
Windows 7 : BitLocker (part 1) - How to Use BitLocker with TPM Hardware

1/4/2014 8:38:38 PM

NTFS file permissions provide access control when the operating system is online. EFS supplements NTFS file permissions by using encryption to provide access control that is in effect even if an attacker bypasses the operating system (for example, by starting the computer from a bootable DVD). BitLocker Drive Encryption, like EFS, uses encryption. However, BitLocker has several key differences from EFS:

  • BitLocker encrypts entire volumes, including the system volume and all user and system files. EFS cannot encrypt system files.

  • BitLocker protects the computer at startup before the operating system starts. After the operating system starts, BitLocker is completely transparent.

  • BitLocker provides computer-specific encryption, not user-specific encryption. Therefore, you still need to use EFS to protect private files from other valid users.

  • BitLocker can protect the integrity of the operating system, helping to prevent rootkits and offline attacks that modify system files.



BitLocker is a feature of Windows 7 Enterprise and Windows 7 Ultimate. It is not supported on other editions of Windows 7.

Previous versions of Windows required administrators to configure BitLocker partitions manually. Windows 7 setup automatically configures partitions compatible with BitLocker.

1. How to Use BitLocker with TPM Hardware

If available, BitLocker seals the symmetric encryption key in a Trusted Platform Module (TPM) 1.2 chip (available in some newer computers). If the computer does not have a TPM chip, BitLocker stores the encryption key on a USB flash drive that must be provided every time the computer starts or resumes from hibernation.

Many TPM-equipped computers have the TPM chip disabled in the basic input/output system (BIOS). Before you can use it, you must enter the computer's BIOS settings and enable it. After you enable the TPM chip, BitLocker performs the TPM initialization automatically. To allow you to initialize TPM chips manually and turn them on or off at the operating system level, Windows 7 includes the TPM Management snap-in, as shown in Figure 1. To use it, open a blank MMC console and add the snap-in.


Figure 1. Using the TPM Management snap-in to initialize a TPM manually



BitLocker has several modes available on computers with TPM hardware:

  • TPM only: This mode is transparent to the user, and the user logon experience is exactly the same as it was before BitLocker was enabled. During startup, BitLocker communicates with the TPM hardware to validate the integrity of the computer and operating system. However, if the TPM is missing or changed, if the hard disk is moved to a different computer, or if critical startup files have changed, BitLocker enters recovery mode. In recovery mode, the user needs to enter a 40-digit recovery key or insert a USB flash drive with a recovery key stored on it to regain access to the data. TPM-only mode provides protection from hard-disk theft with no user training necessary.

  • TPM with external key: In this mode, BitLocker performs the same integrity checks as TPM-only mode but also requires the user to provide an external key (usually a USB flash drive with a certificate stored on it) to start Windows. This provides protection from both hard-disk theft and stolen computers (assuming the computer was shut down or locked); however, it requires some effort from the user.

  • TPM with PIN: In this mode, BitLocker requires the user to type a PIN to start Windows.

  • TPM with PIN and external key: In this mode, BitLocker requires the user to provide an external key and to type a PIN.

When TPM hardware is available, BitLocker validates the integrity of the computer and operating system by storing "measurements" of various parts of the computer and operating system in the TPM chip. In its default configuration, BitLocker instructs the TPM to measure the master boot record, the active boot partition, the boot sector, the Windows Boot Manager, and the BitLocker storage root key. Each time the computer is booted, the TPM computes the SHA-1 hash of the measured code and compares it to the hash stored in the TPM from the previous boot. If the hashes match, the boot process continues; if they do not match, the boot process halts. At the conclusion of a successful boot, the TPM releases the storage root key to BitLocker, and BitLocker decrypts data as Windows reads it from the protected volume. Because no other operating system (not even a second instance of Windows 7) can reproduce these measurements, the TPM never releases the key to it, and the volume remains an unreadable encrypted blob. Any attempt to modify the protected volume renders it unbootable.
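The measure-then-seal mechanism described above, as an added example that is not code from the original page: a Python model of TPM 1.2 PCR extension over the boot components the text lists, and of sealing the volume key to the resulting PCR value so that it is released only when the same measurements recur. Deriving the wrapping key from a constructed TPM secret is an assumption standing in for real storage-root-key sealing, and the component bytes and volume key are constructed sample values.

```python
import hashlib
import hmac

# Constructed stand-ins for the components the text says BitLocker measures.
BOOT_COMPONENTS = {
    "mbr": b"constructed master boot record",
    "active_partition": b"constructed active boot partition",
    "boot_sector": b"constructed boot sector",
    "bootmgr": b"constructed Windows Boot Manager image",
}
MEASURE_ORDER = ("mbr", "active_partition", "boot_sector", "bootmgr")

# Constructed secret modelling the TPM's internal storage root key material.
TPM_SECRET = hashlib.sha256(b"constructed TPM storage root key").digest()


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 1.2 PCR extend: new PCR = SHA-1(old PCR || SHA-1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()


def measure_boot(components: dict) -> bytes:
    """Extend one PCR with each boot component, in boot order, from a zeroed PCR."""
    pcr = bytes(20)
    for name in MEASURE_ORDER:
        pcr = extend(pcr, components[name])
    return pcr


def seal(volume_key: bytes, expected_pcr: bytes) -> dict:
    """Bind the key to a PCR value: wrap it under a key derived from that PCR."""
    wrap = hashlib.sha256(TPM_SECRET + expected_pcr).digest()
    blob = bytes(a ^ b for a, b in zip(volume_key, wrap))
    tag = hmac.new(wrap, blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag}


def unseal(sealed: dict, current_pcr: bytes):
    """Return the key only if the current PCR equals the one it was sealed to."""
    wrap = hashlib.sha256(TPM_SECRET + current_pcr).digest()
    tag = hmac.new(wrap, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None  # measurements differ: key withheld, BitLocker enters recovery mode
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


def boot(components: dict, sealed: dict) -> str:
    """Simulate one boot: measure the components, try to unseal, report the outcome."""
    return "key released" if unseal(sealed, measure_boot(components)) else "recovery mode"


VOLUME_KEY = hashlib.sha256(b"constructed volume master key").digest()
SEALED = seal(VOLUME_KEY, measure_boot(BOOT_COMPONENTS))
# A changed boot manager (as a rootkit or offline edit would produce) alters the PCR.
TAMPERED = dict(BOOT_COMPONENTS, bootmgr=b"modified Windows Boot Manager image")
```

Booting with the original components yields "key released"; booting with TAMPERED yields "recovery mode", because the extend chain makes the final PCR depend on every component and on their order.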
