
Managing Windows Server 2012 Storage and File Systems : TPM and BitLocker Drive Encryption (part 12) - Enabling BitLocker on operating-system volumes

11/14/2013 2:58:24 AM

6.5 Enabling BitLocker on operating-system volumes

Before you can encrypt a system volume, you must remove all bootable media from a computer’s CD/DVD drives, as well as all USB flash drives. You can then enable BitLocker encryption on the system volume by completing the following steps:

  1. Open the BitLocker Drive Encryption console. In Control Panel, tap or click System And Security, and then tap or click BitLocker Drive Encryption.

  2. In the BitLocker Drive Encryption console, available drives are listed by category. Under the Operating System Drives heading, tap or click Turn On BitLocker for the operating-system drive you want to encrypt. BitLocker verifies that your computer meets its requirements and then initializes the drive. If BitLocker is already enabled on the drive, you have management options instead.

    Note

    As part of the setup, Windows prepares the required BitLocker partition, if necessary. If Windows RE is in this partition, Windows moves Windows RE to the system volume and then uses this additional partition for BitLocker.

    Note also that if the computer doesn’t have a TPM, the Allow BitLocker Without A Compatible TPM option must be enabled for operating-system volumes in the Require Additional Authentication At Startup policy.

  3. As Figure 20 shows, you can now configure BitLocker startup preferences. Continue as discussed in the separate procedures that follow. If the computer doesn’t have a TPM, your options will be different. You’ll be able to create a password to unlock the drive, or you can insert a USB flash drive and store the startup key on the flash drive.

Figure 20. Configure BitLocker startup preferences.

When a computer has a TPM, you can use BitLocker to provide basic integrity checks of the volume without requiring any additional keys. In this configuration, BitLocker protects the system volume by encrypting it. This configuration does the following:

  • Grants access to the volume to users who can log on to the operating system

  • Prevents those who have physical access to the computer from booting to an alternative operating system to gain access to the data on the volume

  • Allows the computer to be used with or without a TPM for additional boot security

  • Does not require a password or a smart card with a PIN

To use BitLocker without any additional keys, follow these steps:

  1. On the Choose How To Unlock Your Drive At Startup page, tap or click Let BitLocker Automatically Unlock My Drive.

  2. On the How Do You Want To Back Up Your Recovery Key page, tap or click Save To A File.

  3. In the Save BitLocker Recovery Key As dialog box, choose the location of your USB flash drive or an appropriate network share and then tap or click Save. Do not use a USB flash drive that is BitLocker-encrypted.

  4. You can now optionally save the recovery key to another location, print the recovery key, or both. Tap or click an option, and then follow the wizard steps to set the location for saving or printing the recovery key. When you finish, tap or click Next.

  5. If it is allowed in Group Policy, you can elect to encrypt used disk space only or the entire drive and then tap or click Next. Encrypting the used disk space only is faster than encrypting an entire volume. It is also the recommended option for newer computers and drives (except in high-security environments).

  6. On the Encrypt The Drive page, tap or click Start Encrypting. How long the encryption process takes depends on the amount of data to encrypt and other factors.

To enhance security, you can require additional authentication at startup. This configuration does the following:

  • Grants access to the volume only to users who can provide a valid key

  • Prevents those who have physical access to the computer from booting to an alternative operating system to gain access to the data on the volume

  • Allows the computer to be used with or without a TPM for additional boot security

  • Requires a password or a smart card with a PIN

  • Optionally, uses Network Unlock to unlock the volume when the computer is joined to and connected to the domain.

A startup key is different from a recovery key. If you create a startup key, this key is required to start the computer. The recovery key is required to unlock the computer if BitLocker enters Recovery mode, which might happen if BitLocker suspects the computer has been tampered with while the computer was offline.

You can enable BitLocker encryption for use with a startup key by following these steps:

  1. Insert a USB flash drive in the computer (if one is not already there). Do not use a USB flash drive that is BitLocker-encrypted.

  2. On the Choose How To Unlock Your Drive At Startup page, tap or click the Insert A USB Flash Drive option.

  3. On the Back Up Your Startup Key page, tap or click the USB flash drive and then tap or click Save. Next, you need to save the recovery key. Because you should not store the recovery key and the startup key on the same medium, remove the USB flash drive and insert a second USB flash drive.

  4. On the How Do You Want To Back Up Your Recovery Key page, tap or click Save To A File. In the Save BitLocker Recovery Key As dialog box, choose the location of your USB flash drive and then tap or click Save. Do not remove the USB drive with the recovery key.

  5. You can now optionally save the recovery key to a network folder, print the recovery key, or both. Tap or click an option, and then follow the wizard’s steps to set the location for saving or printing the recovery key. When you finish, tap or click Next.

  6. If it is allowed in Group Policy, you can elect to encrypt used disk space only or the entire drive and then tap or click Next. Encrypting the used disk space only is faster than encrypting an entire volume. It is also the recommended option for newer computers and drives (except in high-security environments).

  7. On the Encrypt The Volume page, confirm that Run BitLocker System Check is selected and then tap or click Continue. Confirm that you want to restart the computer by tapping or clicking Restart Now.

The computer restarts, and BitLocker ensures that the computer is BitLocker-compatible and ready for encryption. If the computer is not ready for encryption, you will see an error and need to resolve the error status before you can complete this procedure. If the computer is ready for encryption, the Encryption In Progress status bar is displayed. You can monitor the status of the disk-volume encryption by pointing to the BitLocker Drive Encryption icon in the notification area. By double-tapping or double-clicking this icon, you can open the Encrypting dialog box and monitor the encryption process more closely. You also have the option to pause the encryption process. Volume encryption takes approximately one minute per gigabyte to complete.

By completing this procedure, you have encrypted the operating-system volume and created a recovery key unique to that volume. The next time you turn on your computer, either the USB flash drive with the startup key must be plugged into a USB port on the computer or the computer must be connected to the domain network and using Network Unlock. If the USB flash drive is required for startup and you do not have the USB flash drive containing your startup key, you need to use Recovery mode and supply the recovery key to gain access to the data.

You can enable BitLocker encryption for use with a startup PIN by following these steps:

  1. On the Choose How To Unlock Your Drive At Startup page, select the Enter A PIN option.

  2. On the Enter A PIN page, type and confirm the PIN. The PIN can be any number you choose and must be 4 to 20 digits in length. The PIN is stored on the computer.

  3. Insert a USB flash drive on which you want to save the recovery key, and then tap or click Set PIN. Do not use a USB flash drive that is BitLocker-encrypted.

    Continue with Steps 4 through 9 in the previous procedure.
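The three wizard procedures above can also be scripted with the BitLocker PowerShell module. The following is an added example, not code from the book: the function name `Enable-OsVolumeBitLocker` and its parameters are hypothetical, and it assumes an elevated session on a computer with a TPM. It enforces the rule that the startup key and recovery key go on different media.

```powershell
# Added example, not from the book. Run elevated on a computer with a TPM.
# Enable-OsVolumeBitLocker and its parameter names are hypothetical.
function Enable-OsVolumeBitLocker {
    [CmdletBinding()]
    param(
        [ValidateSet('TpmOnly', 'StartupKey', 'Pin')]
        [string]$Mode = 'TpmOnly',
        [Parameter(Mandatory)]
        [string]$RecoveryFolder,        # USB drive or network share for the recovery key
        [string]$StartupKeyFolder,      # USB drive root, StartupKey mode only
        [securestring]$Pin,             # 4 to 20 digits, Pin mode only
        [switch]$UsedSpaceOnly,         # wizard choice: used space only vs. entire drive
        [string]$MountPoint = $env:SystemDrive
    )

    if ($Mode -eq 'StartupKey') {
        if (-not $StartupKeyFolder) { throw 'StartupKey mode needs -StartupKeyFolder.' }
        # The startup key and the recovery key must not share a medium.
        $keyRoot = [IO.Path]::GetPathRoot($StartupKeyFolder)
        if ($keyRoot -eq [IO.Path]::GetPathRoot($RecoveryFolder)) {
            throw 'Save the recovery key on a different drive than the startup key.'
        }
    }
    if ($Mode -eq 'Pin' -and -not $Pin) { throw 'Pin mode needs -Pin.' }
    # Do not save the recovery key to a BitLocker-encrypted drive (local paths only).
    $root = [IO.Path]::GetPathRoot($RecoveryFolder)
    if ($root -match '^[A-Za-z]:\\$') {
        $target = Get-BitLockerVolume -MountPoint $root
        if ($target.VolumeStatus -ne 'FullyDecrypted') {
            throw "$root is BitLocker-encrypted; choose another location."
        }
    }

    # Create the recovery password and save it, as Save To A File does in the wizard.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    $file = Join-Path $RecoveryFolder ('BitLocker Recovery Key {0}.txt' -f ($rp.KeyProtectorId -replace '[{}]'))
    Set-Content -Path $file -Value "Identifier: $($rp.KeyProtectorId)", "Recovery key: $($rp.RecoveryPassword)"

    # No -SkipHardwareTest: the system check runs and encryption starts after restart.
    $common = @{ MountPoint = $MountPoint; UsedSpaceOnly = [bool]$UsedSpaceOnly }
    switch ($Mode) {
        'TpmOnly'    { Enable-BitLocker @common -TpmProtector }
        'StartupKey' { Enable-BitLocker @common -TpmAndStartupKeyProtector -StartupKeyPath $StartupKeyFolder }
        'Pin'        { Enable-BitLocker @common -TpmAndPinProtector -Pin $Pin }
    }
}
```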

When the encryption process is complete, you have encrypted the entire volume and created a recovery key unique to this volume. If you created a PIN or a startup key, you are required to use the PIN or startup key to start the computer (or the computer must be connected to the domain network and using Network Unlock). Otherwise, you will see no change to the computer unless the TPM changes, the TPM cannot be accessed, or someone tries to modify the disk while the operating system is offline. In these cases, the computer enters Recovery mode, and you need to enter the recovery key to unlock the computer.
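To confirm the end state described above, the following added example (not from the book) reports how the operating-system volume unlocks at startup and whether a recovery password exists. `Get-OsVolumeUnlockReport` is a hypothetical name; the script assumes an elevated session with the BitLocker PowerShell module available.

```powershell
# Added example, not from the book. Get-OsVolumeUnlockReport is a hypothetical name.
function Get-OsVolumeUnlockReport {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    # Any one protector can unlock the volume, so report the least demanding one.
    $tpmPlus = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    $startup = if ($types -contains 'Tpm') {
        'TPM only, no additional key'
    } elseif ($types | Where-Object { $tpmPlus -contains $_ }) {
        'TPM plus PIN or startup key'
    } elseif ($types -contains 'Password' -or $types -contains 'ExternalKey') {
        'Password or external (USB) key, no TPM'
    } else {
        'No startup protector'
    }

    $issues = @()
    if ($vol.VolumeType -ne 'OperatingSystem') { $issues += 'Not an operating-system volume' }
    if ($vol.ProtectionStatus -ne 'On')        { $issues += 'Protection is off or suspended' }
    if ($vol.EncryptionPercentage -lt 100) {
        $issues += "Status $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
    }
    if ($types -notcontains 'RecoveryPassword') {
        $issues += 'No recovery password: nothing to enter if the computer enters Recovery mode'
    }
    if ($startup -eq 'No startup protector') {
        $issues += 'No TPM, PIN, password, or startup-key protector'
    }

    [pscustomobject]@{
        MountPoint    = $vol.MountPoint
        StartupUnlock = $startup
        NetworkUnlock = $types -contains 'TpmNetworkKey'   # Network Unlock protector present
        Protectors    = $types -join ', '
        Issues        = $issues
    }
}

Get-OsVolumeUnlockReport | Format-List
```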

 