You can configure and enable BitLocker Drive Encryption on both system volumes and data volumes. When you encrypt system volumes, you must unlock the computer at startup. Typically this is done by using a TPM (with network unlock when the computer is connected to the domain), a TPM with a startup key, a TPM with a startup PIN, or any required or optional combination of these. To enforce the strictest security possible, use all three authentication methods together: the TPM, a startup key, and a startup PIN.
In the current implementation of BitLocker, you do not have to
encrypt a computer’s system volume prior to encrypting a computer’s data
volumes. When you use encrypted data volumes, the operating system
mounts BitLocker data volumes as it would any other volume, but it
requires either a password or a smart card with a valid certificate to
unlock the drive.
The encryption key for a protected data volume is created and stored
independently from the system volume and all other protected data
volumes. To allow the operating system to mount encrypted volumes, the
key chain protecting the data volume is stored in an encrypted state on
the operating system volume. If the operating system enters Recovery
mode, the data volumes are not unlocked until the operating system is
out of Recovery mode.
Setting up BitLocker Drive Encryption requires these steps:
- Partitioning a computer’s hard disks appropriately and installing the operating system (if you are configuring a new computer). Windows Setup partitions the drives for you automatically. However, the volume where BitLocker data is stored must always be the active, system volume.
- Initializing and configuring a computer’s TPM (if applicable).
- Turning on the BitLocker Drive Encryption feature (as necessary).
- Checking firmware to ensure that the computer is set to start first from the disk containing the active, system partition and the boot partition, not from USB or CD/DVD drives (applicable only when you encrypt system volumes).
- Turning on and configuring BitLocker Drive Encryption.
Note
When you are using a Microsoft account on a non-domain-joined
computer, you have an additional save option. You can save the recovery
key to the Windows Live SkyDrive. The user’s SkyDrive account will then contain a BitLocker folder with a separate file for each saved recovery key.
After you’ve turned on and configured BitLocker encryption, you can
use several techniques to maintain the environment and perform recovery.
Preparing for BitLocker Drive Encryption
BitLocker Drive Encryption can be used in a TPM or a non-TPM configuration. Either configuration requires some preliminary work before you can turn on and configure BitLocker Drive Encryption.
With Windows 8 Pro and Enterprise editions, BitLocker should be
installed by default. If it is not, you can install the BitLocker Drive
Encryption feature by using the Add Features Wizard. You need to
restart the computer to complete the installation process.
You can determine the readiness status of a computer by accessing
the BitLocker Drive Encryption console. In Control Panel, tap or click
System And Security, and then tap or click BitLocker Drive Encryption.
If the system isn’t properly configured, you’ll see an error message.
Note the following:
- If you see an error message related to TPM on a computer with a compatible TPM.
- If you see an error message related to TPM on a computer with an incompatible TPM or no TPM, you need to change the computer’s Group Policy settings so that you can turn on BitLocker Drive Encryption without a TPM.
You can configure policy settings for BitLocker encryption in local
Group Policy or in Active Directory–based Group Policy. In local
policy, you apply the settings to the computer’s local GPO. For domain
policy, you apply the settings to a Group Policy object processed by
the computer. While you are working with domain policy, you can also
specify requirements for computers with a TPM.
To configure the way BitLocker can be used with or without a TPM, follow these steps:
- Open the appropriate GPO for editing in the Group Policy Management Editor.
- In the Administrative Templates policies for Computer Configuration under Windows Components\BitLocker Drive Encryption\Operating System Drives, double-tap or double-click the Require Additional Authentication At Startup setting.
Important
There are several versions of this policy and they are specific to the operating system. Configure the version or versions of this policy that are appropriate for your working environment and the computers to which the policy will be applied. The options for each related policy are slightly different because the TPM features supported are slightly different for each operating system.
- In the Require Additional Authentication At Startup dialog box, define the policy setting by selecting Enabled.
- Do one of the following:
  - If you want to allow BitLocker to be used without a compatible TPM, select the Allow BitLocker Without A Compatible TPM check box. This changes the policy setting so that you can use BitLocker encryption with a password or startup key on a computer without a TPM.
  - If you want to require BitLocker to be used with a TPM, clear the Allow BitLocker Without A Compatible TPM check box. This changes the policy setting so that you can use BitLocker encryption on a computer with a TPM by using a startup PIN, a startup key, or both.
- On a computer with a compatible TPM, several authentication methods can be used at startup to provide added protection for encrypted data. These authentication methods can be allowed or required. Use Table 1 to help you configure how the TPM is used with these authentication methods. The methods available depend on the operating-system-specific version of the policy you are working with.
Table 1. Common Options for Using TPM with BitLocker

| SETTING FOR WHEN THE COMPUTER STARTS | CONFIGURE TPM STARTUP | CONFIGURE TPM STARTUP PIN | CONFIGURE TPM STARTUP KEY | CONFIGURE TPM STARTUP KEY AND PIN |
|---|---|---|---|---|
| Allow TPM to be used at startup | Allow TPM | Do Not Allow | Do Not Allow | Do Not Allow |
| Require TPM to be used at startup | Require TPM | Do Not Allow | Do Not Allow | Do Not Allow |
| Use TPM only with a startup PIN | Allow or Require TPM | Allow or Require Startup PIN with TPM | Do Not Allow | Do Not Allow |
| Use TPM only with a startup key | Allow or Require TPM | Do Not Allow | Allow or Require Startup Key with TPM | Do Not Allow |
| Use TPM only with a startup key and PIN | Allow or Require TPM | Do Not Allow | Do Not Allow | Allow or Require Startup Key and PIN with TPM |
| Allow TPM with any other authentication method | Allow or Require TPM | Allow Startup PIN with TPM | Allow Startup Key with TPM | Allow Startup Key and PIN with TPM |
- Tap or click OK to save your settings. This policy is enforced the next time Group Policy is applied.
- Close the Group Policy Management Editor. To apply Group Policy immediately to the computer you are logged on to, enter gpupdate.exe /force in the Apps Search box, and then press Enter.
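The readiness check and the policy steps above can be verified from the command line before anyone turns on BitLocker. The script below is an added example, not from the book: it reads the TPM state with Get-Tpm and the values that the Require Additional Authentication At Startup policy writes under HKLM:\SOFTWARE\Policies\Microsoft\FVE, then reports them in the vocabulary of Table 1. The registry value names and the numeric mapping (UseAdvancedStartup = 1 when enabled, EnableBDEWithNoTPM = 1 for the Allow BitLocker Without A Compatible TPM check box, and 0 = Do Not Allow, 1 = Require, 2 = Allow for UseTPM, UseTPMPIN, UseTPMKey and UseTPMKeyPIN) are assumptions about how the policy is stored; confirm them against the policy's ADMX on your build.

```powershell
# Added example (not from the book): audit the local computer's TPM state and the
# "Require Additional Authentication At Startup" policy before turning on BitLocker.
# Assumptions: Windows 8 / Server 2012 or later (Get-Tpm from the TrustedPlatformModule
# module); the policy stores its settings under the FVE policy key below, with
# UseAdvancedStartup = 1 when enabled, EnableBDEWithNoTPM = 1 for the
# "Allow BitLocker Without A Compatible TPM" check box, and UseTPM / UseTPMPIN /
# UseTPMKey / UseTPMKeyPIN using 0 = Do Not Allow, 1 = Require, 2 = Allow.
# Run from an elevated PowerShell prompt after gpupdate.exe /force.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function ConvertTo-PolicyWord {
    # Map the policy's numeric value to the vocabulary used in Table 1.
    param($Value)
    if ($null -eq $Value) { return 'Not Configured' }   # switch ($null) runs no case at all
    switch ([int]$Value) {
        0       { 'Do Not Allow' }
        1       { 'Require' }
        2       { 'Allow' }
        default { 'Not Configured' }
    }
}

function Get-BitLockerStartupPolicy {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyEnabled    = ($p.UseAdvancedStartup -eq 1)
        AllowWithoutTpm  = ($p.EnableBDEWithNoTPM -eq 1)
        TpmStartup       = ConvertTo-PolicyWord $p.UseTPM
        TpmStartupPin    = ConvertTo-PolicyWord $p.UseTPMPIN
        TpmStartupKey    = ConvertTo-PolicyWord $p.UseTPMKey
        TpmStartupKeyPin = ConvertTo-PolicyWord $p.UseTPMKeyPIN
    }
}

function Test-BitLockerStartupReadiness {
    $tpm      = Get-Tpm
    $policy   = Get-BitLockerStartupPolicy
    $findings = @()

    if (-not $policy.PolicyEnabled) {
        $findings += 'Policy not enabled: BitLocker will use its default TPM-only startup behaviour.'
    }
    if (-not $tpm.TpmPresent) {
        if ($policy.AllowWithoutTpm) {
            $findings += 'No TPM; the policy allows a password or startup key instead (Allow BitLocker Without A Compatible TPM).'
        } else {
            $findings += 'No TPM and "Allow BitLocker Without A Compatible TPM" is cleared: system-volume encryption will be refused.'
        }
    } elseif (-not $tpm.TpmReady) {
        $findings += 'TPM present but not ready: initialize it before turning on BitLocker.'
    } elseif ($policy.AllowWithoutTpm) {
        $findings += 'TPM is available, yet the policy still permits BitLocker without one; consider clearing that check box.'
    }

    # Does the PIN/key configuration match the "TPM only, nothing else" rows of Table 1?
    $extras = @($policy.TpmStartupPin, $policy.TpmStartupKey, $policy.TpmStartupKeyPin)
    if ($policy.PolicyEnabled -and $tpm.TpmPresent -and
        ($extras -notcontains 'Allow') -and ($extras -notcontains 'Require')) {
        $findings += "TPM startup = $($policy.TpmStartup); no startup PIN or key can be added (Table 1, rows 1-2)."
    }

    [pscustomobject]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
        Policy     = $policy
        Findings   = $findings
    }
}

Test-BitLockerStartupReadiness | Format-List
```

Because the values are read from the machine's own policy key, the report reflects whatever GPO was last applied; run it again after gpupdate.exe /force if you have just edited the policy, and compare the Findings list with the row of Table 1 you intended to configure.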
Computers that have a startup key or a startup PIN also have a recovery password or certificate. The recovery password or certificate is required in the event of the following:
- Changes are made to the system startup information.
- The encrypted drive must be moved to another computer.
- The user is unable to provide the appropriate startup key or PIN.
The recovery password or certificate should be managed and stored
separately from the startup key or startup PIN. Although users are
given the startup key or startup PIN, administrators should be the only
ones with the recovery password or certificate. As an administrator,
you need the recovery password or certificate to unlock the encrypted
data on the volume if BitLocker
enters a locked state. Generally, unless you use a common data-recovery
agent, the recovery password or certificate is unique to this
particular BitLocker
encryption. This means you cannot use it to recover encrypted data from
any other BitLocker-encrypted volume—even from other
BitLocker-encrypted volumes on the same computer. To increase security,
you should store startup keys and recovery data apart from the computer.
When BitLocker is installed, the BitLocker Drive Encryption console is available in Control Panel. Your configuration options for BitLocker depend on whether the computer has a TPM and on how you’ve configured Group Policy.
Enabling BitLocker on Nonsystem Volumes
Encrypting a nonsystem volume protects the data stored on the
volume. Any volume formatted with FAT, FAT32, exFAT or NTFS can be
encrypted with BitLocker. The length of time it takes to encrypt a
drive depends on the amount of data to encrypt, the processing power of
the computer, and the level of activity on the computer.
Before you enable BitLocker, you should configure the appropriate Fixed Data Drive policies
and settings in Group Policy and then wait for Group Policy to be
refreshed. If you don’t do this and you enable BitLocker, you might
need to turn BitLocker off and then turn BitLocker back on because
certain state and management flags are set when you turn on BitLocker.
If you dual-boot a computer or move drives between computers, the Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows setting in Group Policy can ensure that you have access to the volume on other operating systems and computers. Drives unlocked in this way are read-only. To ensure that you can recover an encrypted volume, you should allow data-recovery agents and store recovery information in Active Directory.
To enable BitLocker encryption on a nonsystem volume, follow these steps:
- In File Explorer, press and hold or right-click the data volume, and then tap or click Turn On BitLocker. BitLocker then verifies that your computer meets its requirements and then initializes the drive.
Note
If BitLocker is already enabled, the Manage BitLocker option is displayed instead of Turn On BitLocker.
- On the Choose How You Want To Unlock This Drive page, shown in Figure 1, choose one or more of the following options, and then tap or click Next:
  - Use A Password To Unlock The Drive. Select this option if you want the user to be prompted for a password to unlock the drive. Passwords allow a drive to be unlocked in any location and to be shared with other people.
  - Use My Smart Card To Unlock The Drive. Select this option if you want the user to use a smart card and enter the smart card PIN to unlock the drive. Because this feature requires a smart card reader, it is normally used to unlock a drive in the workplace and not for drives that might be used outside the workplace.
Note
When you tap or click Next, the wizard generates a recovery key. You can use the key to unlock the drive if BitLocker detects a condition that prevents it from unlocking the drive during boot. Note that you should save the key on removable media or on a network share. You can’t store the key on the encrypted volume or the root directory of a fixed drive.
- On the How Do You Want To Back Up Your Recovery Key? page, choose a save location for the recovery key, preferably a USB flash drive or other removable media.
- You can now optionally save the recovery key to another folder, print the recovery key, or both. For each option, tap or click the option, and then follow the wizard’s steps to set the location for saving or printing the recovery key. When you have finished, tap or click Next.
- If allowed in Group Policy, you can elect to encrypt used disk space only or the entire drive, and then tap or click Next. Encrypting the used disk space only is faster than encrypting an entire volume. It is also the recommended option for newer computers and drives (except in high-security environments).
- On the Are You Ready To Encrypt This Drive? page, tap or click Start Encrypting. How long the encryption process takes depends on the amount of data being encrypted and other factors.
As the encryption process can be paused and resumed, you
can shut down the computer before the drive is completely encrypted and
the encryption of the drive will resume when you restart the computer.
The encryption state is maintained in the event of a power loss as well.
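The same sequence the wizard walks through for a nonsystem volume can be scripted, which is how it is usually done across a fleet. The script below is an added example, not from the book: it applies a password protector, adds the recovery password that the wizard would generate, refuses to save that recovery password on the volume being encrypted (the rule the Note above states), writes it to removable media, optionally escrows it in Active Directory so that administrators rather than users hold the recovery data, encrypts used space only, and reports progress. It uses the Enable-BitLocker, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector and Get-BitLockerVolume cmdlets; the drive letters D: and E: and the folder name are placeholders, and the script assumes Group Policy already allows password protectors on fixed data drives.

```powershell
# Added example (not from the book): turn on BitLocker for a fixed data volume from
# PowerShell, following the same sequence as the wizard: a password protector, a
# recovery password saved on removable media (never on the drive being encrypted),
# optional escrow in Active Directory, used-space-only encryption, and a progress check.
# Assumptions: Windows 8 / Server 2012 or later with the BitLocker module; the drive
# letters are placeholders (D: = data volume, E: = removable drive); Group Policy
# already allows password protectors on fixed data drives. Run elevated.
$ErrorActionPreference = 'Stop'

function Assert-SafeBackupFolder {
    # The wizard refuses the encrypted volume itself as a save location; enforce the
    # same rule here and warn when a local folder is not on removable media.
    param([string]$Folder, [string]$MountPoint)
    $root = [System.IO.Path]::GetPathRoot($Folder)      # e.g. 'E:\' or '\\server\share'
    if ($root.TrimEnd('\') -eq $MountPoint.TrimEnd('\')) {
        throw "The recovery key must not be saved on the volume being encrypted ($MountPoint)."
    }
    if ($root -match '^[A-Za-z]:') {                    # network shares are acceptable as-is
        $vol = Get-Volume -DriveLetter $root.Substring(0, 1)
        if ($vol.DriveType -ne 'Removable') {
            Write-Warning "$root is not removable media; do not use the root directory of a fixed drive."
        }
    }
}

function Enable-DataVolumeBitLocker {
    param(
        [string]$MountPoint   = 'D:',
        [string]$BackupFolder = 'E:\BitLockerRecovery',
        [switch]$BackupToAD
    )
    Assert-SafeBackupFolder -Folder $BackupFolder -MountPoint $MountPoint

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); use Manage BitLocker instead."
        return $vol
    }

    # "Use A Password To Unlock The Drive": prompt so the password never sits in a script.
    $password = Read-Host -AsSecureString -Prompt "Password that will unlock $MountPoint"

    # Turn on BitLocker (used space only, the recommended choice outside high-security
    # environments) and add the recovery password the wizard would generate.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password -UsedSpaceOnly | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
          Select-Object -First 1

    # "How Do You Want To Back Up Your Recovery Key?": write it to the removable drive.
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    $file = Join-Path $BackupFolder ("BitLocker Recovery Key {0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
    @(
        'BitLocker Drive Encryption recovery key'
        "Identifier: $($rp.KeyProtectorId)"
        "Recovery Key: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $file

    # Keep recovery data with administrators, not users: escrow it in AD DS as well when asked.
    if ($BackupToAD) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Get-EncryptionProgress {
    # Encryption continues across shutdowns; poll this until Status is FullyEncrypted.
    param([string]$MountPoint = 'D:')
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        Volume     = $MountPoint
        Status     = $v.VolumeStatus
        Percent    = $v.EncryptionPercentage
        Protection = $v.ProtectionStatus
    }
}

Enable-DataVolumeBitLocker -MountPoint 'D:' -BackupFolder 'E:\BitLockerRecovery' | Out-Null
Get-EncryptionProgress -MountPoint 'D:'
```

Get-EncryptionProgress can be rerun after a restart to confirm that encryption resumed where it left off; ProtectionStatus switches to On only once the protectors are active, so a drive that reports FullyEncrypted but Protection Off still needs attention.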