6.2 Determining whether a computer has BitLocker-encrypted volumes
You can determine whether a computer has BitLocker-encrypted
volumes using Disk Management. In Disk Management, any such
encrypted volume is listed as BitLocker Encrypted, as shown in Figure 17.
6.3 Enabling BitLocker on fixed data drives
Encrypting a fixed data drive protects the data stored
on the drive. Any drive formatted with FAT, FAT32, exFAT, NTFS, or
ReFS can be encrypted with BitLocker. The length of time it takes to encrypt a
drive depends on the amount of data to encrypt, the processing power
of the computer, and the level of activity on the
computer.
Before you enable BitLocker, you should configure the
appropriate Fixed Data Drive policies and settings in Group Policy
and then either wait for Group Policy to be refreshed or refresh
Group Policy manually. If you don’t do this and you enable
BitLocker, you might need to turn BitLocker off and then turn
BitLocker back on because certain state and management flags are set
when you turn on BitLocker.
If you dual-boot a computer or move drives between computers,
you can use the Allow Access To BitLocker-Protected Fixed Data
Drives From Earlier Versions Of Windows setting in Group Policy to
ensure that you have access to the volume on other operating systems
and computers. Unlocked drives are read-only. To ensure that you can
recover an encrypted volume, you should allow data-recovery agents
and store recovery information in Active Directory.
You can enable BitLocker encryption on a fixed data drive by
following these steps:
- Open the BitLocker Drive Encryption console. In Control
  Panel, tap or click System And Security, and then tap or click
  BitLocker Drive Encryption.
- In the BitLocker Drive Encryption console, available
  drives are listed by category. Under the Fixed Data Drives heading,
  tap or click Turn On BitLocker for the fixed data drive you want to
  encrypt. BitLocker verifies that your computer meets its
  requirements and then initializes the drive. If BitLocker is already
  enabled on the drive, you have management options instead.
- On the Choose How You Want To Unlock This Drive page,
  shown in Figure 18, choose one or more of the following options and
  then tap or click Next:
  - Use A Password To Unlock The Drive: Select this option if you
    want the user to be prompted for a password to unlock the drive.
    Passwords allow a drive to be unlocked in any location and to be
    shared with other people.
  - Use My Smart Card To Unlock The Drive: Select this option if you
    want the user to use a smart card and enter the smart card PIN to
    unlock the drive. Because this feature requires a smart card
    reader, it is normally used to unlock a drive in the workplace and
    not for drives that might be used outside the workplace.
  Important: When you tap or click Next, the wizard generates a
  recovery key. You can use the key to unlock the drive if
  BitLocker detects a condition that prevents it
  from unlocking the drive during boot. Note that you should
  save the key on removable media or on a network share. You
  can’t store the key on the encrypted volume or the root
  directory of a fixed drive.
- On the How Do You Want To Back Up Your Recovery Key? page,
  choose a save location for the recovery key—preferably, a USB
  flash drive or other removable media.
- You can now optionally save the recovery key to another
  folder, print the recovery key, or both. For each option, tap or
  click the option and then follow the wizard’s steps to set the
  location for saving or printing the recovery key. When you
  finish, tap or click Next.
- If it is allowed in Group Policy, you can elect to encrypt
  used disk space only or the entire drive and then tap or click
  Next. Encrypting the used disk space only is faster than
  encrypting an entire volume. It is also the recommended option
  for newer computers and drives (except in high-security
  environments).
- On the Are You Ready To Encrypt This Drive? page, tap or
  click Start Encrypting. How long the encryption process takes
  depends on the amount of data being encrypted and other
  factors.
- Because the encryption process can be paused and resumed,
  you can shut down the computer before the drive is completely
  encrypted and the encryption of the drive will resume when you
  restart the computer. The encryption state is maintained in the
  event of a power loss as well.
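The wizard steps above, together with the status check from section 6.2, can also be scripted with the BitLocker PowerShell cmdlets. The following is an added example, not part of the original text; the drive letter D:, the removable-media path E:\Recovery, and the use of a recovery password protector for the recovery information are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Drive letter and recovery path are assumed placeholders.
$MountPoint  = 'D:'            # assumed: the fixed data drive to encrypt
$RecoveryDir = 'E:\Recovery'   # assumed: folder on removable media

# Section 6.2 equivalent: list each volume with its encryption and protection state.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage

# Only proceed on a data volume that BitLocker has not already been turned on for.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeType -ne 'Data') { throw "$MountPoint is not a data volume." }
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is already $($vol.VolumeStatus); use the management options instead."
}

# Recovery information must not be saved on the volume being encrypted.
$recoveryRoot = [System.IO.Path]::GetPathRoot($RecoveryDir).TrimEnd('\')
if ($recoveryRoot -ieq $MountPoint) {
    throw 'Choose a recovery location that is not on the encrypted volume.'
}

# Refresh Group Policy first so the Fixed Data Drive settings are in effect.
gpupdate /target:computer /force | Out-Null

# Password unlock, encrypting used disk space only.
$password = Read-Host -AsSecureString -Prompt "Unlock password for $MountPoint"
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password -UsedSpaceOnly

# Add a recovery password protector and save it to the removable media.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
$file = Join-Path $RecoveryDir "BitLocker-$($recovery.KeyProtectorId.Trim('{}')).txt"
Set-Content -Path $file -Value $recovery.RecoveryPassword

# On a domain-joined computer, also store the recovery information in Active Directory.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId
}

# Encryption runs in the background and resumes after a restart; check progress here.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```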