Managing and Troubleshooting BitLocker
You can determine whether a system volume, data volume, or inserted removable drive uses BitLocker by tapping or clicking System And Security in Control Panel, then double-tapping or double-clicking BitLocker Drive Encryption. You’ll see the status of BitLocker on each volume, as shown in Figure 5.
The BitLocker Drive Encryption service must be started for BitLocker to work properly. Normally, this service is configured for manual startup and runs under the LocalSystem account.
To use smart cards with BitLocker, the Smart Card service must be started. Normally, this service is configured for manual startup and runs under the LocalService account.
After you create a startup key or PIN and a recovery key for a computer, you can create duplicates of the startup key, startup PIN, or recovery key as necessary for backup or replacement purposes using the options on the BitLocker Drive Encryption page in Control Panel.
Note
With fixed data and operating system drives, another way to access this page is to press and hold or right-click the volume in File Explorer, and then tap or click Manage BitLocker. If BitLocker is turned off, the Turn On BitLocker option is displayed instead.
The management options provided depend on the type of volume you are working with and the encryption settings you choose. The available options include the following:
- Back Up Recovery Key Allows you to save or print the recovery key. Tap or click this option, and then follow the prompts.
- Change Password Allows you to change the encryption password. Tap or click this option, enter the old password, and then type and confirm the new password. Tap or click Change Password.
- Remove Password Tap or click this option to remove the encryption password requirement for unlocking the drive. You can do this only if another unlocking method is configured first.
- Add A Smart Card Allows you to add a smart card for unlocking the drive. Tap or click this option, and then follow the prompts.
- Remove Smart Card Tap or click this option to remove the smart card requirement for unlocking the drive.
- Change Smart Card Allows you to change the smart card used to unlock the drive. Tap or click this option, and then follow the prompts.
- Turn On Auto-Unlock Tap or click this option to turn on automatic unlocking of the drive.
- Turn Off Auto-Unlock Tap or click this option to turn off automatic unlocking of the drive.
- Turn Off BitLocker Tap or click this option to turn off BitLocker and decrypt the drive.
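The same operations are exposed by the BitLocker PowerShell module that ships with Windows 8 and later. The script below is an added example, not code from the book: it lists the status of every volume, makes sure a recovery password exists and is backed up, and removes the password protector from a data drive only after confirming that another unlocking method is configured (the check the Remove Password option enforces). The drive letter E: and the use of AD DS as the backup location are assumptions.

```powershell
# Added example (not from the book). Assumes an elevated session with the
# BitLocker module (Windows 8 / Server 2012 and later). E: is a sample drive.
$MountPoint = "E:"

# Status of each volume, as the BitLocker Drive Encryption page shows it.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, ProtectionStatus, LockStatus,
                  EncryptionPercentage, VolumeStatus |
    Format-Table -AutoSize

$vol        = Get-BitLockerVolume -MountPoint $MountPoint
$protectors = $vol.KeyProtector
$password   = @($protectors | Where-Object KeyProtectorType -eq 'Password')
$recovery   = @($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$others     = @($protectors | Where-Object KeyProtectorType -ne 'Password')

# "Back Up Recovery Key": make sure a 48-digit recovery password exists and
# escrow it to AD DS before changing any other protector on the drive.
if ($recovery.Count -eq 0) {
    $recovery = @((Add-BitLockerKeyProtector -MountPoint $MountPoint `
                      -RecoveryPasswordProtector).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $others  += $recovery
}
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
}

# "Remove Password": only allowed when another unlock method is configured.
if ($password.Count -eq 0) {
    Write-Output "No password protector on $MountPoint; nothing to remove."
} elseif ($others.Count -eq 0) {
    Write-Warning "Refusing: the password is the only protector on $MountPoint."
} else {
    foreach ($p in $password) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    Write-Output "Password protector removed; remaining: $($others.KeyProtectorType -join ', ')"
}
```

Enable-BitLockerAutoUnlock and Disable-BitLockerAutoUnlock cover the two Auto-Unlock options in the same way, and Disable-BitLocker corresponds to Turn Off BitLocker.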
Recovering Data Protected by BitLocker Drive Encryption
If you’ve configured BitLocker Drive Encryption and the computer enters Recovery mode, you need to unlock the computer. To unlock the computer using a recovery key stored on a USB flash drive, follow these steps:
- Turn on the computer. If the computer is locked, the computer opens the BitLocker Drive Encryption Recovery console.
- When you are prompted, insert the USB flash drive that contains the recovery key, and then press Enter.
- The computer will unlock and reboot automatically. You do not need to enter the recovery key manually.
If you saved the recovery key file in a folder on another computer or on removable media, you can use another computer to open and validate the recovery key file. To locate the correct file, find Password ID on the recovery console displayed on the locked computer and write down this number. The file containing the recovery key uses this Password ID as the file name. Open the file and locate the recovery key.
To unlock the computer by typing the recovery key, follow these steps:
- Turn on the computer. If the computer is locked, the computer opens the BitLocker Drive Encryption Recovery console.
- Type the recovery key, and then press Enter. The computer will unlock and reboot automatically.
A computer can become locked if a user tries to enter the recovery key but is repeatedly unsuccessful. In the recovery console, you can press Esc twice to exit the recovery prompt and turn off the computer.
A computer might also become locked if an error related to TPM occurs or boot data is modified. In this case, the computer halts very early in the boot process, before the operating system starts. At this point, the locked computer might not be able to accept standard keyboard numbers. If that is the case, you must use the function keys to enter the recovery password. Here, the function keys F1–F9 represent the digits 1 through 9, and the F10 function key represents 0.
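Locating the file by its Password ID and validating the key before typing it, as described above, can be done from the other computer with a short script. The functions below are an added example, not from the book: they search a folder of saved recovery key files for the one named after the Password ID, extract the 48-digit recovery password, and reject a value whose digit groups fail BitLocker's own format rule (each 6-digit group is divisible by 11 and below 720896), which catches a mistyped or truncated key before it costs a failed unlock attempt. The folder path, the file layout and the sample ID are constructed for illustration.

```powershell
# Added example (not from the book): find the saved recovery key file whose
# name carries the Password ID shown on the recovery console, then check the
# 48-digit recovery password before typing it. Paths and IDs are constructed.
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$Password)
    $groups = $Password -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        # Each 6-digit group is a 16-bit value times 11, so it must be
        # divisible by 11 and below 11 * 65536 = 720896.
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if ($n % 11 -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$KeyFolder,
        [Parameter(Mandatory)][string]$PasswordId   # value shown on the recovery console
    )
    $file = Get-ChildItem -Path $KeyFolder -Filter '*.txt' |
            Where-Object { $_.BaseName -like "*$PasswordId*" } | Select-Object -First 1
    if (-not $file) { throw "No recovery key file for Password ID $PasswordId in $KeyFolder" }
    $text = Get-Content -Path $file.FullName -Raw
    $m = [regex]::Match($text, '(\d{6}-){7}\d{6}')
    if (-not $m.Success) { throw "$($file.Name) contains no 48-digit recovery password" }
    if (-not (Test-BitLockerRecoveryPassword $m.Value)) {
        throw "Recovery password in $($file.Name) fails the format check; look for a typo"
    }
    [pscustomobject]@{ File = $file.FullName; PasswordId = $PasswordId; RecoveryPassword = $m.Value }
}

# Constructed sample file laid out like the text file BitLocker saves.
$folder = Join-Path $env:TEMP 'bitlocker-keys-sample'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$sampleId = '00000000-1111-2222-3333-444444444444'   # constructed, not a real Password ID
@"
BitLocker Drive Encryption recovery key
Identifier:
    $sampleId
Recovery Key:
    000000-000011-000022-000033-000044-000055-000066-000077
"@ | Set-Content -Path (Join-Path $folder "$sampleId.txt")

Find-BitLockerRecoveryPassword -KeyFolder $folder -PasswordId $sampleId
```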
Disabling or Turning Off BitLocker Drive Encryption
When you need to make changes to TPM or make other changes to the system, you might first need to temporarily turn off BitLocker encryption on the system volume. You cannot temporarily turn off BitLocker encryption on data volumes; you can only decrypt data volumes.
To temporarily turn off BitLocker encryption on the system volume, follow these steps:
- In Control Panel, tap or click System And Security, and then double-tap or double-click BitLocker Drive Encryption.
- For the system volume, tap or click Turn Off BitLocker Drive Encryption.
- In the What Level Of Decryption Do You Want? dialog box, tap or click Disable BitLocker Drive Encryption.
By completing this procedure, you have temporarily disabled BitLocker on the operating system volume.
To turn off BitLocker Drive Encryption and decrypt a data volume, follow these steps:
- In Control Panel, tap or click System And Security, and then double-tap or double-click BitLocker Drive Encryption.
- For the appropriate volume, tap or click Turn Off BitLocker Drive Encryption.
- In the What Level Of Decryption Do You Want? dialog box, tap or click Decrypt The Volume.
To turn off BitLocker Drive Encryption and decrypt a USB flash drive, follow these steps:
- In Control Panel, tap or click System And Security, and then double-tap or double-click BitLocker Drive Encryption.
- For the appropriate volume, tap or click Turn Off BitLocker Drive Encryption.
- In the What Level Of Decryption Do You Want? dialog box, tap or click Decrypt The Volume.
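The three procedures in this section map onto two cmdlets: Disable BitLocker Drive Encryption on the system volume is Suspend-BitLocker, and Decrypt The Volume on a data volume or USB flash drive is Disable-BitLocker. The functions below are an added example, not from the book: they suspend protection on the operating system volume for a single restart around a TPM or firmware change, resume it afterwards, and start decryption of a data volume while reporting progress; each refuses the wrong volume type, matching the rule above that data volumes can only be decrypted. The default of the system drive and the five-second polling interval are assumptions.

```powershell
# Added example (not from the book). Assumes an elevated session with the
# BitLocker module (Windows 8 or later); $env:SystemDrive is the default target.
function Suspend-SystemVolumeBitLocker {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # The "Disable BitLocker Drive Encryption" choice exists only for the
    # operating system volume; data volumes can only be decrypted.
    if ($vol.VolumeType -ne 'OperatingSystem') {
        throw "$MountPoint is a $($vol.VolumeType) volume; use Start-DataVolumeDecryption instead."
    }
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Output "Protection on $MountPoint is already $($vol.ProtectionStatus)."
        return $vol
    }
    # -RebootCount 1 restores protection automatically after the next restart,
    # so the unprotected window stays short even if the resume step is forgotten.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    $after = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Output "Protection on $MountPoint is now $($after.ProtectionStatus); data stays encrypted ($($after.VolumeStatus))."
    return $after
}

function Resume-SystemVolumeBitLocker {
    param([string]$MountPoint = $env:SystemDrive)
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
}

# Decrypting is the only way to turn BitLocker off on a data volume or USB
# flash drive; poll the same status the Control Panel page displays.
function Start-DataVolumeDecryption {
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -eq 'OperatingSystem') {
        throw "$MountPoint is the operating system volume; use Suspend-SystemVolumeBitLocker for a temporary change."
    }
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 5
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Output ("{0}: {1}, {2}% encrypted" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -eq 'DecryptionInProgress')
    $vol
}

# Typical sequence around a TPM change: Suspend-SystemVolumeBitLocker,
# make the change and restart, then Resume-SystemVolumeBitLocker.
```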