without a compatible TPM, you need to change a computer Group Policy setting by performing these steps:

  1. Open the Local Group Policy Editor by clicking Start, typing gpedit.msc, and pressing Enter. Respond to the UAC prompt that appears.

  2. Navigate to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

  3. Enable the Require Additional Authentication At Startup setting. Then select the Allow BitLocker Without A Compatible TPM check box. Click OK.

If you plan to deploy BitLocker in an enterprise using USB flash drives instead of TPM, you should deploy this setting with domain-based Group Policy settings.
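Before touching the policy it is worth confirming which situation a given computer is actually in. The following script is an added example, not part of the original article: it reports whether a usable TPM is present and whether the "Require additional authentication at startup" policy with its "Allow BitLocker without a compatible TPM" check box is in effect. The policy is read from the registry values the administrative template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup and EnableBDEWithNoTPM); the function names are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): report whether this Windows 7
# computer can use BitLocker on the OS drive, with or without a TPM.
# Assumes an elevated prompt; reads policy, never writes it.

function Get-TpmSummary {
    # Win32_Tpm lives in the MicrosoftTpm namespace and is absent when no TPM
    # driver is loaded, so a missing object means "no TPM" rather than an error.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; Enabled = $false
                                  Activated = $false; Owned = $false; SpecVersion = $null }
    }
    [pscustomobject]@{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled_InitialValue
        Activated   = [bool]$tpm.IsActivated_InitialValue
        Owned       = [bool]$tpm.IsOwned_InitialValue
        SpecVersion = $tpm.SpecVersion
    }
}

function Get-BitLockerNoTpmPolicy {
    # "Require additional authentication at startup" (Enabled) sets
    # UseAdvancedStartup = 1; the "Allow BitLocker without a compatible TPM"
    # check box adds EnableBDEWithNoTPM = 1 under the same key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyConfigured = ($p -ne $null -and $p.UseAdvancedStartup -eq 1)
        NoTpmAllowed     = ($p -ne $null -and $p.EnableBDEWithNoTPM -eq 1)
        Source           = $key
    }
}

$tpm    = Get-TpmSummary
$policy = Get-BitLockerNoTpmPolicy

if ($tpm.Present -and $tpm.Enabled -and $tpm.Activated) {
    "TPM $($tpm.SpecVersion) is present, enabled and activated: use a TPM-based mode."
    if (-not $tpm.Owned) { "TPM is not yet owned; the BitLocker wizard will initialise it." }
} elseif ($policy.NoTpmAllowed) {
    "No usable TPM, but policy permits BitLocker without a TPM (startup key on USB)."
} else {
    "No usable TPM, and EnableBDEWithNoTPM is not set under $($policy.Source)."
    "Enable 'Require additional authentication at startup' and tick"
    "'Allow BitLocker without a compatible TPM' before running the wizard."
}
```

On a domain-joined computer a domain GPO overrides the local setting at the next policy refresh, so if the script reports the check box as unset after you changed it in gpedit.msc, run gpresult /h report.html and look for a domain policy that configures the same setting.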

3. How to Enable BitLocker Encryption

Individual users can enable BitLocker from Control Panel, but most enterprises should use AD DS to manage keys.

Note

MORE INFO CONFIGURING AD DS TO BACK UP BitLocker

For detailed instructions on how to configure AD DS to back up BitLocker and TPM recovery information, read "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" at http://go.microsoft.com/fwlink/?LinkId=78953.

To enable BitLocker from Control Panel, perform these steps:

  1. Perform a full backup of the computer, and then run chkdsk against the volume you are about to encrypt so that file system errors are repaired before conversion starts.

  2. Open Control Panel. Click the System And Security link. Under BitLocker Drive Encryption, click the Protect Your Computer By Encrypting Data On Your Disk link.

  3. On the BitLocker Drive Encryption page, click Turn On BitLocker.

  4. On the BitLocker Drive Encryption Setup page, click Next.

  5. If the Preparing Your Drive For BitLocker page appears, click Next. If you are required to restart your computer, do so.

  6. If the Turn On The TPM Security Hardware page appears, click Next, and then click Restart.

  7. If the volume is the system volume and the choice has not been blocked by a Group Policy setting, in the Set BitLocker Startup Preferences dialog box (shown in Figure 2), select your authentication choice. The choices vary depending on whether the computer has a built-in TPM chip.

    Figure 2. Startup options in BitLocker

    The choices include the following:

    • Use BitLocker Without Additional Keys Uses the TPM to verify the integrity of the boot environment at every startup and releases the key automatically if the measurements match. This option never prompts the user, so protection is completely transparent, but it is also the weakest of the three: anyone who powers on the computer reaches the Windows logon screen, so the configuration relies on the strength of Windows logon and on the running system resisting attack. It still protects a drive removed from the computer or booted from other media.

    • Require PIN At Every Startup Uses the TPM to verify the integrity of the boot environment and additionally requires the user to type a PIN before the TPM releases the key. The PIN is checked by the TPM, which rate-limits failed attempts, so this option adds meaningful protection against an attacker who has the powered-off computer, at the cost of prompting the user at every start. If you choose to use a PIN, the Enter A Startup PIN page appears. Type your PIN and then click Set PIN.

    • Require Startup USB Key At Every Startup Does not require TPM hardware and performs no boot-integrity check. This option requires the user to insert a USB drive containing the startup key (.BEK file) at every startup. If the USB drive is unavailable, the user can type the 48-digit recovery password instead to gain access to the encrypted system volume. If you choose to use a USB key, the Save Your Startup Key page appears. Select the drive that will hold the startup key and then click Save.

      Note

      REQUIRING BOTH A STARTUP USB KEY AND A PIN

      The BitLocker wizard allows you to choose either a PIN or a startup USB key, not both. If you want to require both, add the protector with the Manage-bde command-line tool from an elevated prompt. For example, to protect the C:\ drive with TPM, PIN and a startup key saved to the E:\ drive, run manage-bde -protectors -add C: -TPMAndPINAndStartupKey -tsk E: (type the dashes as plain ASCII hyphens; the tool prompts for the PIN).

  8. On the Save The Recovery Password page, choose the destination (a USB drive, a local or remote folder, or a printer) for your recovery password. The wizard writes a small text file containing brief instructions, the drive label, the password ID, and the 48-digit recovery password. Do not store the recovery password on the same USB drive as the startup key; keep the two on separate devices in different locations, because whoever holds both can unlock the volume. Click Next.

  9. On the Encrypt The Volume page, select the Run BitLocker System Check check box and click Continue if you are ready to begin encryption. Click Restart Now. Upon rebooting, BitLocker ensures that the computer is fully compatible and ready to be encrypted.

  10. BitLocker displays a special screen confirming that the key material was loaded. Now that this has been confirmed, BitLocker begins encrypting the C:\ drive after Windows 7 starts, and BitLocker is enabled.

BitLocker encrypts the drive in the background so that you can continue using the computer.
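The same procedure can be scripted for unattended deployments with manage-bde.exe, the Windows 7 command-line equivalent of the wizard. The script below is an added example and is not code from the original article: it adds the unlock protector (TPM plus PIN, or a startup key on USB for the TPM-less case from section 2), adds a recovery password, records the protectors, optionally escrows the recovery password to AD DS, and then starts encryption. The parameter names, the helper functions, the choice of E: for the USB drive and the recovery text file location are this example's assumptions; run it from an elevated 64-bit PowerShell prompt, because manage-bde.exe exists only in the native System32 directory.

```powershell
# Added example (not from the original article): enable BitLocker on the OS
# drive with manage-bde. Assumes an elevated 64-bit PowerShell prompt, a USB
# drive at E: for the startup key when no TPM is used, and that the recovery
# text file is written to the current user's profile for later removal.
param(
    [string]$Volume          = 'C:',
    [string]$StartupKeyDrive = 'E:',
    [bool]  $UseTpm          = $true,    # $false = startup key only (section 2)
    [bool]  $BackUpToAd      = $false    # $true  = escrow recovery password in AD DS
)

function Get-BitLockerStatusField {
    # Pulls one "Field:  value" line out of the text output of manage-bde -status.
    param([string]$Volume, [string]$Field)
    $line = manage-bde -status $Volume | Where-Object { $_ -match "^\s*$Field" }
    if ($line) { ($line -split ':', 2)[1].Trim() } else { $null }
}

function Get-RecoveryPasswordProtectorId {
    # Finds the GUID of the Numerical Password protector in manage-bde -protectors -get
    # output; that ID is what -adbackup needs.
    param([string[]]$Lines)
    $inNumeric = $false
    foreach ($l in $Lines) {
        if ($l -match 'Numerical Password:') { $inNumeric = $true; continue }
        if ($inNumeric -and $l -match 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') { return $Matches[1] }
    }
    return $null
}

# 1. Only proceed on a volume that is not already protected or mid-conversion.
$state = Get-BitLockerStatusField -Volume $Volume -Field 'Conversion Status'
if ($state -ne 'Fully Decrypted') { throw "$Volume is '$state'; refusing to continue." }

# 2. Unlock protector. -TPMAndPIN prompts for the PIN; -StartupKey writes the
#    .BEK file to the USB drive (requires EnableBDEWithNoTPM policy on a TPM-less PC).
if ($UseTpm) { manage-bde -protectors -add $Volume -TPMAndPIN }
else         { manage-bde -protectors -add $Volume -StartupKey $StartupKeyDrive }

# 3. Recovery password: the only way back in if TPM validation fails, the PIN is
#    forgotten, or the USB key is lost.
manage-bde -protectors -add $Volume -RecoveryPassword

# 4. Record all protectors (IDs and the 48-digit password) somewhere that is not
#    the startup-key USB drive; delete this file once it is stored safely.
$protectors = manage-bde -protectors -get $Volume
$record = Join-Path $env:USERPROFILE ("BitLocker-" + $Volume.TrimEnd(':') + "-recovery.txt")
$protectors | Out-File -FilePath $record -Encoding ASCII
"Protector record written to $record"

if ($BackUpToAd) {
    $id = Get-RecoveryPasswordProtectorId -Lines $protectors
    if (-not $id) { throw "Could not find the recovery password protector ID." }
    # Requires the AD DS schema/permissions described in the MORE INFO box above.
    manage-bde -protectors -adbackup $Volume -id $id
}

# 5. Start encryption. Without -SkipHardwareTest, manage-bde schedules the same
#    hardware test as the wizard and encryption begins after the next restart.
manage-bde -on $Volume

# 6. Report where things stand; re-run 'manage-bde -status C:' after the reboot
#    to watch 'Percentage Encrypted' climb while the drive converts in the background.
"Conversion Status: " + (Get-BitLockerStatusField -Volume $Volume -Field 'Conversion Status')
"Key Protectors on ${Volume}:"
$protectors | Where-Object { $_ -match '^\s+(TPM|Numerical|External Key)' }
```

Adding the protectors before running manage-bde -on mirrors the order the wizard uses and means the volume never enters a protected state without a recovery password. If the AD DS backup step fails (no schema extension, or the computer account lacks permission), the recovery password still exists locally in the record file, which is exactly why that file must be moved off the computer before it is deleted.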
