Bitlocker - encrypts and decrypts hard drives. Disabling Bitlocker - an encryptor in Windows

No one is at all surprised by the fact that purely personal information or corporate data of high value can be stored on a personal computer. It is undesirable if such information falls into the hands of third parties who can use it, causing serious problems for the former owner of the PC.

Depending on the circumstances, Bitlocker can be activated or deactivated.

It is for this reason that many users express a desire to take some action aimed at limiting access to all files stored on the computer. Such a procedure actually exists. Having performed certain manipulations, no outsider, without knowing the password or the key to recovering it, will be able to gain access to the documents.

You can protect important information from being accessed by third parties by encrypting your drive with Bitlocker. Such actions help ensure complete confidentiality of documents not only on a specific PC, but also in the case when someone removes the hard drive and inserts it into another personal computer.

Algorithm for enabling and disabling the function

Bitlocker disk encryption works on Windows 7, 8 and 10, but not in all editions. It is assumed that the motherboard of the computer on which the user wants to perform encryption has a TPM module.

ADVICE. Don't be upset if you know for sure that there is no such special module on your motherboard. There are some tricks that allow you to “ignore” such a requirement and, accordingly, install without such a module.

Before you begin the process of encrypting all files, it is important to note that this procedure is quite lengthy. It is difficult to give an exact amount of time in advance. It all depends on how much information is on the hard drive. During the encryption process, Windows 10 will continue to work, but it is unlikely to be able to please you with its performance, since the performance indicator will be significantly reduced.

Enabling the feature

If Windows 10 is installed on your computer and you want to enable data encryption, follow our tips so that the process goes smoothly. First, find the “Win” key on your keyboard (it is sometimes marked with the Windows icon), hold it down, and press the “R” key at the same time. Pressing these two keys together opens the Run window.

In the window that opens, you will find an empty line in which you will need to enter “gpedit.msc”. After clicking the “Ok” button, a new “Local Group Policy Editor” window will open. In this window we have a short way to go.

On the left side of the window, find and immediately click on the line “Computer Configuration”, in the submenu that opens, find “Administrative Templates”, and then in the next submenu that opens, go to the option located first in the list and called “Windows Components”.

Now move your gaze to the right side of the window, find “Bitlocker Disk Encryption” in it, and double-click to activate it. Now a new list will open, in which your next goal should be the line “Operating system disks”. Click on this line as well, you just have to make one more transition to get closer to the window where Bitlocker will be directly configured, allowing you to turn it on, which is exactly what you want.

Find the line “This policy setting allows you to configure the requirement for additional authentication at startup,” double-click to expand this setting. In the open window you will find the desired word “Enable”, next to which you will find a checkbox, in it you need to put a specific mark in the form of a tick of your consent.

Just below in this window there is a subsection “Platforms”, in it you need to check the checkbox next to the offer to use BitLocker without a special module. This is very important, especially if your Windows 10 does not have a TPM.

The configuration of the desired function is completed in this window, so you can close it. Now move the mouse cursor over the “Windows” icon, just right-click on it, which will allow an additional submenu to appear. In it you will find the line “Control Panel”, go to it, and then to the next line “Bitlocker disk encryption”.

Be sure to indicate where you want the encryption to occur. This can be done on both hard and removable drives. After selecting the desired object, click on the “Enable Bitlocker” button.

Now Windows 10 will start an automatic process, occasionally attracting your attention, prompting you to specify your desires. Of course, it is best to make a backup before undertaking such a process. Otherwise, if the password and its key are lost, even the PC owner will not be able to recover the information.

Next, the process of preparing the disk for subsequent encryption will begin. While this process is running, you are not allowed to turn off the computer, as this action can cause serious harm to the operating system. After such a failure, you simply will not be able to start your Windows 10, therefore, instead of encryption, you will have to install a new operating system, wasting extra time.

As soon as the disk preparation is successfully completed, the actual setting up of the disk for encryption begins. You will be prompted to enter a password, which will provide later access to the encrypted files. You will also be asked to create and enter a recovery key. Both of these important components are best kept in a safe place, preferably printed. It is very stupid to store the password and recovery key on the PC itself.

During the encryption process, the system may ask you which part specifically you want to encrypt. It is best to subject the entire disk space to this procedure, although there is an option to encrypt only the occupied space.

All that remains is to select an option such as “New encryption mode”, and then run the automatic BitLocker system check. Next, the system will safely continue the process, after which you will be prompted to restart your PC. Of course, fulfill this requirement and reboot.

After the next launch of Windows 10, you will be convinced that access to documents without entering a password will be impossible. The encryption process will continue, you can control it by clicking on the BitLocker icon located in the notification panel.
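The same procedure from an elevated PowerShell prompt, as an added example that is not part of the original article. The drive letters `C:` and `E:\` and the choice of `XtsAes256` are assumptions; the cmdlets belong to the BitLocker module built into the Windows 10 editions that support BitLocker.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Assumed values are marked as such.
$MountPoint  = 'C:'     # assumption: operating system drive to encrypt
$RecoveryDir = 'E:\'    # assumption: removable drive that will hold the recovery key copy

# Never store the recovery key on the drive it is supposed to recover.
if ((Split-Path -Path $RecoveryDir -Qualifier) -eq $MountPoint) {
    throw "Recovery key location $RecoveryDir is on the drive being encrypted."
}
if (-not (Test-Path -Path $RecoveryDir)) {
    throw "Recovery key location $RecoveryDir was not found."
}

# Only start from a fully decrypted volume; anything else needs a manual look.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is in state $($vol.VolumeStatus); nothing to enable."
}

# TPM check: without a TPM, BitLocker on the OS drive needs the policy below.
$hasTpm = $false
try {
    $tpm    = Get-Tpm
    $hasTpm = $tpm.TpmPresent -and $tpm.TpmReady
} catch {
    $hasTpm = $false
}

# The gpedit.msc setting for additional authentication at startup, with the
# "allow BitLocker without a compatible TPM" box ticked, is stored in these values.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$noTpmAllowed = ($null -ne $fve) -and ($fve.UseAdvancedStartup -eq 1) -and ($fve.EnableBDEWithNoTPM -eq 1)
if (-not $hasTpm -and -not $noTpmAllowed) {
    throw 'No usable TPM, and the policy that allows BitLocker without a TPM is not enabled.'
}

# Create the recovery password first and write it to the external drive,
# so a copy exists before any data is encrypted.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -WarningAction SilentlyContinue
$rp  = $vol.KeyProtector |
       Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
       Select-Object -Last 1
$keyFile = Join-Path -Path $RecoveryDir -ChildPath ("BitLocker-recovery-{0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
Set-Content -Path $keyFile -Value @(
    "Drive: $MountPoint"
    "Protector ID: $($rp.KeyProtectorId)"
    "Recovery password: $($rp.RecoveryPassword)"
)

# Encrypt the whole disk (no -UsedSpaceOnly) with the newer XTS-AES mode.
$common = @{ MountPoint = $MountPoint; EncryptionMethod = 'XtsAes256' }
if ($hasTpm) {
    Enable-BitLocker @common -TpmProtector
} else {
    $pw = Read-Host -Prompt 'Startup password' -AsSecureString
    Enable-BitLocker @common -PasswordProtector -Password $pw
}

# Progress report; run this line again after the reboot to follow the encryption.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Encryption of the operating system drive starts only after the restart that the system check asks for.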

Disabling the feature

If for some reason the files on your computer are no longer of high importance, and you don’t really like entering a password every time to access them, then we suggest that you simply disable the encryption function.

To perform such actions, go to the notification panel, find the BitLocker icon there, and click on it. At the bottom of the open window you will find the line “Manage BitLocker”, click on it.

Now the system will prompt you to choose which action is preferable for you:

  • archive the recovery key;
  • change the password for accessing encrypted files;
  • remove a previously set password;
  • disable BitLocker.

Of course, if you decide to disable BitLocker, you should choose the last option offered. A new window will immediately appear on the screen, in which the system will want to make sure that you really want to disable the encryption function.

ATTENTION. As soon as you click on the “Disable BitLocker” button, the decryption process will begin immediately. Unfortunately, this process is not characterized by high speed, so you will definitely have to prepare yourself for some time, during which you will simply have to wait.

Of course, if you need to use a computer at this moment, you can afford it; there is no categorical prohibition on this. However, you should prepare yourself for the fact that PC performance at this moment may be extremely low. It’s not difficult to understand the reason for this slowness, because the operating system has to unlock a huge amount of information.

So, if you want to encrypt or decrypt files on your computer, you just need to read our recommendations, then without haste carry out each step of the indicated algorithm, and upon completion, rejoice at the result achieved.

Many users with the release of the Windows 7 operating system were faced with the fact that an incomprehensible BitLocker service appeared in it. Many people can only guess what BitLocker is. Let's clarify the situation with specific examples. We will also consider questions that relate to whether it is advisable to activate this component or disable it completely.

BitLocker Service: What is it for?

If you look carefully, you can conclude that BitLocker is a fully automated, universal means of encrypting data stored on your hard drive. What is BitLocker on a hard drive? This is a regular service that, without user intervention, allows you to protect folders and files by encrypting them and creating a special text key that provides access to documents. At the moment when the user works under his account, he does not even realize that the data is encrypted. All information is displayed in a readable form and access to folders and files is not blocked for the user. In other words, such a security measure is designed only for those situations in which unauthorized access to the computer terminal is achieved due to an attempt to intervene from the outside.

Cryptography and password issues

If we talk about what BitLocker is like in Windows 7 or in higher-ranking systems, it is necessary to note this unpleasant fact: if they lose their login password, many users will not only be unable to log into the system, but will also be unable to perform some actions to view documents that were previously available for moving, copying, and so on. But the problems don't end there. If you properly understand the question of what BitLocker Windows 8 and 10 is, then there are no significant differences. The only thing that can be noted is more advanced cryptography technology. The problem here is different. The thing is that the service itself is capable of operating in two modes, storing decryption keys either on the hard drive or on a removable USB drive. This suggests a completely logical conclusion: the user, if he has a saved key on the hard drive, without any problems gets access to all the information that is stored on it. When the key is stored on a flash drive, the problem is much more serious. In principle, you can see an encrypted disk or partition, but you won’t be able to read the information. In addition, if we talk about what BitLocker is in Windows 10 and systems of earlier versions, it is necessary to note the fact that the service is integrated into context menus of any type, which are called by right-clicking the mouse. This is simply annoying for many users. Let’s not get ahead of ourselves and consider all the main aspects that are related to the operation of this component, as well as the advisability of its deactivation and use.

Method of encrypting removable media and disks

The strangest thing is that on various systems and their modifications, by default the Windows 10 BitLocker service can be in either active or passive mode. In Windows 7 it is enabled by default, in Windows 8 and Windows 10 it sometimes requires manual activation. As for encryption, nothing new has been invented here. Typically, the same public key-based AES technology is used, which is most often used in corporate networks. Therefore, if your computer terminal with the appropriate operating system is connected to the local network, you can be completely sure that the security and information protection policy used involves the activation of this service. Even if you have administrator rights, you will not be able to change anything.

Enabling the Windows 10 BitLocker service if it has been deactivated

Before you begin to resolve the issue related to BitLocker Windows 10, you need to consider the process of enabling and configuring it. The deactivation steps will need to be carried out in reverse order. Enabling encryption in the simplest way is done from the “Control Panel” by selecting the disk encryption section. This method can only be used if the key should not be saved to removable media. If a non-removable drive is locked, then you will have to answer another question about the Windows 10 BitLocker service: how to disable this component? This is done quite simply. Provided that the key is on removable media, to decrypt disks and disk partitions you need to insert it into the appropriate port, and then go to the security system section of the Control Panel. After this, we find the BitLocker encryption item, and then consider the media and drives on which the protection is installed. Below there will be a hyperlink designed to disable encryption. You need to click on it. If the key is recognized, the decryption process will be activated. All you have to do is wait for it to complete.

Configuring encryption components: problems

As for the setup issue, it won’t be without a headache. First of all, it is worth noting that the system offers to reserve at least 1.5 GB for your needs. Secondly, you need to adjust the permissions of the NTFS file system, for example, reduce the volume size. To avoid doing such things, you should immediately disable this component, since most users do not need it. Even those who have this service enabled by default in their settings do not always know what to do with it, or whether it is needed at all. And in vain... On a local computer, you can protect data with its help even in the complete absence of anti-virus software.

How to disable BitLocker: getting started

First of all, you need to use the previously specified item in the “Control Panel”. The names of the service disabling fields may change depending on the system modification. The selected drive can be set to suspend protection or indicate to disable the BitLocker service. But that's not the point. Particular attention should be paid to the fact that it is necessary to completely disable updating the BIOS and system boot files. Otherwise, the decryption process may take quite a long time.

Context menu

This is one side of the BitLocker coin. What this service is should already be clear. The flip side is to isolate additional menus from containing links to a given service. To do this, you need to take another look at BitLocker. How to remove all links to a service from the context menu? Yes, it’s very simple... When you select the desired file in Explorer, use the service and editing section of the context menu, go to the settings, and after that use the command settings and organize them. Next, you need to specify the value of “Control Panel” and find the one you need in the list of corresponding panel elements and commands and delete it. Then in the registry editor you need to go to the HKCR branch and find the ROOT Directory Shell section, expand it and delete the desired element by pressing the Del key or using the delete command from the right-click menu. That's the last thing about BitLocker. How to disable it should already be clear to you. But don’t delude yourself ahead of time. This service will still be running in the background whether you want it to or not.

Conclusion

It should be added that this is not all that can be said about the BitLocker encryption system component. We have already figured out what BitLocker is. You also learned how to disable and remove menu commands. The question is: is it worth disabling BitLocker? Here we can give one piece of advice: in a corporate network you should not deactivate this component at all. But if we are talking about a home computer terminal, then why not.

computerology.ru

BitLocker: what is it and how to unlock it?

With the release of the Windows 7 operating system, many users were faced with the fact that a somewhat incomprehensible BitLocker service appeared in it. What BitLocker is, many can only guess. Let's try to clarify the situation with specific examples. Along the way, we will consider questions regarding how appropriate it is to activate this component or disable it completely.

BitLocker: what is BitLocker, why is this service needed

If you look at it, BitLocker is a universal and fully automated means of encrypting data stored on a hard drive. What is BitLocker on a hard drive? Yes, just a service that protects files and folders without user intervention by encrypting them and creating a special text key that provides access to documents.

When a user works in the system under his own account, he may not even realize that the data is encrypted, because the information is displayed in readable form, and access to files and folders is not blocked. In other words, such a protection tool is designed only for those situations when unauthorized access is made to the computer terminal, for example, when attempting to intervene from the outside (Internet attack).

Passwords and cryptography issues

However, if we talk about what BitLocker is in Windows 7 or systems of a higher rank, it is worth noting the unpleasant fact that if they lose their login password, many users not only cannot log into the system, but also cannot perform some actions to view documents that were previously available for copying, moving, etc.

But that's not all. If you look at the question of what BitLocker Windows 8 or 10 is, then there are no significant differences, except that they have more advanced cryptography technology. The problem here is clearly different. The fact is that the service itself is capable of operating in two modes, storing decryption keys either on a hard drive or on a removable USB drive.

This suggests the simplest conclusion: if the key is saved on the hard drive, the user gets access to all the information stored on it without problems. But when the key is saved on a flash drive, the problem is much more serious. In principle, you can see an encrypted disk or partition, but you can’t read the information.

In addition, if we talk about what BitLocker is in Windows 10 or earlier systems, we cannot help but note the fact that the service is integrated into any type of right-click context menu, which is simply annoying for many users. But let’s not get ahead of ourselves, but consider all the main aspects related to the operation of this component and the advisability of its use or deactivation.

Method of encrypting disks and removable media

The strangest thing is that on different systems and their modifications, the BitLocker service can be in both active and passive mode by default. In the "seven" it is enabled by default; in the eighth and tenth versions, manual activation is sometimes required.

As for encryption, nothing particularly new has been invented here. As a rule, the same public key-based AES technology is used, which is most often used in corporate networks. Therefore, if your computer terminal with the appropriate operating system on board is connected to the local network, you can be sure that the applicable security and data protection policy implies the activation of this service. Without administrator rights (even if you start changing settings as an administrator), you will not be able to change anything.

Enable BitLocker if the service is disabled

Before addressing the issue related to BitLocker (how to disable the service, how to remove its commands from the context menu), let’s look at enabling and configuring, especially since the deactivation steps will need to be done in reverse order.

Enabling encryption in the simplest way is done from the “Control Panel” by selecting the disk encryption section. This method is applicable only if the key should not be saved to removable media.

If the locked device is a non-removable drive, you will have to find the answer to another question about the BitLocker service: how to disable this component on a flash drive? This is done quite simply.

Provided that the key is located on removable media, to decrypt disks and disk partitions, you first need to insert it into the appropriate port (connector), and then go to the security system section of the Control Panel. After that, we find the BitLocker encryption item, and then look at the drives and media on which the protection is installed. At the very bottom you will see a hyperlink to disable encryption, which you need to click on. If the key is recognized, the decryption process is activated. All that remains is to wait for its completion.

Problems configuring encryption components

As for the setup, you can’t do without a headache. Firstly, the system offers to reserve at least 1.5 GB for your needs. Secondly, you need to adjust the permissions of the NTFS file system, reduce the volume size, etc. To avoid doing such things, it is better to immediately disable this component, because most users simply do not need it. Even all those who have this service enabled in their default settings also do not always know what to do with it, or whether it is needed at all. But in vain. You can use it to protect data on your local computer even if you don’t have anti-virus software.

BitLocker: how to disable. First stage

Again, use the previously specified item in the “Control Panel”. Depending on the system modification, the names of the service disabling fields may change. The selected drive may have a line to suspend protection or a direct indication to disable BitLocker.

That's not the point. Here it is worth paying attention to the fact that you will need to completely disable updating the BIOS and boot files of the computer system. Otherwise, the decryption process may take quite a long time.

Context menu

This is just one side of the BitLocker coin. What BitLocker is is probably already clear. But the flip side is to isolate additional menus from the presence of links to this service in them.

To do this, let's look again at BitLocker. How to remove all links to a service from the context menu? Elementary! In Explorer, when you select the desired file or folder, use the service section and edit the corresponding context menu, go to the settings, then use the command settings and organize them.

After this, in the registry editor, enter the HKCR branch, where we find the ROOTDirectoryShell section, expand it and delete the desired element by pressing the Del key or the delete command from the right-click menu. Actually, that's the last thing about the BitLocker component. How to disable it, I think, is already clear. But don't delude yourself. All the same, this service will work in the background (just in case), whether you want it or not.

Instead of an afterword

It remains to add that this is not all that can be said about the BitLocker encryption system component. We have figured out what BitLocker is, as well as how to disable it and delete its menu commands. The question is: should you disable BitLocker? Here we can give only one piece of advice: in a corporate local network, you should not deactivate this component at all. But if it's a home computer terminal, why not?

fb.ru

Bitlocker encryption of flash drives and disks in Windows 10

Many of us often carry important, valuable information on external devices. These could be ssd drives or other external drives for storing data. The most popular is probably a regular flash drive, on which a person most often transfers the necessary information. But what to do if you lost your flash drive? Or a portable external ssd drive? Answer: encrypt your external devices and put a password on the flash drive so that if you find it, no one can use your information. There are a lot of third-party software for protecting flash drives, but why is it needed if the program that is installed can be deleted over time due to negligence. In this article, we’ll look at how to protect your devices using the built-in Windows 10 tool.

Note: We will use BitLocker, which is present in the Pro or Enterprise versions of Windows 10.

What is BitLocker?

BitLocker is an encryption feature for removable media, including USB flash drives, SD cards and external hard drives. BitLocker supports NTFS, FAT32, exFAT file systems. A drive formatted with any of these file systems can be protected using BitLocker. Unlike EFS encryption, which is designed to encrypt folders and files, BitLocker cannot work with files; it is intended for removable media.

How to put a password on a flash drive and disks in Windows 10

  • Connect a USB flash drive or external hard drive to Windows 10.
  • Right-click on the drive you want to protect and click Enable BitLocker.
  • Check the Use password to unlock the disk checkbox.
  • Create your own password to protect your data.
  • When asked how to archive the key, select Save file.
  • Save the file in a location convenient for you; you will need it to unlock the flash drive if you have forgotten the password.
  • I recommend Encrypting the entire disk.
  • Select the encryption mode Compatibility Mode.
  • Wait for the process to complete.

Access to password protected data

  • Insert your encrypted device into the USB port of your computer and open it.
  • Enter your password that you created at the beginning of encryption.
  • If you forgot your flash drive password, click Advanced options and enter the recovery code that you saved to your computer.

Disable BitLocker and remove password from flash drive

To remove the assigned password and make the flash drive normal again, you need to disable Bitlocker. To do this, insert your USB device into the computer and enter your unlock password.

  • Once unlocked, right-click on the flash drive and select Manage BitLocker.
  • Find the device you want to remove the password from and click Turn Off BitLocker at the bottom.

mywebpc.ru

How to encrypt a disk or flash drive with secret data using Bitlocker

Hi all! Protecting personal data from unauthorized access is an important point for PC users. This is especially true for office computers where commercial or any other information is stored that should be hidden from unauthorized viewing. Today I will cover the topic “Bitlocker Drive Encryption in Windows 10”. This material will help secure data not only on the hard drive, but also on removable media, using standard “tens” tools.

The BitLocker utility first appeared in Windows 7 (extended version), then was implemented in subsequent OS releases. Available only in professional and corporate editions. Simplified Device Encryption setup is provided for home users.

The essence of encryption

What it is? The process involves using a special algorithm to convert data into a special format that can only be read by the owner. Even if someone tries to open protected files, a bunch of meaningless letters and numbers will be displayed.

Enabling BitLocker

Interested in how to enable encoding? Detailed instructions follow.

  1. In Control Panel, go to the “System and Security” section and select the “Disk Encryption” tab.
  2. Second way. Right-click on the desired drive, file or folder. Select the context menu item “Turn on BitLocker”. If this option is not in the list, then you are using an unsupported version of the operating system. We do the same for encrypting a flash drive.
  3. A window will open that allows you to select one of two options: “Hard Drives” and “BitLocker To Go”.

The first method is suitable for total HDD encryption. In this case, when loading the PC you will need to specify the password you set. Only after this the decoder will do its job and the system will start.

The second method is suitable for external drives. When such a flash drive is connected to a PC, you can open the contents of the disk after entering the password.

  • If the TPM module is not installed on the computer (this is a chip on the chipset that is capable of storing encryption keys; it increases the level of security, because even if the disk is stolen the data will remain closed), you will receive an error window. It will ask you to allow BitLocker without a TPM enabled.

  • To disable the TPM requirement, and I think few people have it, we will use the gpedit.msc utility (launched via Win + R) to change group policies. Let's go through the folder tree:
“Computer Configuration” - “Administrative Templates” - “Windows Components” - “BitLocker” - “OS Disks”.
  • On the right side of the window, find the item “Require authentication...” and change the status to “On.” Also, we allow the use of encryption without TPM by checking the appropriate box.

Have questions? Or is everything extremely simple? If difficulties arise (after all, even the most universal instructions may not work in specific cases), then ask questions through the comment form after the article.

Methods for unlocking

After you have successfully completed all the steps of the previous instructions, you will need to select a method by which you can unlock the disk. The most common option is to set a password. But you can create a special external media on which the decryption keys will be stored. If there is a TPM chip on the motherboard, the choice of options will expand significantly. For example, it would be realistic to specify automatic decryption during PC startup, or set a PIN for decryption and an additional code on disks.

Choose the method you like the most from among all available ones.

Backup key

What do you think will happen if you forget your password or lose the media with the master key? Or install the HDD in another PC (with a different TPM)? How to restore access in such a situation? Windows 10 provides the ability to save the backup key (to a disk, flash drive) or print it out. It is important to ensure that the copy is stored securely so that no one can get to it. Otherwise, all efforts to ensure protection will be reduced to zero.

Attention! If you lose all the keys, you will lose your data forever! More precisely, you will not be able to decipher them! It is simply impossible to disable such protection.
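One way to catch this situation before it happens, as an added PowerShell example that is not part of the original article: list every volume and flag encrypted ones that have no recovery protector or whose protection is not active. The function name `Get-BitLockerRecoveryAudit` is hypothetical; `Get-BitLockerVolume` is the built-in cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): report volumes that would be
# unrecoverable if the password, USB key or TPM were lost.
function Get-BitLockerRecoveryAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Protector types present on this volume, e.g. Tpm, Password, RecoveryPassword.
        $types = @($vol.KeyProtector |
                   Where-Object { $_ } |
                   ForEach-Object { "$($_.KeyProtectorType)" })

        $findings = @()
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $findings += 'not encrypted'
        } else {
            # A numerical recovery password or an external key file is the only
            # way back in once the everyday unlock method is gone.
            if (($types -notcontains 'RecoveryPassword') -and ($types -notcontains 'ExternalKey')) {
                $findings += 'no recovery protector'
            }
            # Off on an encrypted volume means suspended protection or an
            # encryption/decryption run that has not finished yet.
            if ($vol.ProtectionStatus -ne 'On') {
                $findings += 'protection not active (suspended or conversion unfinished)'
            }
            if ($vol.VolumeStatus -like '*InProgress') {
                $findings += "conversion at $($vol.EncryptionPercentage)%"
            }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Status     = $vol.VolumeStatus
            Protectors = $types -join ', '
            Findings   = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# Show only the volumes that need attention.
Get-BitLockerRecoveryAudit | Where-Object { $_.Findings -ne 'ok' } | Format-Table -AutoSize -Wrap
```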

The BitLocker utility works offline and encrypts newly added (created) files and folders on drives. In this case, there are two possible paths you can take.

  1. Encrypt the entire disk, including free space (unused). Reliable but slow method. Suitable for cases when you need to hide all information (even about files that were deleted long ago and can be restored).
  2. Protect only used space (occupied partitions). This is a faster method that I recommend choosing in most situations.

After this step, the analysis of the system will begin. The computer will reboot and the encryption process will begin. You can hover over the icon in the notification area to monitor your progress. It should be noted that there is a slight drop in performance due to RAM consumption.

The subsequent startup of the PC will be accompanied by the appearance of a PIN code entry window or a prompt to insert a USB drive with keys. It all depends on the method you choose.

If you need to resort to using a backup key, you should press Esc on your keyboard and follow the requirements of the recovery wizard.

Using BitLocker To Go

The initial setup of the utility for encrypting external drives is the same as the instructions above. But you won't need to restart your PC.

Important point! The drive must not be removed until the process is complete, otherwise the results may be unexpected.

As soon as you connect the “protected” flash drive to the laptop, a password entry window will appear.

Change BitLocker settings

It would be counterintuitive if users couldn't change passwords and other settings. Want to know how to remove protection? This is done simply. Right-click on the desired drive and select “Manage BitLocker”.

On the right there will be a list of possibilities. The very last item “Turn off...” is responsible for turning off encryption.

Personal experience of use

I always have a flash drive encrypted with Bitlocker with me, since I store passwords, photos and work data on it. On one of my business trips, I lost my flash drive, but I wasn’t upset at all, because I understood that all the data was encrypted and the person who found it would not be able to use it. For those who are concerned about safety, this is the most optimal solution.

So we figured out this difficult but important topic. Finally, I would like to note that the use of such protection increases the load on the processor and consumes RAM resources. But these are minor sacrifices compared to the loss of unprotected information due to theft and unauthorized access. Do you agree?

Sincerely, Victor

it-tehnik.ru

BitLocker. Questions and answers

Applies to: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8

This section, intended for IT professionals, answers frequently asked questions regarding usage, upgrade, deployment, and administration requirements, and key management policies for BitLocker.

BitLocker working with operating system drives

BitLocker can be used to eliminate the risk of unauthorized data access on lost or stolen computers by encrypting all user and system files on the operating system drive, including page files and hibernation files, and by verifying the integrity of early boot components and boot configuration data.

BitLocker works with removable and fixed drives

BitLocker can be used to encrypt the entire contents of a data drive. Using Group Policy, you can require BitLocker to be enabled on a drive before data can be written to the drive. BitLocker allows you to configure different unlocking methods for data drives, and the data drive supports multiple unlocking methods.

Yes, BitLocker supports multi-factor authentication for operating system drives. If you enable BitLocker on a computer that has TPM 1.2 or 2.0 installed, you can use additional forms of authentication that are based on that module.

To use all BitLocker features, your computer must meet the hardware and software requirements listed in the Drive configurations supported by BitLocker section in the BitLocker Drive Encryption technical overview.

Having two partitions is required for BitLocker to work because pre-startup authentication and system integrity verification must be performed on a separate partition that is not the same as the encrypted operating system drive. This configuration helps protect the operating system and data on the encrypted drive.

BitLocker supports the TPM versions listed in the Requirements section of the BitLocker Drive Encryption technical overview.

For information about how to do this, see Finding TPM driver information.


Yes, you can enable BitLocker on an operating system drive that does not have a TPM 1.2 or 2.0 if the BIOS or UEFI firmware supports reading from the USB flash drive during boot. This is possible because BitLocker does not unlock the protected drive until it obtains the BitLocker volume master key from the TPM on the computer or from a USB flash drive that contains the BitLocker startup key for that computer. However, computers without a TPM will not be able to perform the system integrity check that BitLocker supports.

To verify that the USB device can be read during the boot process, use the BitLocker system test during BitLocker installation. This scan runs tests to ensure that USB devices can be read at the correct time and that the computer meets other BitLocker requirements.

For information about how to enable BitLocker on a computer without a TPM, see BitLocker: How to Enable BitLocker.

For more information about the required Windows operating systems and TPM versions, see the Requirements section in the BitLocker Drive Encryption technical overview.

Ask your computer manufacturer for BIOS or UEFI firmware that meets TCG standards and meets the following requirements.

    It has passed logo certification, where applicable, and is compatible with the versions listed in the Applies to list at the beginning of this section.

    Compliance with TCG standards for the client computer.

    A secure update mechanism that prevents malicious BIOS firmware or boot software from being installed on your computer.

Enabling, disabling, and changing BitLocker configuration on operating system drives and fixed data drives requires membership in the local Administrators group. Regular users can enable, disable, and reconfigure BitLocker on removable data drives.

For more information, see Requirements in the BitLocker Drive Encryption technical overview.

You must configure your computer's startup settings so that the hard drive comes first in the boot order, before all other drives, such as CDs/DVDs or USB drives. If the hard drive is not first and you normally boot from the hard drive, a change in boot order may be detected or assumed when removable media is found during boot. Boot order typically affects the system measurement that BitLocker verifies, and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a docked laptop, make sure the hard drive comes first in the boot order both when docked and undocked.

For more information, see BitLocker Architecture in the BitLocker Drive Encryption technical overview.

Yes. To upgrade from Windows 7 to Windows 8 or Windows 8.1 without decrypting the operating system drive, open BitLocker Drive Encryption in Control Panel in Windows 7, click Manage BitLocker, and then click Suspend. Pausing protection does not decrypt the drive, but rather disables the authentication mechanisms used by BitLocker and uses an unprotected key to access the drive. Continue the upgrade process using the Windows 8 DVD or Windows 8.1 Upgrade. Once the update is complete, open File Explorer, right-click the drive, and select Resume Protection. BitLocker authentication methods are re-enabled and the unprotected key is removed.

The Decrypt command completely removes BitLocker protection and completely decrypts the drive.

Suspending leaves the data encrypted, but encrypts the BitLocker volume master key with an unprotected key. An unprotected key is a cryptographic key that is stored on disk without encryption or protection. Storing this key without encryption allows the Suspend command to make changes and upgrades to the computer without spending time and resources decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is re-enabled, BitLocker seals the encryption key with the new values of the components that changed during the upgrade, the volume master key is changed, the protectors are updated, and the unprotected key is deleted.

The following table lists the steps you must take before you perform an update or install updates.

| Update type | Action |
|---|---|
| Windows Anytime Upgrade | Decrypt |
| Upgrade from Windows 7 to Windows 8 | Suspend |
| Updating non-Microsoft software, such as: a firmware update provided by your computer manufacturer; a Trusted Platform Module firmware update; updates to non-Microsoft applications that change boot components | Suspend |
| Software and operating system updates from Microsoft Update | These updates do not require disk decryption or disabling or pausing BitLocker. |

Yes, BitLocker and TPM deployment and configuration can be automated using TPM tooling or Windows PowerShell scripts. The implementation of scripts depends on the environment. You can also use the BitLocker Manage-bde.exe command-line tool to configure BitLocker locally or remotely. For more information about writing scripts that use WMI BitLocker providers, see the MSDN article BitLocker Drive Encryption Provider. For more information about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see BitLocker Cmdlets in Windows PowerShell.

Yes. In Windows Vista, BitLocker only encrypted operating system drives. Windows Vista SP1 and Windows Server 2008 added support for encrypting fixed data drives. New features in Windows Server 2008 R2 and Windows 7 allow BitLocker to also encrypt removable data drives.

Typically the performance loss does not exceed ten percent.

Although BitLocker encryption occurs in the background while you continue to work and the system remains available, the encryption time depends on the drive type, size, and speed. It is wise to schedule encryption of very large disks at a time when they are not in use.

New features in Windows 8 and Windows Server 2012 allow you to choose whether BitLocker encrypts the entire drive or just the used space when you enable BitLocker. On a new hard drive, encrypting used space is noticeably faster than encrypting the entire drive. Once you select an encryption option, BitLocker automatically encrypts data when it is stored and ensures that no data is stored without encryption.

If your computer turns off or goes into hibernation mode, the BitLocker encryption and decryption process resumes where it left off the next time you start Windows. The same happens in the event of a power failure.

No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. Sectors encrypted on a drive that is protected by BitLocker are decrypted only when requested by system read operations. Blocks that are written to disk are encrypted before the system writes them to the physical disk. On a BitLocker-protected drive, data is never left unencrypted.

Controls introduced in Windows 8 allow you to enable Group Policy settings that will require BitLocker protection to be enabled on data drives before a BitLocker-protected computer can write data to those drives. For more information, see Prevent writing to removable drives that are not BitLocker-protected or Prevent writing to fixed drives that are not BitLocker-protected in the BitLocker Group Policy Settings article.

When these policy settings are enabled, a BitLocker-protected operating system will mount non-BitLocker-protected data drives in read-only mode.

For more information, including how to manage users who may accidentally save data to unencrypted drives when using a computer without BitLocker enabled, see BitLocker: How to prevent online users from saving data to an unencrypted drive.

The following types of system changes may cause an integrity check to fail. In this case, the TPM does not provide the BitLocker key to decrypt the protected operating system drive.

    Moving a BitLocker-protected drive to a new computer.

    Installing a new motherboard with a new TPM.

    Turning off, disabling, or clearing the TPM.

    Changing boot configuration settings.

    Changing the BIOS, UEFI firmware, master boot record (MBR), boot sector, boot manager, option ROM, other pre-boot components, or boot configuration data.

For more information, see How it works in the BitLocker Drive Encryption technical overview.

Because BitLocker is designed to protect your computer from numerous attacks, there are many reasons why BitLocker might start in recovery mode. For information about these reasons, see Recovery scenarios in the BitLocker Drive Encryption technical overview.

Yes, you can change hard drives on the same computer with BitLocker encryption enabled, as long as they have BitLocker protection enabled on the same computer. BitLocker keys are unique to the TPM and operating system drive. Therefore, to prepare a backup operating system disk or data disk in case of disk failure, you must ensure that they use the same TPM. You can also configure different hard drives for different operating systems, and then enable BitLocker on each drive with different authentication methods (for example, one drive has TPM only and another has TPM with PIN), and that will not lead to conflicts.

Yes, you can unlock your data drive using BitLocker Drive Encryption in Control Panel as usual (using a password or smart card). If the data disk is only configured to automatically unlock, you must use a recovery key. If you connect the operating system drive to another computer running a version of the operating system listed in the Applies to list at the beginning of this section, you can unlock the encrypted hard drive by using the data recovery agent (if configured) or using a recovery key.

Some drives may not support BitLocker encryption. For example, the disk size may be too small, the file system may be incompatible, the disk may be dynamic or designated as a system partition. By default, the system drive (or system partition) is not displayed in the Computer window. However, if the disk was not created as hidden during the custom installation of the operating system, then it can be displayed, but cannot be encrypted.

BitLocker protection is supported for any number of internal fixed drives. Some versions support direct-attached ATA and SATA storage devices. For details about supported drives, see Drive configurations supported by BitLocker in the BitLocker Drive Encryption technical overview.

BitLocker can create and use different keys. Some are mandatory and some are optional protectors that can be used depending on the level of security required.

For more information, see Understanding BitLocker in the BitLocker Drive Encryption technical overview.

You can save the recovery password or recovery key for your operating system disk or non-removable data disk in a folder, on one or more USB devices, save it to your Microsoft account, or print it.

The recovery password and recovery key for removable data drives can be saved to a folder, saved to your Microsoft account, or printed. By default, the recovery key for a removable drive cannot be stored on the removable drive.

A domain administrator can configure an optional Group Policy to automatically generate recovery passwords and store them in Domain Services for all BitLocker-protected drives.

For more information, see BitLocker: How to Store Passwords and Recovery Keys.

You can use the Manage-bde.exe command-line tool to change the TPM-only authentication mode to multi-factor authentication mode. For example, if BitLocker only has TPM authentication enabled, to add PIN authentication, enter the following commands from an elevated command prompt, supplying the numeric PIN you want to use:

manage-bde -protectors -delete %systemdrive% -type tpm

manage-bde -protectors -add %systemdrive% -tpmandpin

For more information, see Boot Sequence Authentication Modes in the BitLocker Drive Encryption Technical Overview.

BitLocker is designed so that an encrypted drive cannot be recovered without the required authentication. In recovery mode, the user needs a recovery password or recovery key to unlock the encrypted drive.

Storing both keys on the same USB flash drive is technically possible, but is not recommended. If the USB flash drive containing the startup key is lost or stolen, you will also lose access to the recovery key. In addition, inserting such a key causes the computer to automatically boot from the recovery key even if the files measured by the TPM have changed, so the system integrity check is not performed.

Yes, your computer's startup key can be stored on multiple USB flash drives. Right-click the BitLocker-protected drive and select Manage BitLocker to open options for copying recovery keys.

Yes, you can store BitLocker startup keys for different computers on a single USB flash drive.

You can use scripts to create different startup keys for the same computer, but for computers with a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.

It is not possible to create multiple PIN code combinations.

Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key, in turn, is encrypted using one of several possible methods depending on the type of authentication (key protectors or TPM) and recovery scenarios.

For more information about encryption keys, how they are used, and where they are stored, see What is BitLocker in the BitLocker Drive Encryption technical overview.

The full volume encryption key is encrypted with the volume master key and stored on the encrypted disk. The volume master key is encrypted with a suitable key protector and stored on the encrypted disk. If BitLocker protection is suspended, the unprotected key that encrypts the volume master key is also stored on the encrypted drive along with the encrypted volume master key.

This storage procedure ensures that the volume master key is never stored without encryption and is always protected unless BitLocker encryption is disabled. Keys are also stored in two additional disk locations for redundancy. The keys can be read and processed by the boot manager.

For more information, see How it works in the BitLocker Drive Encryption technical overview.
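The layering described above, sketched as an added example (this is not BitLocker's code or on-disk format). AES-CBC wrapping, PBKDF2 and the random "TPM" key are stand-ins chosen for the sketch, and every function and variable name is hypothetical; it needs PowerShell 7 or .NET Framework 4.7.2 or later.

```powershell
# Added illustration of the FVEK -> VMK -> protector layering described above.
# NOT BitLocker's on-disk format: AES-CBC wrapping and PBKDF2 are stand-ins,
# and every function and variable name here is hypothetical.
function New-RandomKey([int]$Bytes = 32) {
    $key = [byte[]]::new($Bytes)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($key) } finally { $rng.Dispose() }
    return ,$key
}

function Protect-Blob([byte[]]$Plain, [byte[]]$Key) {
    # Encrypt $Plain under $Key with a fresh random IV.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $Key
        $aes.GenerateIV()
        $data = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
        [pscustomobject]@{ IV = $aes.IV; Data = $data }
    } finally { $aes.Dispose() }
}

function Unprotect-Blob($Blob, [byte[]]$Key) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $Key
        $aes.IV  = $Blob.IV
        $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob.Data, 0, $Blob.Data.Length)
        return ,$plain
    } finally { $aes.Dispose() }
}

function ConvertTo-ProtectorKey([string]$Secret, [byte[]]$Salt) {
    # Stretch a user-supplied secret into a 256-bit wrapping key (PBKDF2-SHA256).
    $sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Secret, $Salt, 100000, $sha256)
    try { $key = $kdf.GetBytes(32) } finally { $kdf.Dispose() }
    return ,$key
}

function Read-Volume($Volume, [string]$Protector, [byte[]]$ProtectorKey) {
    # protector key -> VMK -> FVEK -> sector data
    $wrappedVmk = $Volume.Protectors[$Protector]
    $vmk   = Unprotect-Blob $wrappedVmk $ProtectorKey
    $fvek  = Unprotect-Blob $Volume.WrappedFvek $vmk
    $plain = Unprotect-Blob $Volume.Sectors $fvek
    [Text.Encoding]::UTF8.GetString($plain)
}

# --- Set up a volume: data <- FVEK <- VMK <- one wrapped copy per protector ---
$fvek   = New-RandomKey
$vmk    = New-RandomKey
$sample = [Text.Encoding]::UTF8.GetBytes('constructed sample sector data')
$volume = [pscustomobject]@{
    Sectors     = Protect-Blob $sample $fvek
    WrappedFvek = Protect-Blob $fvek $vmk
    Protectors  = @{}     # protector name -> VMK wrapped under that protector
    ClearKey    = $null   # present on disk only while protection is suspended
}
$salt        = New-RandomKey 16
$recoveryKey = ConvertTo-ProtectorKey 'constructed-recovery-password' $salt
$tpmKey      = New-RandomKey   # stand-in for a key the TPM releases after its checks
$volume.Protectors['RecoveryPassword'] = Protect-Blob $vmk $recoveryKey
$volume.Protectors['Tpm']              = Protect-Blob $vmk $tpmKey
$sectorsBefore = [Convert]::ToBase64String($volume.Sectors.Data)

"Unlock via TPM stand-in:      $(Read-Volume $volume 'Tpm' $tpmKey)"
"Unlock via recovery password: $(Read-Volume $volume 'RecoveryPassword' $recoveryKey)"

# --- Suspend: the VMK is additionally wrapped under a key stored in the clear ---
$volume.ClearKey = New-RandomKey
$volume.Protectors['ClearKey'] = Protect-Blob $vmk $volume.ClearKey
"Unlock while suspended:       $(Read-Volume $volume 'ClearKey' $volume.ClearKey)"

# --- Resume: new VMK, protectors re-wrapped, clear key deleted; sectors untouched ---
$newVmk = New-RandomKey
$volume.WrappedFvek = Protect-Blob (Unprotect-Blob $volume.WrappedFvek $vmk) $newVmk
$volume.Protectors  = @{
    RecoveryPassword = Protect-Blob $newVmk $recoveryKey
    Tpm              = Protect-Blob $newVmk $tpmKey
}
$volume.ClearKey = $null
"Unlock after resume:          $(Read-Volume $volume 'Tpm' $tpmKey)"
"Sector ciphertext unchanged:  $($sectorsBefore -eq [Convert]::ToBase64String($volume.Sectors.Data))"
```

Only the small wrapped-key blobs are rewritten on suspend and resume, which is why neither operation needs to re-encrypt the drive; while suspended, anyone who can read the disk can follow the clear key to the data.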

The F1–F10 keys have universally mapped scan codes that are available in the preboot environment on all computers for all languages. Keys numbered 0 through 9 may not be usable in the preboot environment on all keyboards.

If an enhanced PIN is used, users are advised to perform an additional system check during BitLocker installation to ensure that the correct PIN can be entered in the preboot environment. For more information about enhanced PINs, see Understanding BitLocker in the BitLocker Drive Encryption technical overview.

An attacker can find out the PIN code by brute force. Brute-force hacking is performed by an attacker using an automated tool that tests various PIN code combinations until the correct code is found. For computers protected by BitLocker, this type of hack, also known as a dictionary attack, requires the attacker to have physical access to the computer.

The TPM has built-in capabilities to detect and counter such attacks. Because TPMs from different manufacturers have different anti-tampering measures, contact the module manufacturer to determine how the TPM on your computer prevents PIN brute force attacks.

Once you have identified the TPM manufacturer, contact them to obtain information about the module's development. Most manufacturers exponentially increase the lockout time of the PIN interface as the number of PIN errors increases. However, each manufacturer has its own rules regarding decreasing or resetting the error counter.

For more information, see Finding TPM driver information.

To determine the TPM manufacturer, see Finding TPM driver information.

Ask your TPM manufacturer the following questions about its dictionary attack mitigation mechanism.

    How many failed access attempts are allowed before blocking?

    What algorithm is used to determine the duration of blocking, taking into account the number of unsuccessful access attempts and other significant parameters?

    What actions can reduce or reset the number of errors or blocking duration?

Yes and no. You can set a minimum PIN length in the Group Policy setting Configure minimum PIN length for startup and allow the use of alphanumeric PINs by enabling the Group Policy setting Allow enhanced PINs for startup. However, you cannot set PIN complexity requirements in Group Policy.

BitLocker To Go is BitLocker drive encryption for removable data drives. USB flash drives, SD cards, external hard drives, and other drives with the NTFS, FAT16, FAT32, or exFAT file system are encrypted.

For more information, including how to authenticate or unlock a removable data drive and how to verify that the BitLocker To Go reader is not installed on FAT-formatted drives, see BitLocker To Go Overview.

If you enable BitLocker encryption on a drive before you apply Group Policy to force a backup, recovery data will not be automatically backed up to Active Directory Domain Services when the computer joins the domain or Group Policy is applied. However, in Windows 8, you can use the Group Policy settings Select methods for recovering operating system drives protected by BitLocker, Select methods for recovering fixed drives protected by BitLocker, and Select methods for recovering removable drives protected by BitLocker to force the computer to join a domain before enabling BitLocker. This will ensure that recovery data for BitLocker-protected drives in your organization is backed up to Active Directory Domain Services.

The Windows Management Instrumentation (WMI) interface for BitLocker allows administrators to write a script to back up or synchronize the existing recovery data of an online client, but BitLocker does not automatically manage this process. The Manage-bde command line tool also allows you to manually back up data for recovery to Active Directory Domain Services. For example, to back up all recovery data on the C: drive in Active Directory Domain Services, run the following command at an elevated command prompt: manage-bde -protectors -adbackup C:.

Yes, an entry is written to the event log on the client computer indicating whether the Active Directory backup succeeded or failed. However, even if the event log indicates success, the recovery data may be deleted from Active Directory Domain Services. Additionally, the BitLocker configuration may change so that the information in Active Directory is not sufficient to unlock the drive (for example, if the recovery password key protector is removed). It is also possible to falsify a log entry.

To ensure that AD DS has a valid backup, you must query AD DS with domain administrator credentials by using the BitLocker Password Viewer.

No. BitLocker recovery passwords are not removed from Active Directory Domain Services, and therefore multiple passwords may appear for each drive. To determine the latest password, check the date of the object.

If the initial backup fails, such as when a domain controller becomes unavailable during the BitLocker Setup Wizard, BitLocker does not retry backing up recovery data to Active Directory Domain Services.

If the administrator selects the Require BitLocker backup to AD DS check box in the Store recovery information in Active Directory Domain Services (Windows 2008 and Windows Vista) policy setting or (equivalently) selects the Do not enable BitLocker until recovery data is stored in AD DS for operating system drives (removable data drives, fixed data drives) check box in any of the policy settings Select recovery methods for BitLocker-protected operating system drives, Select recovery methods for BitLocker-protected fixed drives, Select recovery methods for BitLocker-protected removable drives, then users will not be able to enable BitLocker when the computer is not joined to a domain and BitLocker recovery data is not backed up in Active Directory Domain Services. If these options are configured and the backup fails, you cannot enable BitLocker. This ensures that administrators have the ability to recover all BitLocker-protected drives in the organization.

If the administrator clears these check boxes, the drive can be protected by BitLocker without successfully backing up the recovery data to Active Directory Domain Services. However, BitLocker does not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described previously in the question What happens if you enable BitLocker on a computer before joining a domain?, to collect data after the connection is restored.

BitLocker uses an AES encryption algorithm with a configurable key length (128 or 256 bits). By default, encryption is set to AES-128, but you can configure the settings using Group Policy.

To implement BitLocker on an operating system drive, we recommend a computer with TPM version 1.2 or 2.0 and TCG-compliant BIOS or UEFI firmware and a PIN code. Requiring a user-specified PIN in addition to TPM verification prevents an attacker who gains access to the computer from simply running it.
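An added audit sketch (not Microsoft's code) that flags the states the answers above warn about: suspended protection, a TPM-only protector on the operating system drive, a missing recovery password protector, and a 128-bit key. The function name, messages and sample objects are hypothetical; the property names and values follow the output of the Get-BitLockerVolume cmdlet.

```powershell
# Added example: flags BitLocker states that the answers above warn about.
# Get-BitLockerFinding and its messages are hypothetical; the property names
# and values follow the objects returned by the Get-BitLockerVolume cmdlet.
function Get-BitLockerFinding {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        $types  = @(foreach ($kp in $Volume.KeyProtector) { [string]$kp.KeyProtectorType })
        $status = [string]$Volume.VolumeStatus
        $found  = @()

        if ($status -eq 'FullyDecrypted') {
            $found += 'Volume is not encrypted'
        } else {
            if ($status -ne 'FullyEncrypted') {
                $found += "Encryption is incomplete (VolumeStatus: $status)"
            } elseif ([string]$Volume.ProtectionStatus -ne 'On') {
                # Encrypted but not protected means suspended: an unprotected
                # key stored on the disk can decrypt the volume master key.
                $found += 'Protection is suspended: resume it when the change is complete'
            }
            $isOs = [string]$Volume.VolumeType -eq 'OperatingSystem'
            if ($isOs -and ($types -contains 'Tpm')) {
                $found += 'TPM-only protector: the drive unlocks at startup without a PIN'
            }
            if ($types -notcontains 'RecoveryPassword') {
                $found += 'No recovery password protector: an AD DS backup cannot unlock this drive'
            }
            if ([string]$Volume.EncryptionMethod -match '128') {
                $found += 'Uses a 128-bit key: 256-bit can be configured through Group Policy'
            }
        }
        foreach ($f in $found) {
            [pscustomobject]@{ MountPoint = $Volume.MountPoint; Finding = $f }
        }
    }
}

# Constructed sample input, shaped like Get-BitLockerVolume output.
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted'
        ProtectionStatus = 'On'; EncryptionMethod = 'Aes128'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeType = 'Data'; VolumeStatus = 'FullyEncrypted'
        ProtectionStatus = 'Off'; EncryptionMethod = 'Aes256'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' })
    },
    [pscustomobject]@{
        MountPoint = 'E:'; VolumeType = 'Data'; VolumeStatus = 'FullyDecrypted'
        ProtectionStatus = 'Off'; EncryptionMethod = 'None'; KeyProtector = @()
    }
)
$sample | Get-BitLockerFinding | Format-Table -AutoSize -Wrap

# On a live system, from an elevated session:
#   Get-BitLockerVolume | Get-BitLockerFinding
```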

In its basic configuration, BitLocker on operating system drives (with a TPM but without additional authentication) provides additional protection for hibernation mode. Using optional BitLocker authentication (TPM and PIN, TPM and USB key, or TPM, PIN and USB key) provides stronger protection during hibernation mode, because BitLocker authentication is required to return from hibernation. It is recommended that you disable sleep mode and use a TPM/PIN combination for authentication.

Most operating systems use shared memory space and the operating system is responsible for managing the physical memory. A TPM is a hardware component that uses its own firmware and internal logic to process instructions, providing protection against external software vulnerabilities. To hack the TPM, you need physical access to the computer. In addition, hacking hardware security typically requires more expensive tools and skills that are not as common as software hacking tools. Since the TPM on each computer is unique, it would take a lot of time and effort to hack multiple computers with TPMs.

All versions of BitLocker included in the operating system have passed Federal Information Processing Standards (FIPS) certification and Common Criteria EAL4+ certification. These certifications have also been completed for Windows 8 and Windows Server 2012, and are in progress for Windows 8.1 and Windows Server 2012 R2.

BitLocker Network Unlocking makes it easy to manage BitLocker TPM+PIN-protected computers and servers in a domain environment. When you restart a computer connected to a wired corporate network, network unlock allows you to skip the PIN prompt. BitLocker-protected operating system volumes are automatically unlocked using a trusted key that is provided by the Windows Deployment Services server as an additional authentication method.

To use network unlock, you also need to set up a PIN code for your computer. If your computer is not connected to a network, you must enter a PIN code to unlock it.

BitLocker Network Unlocking has software and hardware requirements for client computers, Windows Deployment Services, and domain controllers that must be met before you can use it. For more information about these requirements, see How BitLocker Drive Encryption Works Technical Overview.

Network unlock uses two protectors: a TPM protector and a protector provided by the network or PIN, while automatic unlock uses a single protector stored in the TPM. If a computer joins a network without a key protector, you are prompted to enter a PIN code. If the PIN is not available, you will need a recovery key to unlock a computer that cannot be connected to the network. For more information about automatic and network unlocking, see How BitLocker Drive Encryption Works Technical Overview.

Yes, Encrypting File System (EFS) can be used to encrypt files on a BitLocker-protected drive. For more information, see How it works in the BitLocker Drive Encryption technical overview.

Yes. In this case, the debugger must be enabled before BitLocker is enabled. Enabling the debugger ahead of time ensures that the sealing status in the TPM is calculated correctly, allowing the computer to start up correctly. If you need to turn debugging on or off while using BitLocker, first pause BitLocker to prevent the computer from entering recovery mode.

BitLocker contains a storage driver stack that provides encryption of memory dumps when BitLocker is enabled.

BitLocker does not support smart cards for pre-boot authentication. There is no industry standard for smart card firmware support, and most computers do not have firmware support for smart cards or only support certain types of smart cards and readers. The lack of standardization makes it too difficult to support smart cards.

Microsoft does not support third-party TPM drivers and strongly discourages their use with BitLocker. Using a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that the TPM is not present on the computer, and you will not be able to use the module with BitLocker.

We do not recommend modifying the Master Boot Record (MBR) on computers that have BitLocker-protected operating system drives for security, reliability, and product supportability reasons. Changing the Master Boot Record (MBR) can change the security environment and prevent your computer from starting normally, and can make it more difficult to repair a damaged Master Boot Record (MBR). MBR changes made outside of Windows can put your computer into recovery mode or make booting completely impossible.

A system check verifies that your computer's firmware (BIOS or UEFI) is compatible with BitLocker and that the TPM is working correctly. The system check may fail for the following reasons.

    Your computer's firmware (BIOS or UEFI) does not support reading USB flash memory devices.

    The computer's firmware (BIOS or UEFI) or boot menu does not enable reading from USB flash memory devices.

    There are several USB flash drives inserted into the computer.

    The PIN code was entered incorrectly.

    Your computer's firmware (BIOS or UEFI) only supports function keys (F1–F10) for entering numbers in the preboot environment.

    The startup key was removed while the computer had not yet completed rebooting.

    Due to a faulty TPM, the keys could not be provided.

Some computers do not support reading USB flash drives in the preboot environment. First, check your BIOS or UEFI firmware and boot options to ensure that USB storage is enabled. Enable the use of USB storage in the BIOS or UEFI if it is not enabled, and read the recovery key from the USB flash drive again. If you still cannot read the key, you will need to connect the hard drive as a data drive to another computer running the operating system to read the recovery key from the USB flash drive. If the USB flash drive is damaged, you may need to enter a recovery password or use recovery data that is backed up in Active Directory Domain Services. Also, if the recovery key is used in a pre-boot environment, make sure the drive is an NTFS, FAT16, or FAT32 file system.

To automatically unlock fixed data drives, the operating system drive must also be protected by BitLocker. If you are using a computer where the operating system drive is not protected by BitLocker, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in File Explorer and selecting Manage BitLocker. This removable drive can be unlocked on other computers by entering the password or smart card credentials that you specified when you enabled BitLocker.

In Safe Mode, limited BitLocker functionality is available. BitLocker-protected drives can be unlocked and decrypted using the BitLocker Drive Encryption control panel item. In Safe Mode, you can't right-click the drive to open BitLocker options.

The Manage-bde command line tool and its -lock command allow you to lock removable and non-removable data drives.

Command syntax:

manage-bde -lock

In addition to using this command, data drives are locked during shutdown or reboot of the operating system. A removable data drive that is removed from the computer is also automatically locked.

Yes, but shadow copies created before BitLocker was enabled will be automatically deleted when BitLocker is enabled for software-encrypted drives. If a hardware-encrypted disk is used, shadow copies are preserved.

BitLocker is not supported for boot VHDs, but is supported for VHD data volumes, such as those used in clusters, when running on Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2012 R2.


If you have Windows 10 Pro or Enterprise installed on your computer, you can use BitLocker, which encrypts data on your hard drive. Let's find out in more detail how to set it up.

One of the additional features you get with Windows 10 Pro, as opposed to Home, is BitLocker. It allows you to encrypt data on your hard drive so that no one can access it without entering a password.

If someone removes the drive from your computer and tries to access it on another, the contents will be unreadable. This is a useful tool to protect personal data from prying eyes, but there are drawbacks and requirements that you should know before activating the function:

  1. BitLocker reduces performance, especially when using software encryption.
  2. If you forget your password, you will not be able to access your files.
  3. For better protection, a TPM startup key is used.
  4. You should also know that there is an alternative to BitLocker: SSD with full disk encryption. Content is encrypted automatically.

Typically, encryption is not enabled by default, so you may need to download the manufacturer's software (for example, Samsung Magician). During installation, the program may ask you to format the disk, then you need to save the data to another medium, and if this is the system partition C, then reinstall Windows.

Is a TPM key required for BitLocker?

A key is not required; BitLocker will use a software method, which is not as secure.

Software mode reduces read and write performance. With hardware encryption, you need to connect a USB device with a key and enter the password every time you boot your computer. When using a key, the BIOS must support booting from USB devices.

To check if your computer meets the BitLocker requirements in Windows 10 version 1803 and later, open Windows Defender Security Center and select the Device Security tab.

To enable protection, open Control Panel and go to BitLocker Drive Encryption.

Select the drive from the list on which personal information is stored and click on the “Enable BitLocker” link.

Another way to enable encryption is to open Explorer, go to the “This PC” tab and right-click on any hard drive.

Then follow the onscreen instructions to set up disk protection.

If the disk is already quite full, the process will take a long time.

After activating protection, a lock icon will appear on the disk in Explorer.

Hardware or software encryption

The function supports both methods. If you enable TPM hardware encryption, you can encrypt the entire disk.

When you decide to encrypt a volume (that is, one or more partitions), use software encryption. You can use the software method if your computer is not BitLocker compliant.

What to do if my computer is not compatible with BitLocker

If you see a notification like the one below instead of running the installation wizard, you can bypass it.

A notice does not necessarily mean that the equipment is incompatible. The appropriate settings may not be enabled in the BIOS. Open the BIOS/UEFI, find the TPM option, and make sure it is enabled.

If the computer is built on an AMD motherboard, then the parameter is located in the PSP section. This is a Processor Security Platform integrated into the processor chip itself, such as Ryzen, which has a security module instead of a TPM.

Please note, in January 2018, the AMD PSP was discovered to have a security flaw and therefore microcode updates (delivered through Windows Security Updates) are disabled. In this case, you will not be able to use hardware mode.

To activate software mode, which reduces read/write performance, use the Local Group Policy Editor.

Press the Windows + R key combination and enter the command gpedit.msc.

In the left panel, follow the path:

Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives.

On the right side of the window, double-click “This policy setting allows you to configure the requirement for additional authentication at startup.” In the window that opens, set the value to “Enable” and check “Allow BitLocker without a compatible TPM.”

Good day, friends.

Have you set a password for certain information on your computer and now want to remove it? Don't know how to do this? This article provides simple instructions on how to disable Bitlocker - the very program that protects your data from hacking.

Bitlocker is a built-in utility in Windows systems designed to keep important information safe from unauthorized access. Having installed it, the computer owner puts a password on all or individual files. The application allows you to save the password on external media or print it, so that the PIN is not kept only in memory, because memory can fail.

Encrypting information means that the program converts it into a special format that can only be read after entering a password.

If you try to open a file without it, you will be presented with unrelated numbers and letters.

Initially, you can configure the utility so that the lock is removed when a flash drive with a key is inserted. It is better to have several media with a password.

Important! If you forget and lose all the keys, along with them you will lose access to all data on the disk (or flash drive) forever.

The application first started working in the extended version of Windows Vista. Now it is available for other generations of this system.

Ways to disable Bitlocker

To remove the lock, you don't need to be a hacker or a professional IT specialist. It is all simple, provided, of course, that you set the password yourself and are not going to hack other people's data. Is that so? Then let's begin.

There are several ways to unlock files. The simplest one looks like this:

  • Right-click on the desired drive and in the window that appears, click “Manage BitLocker”;

  • A new menu will open where you should select the “Turn off” option.

When you reinstall Windows 10 or another version of the OS, you will need to pause encryption. To do this, follow the instructions below:

  • Open Start - Control Panel - System and Security - BitLocker Drive Encryption;
  • Select “Pause protection”, or “Manage BitLocker” - then “Disable BitLocker” (In Win7).
  • Click "Yes" to confirm that you are deliberately disabling it.

Through the same menu, you can completely turn off the blocking by pressing the corresponding button.

Keep in mind that Windows Vista and other versions of the system may have different names for the sections described above. But in any case, you will find the necessary settings through the control panel. For example, in Windows 8 you can open it like this:

To be honest, I don’t know how to disable this encryptor if the password is lost... I can only recommend formatting the device - as a result of which the disk will be available for work. But in this situation, naturally all the data on it will be lost.

Well, that's all, I hope it was useful.

See you soon friends!

The disk encryption function, BitLocker, appeared in Windows 7. With its help, you can encrypt SSDs, HDDs or removable media. However, this process is accompanied by a number of difficulties, the main one being the lack of a TPM module, which can be removable or integrated into the motherboard. As a result, the user may encounter a message that “...the device cannot use the TPM. The administrator must set the parameter ‘Allow BitLocker to be used without a compatible TPM’.”

How to fix this error and enable BitLocker in Windows 10?


Enable BitLocker on Windows 10 without a compatible TPM

To enable disk encryption without a compatible TPM, you need to make changes in the Windows 10 Local Group Policy Editor. To do this, follow these steps:

  • Press “Win+R” and enter “gpedit.msc”.

  • Go to the branch “Computer Configuration”, “Administrative Templates”, “Windows Components”, “BitLocker Drive Encryption”, “Operating system drives”. Find the option “This policy setting allows you to configure the requirement for additional authentication at startup.”

  • Double click to open the parameter settings. We set the following values.

  • After the system restarts, you can go to the “Control Panel” and select “BitLocker Drive Encryption”.

Note that before creating an encrypted device, you should make a backup copy of the data.
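The policy set in the procedure above (and in the earlier gpedit.msc walkthrough) is stored in the registry, so its state can be audited together with the TPM state. The following PowerShell is an added example, not part of the original articles: the function names are hypothetical, the sample inputs are constructed, and the key `HKLM:\SOFTWARE\Policies\Microsoft\FVE` with the values `UseAdvancedStartup` and `EnableBDEWithNoTPM` is where this Group Policy setting is recorded.

```powershell
# Added example: audit the "Require additional authentication at startup" policy.
# Function names are hypothetical; the sample inputs at the bottom are constructed.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FveStartupPolicy {
    # Read the two policy values from the live registry ($null when not set).
    param([string]$Path = $FvePolicyKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseAdvancedStartup = $p.UseAdvancedStartup   # 1 = policy set to "Enabled"
        EnableBDEWithNoTPM = $p.EnableBDEWithNoTPM   # 1 = "Allow BitLocker without a compatible TPM"
    }
}

function Test-FveStartupPolicy {
    # Pure function: turns policy values plus TPM state into a single finding.
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [bool]$TpmPresent,
        [Parameter(Mandatory)] [bool]$TpmReady
    )
    $noTpmAllowed = ($Policy.UseAdvancedStartup -eq 1) -and ($Policy.EnableBDEWithNoTPM -eq 1)

    if ($TpmPresent -and $TpmReady) {
        if ($noTpmAllowed) {
            $level = 'Review'
            $text  = 'Usable TPM present, but TPM-less startup is allowed; clear the checkbox so the OS drive cannot be set up with only a startup key or password.'
        } else {
            $level = 'OK'
            $text  = 'Usable TPM present and TPM-less startup is not allowed.'
        }
    } elseif ($TpmPresent) {
        $level = 'Action'
        $text  = 'TPM is present but not ready; enable it in BIOS/UEFI before falling back to TPM-less mode.'
    } elseif ($noTpmAllowed) {
        $level = 'Info'
        $text  = 'No TPM: BitLocker relies on a USB startup key or password and gives no early boot component verification.'
    } else {
        $level = 'Action'
        $text  = 'No TPM and the policy is not set; the wizard will report that the device cannot use a TPM.'
    }
    [pscustomobject]@{ Level = $level; NoTpmAllowed = $noTpmAllowed; Finding = $text }
}

# Constructed sample inputs (no live system needed).
$cases = @(
    @{ Policy = [pscustomobject]@{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1 }
       TpmPresent = $true;  TpmReady = $true }
    @{ Policy = [pscustomobject]@{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1 }
       TpmPresent = $false; TpmReady = $false }
    @{ Policy = [pscustomobject]@{ UseAdvancedStartup = $null; EnableBDEWithNoTPM = $null }
       TpmPresent = $true;  TpmReady = $false }
)
foreach ($c in $cases) { Test-FveStartupPolicy @c | Format-List }

# Live check from an elevated prompt:
#   $tpm = Get-Tpm
#   Test-FveStartupPolicy -Policy (Get-FveStartupPolicy) -TpmPresent $tpm.TpmPresent -TpmReady $tpm.TpmReady
```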

SoftikBox.com

How to enable BitLocker on Windows 10

2. In the “Parameters” window, go to “System”

3. Next, go to the “About System” tab, go to the very bottom and click “BitLocker Settings”

4. Here we select the removable media that we want to protect and click “Enable BitLocker”

5. Wait for the end of the action.

6. Next we will need to select one of the blocking options:

7. I chose password protection! Check the box “Use a password to unlock the disk,” then enter the password we created twice and click “Next.”

8. In the next window, select a recovery option in case you forget your password, for example “Save to file”

9. Select the location to save the file and click “Save”

10. Click “Next”

11. Set the following parameters to suit your needs, for example, I chose “Encrypt the entire disk”, select the option and click “Next”

12. In the next window, click “Start encryption”

13. Wait for encryption of the removable storage device you selected to finish.

ns1club.ru

How to encrypt your Windows 10 computer using BitLocker

If you store confidential information on your computer, then encrypting your system hard drive will be an excellent option to ensure the safety of your data. In this article we will tell you how to encrypt your computer's system drive using the most popular encryption tool from Microsoft, the BitLocker utility, which comes with all professional versions of Windows. Since the release of Windows Vista, Microsoft has offered a new data protection feature called BitLocker Drive Encryption. Windows 7 introduced BitLocker To Go, encryption for portable storage devices such as flash drives and SD cards.

There is no need to download and install BitLocker; it is already built into the operating system and is only available in Windows 10 Pro and Enterprise. You can see which edition of Windows is installed on your computer in the Control Panel on the System tab. If you have Windows 10 Home installed, which does not support BitLocker, we recommend that you pay attention to a program such as VeraCrypt.

Why Microsoft doesn't make this feature publicly available is an open question, given that data encryption is one of the most effective ways to keep it secure. Encryption is a way to enhance the security of your data by ensuring that its contents can only be read by the owner of the appropriate encryption key. Windows 10 includes various encryption technologies. For example, EFS file system encryption and BitLocker Drive Encryption, which we will talk about in this article.

  • Encrypting your hard drive may take a long time. Before you begin, we recommend that you back up your data, as an unexpected power outage during the encryption process may damage your data.
  • The Windows 10 November update includes a more secure encryption standard. Please note that the new encryption standard will only be compatible with Windows 10 November Update systems.
  • If your computer does not have a Trusted Platform Module (TPM), a chip that gives the computer additional security features such as the ability to encrypt BitLocker drives, you may receive a TPM error message when you try to enable encryption: "This device cannot use the Trusted Platform Module (TPM)"

To resolve this issue, use the EnableNoTPM.reg.zip file. Download, unzip and run this file; this will make the necessary changes to the registry to allow encryption without a TPM.

Enable BitLocker Drive Encryption in Windows 10

Click Start -> Explorer -> This PC. Then right-click on the Windows system drive (usually drive C), and select “Enable BitLocker” from the drop-down menu.

Create a strong password to unlock your hard drive. Every time you turn on your computer, Windows will ask you for this password to decrypt your data.


Choose how you want to back up the recovery key. You can save it to your Microsoft account, copy it to a USB drive, or print it.


Saved?! Now you need to specify which part of the disk you want to encrypt.

You will have two options:

  • If you are encrypting a new drive or a new PC, you only need to encrypt the part of the drive that is currently in use. BitLocker will then automatically encrypt data as it is added.
  • If you enable BitLocker on a PC or drive you're already using, we recommend encrypting the entire drive. This will ensure that all data is protected.

For us, the second option is preferable. Please note that encryption will take some time, especially if you have a large drive. Make sure your computer is connected to an uninterruptible power supply in case of power outages.

If you have the November Windows 10 updates installed, then the more secure XTS-AES encryption mode is available to you. Choose this option whenever possible.

When you are ready to start encrypting, click the "Continue" button.


Restart your computer when prompted.

Remember the password you created earlier? Now is the time to enter it.


After logging into Windows, you will notice that nothing global has changed.

To check the encryption status, click Start > File Explorer > This PC. Now you will see a drawn lock on the system disk. Right-click on the drive and then select Manage BitLocker.

You will see the current state of the C:\ drive - BitLocker encryption (enabled). You can continue to use your computer as encryption occurs in the background. You will be notified when it is completed.


If you want to pause encryption, you can do so in the BitLocker Drive Encryption panel: click the "Pause Protection" link. After this point, newly created files and folders will not be encrypted. Here you can also completely disable BitLocker and decrypt all your data.
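The encryption status, the XTS-AES recommendation, the recovery key backup and the "Pause Protection" state described above can all be read from `Get-BitLockerVolume`. The following PowerShell is an added example, not part of the original article; `Test-BitLockerVolumePosture` and `New-SampleVolume` are hypothetical helpers, and the three sample volumes are constructed so the checks can be followed without a live system.

```powershell
# Added example: evaluate the volume properties that Get-BitLockerVolume returns.
# Both functions are hypothetical helpers; the three sample volumes are constructed.
function Test-BitLockerVolumePosture {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        # Protector types as strings (works for real enum values and for sample data).
        $types  = @(foreach ($kp in $Volume.KeyProtector) { [string]$kp.KeyProtectorType })
        $status = [string]$Volume.VolumeStatus
        $notes  = @()
        if ($status -eq 'FullyDecrypted') {
            $notes += 'Volume is not encrypted.'
        } else {
            if ($status -ne 'FullyEncrypted') {
                $notes += "Conversion not finished: $status at $($Volume.EncryptionPercentage)%."
            }
            if ([string]$Volume.ProtectionStatus -ne 'On') {
                $notes += 'Protection is off (paused or not yet active); resume it before relying on the encryption.'
            }
            if ([string]$Volume.EncryptionMethod -like 'Aes*') {
                $notes += "Method $($Volume.EncryptionMethod) is the older mode; XTS-AES is preferred where supported."
            }
            if ($types -notcontains 'RecoveryPassword') {
                $notes += 'No recovery password protector; a lost password or startup key means lost data.'
            }
            $hasTpm = [bool]($types -like 'Tpm*')
            if ([string]$Volume.VolumeType -eq 'OperatingSystem' -and -not $hasTpm) {
                $notes += 'OS volume unlocks without a TPM, so early boot components are not verified.'
            }
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Protectors = $types -join ','
            Healthy    = ($notes.Count -eq 0)
            Notes      = $notes
        }
    }
}

function New-SampleVolume {
    # Builds a constructed stand-in with the same property names as a BitLockerVolume.
    param($MountPoint, $VolumeType, $VolumeStatus, $ProtectionStatus, $Method, $Percent,
          [string[]]$Protectors)
    [pscustomobject]@{
        MountPoint = $MountPoint; VolumeType = $VolumeType; VolumeStatus = $VolumeStatus
        ProtectionStatus = $ProtectionStatus; EncryptionMethod = $Method
        EncryptionPercentage = $Percent
        KeyProtector = @($Protectors | ForEach-Object { [pscustomobject]@{ KeyProtectorType = $_ } })
    }
}

$sample = @(
    New-SampleVolume 'C:' 'OperatingSystem' 'FullyEncrypted' 'On' 'XtsAes128' 100 @('Tpm', 'RecoveryPassword')
    New-SampleVolume 'D:' 'Data' 'EncryptionInProgress' 'Off' 'Aes128' 37 @('Password')
    New-SampleVolume 'E:' 'OperatingSystem' 'FullyEncrypted' 'Off' 'XtsAes256' 100 @('Password', 'RecoveryPassword')
)
$sample | Test-BitLockerVolumePosture | Format-List

# Live check from an elevated prompt:
#   Get-BitLockerVolume | Test-BitLockerVolumePosture | Format-List
```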


blog.secretvpn.net

Scenario 1: Enable BitLocker Drive Encryption on the operating system drive (Windows 7)

Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

Click Turn on BitLocker for your operating system drive. BitLocker will check your computer to ensure it meets system requirements. If the computer meets the requirements, BitLocker will provide information about the next steps required to enable BitLocker (drive preparation, TPM enablement, and drive encryption).

If the operating system drive has a single partition, BitLocker prepares the drive by compressing it and creating a new operating system partition that is used for system files that are required to start or recover the operating system and are not encrypted. This drive will not have a letter to prevent files from being accidentally saved to it. After preparing the disk, you must restart the computer.

If the TPM is not initialized, the BitLocker Setup Wizard will prompt you to remove all CD, DVD, and USB drives from the computer and restart the computer to begin enabling the TPM. You will be prompted to enable the TPM before the system boots, but in some cases you will need to go into BIOS settings and manually enable the TPM. This depends on the computer's BIOS module. Once you confirm that the TPM needs to be enabled, the operating system starts and the Security Hardware Initializing indicator for the TPM appears.

If the computer does not have a TPM, BitLocker can be used, but it will use the Startup Key Only authentication method. All necessary encryption key information is stored on a USB flash memory device, which must be connected to the computer by the user during the system boot process. The key, stored on a USB flash drive, is used to unlock the computer. Using the TPM is highly recommended because it helps protect against attacks on the critical boot process of your computer. Using the Startup Key Only method provides only disk encryption; it does not provide early boot component verification or hardware spoofing protection.

To use this method, the computer must support reading USB devices before loading the operating system, and you must also enable this authentication method by selecting the Allow BitLocker without a compatible TPM check box in the Require additional authentication at startup Group Policy setting, located in the following node of the Local Group Policy Editor: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

After the TPM is initialized, the BitLocker Setup Wizard will prompt you to select a recovery key storage method. The following options are possible:

  • Save the recovery key to a USB flash drive. Saves the recovery key to a USB flash drive.
  • Save the recovery key to a file. Saves the recovery key on a network drive or other location.
  • Print the recovery key. Prints the recovery key.

Use one or more options for saving the recovery key. For each item, you must follow the wizard to specify the location to save or print the recovery key. When the recovery key is saved, click Next.

Important
The recovery key is required when moving an encrypted disk to another computer or when making changes to the system boot information. The recovery key is a very important component, so it is recommended that you make additional copies of it and store them in a safe place so that you can refer to them if you need to restore access to the disk. The recovery key is required to unlock encrypted data when BitLocker enters a locked state. The recovery key is unique for each disk. The key is not suitable for recovering encrypted data from another BitLocker-protected drive. For added security, you should store your recovery keys separately from your computer.

The BitLocker Setup Wizard asks you if you are ready to encrypt the drive. Make sure the Run BitLocker system scan check box is selected, and then click Continue.

Confirm to restart your computer by clicking the Restart now button. After this, your computer will restart and BitLocker will check that it is compatible with BitLocker and is ready for encryption. If your computer is not ready, you will receive an error message after you log in.

When the computer is ready for encryption, the Encryption status bar displays with the encryption progress. To check the status of drive encryption, hover your mouse over the BitLocker Drive Encryption icon in the notification area at the right edge of the taskbar. Encrypting the disk will take some time. You can use your computer while encryption is running, but performance will be lower than usual. Once encryption is complete, a success message will be displayed.

technet.microsoft.com

How to encrypt a disk in Windows 10 so that no one steals your files?

Windows 10 and earlier versions of Windows provide file encryption using BitLocker technology. You only need to configure it once, and you can be sure that no one will gain access to your files or be able to run your programs, even if they gain physical access to the drive of your laptop or computer.

How do I enable BitLocker encryption?

First of all, you need to activate security policies:

1. Press Win+R and run the command gpedit.msc.
2. Go to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. Double-click on “This policy setting allows you to configure the requirement for additional authentication at startup” and select the “Enabled” option.

Now you can proceed directly to encryption:

1. Open “Explorer” > “My Computer” and select the drive that you want to encrypt.
2. Right-click the drive icon and select Enable BitLocker.
3. A dialog box will open with options for accessing encrypted data. Follow its instructions and restart your computer. The disk will be encrypted.

The encryption process can be lengthy, its duration depending on the volume of data being encrypted. During the encryption setup process, you will need to create a key or password to decrypt the data. The password must use mixed-case letters and numbers. When the drive is installed in your computer, data is encrypted and decrypted automatically, but if you remove the encrypted drive from it and connect it to another device, you will need a key to access the files.

The key recovery data can be stored on a flash drive, in a Microsoft account, in a text file, or on a printed sheet of paper. Keep in mind that this is not the key itself, but only information that will help you recover it. The key can only be obtained after entering the login and password for your Microsoft account, which makes it more difficult to crack the encryption.

If you encrypted the system logical drive, you will have to enter the password during a cold start of the device or after it reboots.