
Windows 7 : BitLocker (part 2) - How to Enable BitLocker Encryption

1/4/2014 8:39:37 PM

2. How to Enable the Use of BitLocker on Computers without TPM

If TPM hardware is not available, BitLocker can store decryption keys on a USB flash drive instead of using a built-in TPM module. Using BitLocker in this configuration can be risky, however, because if the user loses the USB flash drive, the encrypted volume is no longer accessible and the computer cannot start without the recovery key. Windows 7 does not make this option available by default.

To use BitLocker encryption on a computer without a compatible TPM, you need to change a computer Group Policy setting by performing these steps:

  1. Open the Group Policy Object Editor by clicking Start, typing gpedit.msc, and pressing Enter. Respond to the UAC prompt that appears.

  2. Navigate to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

  3. Enable the Require Additional Authentication At Startup setting. Then select the Allow BitLocker Without A Compatible TPM check box. Click OK.

If you plan to deploy BitLocker in an enterprise using USB flash drives instead of TPM, you should deploy this setting with domain-based Group Policy settings.
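To confirm that the setting from the steps above actually reached a computer, the following added example (not part of the original article) reads the policy state and checks for a TPM. It assumes the policy is stored as the UseAdvancedStartup and EnableBDEWithNoTPM values under HKLM\SOFTWARE\Policies\Microsoft\FVE; the function and variable names are illustrative.

```powershell
# Added example: read-only audit of the policy behind
# "Require Additional Authentication At Startup". Run from an elevated prompt.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue([string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $fveKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$advancedStartup = Get-FvePolicyValue 'UseAdvancedStartup'   # 1 = setting enabled
$allowNoTpm      = Get-FvePolicyValue 'EnableBDEWithNoTPM'   # 1 = check box selected

# A Win32_Tpm instance exists only when Windows detects a TPM.
try {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction Stop
} catch {
    $tpm = $null
}
$hasTpm = [bool]$tpm

if ($advancedStartup -ne 1) {
    $finding = 'Policy not enabled: BitLocker on the OS drive requires a compatible TPM.'
} elseif ($allowNoTpm -eq 1) {
    $finding = 'Policy enabled; BitLocker without a compatible TPM is allowed.'
} else {
    $finding = 'Policy enabled, but BitLocker without a compatible TPM is not allowed.'
}

if ((-not $hasTpm) -and ($allowNoTpm -ne 1)) {
    $finding += ' No TPM detected, so the OS drive cannot be encrypted until the setting is deployed.'
} elseif (-not $hasTpm) {
    $finding += ' No TPM detected: startup will depend on the USB key, so confirm the recovery key is stored safely.'
}

New-Object PSObject -Property @{
    Computer           = $env:COMPUTERNAME
    TpmDetected        = $hasTpm
    UseAdvancedStartup = $advancedStartup
    EnableBDEWithNoTPM = $allowNoTpm
    Finding            = $finding
}
```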

3. How to Enable BitLocker Encryption

Individual users can enable BitLocker from Control Panel, but most enterprises should use AD DS to manage keys.



For detailed instructions on how to configure AD DS to back up BitLocker and TPM recovery information, read "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" at

To enable BitLocker from Control Panel, perform these steps:

  1. Perform a full backup of the computer, and then run a check of the integrity of the BitLocker partition using ChkDsk.

  2. Open Control Panel. Click the System And Security link. Under BitLocker Drive Encryption, click the Protect Your Computer By Encrypting Data On Your Disk link.

  3. On the BitLocker Drive Encryption page, click Turn On BitLocker.

  4. On the BitLocker Drive Encryption Setup page, click Next.

  5. If the Preparing Your Drive For BitLocker page appears, click Next. If you are required to restart your computer, do so.

  6. If the Turn On The TPM Security Hardware page appears, click Next, and then click Restart.

  7. If the volume is the system volume and the choice has not been blocked by a Group Policy setting, in the Set BitLocker Startup Preferences dialog box (shown in Figure 2), select your authentication choice. The choices vary depending on whether the computer has a built-in TPM chip.

    Figure 2. Startup options in BitLocker

    The choices include the following:

    • Use BitLocker Without Additional Keys: Uses the TPM to verify the integrity of the operating system at every startup. This option does not prompt the user during startup, providing completely transparent protection.

    • Require PIN At Every Startup: Uses the TPM to verify the integrity of the operating system at startup and requires the user to type a PIN to verify the user's identity. This option provides additional protection but can inconvenience the user. If you choose to use a PIN, the Enter A Startup Pin page appears. Type your PIN and then click Set PIN.

    • Require Startup USB Key At Every Startup: Does not require TPM hardware. This option requires the user to insert a USB key containing the decryption key at startup. Alternatively, users can type a recovery key to gain access to the encrypted system partition. If you choose to use a USB key, the Save Your Startup Key page appears. Select the startup key and then click Save.



      The BitLocker wizard allows you to choose either a PIN or a startup USB key. If you want to use both, use the Manage-bde command-line tool. For example, to protect the C:\ drive with both, using a startup key located on the E:\ drive, you would run the command manage-bde -protectors -add C: -TPMAndPINAndStartupKey -tsk E:.

  8. On the Save The Recovery Password page, choose the destination (a USB drive, a local or remote folder, or a printer) to save your recovery password. The recovery password is a small text file containing brief instructions, a drive label and password ID, and the 48-digit recovery password. Save the password and the recovery key on separate devices and store them in different locations. Click Next.

  9. On the Encrypt The Volume page, select the Run BitLocker System Check check box and click Continue if you are ready to begin encryption. Click Restart Now. Upon rebooting, BitLocker ensures that the computer is fully compatible and ready to be encrypted.

  10. BitLocker displays a special screen confirming that the key material was loaded. Now that this has been confirmed, BitLocker begins encrypting the C:\ drive after Windows 7 starts, and BitLocker is enabled.

BitLocker encrypts the drive in the background so that you can continue using the computer.
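After the wizard finishes, it is worth verifying which key protectors ended up on the volume. The following added example (not part of the original article) queries the Win32_EncryptableVolume WMI class, which works with the PowerShell 2.0 shipped in Windows 7, and flags a missing recovery password or a USB-only startup configuration. It assumes C: is the operating system volume and must be run elevated.

```powershell
# Added example: report encryption progress and key protectors for C:.
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if (-not $vol) { throw 'C: is not visible as an encryptable volume (run elevated).' }

# KeyProtectorType values defined for Win32_EncryptableVolume.
$typeNames = @{
    1 = 'TPM'
    2 = 'External key (startup or recovery key file)'
    3 = 'Numerical password (48-digit recovery password)'
    4 = 'TPM + PIN'
    5 = 'TPM + startup key'
    6 = 'TPM + PIN + startup key'
}

$conv = $vol.GetConversionStatus()
$prot = $vol.GetProtectionStatus()

# GetKeyProtectors(0) lists protectors of every type; drop $null so that
# PowerShell 2.0 does not iterate once over an empty result.
$ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
$types = @()
foreach ($id in $ids) {
    $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
}

'Encrypted: {0}%  Protection on: {1}' -f $conv.EncryptionPercentage, ($prot.ProtectionStatus -eq 1)
foreach ($t in ($types | Sort-Object -Unique)) {
    $name = $typeNames[$t]
    if (-not $name) { $name = "Other (type $t)" }
    "Protector: $name"
}

# Step 8 of the procedure should have created a numerical (recovery) password.
if ($types -notcontains 3) {
    Write-Warning 'No recovery password protector: a lost PIN or USB key would leave the volume inaccessible.'
}

# Types 1, 4, 5 and 6 involve the TPM; type 2 alone means USB-only startup.
$usesTpm = @($types | Where-Object { 1, 4, 5, 6 -contains $_ }).Count -gt 0
if (($types -contains 2) -and (-not $usesTpm)) {
    Write-Warning 'Startup relies on a USB key without a TPM: keep the key and the recovery password in separate locations.'
}
```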
