6.7 Managing and troubleshooting BitLocker
You can determine whether a system volume, data volume, or
inserted removable drive uses BitLocker by tapping or clicking
System And Security in Control Panel and then double-tapping or
double-clicking BitLocker Drive Encryption. You’ll see the status of BitLocker on each volume, as shown in Figure 21.
The BitLocker Drive Encryption service must be started for
BitLocker to work properly. Normally, this service is configured for
manual startup and runs under the LocalSystem account.
To use smart cards with BitLocker, the Smart Card service
must be started. Normally, this service is configured for manual
startup and runs under the LocalService account.
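The status check and the two service requirements described above can be verified from an elevated PowerShell session. The script below is an added example, not code from the book; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and uses the short service names BDESVC (BitLocker Drive Encryption Service) and SCardSvr (Smart Card), which are the standard names for those services.

```powershell
# Added example (not from the book): report BitLocker status for every volume
# and confirm the two services named in the text are in a usable state.
# Assumes the BitLocker module and an elevated session.
#Requires -RunAsAdministrator

function Get-BitLockerReport {
    # One row per volume: mount point, type (OperatingSystem/Data), whether
    # protection is on, encryption progress and which protector types exist.
    # A volume that is fully encrypted but shows ProtectionStatus = Off is
    # suspended: its key is stored in the clear until protection is resumed.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint        = $_.MountPoint
            VolumeType        = $_.VolumeType
            VolumeStatus      = $_.VolumeStatus
            ProtectionStatus  = $_.ProtectionStatus
            EncryptionPercent = $_.EncryptionPercentage
            EncryptionMethod  = $_.EncryptionMethod
            Protectors        = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

function Test-BitLockerServices {
    # BDESVC normally runs as LocalSystem and SCardSvr as LocalService, both
    # with Manual start (per the text). Manual is fine; Disabled is the
    # misconfiguration to flag, because BitLocker cannot start the service.
    $expected = @{ BDESVC = 'LocalSystem'; SCardSvr = 'NT AUTHORITY\LocalService' }
    foreach ($name in $expected.Keys) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) { Write-Warning "$name is not installed on this system"; continue }
        [pscustomobject]@{
            Service     = $name
            State       = $svc.State
            StartMode   = $svc.StartMode
            RunsAs      = $svc.StartName
            AccountOk   = ($svc.StartName -eq $expected[$name])
            StartModeOk = ($svc.StartMode -ne 'Disabled')
        }
    }
}

Get-BitLockerReport | Format-Table -AutoSize
Test-BitLockerServices | Format-Table -AutoSize
```

The service check reads `Win32_Service` rather than `Get-Service` because only the CIM class exposes the logon account (`StartName`) and start mode in one object.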
After you create a startup key or PIN and a recovery key for a
computer, you can create duplicates of the startup key, startup PIN,
or recovery key as necessary for backup or replacement purposes
using the options on the BitLocker Drive Encryption page in Control
Panel.
With fixed-data and operating-system drives, another way to access this
page is to press and hold or right-click the volume in File Explorer
and then tap or click Manage BitLocker. If BitLocker is turned off,
the Turn On BitLocker option is displayed instead.
The management options provided depend on the type of
volume you are working with and the encryption settings you choose.
The available options include the following:
- Back Up Recovery Key: Allows you to save or print the recovery key. Tap or click this option, and then follow the prompts.
- Change Password: Allows you to change the encryption password. Tap or click this option, enter the old password, and then type and confirm the new password. Tap or click Change Password.
- Remove Password: Tap or click this option to remove the encryption password requirement for unlocking the drive. You can do this only if another unlocking method is configured first.
- Add Smart Card: Allows you to add a smart card for unlocking the drive. Tap or click this option, and then follow the prompts.
- Remove Smart Card: Tap or click this option to remove the smart card requirement for unlocking the drive.
- Change Smart Card: Allows you to change the smart card used to unlock the drive. Tap or click this option, and then follow the prompts.
- Turn On Auto-Unlock: Tap or click this option to turn on automatic unlocking of the drive.
- Turn Off Auto-Unlock: Tap or click this option to turn off automatic unlocking of the drive.
- Turn Off BitLocker: Tap or click this option to turn off BitLocker and decrypt the drive.
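Two of the options in the list above, Back Up Recovery Key and Remove Password, map directly onto BitLocker cmdlets. The script below is an added example, not code from the book; it assumes the BitLocker module and an elevated session, and the mount point E: and the output path on F: are placeholders. It also encodes the rule stated for Remove Password: a password protector is only removed when another unlocking method already exists.

```powershell
# Added example (not from the book): back up the numerical recovery password
# and remove a password protector only when another protector remains.
# Mount point E: and the file path on F: are placeholders.
#Requires -RunAsAdministrator

function Backup-RecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [switch]$ToActiveDirectory   # also escrow the protector in AD DS
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # No 48-digit recovery password exists yet, so create one to back up.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        if ($ToActiveDirectory) {
            # Requires the domain to be configured for BitLocker key escrow.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        }
        # The protector ID (without braces) is the identifier the recovery
        # console shows as the Password ID, in full or as a leading prefix
        # depending on the Windows version.
        [pscustomobject]@{
            MountPoint       = $MountPoint
            PasswordId       = $p.KeyProtectorId.Trim('{}')
            RecoveryPassword = $p.RecoveryPassword
        }
    }
}

function Remove-PasswordProtectorSafely {
    # Mirrors the Control Panel rule: the password can be removed only if
    # another unlock method (recovery password, smart card, auto-unlock
    # external key, ...) is configured for the volume.
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $pw    = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Password'
    $other = $vol.KeyProtector | Where-Object KeyProtectorType -ne 'Password'
    if (-not $pw)    { throw "No password protector is configured on $MountPoint" }
    if (-not $other) { throw "Refusing: the password is the only protector on $MountPoint" }
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $pw.KeyProtectorId
}

# Usage with placeholders: save the recovery password to removable media
# (never onto the encrypted volume itself), named by Password ID as the
# Control Panel wizard does, so the file can be found later.
$entry = Backup-RecoveryPassword -MountPoint 'E:'
$entry | Out-File -FilePath ("F:\BitLocker Recovery Key {0}.TXT" -f $entry.PasswordId)
```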
6.8 Recovering data protected by BitLocker Drive Encryption
If you configure BitLocker Drive Encryption and the computer enters
Recovery mode, you need to unlock the computer. To unlock the
computer using a recovery key stored on a USB flash drive, follow
these steps:
- Turn on the computer. If the computer is locked, the computer opens the BitLocker Drive Encryption Recovery console.
- When you are prompted, insert the USB flash drive that contains the recovery key, and then press Enter.
- The computer will unlock and reboot automatically. You do not need to enter the recovery key manually.
If you saved the recovery key file in a folder on another
computer or on removable media, you can use another computer to
open and validate the recovery key file. To locate the correct
file, find Password ID on the recovery console displayed on the
locked computer and write down this number. The file containing
the recovery key uses this Password ID as the file name. Open the
file and locate the recovery key.
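Locating the right recovery key file by Password ID, as described above, can be scripted on the second computer. The script below is an added example, not code from the book; the search root F:\ and the mount point E: are placeholders. It goes slightly beyond the text in two ways: it also matches the ID inside file contents, because newer recovery consoles display only a prefix of the full identifier, and it sanity-checks the 48-digit password using the known BitLocker encoding (each six-digit group is a 16-bit value multiplied by 11, so it is divisible by 11 and below 720896). Unlocking from PowerShell applies to locked data volumes; an operating-system volume is unlocked at the recovery console itself.

```powershell
# Added example (not from the book): find the recovery key file that matches
# the Password ID shown on a locked computer's recovery console, extract the
# 48-digit recovery password, validate its format, and unlock a data volume.
# Search root and mount point are placeholders.

function Find-RecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$PasswordId,  # as shown on the console (prefix or full GUID)
        [Parameter(Mandatory)][string]$SearchRoot   # folder or removable drive holding the .TXT files
    )
    $idPattern = [regex]::Escape($PasswordId.Trim('{}'))
    # Saved key files carry the protector ID in their name; fall back to
    # searching file contents in case the file was renamed.
    $files = Get-ChildItem -Path $SearchRoot -Recurse -File -Filter '*.txt' -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -match $idPattern -or
                            (Select-String -Path $_.FullName -Pattern $idPattern -Quiet) }
    foreach ($f in $files) {
        # A BitLocker recovery password is eight groups of six digits.
        $m = Select-String -Path $f.FullName -Pattern '\b(\d{6}-){7}\d{6}\b' | Select-Object -First 1
        if ($m) {
            [pscustomobject]@{ File = $f.FullName; RecoveryPassword = $m.Matches[0].Value }
        }
    }
}

function Test-RecoveryPasswordFormat {
    # Catch transcription errors before typing 48 digits at the console:
    # each group must be a multiple of 11 and less than 65536 * 11.
    param([Parameter(Mandatory)][string]$RecoveryPassword)
    $groups = $RecoveryPassword -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

# Usage with placeholders:
$hit = Find-RecoveryPassword -PasswordId '1A2B3C4D' -SearchRoot 'F:\'
if ($hit -and (Test-RecoveryPasswordFormat -RecoveryPassword $hit.RecoveryPassword)) {
    "Matching file: $($hit.File)"
    # For a locked data volume on this computer:
    Unlock-BitLockerVolume -MountPoint 'E:' -RecoveryPassword $hit.RecoveryPassword
} else {
    Write-Warning "No well-formed recovery password found for Password ID 1A2B3C4D"
}
```

When the locked machine only accepts function keys (the F1 to F10 case described later in this section), the validated password from this script is what gets typed there, one digit per function key.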
To unlock the computer by typing the recovery key, follow
these steps:
- Turn on the computer. If the computer is locked, the computer opens the BitLocker Drive Encryption Recovery console.
- Type the recovery key, and then press Enter. The computer will unlock and reboot automatically.
A computer can become locked if a user tries to enter the
recovery key but is repeatedly unsuccessful. In the recovery
console, you can press Esc twice to exit the recovery prompt and
turn off the computer. A computer might also become locked if an
error related to TPM occurs or boot data is modified. In this case, the computer halts
very early in the boot process, before the operating system
starts. At this point, the locked computer might not be able to
accept standard keyboard numbers. If that is the case, you must
use the function keys to enter the recovery password. Here, the
function keys F1–F9 represent the digits 1 through 9, and the F10
function key represents 0.
6.9 Disabling or turning off BitLocker Drive Encryption
When you need to make changes to TPM or make other changes
to the system, you might first need to temporarily turn off
BitLocker encryption on the system volume. You cannot temporarily
turn off BitLocker encryption on data volumes; you can only
decrypt data volumes.
To temporarily turn off BitLocker encryption on the system
volume, follow these steps:
- In Control Panel, tap or click System And Security, and then double-tap or double-click BitLocker Drive Encryption.
- For the system volume, tap or click Turn Off BitLocker Drive Encryption.
- In the What Level Of Decryption Do You Want? dialog box, tap or click Disable BitLocker Drive Encryption.
By completing this procedure, you temporarily disable
BitLocker on the operating-system volume.
To turn off BitLocker Drive Encryption and decrypt a data
volume, follow these steps:
- In Control Panel, tap or click System And Security, and then double-tap or double-click BitLocker Drive Encryption.
- For the appropriate volume, tap or click Turn Off BitLocker Drive Encryption.
- In the What Level Of Decryption Do You Want? dialog box, tap or click Decrypt The Volume.
To turn off BitLocker Drive Encryption and decrypt a USB
flash drive, follow these steps:
- In Control Panel, tap or click System And Security, and then double-tap or double-click BitLocker Drive Encryption.
- For the appropriate volume, tap or click Turn Off BitLocker Drive Encryption.
- In the What Level Of Decryption Do You Want? dialog box, tap or click Decrypt The Volume.
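The three procedures in this section correspond to Suspend-BitLocker (temporarily disable) and Disable-BitLocker (decrypt). The script below is an added example, not code from the book; it assumes the BitLocker module and an elevated session, and mount points are placeholders. Following the rule stated at the start of the section, it only ever suspends the operating-system volume and only ever decrypts data volumes and removable drives, so a TPM maintenance step cannot accidentally turn into a full decryption of the system drive.

```powershell
# Added example (not from the book): temporarily disable BitLocker on the
# operating-system volume, resume it afterwards, and decrypt a data volume
# or USB flash drive. Mount points are placeholders.
#Requires -RunAsAdministrator

function Suspend-OSBitLocker {
    # Temporarily turn off protection before TPM or firmware changes.
    # RebootCount 1 re-arms protection automatically after the next restart;
    # 0 would leave the volume suspended until Resume-OSBitLocker is run.
    param([int]$RebootCount = 1)
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if (-not $os) { throw 'No BitLocker-protected operating-system volume found' }
    Suspend-BitLocker -MountPoint $os.MountPoint -RebootCount $RebootCount | Out-Null
    Get-BitLockerVolume -MountPoint $os.MountPoint |
        Select-Object MountPoint, ProtectionStatus, VolumeStatus
}

function Resume-OSBitLocker {
    # Re-enable protection once the maintenance is done (do not rely on the
    # reboot counter alone if the change required several restarts).
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if (-not $os) { throw 'No BitLocker-protected operating-system volume found' }
    Resume-BitLocker -MountPoint $os.MountPoint | Out-Null
    Get-BitLockerVolume -MountPoint $os.MountPoint |
        Select-Object MountPoint, ProtectionStatus, VolumeStatus
}

function Disable-DataVolumeBitLocker {
    # Equivalent of "Decrypt The Volume" for a fixed data volume or USB drive.
    # Refuses the OS volume, which the text says can only be suspended here.
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -eq 'OperatingSystem') {
        throw "Use Suspend-OSBitLocker for the operating-system volume"
    }
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        "$MountPoint is already decrypted"; return
    }
    # Turn off auto-unlock first (the Turn Off Auto-Unlock option) so no
    # stale external key for this drive is left on the OS volume.
    if ($vol.AutoUnlockEnabled) { Disable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null }
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    # Decryption runs in the background; poll until it finishes.
    do {
        Start-Sleep -Seconds 10
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        "{0}: {1} ({2}% encrypted)" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage
    } while ($vol.VolumeStatus -eq 'DecryptionInProgress')
}

# Usage with placeholders:
# Suspend-OSBitLocker -RebootCount 1      # before clearing or updating the TPM
# Resume-OSBitLocker                      # after the change, if still suspended
# Disable-DataVolumeBitLocker -MountPoint 'E:'
```

While the operating-system volume is suspended, Get-BitLockerVolume reports ProtectionStatus Off with VolumeStatus still FullyEncrypted; that combination is the state to watch for in an inventory, because the drive is encrypted in name only until protection is resumed.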