Bitlocker - encrypts and decrypts hard drives. Unlock drives D, E and so on in the Windows environment. What to do with the recovery key, what to do if it is lost

You can unlock removable data drives using a password, a smart card, or you can configure SID protection to unlock the drive using domain credentials. Once disk encryption has started, it can also be unlocked automatically on a specific computer for a user account. System administrators can configure which options are available to users, as well as the complexity and minimum length requirements for passwords. To unlock using SID protection, use Manage-bde:

Manage-bde -protectors -add e: -sid domain\username
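The same operation with the BitLocker PowerShell module, as an added example (my own code, not from the page or from Microsoft's documentation). It adds the SID protector, then checks that the drive still carries a recovery password and backs that password up to AD DS; the drive letter and account are placeholders and an elevated session is assumed.

```powershell
#Requires -RunAsAdministrator
# Added example: add an AD account/group (SID) protector to a data drive and
# verify the resulting protector set. Placeholder values below.
$MountPoint = 'E:'
$Account    = 'CONTOSO\alice'    # placeholder: domain\username or domain\group

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$MountPoint is not BitLocker-protected; enable BitLocker on it first."
}

# Equivalent of: manage-bde -protectors -add E: -sid domain\username
Add-BitLockerKeyProtector -MountPoint $MountPoint `
    -ADAccountOrGroupProtector -ADAccountOrGroup $Account | Out-Null

# A SID protector only unlocks the drive for that identity on a domain-joined
# machine. Keep a recovery password as well so the drive can be opened
# elsewhere, and store it in AD DS as the text above describes.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($p in @($rp)) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# Final state: expect at least ADAccountOrGroup and RecoveryPassword here
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

`Backup-BitLockerKeyProtector` only succeeds when the computer is domain-joined and the policy that permits storing recovery information in AD DS is in place; otherwise it reports an error and the recovery password stays local, which is exactly the condition you want to catch before the drive leaves the building.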

What is the difference between a recovery password, a recovery key, a PIN, a secure PIN, and a startup key?

For tables listing and describing items such as recovery password, recovery key, and PIN, see BitLocker Key Security Tools and BitLocker Authentication Methods.

Where to store the recovery password and recovery key?

You can save the recovery password or recovery key for your operating system disk or non-removable data disk in a folder, on one or more USB devices, in your Microsoft account, or print it.

You can save the recovery password and recovery key for removable data drives in a folder or Microsoft account, or print them. By default, the recovery key for removable media cannot be stored on removable media.

A domain administrator can configure an optional Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for all BitLocker-protected drives.

Is it possible to add an additional authentication method without disk decryption if only the TPM authentication method is enabled?

You can use the Manage-bde.exe command-line tool to change the TPM-only authentication mode to multi-factor authentication mode. For example, if BitLocker uses only TPM authentication and you want to add PIN authentication, run the following commands at an administrative command prompt, replacing 4-20 digit numeric PIN with the numeric PIN you want to use.

manage-bde -protectors -delete %systemdrive% -type tpm

manage-bde -protectors -add %systemdrive% -tpmandpin 4-20 digit numeric PIN
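The same TPM-only to TPM+PIN change with the BitLocker cmdlets, as an added example (my own script, not the page's or Microsoft's). It keeps the order of the two manage-bde commands above, but first refuses to proceed unless a recovery password already exists, reads the PIN without echoing it, and enforces the 4-20 digit rule the text states. An elevated session and a TPM-protected OS drive are assumed.

```powershell
#Requires -RunAsAdministrator
# Added example: replace the TPM-only protector on the OS drive with TPM+PIN.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive

$tpmOnly = $os.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
if (-not $tpmOnly) {
    throw "No TPM-only protector on $env:SystemDrive; nothing to convert."
}

# Refuse to touch the protectors unless a recovery password exists, so a
# mistake between the delete and the add cannot leave the drive unrecoverable.
if (-not ($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    throw 'Add and back up a recovery password first (Add-BitLockerKeyProtector -RecoveryPasswordProtector).'
}

# Read the PIN as a SecureString and check it against the 4-20 digit rule.
$pin      = Read-Host -Prompt 'New startup PIN' -AsSecureString
$pinPlain = [System.Net.NetworkCredential]::new('', $pin).Password
if ($pinPlain -notmatch '^\d{4,20}$') { throw 'PIN must be 4 to 20 digits.' }
$pinPlain = $null

# Same sequence as the two manage-bde commands above:
#   -protectors -delete %systemdrive% -type tpm
#   -protectors -add    %systemdrive% -tpmandpin <PIN>
Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $tpmOnly.KeyProtectorId | Out-Null
Add-BitLockerKeyProtector    -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $pin | Out-Null

# Expect TpmPin (and RecoveryPassword) here, and no plain Tpm entry
(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

If Group Policy sets a minimum startup PIN length longer than four digits, or requires enhanced PINs, `Add-BitLockerKeyProtector` rejects a PIN that does not meet it; the script's own check only mirrors the range the text gives.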

When should you consider an additional authentication method?

With new compliant hardware, the PIN is no longer a critical security feature, and having a TPM will likely suffice, subject to policies such as device locking. For example, Surface Pro and Surface Book devices do not have external DMA ports, which can be used for attacks. If you have older equipment that may require a PIN, we recommend turning on the Enhanced PINs feature, which allows you to use non-numeric characters such as letters and punctuation, and selecting the PIN length based on your equipment's risk tolerance and the anti-brute-force capability of the TPMs on your computers.

Can I recover BitLocker-protected data if I have lost the information needed for recovery?

BitLocker is designed so that an encrypted drive cannot be recovered without requiring authentication. In recovery mode, the user needs a recovery password or recovery key to unlock the encrypted drive.

Store recovery information in Active Directory Domain Services, along with your Microsoft account, or in another secure location.

Is it possible to store the recovery key on the same USB flash drive where the startup key is stored?

Storing both keys on the same USB flash drive is technically possible, but is not recommended. If the USB flash drive containing the startup key is lost or stolen, you will also lose access to the recovery key. In addition, when such a drive is inserted, the computer will automatically boot using the recovery key even if the boot files measured by the TPM have changed, so the system integrity check is effectively bypassed.

Is it possible to store the startup key on multiple USB flash drives?

Yes, your computer's startup key can be stored on multiple USB flash drives. Right-click the BitLocker-protected drive and select BitLocker Management to open options for copying recovery keys.

Is it possible to store several different startup keys on one USB flash drive?

Yes, you can store BitLocker startup keys for different computers on a single USB flash drive.

Is it possible to create several different startup keys for one computer?

Using scripts, you can create different startup keys for the same computer. But for computers with a TPM, creating different startup keys prevents BitLocker from using the system integrity check that the TPM performs.

Can I create multiple PIN code combinations?

It is not possible to create multiple PIN code combinations.

What encryption keys does BitLocker use? How do they work together?

Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key, in turn, is encrypted using one of several possible methods, depending on the type of authentication (using key protectors or TPM) and recovery scenarios.

Where are the encryption keys stored?

The full volume encryption key is encrypted with the volume master key and stored on the encrypted disk. The volume master key is encrypted with a suitable key protector and stored on the encrypted disk. If BitLocker protection is suspended, the unprotected key that encrypts the volume master key is also stored on the encrypted drive along with the encrypted volume master key.

This storage procedure ensures that the volume master key is never stored without encryption and is always protected unless BitLocker encryption is disabled. Keys are also stored in two additional disk locations for redundancy. The boot manager can read and process the keys.
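An added illustration of the key chain described in the two answers above, written by me in PowerShell with .NET AES-CBC. It is a model, not BitLocker's on-disk format or Microsoft's code: all keys and the "sector" are constructed, and a password-derived key stands in for a key protector. It shows why changing a PIN re-wraps only the volume master key, and why a suspended volume can be opened without any secret.

```powershell
# Added model of FVEK -> VMK -> key protector (constructed data; not BitLocker's format)

function New-RandomBytes([int]$Count) {
    $buf = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ,$buf                                  # comma keeps the array intact
}

function Protect-Bytes([byte[]]$Key, [byte[]]$Plain) {
    # AES-256-CBC with a fresh IV prepended to the ciphertext
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    return ,([byte[]]($aes.IV + $cipher))
}

function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]$Blob[0..15]
    return ,$aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
}

function Get-ProtectorKey([string]$Secret, [byte[]]$Salt) {
    # Stand-in for a PIN/password key protector (PBKDF2 -> 256-bit key)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Secret, $Salt, 100000)
    return ,$kdf.GetBytes(32)
}

function Test-SameBytes([byte[]]$A, [byte[]]$B) {
    ($A.Length -eq $B.Length) -and
    (@(0..($A.Length - 1) | Where-Object { $A[$_] -ne $B[$_] }).Count -eq 0)
}

$fvek = New-RandomBytes 32        # full volume encryption key: encrypts the raw data
$vmk  = New-RandomBytes 32        # volume master key: wraps the FVEK
$salt = New-RandomBytes 16

$sector        = [System.Text.Encoding]::UTF8.GetBytes('constructed sector contents')
$encryptedData = Protect-Bytes -Key $fvek -Plain $sector     # what the disk holds
$wrappedFvek   = Protect-Bytes -Key $vmk  -Plain $fvek       # stored in volume metadata
$wrappedVmk    = Protect-Bytes -Key (Get-ProtectorKey 'PIN-1234' $salt) -Plain $vmk

# Changing the PIN re-wraps only the VMK; bulk data and the wrapped FVEK are
# untouched, which is why a protector change is instant even on a large drive.
$wrappedVmk2 = Protect-Bytes -Key (Get-ProtectorKey 'PIN-5678' $salt) -Plain $vmk

# Unlock path: protector -> VMK -> FVEK -> data
$vmkBack  = Unprotect-Bytes -Key (Get-ProtectorKey 'PIN-5678' $salt) -Blob $wrappedVmk2
$fvekBack = Unprotect-Bytes -Key $vmkBack  -Blob $wrappedFvek
$plain    = Unprotect-Bytes -Key $fvekBack -Blob $encryptedData
'Recovered: ' + [System.Text.Encoding]::UTF8.GetString($plain)

# The old PIN no longer yields the VMK (decryption fails or gives garbage)
$oldPinWorks = $false
try {
    $guess = Unprotect-Bytes -Key (Get-ProtectorKey 'PIN-1234' $salt) -Blob $wrappedVmk2
    $oldPinWorks = Test-SameBytes $vmk $guess
} catch { }
"Old PIN still unlocks: $oldPinWorks"

# Suspended BitLocker: the VMK is also wrapped with a clear key that is itself
# written into the metadata, so the chain can be walked without any PIN.
$clearKey        = New-RandomBytes 32
$wrappedVmkClear = Protect-Bytes -Key $clearKey -Plain $vmk
$metadata        = @{ ClearKey = $clearKey; WrappedVmk = $wrappedVmkClear }   # both on disk
$vmkNoSecret     = Unprotect-Bytes -Key $metadata.ClearKey -Blob $metadata.WrappedVmk
"VMK recovered from metadata alone while suspended: $(Test-SameBytes $vmk $vmkNoSecret)"
```

The last lines are the practical point of "suspended" protection: the data stays encrypted on disk, but the clear key sitting next to the wrapped VMK means anyone with the disk can finish the chain, so a suspended volume should be treated as unprotected until protection is resumed.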

Why do I need to use the function keys to enter my PIN or 48-character recovery password?

The F1 through F10 keys map to the same scan codes in the preboot environment on all computers and for all languages. The number keys 0 through 9 are not usable in the preboot environment on all keyboards.

If an enhanced PIN is used, users are advised to perform an additional system check during BitLocker setup to ensure that the correct PIN can be entered in the preboot environment.

How does BitLocker protect your operating system drive PIN from attackers?

An attacker can obtain the PIN code through a brute force attack. A brute force attack is carried out using an automated tool that tests different PIN code combinations until the correct code is found. For BitLocker-protected computers, this type of hack, also known as a dictionary attack, requires the attacker to have physical access to the computer.

The TPM has built-in capabilities to detect and counter such attacks. Because TPMs from different manufacturers use different measures against PIN brute-force attacks, identify the manufacturer of the TPM on your computer and contact it to obtain the details that only the manufacturer can provide. Most manufacturers exponentially increase the lockout time of the PIN interface as the number of PIN errors increases. However, each manufacturer has its own rules for resetting or decrementing the error counter.

How can I determine the manufacturer of my TPM?

You can find the TPM manufacturer in Windows Defender Security Center > Device security > Security processor details.

How to evaluate the dictionary attack mitigation mechanism used in a TPM?

Ask your TPM manufacturer the following questions about its dictionary attack mitigation mechanism:

  • How many failed login attempts are allowed before being blocked?
  • What algorithm is used to determine the duration of blocking, taking into account the number of unsuccessful authorization attempts and other significant parameters?
  • What actions can cause the error counter to be reset, decreased, or blocked for longer?
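Before asking the manufacturer the questions above, the TPM itself reports part of the answer. This added example (my own script, not from the page) reads the manufacturer identity and the anti-hammering counters through the built-in `TrustedPlatformModule` module and the `Win32_Tpm` WMI class, and flags the states a responder would want to notice; an elevated session is assumed.

```powershell
#Requires -RunAsAdministrator
# Added example: TPM manufacturer and dictionary-attack (lockout) state.
$tpm = Get-Tpm
$wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm

[pscustomobject]@{
    Manufacturer    = $tpm.ManufacturerIdTxt     # who to ask the questions listed above
    FirmwareVersion = $tpm.ManufacturerVersion
    SpecVersion     = $wmi.SpecVersion           # TPM specification string (1.2 or 2.0 family)
    LockedOut       = $tpm.LockedOut             # currently refusing authorization attempts?
    LockoutCount    = $tpm.LockoutCount          # failed attempts recorded so far
    LockoutMax      = $tpm.LockoutMax            # attempts allowed before lockout
    LockoutHealTime = $tpm.LockoutHealTime       # how the counter decays (manufacturer-specific)
}

# States worth alerting on: an active lockout, or a climbing failure counter
# with no known user-side PIN trouble behind it.
if ($tpm.LockedOut) {
    Write-Warning 'TPM is in lockout: repeated PIN failures, from a forgotten PIN or a brute-force attempt.'
} elseif ($tpm.LockoutCount -gt 0) {
    Write-Warning "$($tpm.LockoutCount) of $($tpm.LockoutMax) failed authorizations recorded."
}
```

`LockoutMax` and `LockoutHealTime` are the two numbers the first and second questions above ask about; what resets or extends the counter (the third question) is not exposed by the cmdlet and still has to come from the manufacturer.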

Can I change the PIN length and complexity using Group Policy?

Yes and no. You can set the minimum PIN length with the Group Policy setting "Configure minimum PIN length for startup", and allow alphanumeric PINs by enabling the setting "Allow enhanced PINs for startup". However, you cannot set PIN complexity requirements in Group Policy.

For more information, see BitLocker Group Policy Settings.


Many users with the release of the Windows 7 operating system were faced with the fact that an incomprehensible BitLocker service appeared in it. Many people can only guess what BitLocker is. Let's clarify the situation with specific examples. We will also consider questions that relate to whether it is advisable to activate this component or disable it completely.

BitLocker Service: What is it for?

If you look carefully, you can conclude that BitLocker is a fully automated, universal means of encrypting data stored on your hard drive. What is BitLocker on a hard drive? This is a regular service that, without user intervention, allows you to protect folders and files by encrypting them and creating a special text key that provides access to documents. At the moment when the user works under his account, he does not even realize that the data is encrypted. All information is displayed in a readable form and access to folders and files is not blocked for the user. In other words, such a security measure is designed only for those situations in which unauthorized access to the computer terminal is achieved due to an attempt to intervene from the outside.

Cryptography and password issues

If we talk about what BitLocker is like in Windows 7 or later systems, one unpleasant fact must be noted: if they lose their login password, many users will not only be unable to log into the system, but also unable to view documents that were previously available for moving, copying, and so on. But the problems don't end there.

If you look at what BitLocker is in Windows 8 and 10, there are no significant differences; the only thing worth noting is more advanced cryptography technology. The real problem lies elsewhere: the service can operate in two modes, storing the decryption keys either on the hard drive or on a removable USB drive. This leads to a logical conclusion: if the key is saved on the hard drive, the user gets access to all the information stored on it without any problems. When the key is stored on a flash drive, the situation is much more serious. In principle, you can see an encrypted disk or partition, but you won't be able to read the information.

In addition, if we talk about what BitLocker is in Windows 10 and earlier systems, the service is integrated into context menus of any type, which are called by right-clicking the mouse. This is simply annoying for many users. Let's not get ahead of ourselves and consider all the main aspects related to the operation of this component, as well as the advisability of its deactivation and use.

Method of encrypting removable media and disks

The strangest thing is that on various systems and their modifications, by default the Windows 10 BitLocker service can be in either active or passive mode. In Windows 7 it is enabled by default, in Windows 8 and Windows 10 it sometimes requires manual activation. As for encryption, nothing new has been invented here. Typically, the same public key-based AES technology is used, which is most often used in corporate networks. Therefore, if your computer terminal with the appropriate operating system is connected to the local network, you can be completely sure that the security and information protection policy used involves the activation of this service. Even if you have administrator rights, you will not be able to change anything.

Enabling the Windows 10 BitLocker service if it has been deactivated

Before you begin to resolve the issue related to BitLocker in Windows 10, you need to look at the process of enabling and configuring it, since the deactivation steps will need to be carried out in reverse order. Enabling encryption in the simplest way is done from the "Control Panel" by selecting the disk encryption section. This method can only be used if the key should not be saved to removable media.

If the locked drive is non-removable, you will have to look at another question about the Windows 10 BitLocker service: how to disable this component? This is done quite simply. Provided that the key is on removable media, to decrypt disks and disk partitions you need to insert it into the appropriate port, and then go to the security section of the Control Panel. There, find the BitLocker encryption item and look at the media and drives on which protection is enabled. Below them there is a hyperlink for disabling encryption; click on it. If the key is recognized, the decryption process starts. All you have to do is wait for it to complete.

Configuring the encryption component: problems

As for the setup issue, it won’t be without a headache. First of all, it is worth noting that the system offers to reserve at least 1.5 GB for your needs. Secondly, you need to adjust the permissions of the NTFS file system, for example, reduce the volume size. In order to do such things, you should immediately disable this component, since most users do not need it. Even those who have this service enabled by default in their settings do not always know what to do with it, or whether it is needed at all. And in vain... On a local computer, you can protect data with its help even in the complete absence of anti-virus software.

How to disable BitLocker: getting started

First of all, you need to use the previously specified item in the “Control Panel”. The names of the service disabling fields may change depending on the system modification. The selected drive can be set to pause protection or indicate to disable the BitLocker service. But that's not the point. Particular attention should be paid to the fact that it is necessary to completely disable updating the BIOS and system boot files. Otherwise, the decryption process may take quite a long time.

Context menu

This is one side of the BitLocker coin. What this service is should already be clear. The flip side is removing the links to this service from the additional menus. To do this, you need to take another look at BitLocker. How to remove all links to the service from the context menu? Yes, it's very simple... When you select the desired file in Explorer, use the service and editing section of the context menu, go to the settings, and after that use the command settings and organize them. Next, you need to specify the value of "Control Panel", find the one you need in the list of corresponding panel elements and commands, and delete it.

Then in the registry editor you need to go to the HKCR branch and find the ROOT Directory Shell section, expand it and delete the desired element by pressing the Del key or using the delete command from the right-click menu. That's the last thing about BitLocker. How to disable it should already be clear to you. But don't delude yourself ahead of time: this service will still be running in the background whether you want it to or not.

Conclusion

It should be added that this is not all that can be said about the BitLocker encryption system component. We have already figured out what BitLocker is. You also learned how to disable and remove menu commands. The question is: is it worth disabling BitLocker? Here we can give one piece of advice: in a corporate network you should not deactivate this component at all. But if we are talking about a home computer terminal, then why not.

computerology.ru

BitLocker: what is it and how to unlock it?

With the release of the Windows 7 operating system, many users were faced with the fact that a somewhat incomprehensible BitLocker service appeared in it. What BitLocker is, many can only guess. Let's try to clarify the situation with specific examples. Along the way, we will consider questions regarding how appropriate it is to activate this component or disable it completely.

BitLocker: what is BitLocker, why is this service needed

If you look at it, BitLocker is a universal and fully automated means of encrypting data stored on a hard drive. What is BitLocker on a hard drive? Yes, just a service that protects files and folders without user intervention by encrypting them and creating a special text key that provides access to documents.

When a user works in the system under his own account, he may not even realize that the data is encrypted, because the information is displayed in readable form, and access to files and folders is not blocked. In other words, such a protection tool is designed only for those situations when unauthorized access is made to the computer terminal, for example, when attempting to intervene from the outside (Internet attack).

Passwords and cryptography issues

However, if we talk about what BitLocker is in Windows 7 or later systems, it is worth noting the unpleasant fact that if they lose their login password, many users not only cannot log into the system, but also cannot view documents that were previously available for copying, moving, and so on.

But that's not all. If you look at the question of what BitLocker Windows 8 or 10 is, then there are no significant differences, except that they have more advanced cryptography technology. The problem here is clearly different. The fact is that the service itself is capable of operating in two modes, storing decryption keys either on a hard drive or on a removable USB drive.

This suggests the simplest conclusion: if the key is saved on the hard drive, the user gets access to all the information stored on it without problems. But when the key is saved on a flash drive, the problem is much more serious. In principle, you can see an encrypted disk or partition, but you can’t read the information.

In addition, if we talk about what BitLocker is in Windows 10 or earlier systems, we cannot help but note the fact that the service is integrated into any type of right-click context menu, which is simply annoying for many users. But let’s not get ahead of ourselves, but consider all the main aspects related to the operation of this component and the advisability of its use or deactivation.

Method of encrypting disks and removable media

The strangest thing is that on different systems and their modifications, the BitLocker service can be in either active or passive mode by default. In Windows 7 it is enabled by default; in Windows 8 and 10, manual activation is sometimes required.

As for encryption, nothing particularly new has been invented here. As a rule, the same public key-based AES technology is used, which is most often used in corporate networks. Therefore, if your computer terminal with the appropriate operating system on board is connected to the local network, you can be sure that the applicable security and data protection policy implies the activation of this service. Even if you start changing settings as an administrator, you will not be able to change anything.

Enable BitLocker if the service is disabled

Before addressing the issue related to BitLocker (how to disable the service, how to remove its commands from the context menu), let’s look at enabling and configuring, especially since the deactivation steps will need to be done in reverse order.

Enabling encryption in the simplest way is done from the “Control Panel” by selecting the disk encryption section. This method is applicable only if the key should not be saved to removable media.

If the locked device is a non-removable drive, you will have to find the answer to another question about the BitLocker service: how to disable this component on a flash drive? This is done quite simply.

Provided that the key is located on removable media, to decrypt disks and disk partitions, you first need to insert it into the appropriate port (connector), and then go to the security system section of the Control Panel. After that, we find the BitLocker encryption item, and then look at the drives and media on which the protection is installed. At the very bottom you will see a hyperlink to disable encryption, which you need to click on. If the key is recognized, the decryption process is activated. All that remains is to wait for its completion.

Problems configuring the encryption component

As for the setup, you can’t do without a headache. Firstly, the system offers to reserve at least 1.5 GB for your needs. Secondly, you need to adjust the permissions of the NTFS file system, reduce the volume size, etc. To avoid doing such things, it is better to immediately disable this component, because most users simply do not need it. Even all those who have this service enabled in their default settings also do not always know what to do with it, or whether it is needed at all. But in vain. You can use it to protect data on your local computer even if you don’t have anti-virus software.

BitLocker: how to disable. First stage

Again, use the previously specified item in the “Control Panel”. Depending on the system modification, the names of the service disabling fields may change. The selected drive may have a line to suspend protection or a direct indication to disable BitLocker.

That's not the point. Here it is worth paying attention to the fact that you will need to completely disable updating the BIOS and boot files of the computer system. Otherwise, the decryption process may take quite a long time.

Context menu

This is just one side of the BitLocker coin. What BitLocker is is probably already clear. But the flip side is removing the links to this service from the additional menus.

To do this, let's look again at BitLocker. How to remove all links to a service from the context menu? Elementary! In Explorer, when you select the desired file or folder, use the service section and edit the corresponding context menu, go to the settings, then use the command settings and organize them.

After this, in the registry editor, enter the HKCR branch, where we find the ROOTDirectoryShell section, expand it and delete the desired element by pressing the Del key or the delete command from the right-click menu. Actually, that's the last thing about the BitLocker component. How to disable it, I think, is already clear. But don't delude yourself. All the same, this service will work in the background (just in case), whether you want it or not.

Instead of an afterword

It remains to add that this is not all that can be said about the BitLocker encryption system component. What is BitLocker, we figured out how to disable it and delete menu commands too. The question is: should you disable BitLocker? Here we can give only one piece of advice: in a corporate local network, you should not deactivate this component at all. But if it's a home computer terminal, why not?

fb.ru

Bitlocker encryption of flash drives and disks in Windows 10

Many of us often carry important, valuable information on external devices. These could be ssd drives or other external drives for storing data. The most popular is probably a regular flash drive, on which a person most often transfers the necessary information. But what to do if you lost your flash drive? Or a portable external ssd drive? Answer: encrypt your external devices and put a password on the flash drive so that if you find it, no one can use your information. There are a lot of third-party software for protecting flash drives, but why is it needed if the program that is installed can be deleted over time due to negligence. In this article, we’ll look at how to protect your devices using the built-in Windows 10 tool.

Note: We will use BitLocker, which is present in the Pro and Enterprise editions of Windows 10.


What is BitLocker?

BitLocker is an encryption feature for removable media, including USB flash drives, SD cards and external hard drives. BitLocker supports the NTFS, FAT32 and exFAT file systems; a drive formatted with any of them can be protected using BitLocker. Unlike EFS encryption, which is designed to encrypt individual folders and files, BitLocker does not work on files; it encrypts the whole drive.

How to put a password on a flash drive and disks in Windows 10

  • Connect a USB flash drive or external hard drive to Windows 10.
  • Right-click on the drive you want to protect and click Enable BitLocker.
  • Check the Use password to unlock the disk checkbox.
  • Create your own password to protect your data.
  • When asked how to back up the recovery key, choose Save to a file.
  • Save the file in a location convenient for you; you will need it to unlock the flash drive if you have forgotten the password.
  • I recommend choosing Encrypt entire drive.
  • Select Compatible mode as the encryption mode.
  • Wait for the process to complete.

Access to password protected data

  • Insert your encrypted device into the USB port of your computer and open it.
  • Enter your password that you created at the beginning of encryption.
  • If you forgot your flash drive password, click Advanced options and enter the recovery code that you saved to your computer.

Disable BitLocker and remove password from flash drive

To remove the assigned password and make the flash drive normal again, you need to disable Bitlocker. To do this, insert your USB device into the computer and enter your unlock password.

  • Once unlocked, right-click on the flash drive and select Manage BitLocker.
  • Find the device you want to remove the password from and click Turn Off BitLocker at the bottom.
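The three procedures above (protect a removable drive with a password, unlock it, turn BitLocker off) as BitLocker cmdlet calls, added here as my own example rather than code from the page. The drive letter and the recovery-key file path are placeholders, and an elevated session is assumed. The choices mirror the steps: whole-drive encryption and the CBC ("compatible") encryption method, with the recovery key written to a file whose permissions are restricted to the current user.

```powershell
#Requires -RunAsAdministrator
# Added example: password-protect, unlock and release a removable drive.
$Drive       = 'E:'                                                        # placeholder
$RecoveryOut = "$HOME\Documents\BitLocker-Recovery-$($Drive.TrimEnd(':')).txt"  # placeholder

function Protect-RemovableDrive {
    param([string]$MountPoint, [string]$RecoveryFile)
    $pw = Read-Host -Prompt 'Password to unlock the drive' -AsSecureString
    # Aes128/Aes256 are the CBC ("compatible mode") methods; XtsAes* is the
    # "new" mode. No -UsedSpaceOnly, so the whole drive is encrypted.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -PasswordProtector -Password $pw | Out-Null
    # Second protector: the numeric recovery key the page says to save to a file
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[-1]
    "Identifier: $($rp.KeyProtectorId)`nRecovery Key: $($rp.RecoveryPassword)" |
        Set-Content -Path $RecoveryFile
    # The file unlocks the drive without the password: strip inherited ACLs,
    # leave only the current user with access.
    icacls $RecoveryFile /inheritance:r /grant:r "${env:USERNAME}:F" | Out-Null
    return $rp.KeyProtectorId
}

function Unlock-RemovableDrive {
    param([string]$MountPoint, [string]$RecoveryPassword)
    if ($RecoveryPassword) {
        # Forgotten password: use the 48-digit key from the saved file
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword
    } else {
        $pw = Read-Host -Prompt 'Drive password' -AsSecureString
        Unlock-BitLocker -MountPoint $MountPoint -Password $pw
    }
}

function Remove-DriveProtection {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Locked') { throw "Unlock $MountPoint before turning BitLocker off." }
    Disable-BitLocker -MountPoint $MountPoint | Out-Null      # starts decryption
    do {
        Start-Sleep -Seconds 5
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host "$MountPoint still $($vol.EncryptionPercentage)% encrypted"
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
}

# Usage (run the step you need; do not remove the drive while a step is running):
# $id = Protect-RemovableDrive -MountPoint $Drive -RecoveryFile $RecoveryOut
# Unlock-RemovableDrive -MountPoint $Drive
# Unlock-RemovableDrive -MountPoint $Drive -RecoveryPassword '000000-000000-...'   # placeholder
# Remove-DriveProtection -MountPoint $Drive
```

`Enable-BitLocker` returns while encryption continues in the background; `Get-BitLockerVolume` shows `EncryptionPercentage` climbing until `VolumeStatus` reads `FullyEncrypted`, and the drive should stay connected until then, just as the last step above says.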


mywebpc.ru

How to encrypt a disk or flash drive with secret data using Bitlocker

Hi all! Protecting personal data from unauthorized access is an important point for PC users. This is especially true for office computers where commercial or any other information is stored that should be hidden from unauthorized viewing. Today I will cover the topic “Bitlocker Drive Encryption in Windows 10”. This material will help secure data not only on the hard drive, but also on removable media, using standard “tens” tools.

The BitLocker utility first appeared in Windows 7 (extended version), then was implemented in subsequent OS releases. Available only in professional and corporate editions. Simplified Device Encryption setup is provided for home users.

The essence of encryption

What it is? The process involves using a special algorithm to convert data into a special format that can only be read by the owner. Even if someone tries to open protected files, a bunch of meaningless letters and numbers will be displayed.

Enabling BitLocker

Interested in how to enable encryption? Detailed instructions follow.

  1. In Control Panel, go to the “System and Security” section and select the “Disk Encryption” tab.
  2. Second way. Right-click on the desired drive and select the context menu item "Turn on BitLocker". If this option is not in the list, then you are using an unsupported edition of the operating system. We do the same for encrypting a flash drive.
  3. A window will open that allows you to select one of two options: “Hard Drives” and “BitLocker To Go”.

The first method is suitable for total HDD encryption. In this case, when loading the PC you will need to specify the password you set. Only after this the decoder will do its job and the system will start.

The second method is suitable for external drives. When such a flash drive is connected to a PC, you can open the contents of the disk after entering the password.

  • If the computer has no TPM (a chip on the motherboard that can store encryption keys and raises the security level: even if the disk is stolen, the data stays locked), you will get the following error window, asking you to allow BitLocker without a TPM:

  • To allow BitLocker without a TPM (and I think few home machines have one), use the gpedit.msc Group Policy editor (launch it via Win + R) and go through the folder tree:
"Computer Configuration" - "Administrative Templates" - "Windows Components" - "BitLocker Drive Encryption" - "Operating System Drives".
  • On the right side of the window, find the item "Require additional authentication at startup" and set it to "Enabled". Also allow encryption without a TPM by checking the "Allow BitLocker without a compatible TPM" box:
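To confirm what the Group Policy steps above actually set, and whether the machine needs them, the following added script (my own, not from the page) reads the policy values back from the registry key where BitLocker policies land and compares them with the TPM state. The two value names are the documented ones behind the "Require additional authentication at startup" setting; an elevated session is assumed.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the "allow BitLocker without a compatible TPM" policy
# against the presence of a TPM before enabling OS-drive encryption.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'     # BitLocker policy registry key
$pol = if (Test-Path $fve) { Get-ItemProperty -Path $fve } else { $null }

$requireAuthOn = ($pol.UseAdvancedStartup -eq 1)   # "Require additional authentication at startup" = Enabled
$allowNoTpm    = ($pol.EnableBDEWithNoTPM -eq 1)   # "Allow BitLocker without a compatible TPM" checked
$tpmPresent    = [bool](Get-Tpm).TpmPresent

[pscustomobject]@{
    PolicyKeyExists    = [bool]$pol
    RequireAuthAtStart = $requireAuthOn
    AllowWithoutTpm    = $allowNoTpm
    TpmPresent         = $tpmPresent
}

# Interpret the combination for the operator
if (-not $tpmPresent -and -not ($requireAuthOn -and $allowNoTpm)) {
    Write-Warning 'No TPM and the policy does not allow BitLocker without one: the wizard will show the error window described above.'
} elseif ($tpmPresent -and $allowNoTpm) {
    Write-Warning 'TPM present but "allow without TPM" is on: prefer a TPM or TPM+PIN protector; a password-only OS drive skips the TPM boot integrity check.'
} else {
    Write-Host 'Policy and hardware are consistent.'
}

# Current state of the OS drive, so the result of the next steps can be checked
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ', ') } }
```

The policy only becomes effective after a Group Policy refresh (`gpupdate /force`) on a machine that applies local policy; the registry read above shows what the BitLocker wizard will see at that moment.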

Have questions? Or is everything extremely simple? If difficulties arise (after all, even the most universal instructions may not work in specific cases), then ask questions through the comment form after the article.

Methods for unlocking

After you have successfully completed all the steps of the previous instructions, you will need to select a method by which you can unlock the disk. The most common option is to set a password. But you can create a special external media on which the decoding keys will be stored. If there is a TPM chip on the motherboard, the choice of options will expand significantly. For example, it would be realistic to specify automatic decryption during PC startup, or set a PIN for decryption and an additional code on disks.

Choose the method you like the most from all available.

Backup key

What do you think will happen if you forget your password or lose the media with the master key? Or install the HDD in another PC (with a different TPM)? How to restore access in such a situation? Windows 10 provides the ability to save the backup key (to a disk, flash drive) or print it out. It is important to ensure that the copy is stored securely so that no one can get to it. Otherwise, all efforts to ensure protection will be reduced to zero.

Attention! If you lose all the keys, you will lose your data forever! More precisely, you will not be able to decipher them! It is simply impossible to disable such protection.

The BitLocker utility works in the background and encrypts newly added (created) files and folders on the drive. At this point there are two possible paths you can take.

  1. Encrypt the entire disk, including free space (unused). Reliable but slow method. Suitable for cases when you need to hide all information (even about files that were deleted long ago and can be restored).
  2. Protect only used space (occupied partitions). This is a faster method that I recommend choosing in most situations.

After this step, the analysis of the system will begin. The computer will reboot and the encryption process will begin. You can hover over the icon in the notification area to monitor your progress. It should be noted that there is a slight drop in performance due to RAM consumption.

The subsequent startup of the PC will be accompanied by the appearance of a PIN code entry window or a prompt to insert a USB drive with keys. It all depends on the method you choose.

If you need to resort to using a backup key, you should press Esc on your keyboard and follow the requirements of the recovery wizard.

Using BitLocker To Go

The initial setup of the utility for encrypting external drives is the same as the instructions above. But you won't need to restart your PC.

Important point! The drive must not be removed until the process is complete, otherwise the results may be unexpected.

As soon as you connect the “protected” flash drive to the laptop, a password entry window appears.

Change BitLocker settings

It would be counterintuitive if users couldn't change passwords and other settings. Want to know how to remove protection? This is done simply. Right-click on the desired drive and select “Manage BitLocker”.

On the right there will be a list of possibilities. The very last item “Turn off...” is responsible for turning off encryption.

Personal experience of use

I always have a flash drive encrypted with Bitlocker with me, since I store passwords, photos and work data on it. On one of my business trips, I lost my flash drive, but I wasn’t upset at all, because I understood that all the data was encrypted and the person who found it would not be able to use it. For those who are concerned about safety, this is the most optimal solution.

So we figured out this difficult but important topic. Finally, I would like to note that the use of such protection increases the load on the processor and consumes RAM resources. But these are minor sacrifices compared to the loss of unprotected information due to theft and unauthorized access. Do you agree?

Sincerely, Victor

it-tehnik.ru

BitLocker. Questions and answers

Applies to: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8

This section, intended for IT professionals, answers frequently asked questions regarding usage, upgrade, deployment, and administration requirements, and key management policies for BitLocker.

How BitLocker works with operating system drives

BitLocker can be used to eliminate the risk of unauthorized data access on lost or stolen computers by encrypting all user and system files on the operating system drive, including page files and hibernation files, and by verifying the integrity of previously loaded components and boot configuration data.

How BitLocker works with fixed and removable data drives

BitLocker can be used to encrypt the entire contents of a data drive. Using Group Policy, you can require BitLocker to be enabled on a drive before data can be written to the drive. BitLocker allows you to configure different unlocking methods for data drives, and the data drive supports multiple unlocking methods.

Yes, BitLocker supports multi-factor authentication for operating system drives. If you enable BitLocker on a computer that has TPM 1.2 or 2.0 installed, you can use additional forms of authentication that are based on that module.

To use all BitLocker features, your computer must meet the hardware and software requirements listed in the Drive configurations supported by BitLocker section in the BitLocker Drive Encryption technical overview.

Having two partitions is required for BitLocker to work because pre-startup authentication and system integrity verification must be performed on a separate partition that is not the same as the encrypted operating system drive. This configuration helps protect the operating system and data on the encrypted drive.

BitLocker supports the TPM versions listed in the Requirements section of the BitLocker Drive Encryption technical overview.

For information about how to do this, see Finding TPM driver information.

Yes, you can enable BitLocker on an operating system drive that does not have a TPM 1.2 or 2.0 if the BIOS or UEFI firmware supports reading from the USB flash drive during boot. This is possible because BitLocker does not unlock the protected drive until it obtains the BitLocker volume master key from the TPM on the computer or from a USB flash drive that contains the BitLocker startup key for that computer. However, computers without a TPM will not be able to perform the system integrity check that BitLocker supports.

To verify that the USB device can be read during the boot process, use the BitLocker system test during BitLocker installation. This scan runs tests to ensure that USB devices can be read at the correct time and that the computer meets other BitLocker requirements.

For information about how to enable BitLocker on a computer without a TPM, see BitLocker: How to Enable BitLocker.

For more information about the required Windows operating systems and TPM versions, see the Requirements section in the BitLocker Drive Encryption technical overview.

Ask your computer manufacturer for BIOS or UEFI firmware that meets TCG standards and the following requirements.

    It is logo-certified, where applicable, and compatible with the versions listed in the Applies to list at the beginning of this section.

    It complies with the TCG standards for client computers.

    It has a secure update mechanism that prevents malicious BIOS firmware or boot software from being installed on the computer.

Enabling, disabling, and changing BitLocker configuration on operating system drives and fixed data drives requires membership in the local Administrators group. Regular users can enable, disable, and reconfigure BitLocker on removable data drives.

For more information, see Requirements in the BitLocker Drive Encryption technical overview.

You must configure your computer's startup settings so that the hard drive comes first in the boot order, before all other drives such as CD/DVD or USB drives. If the hard drive is not first and you normally boot from it, BitLocker may detect or assume a change in the boot order when removable media is found during boot. The boot order typically affects the system measurement that BitLocker verifies, and a change in the boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a docked laptop, make sure the hard drive comes first in the boot order both when docked and when undocked.

For more information, see BitLocker Architecture in the BitLocker Drive Encryption technical overview.

Yes. To upgrade from Windows 7 to Windows 8 or Windows 8.1 without decrypting the operating system drive, open BitLocker Drive Encryption in Control Panel in Windows 7, click Manage BitLocker, and then click Suspend. Suspending protection does not decrypt the drive; it disables the authentication mechanisms used by BitLocker and uses an unprotected key to access the drive. Continue the upgrade process using the Windows 8 DVD or the Windows 8.1 Upgrade. Once the upgrade is complete, open File Explorer, right-click the drive, and select Resume Protection. The BitLocker authentication methods are re-enabled and the unprotected key is removed.

The Decrypt command completely removes BitLocker protection and completely decrypts the drive.

Suspending leaves the data encrypted but encrypts the BitLocker volume master key with an unprotected key. An unprotected key is a cryptographic key that is stored on the disk without encryption or protection. Storing this key unencrypted lets the Suspend command allow changes and upgrades to the computer without spending the time and resources needed to decrypt and re-encrypt the entire drive. After the changes are made and BitLocker is re-enabled, BitLocker reseals the encryption key to the new values of the components that changed during the upgrade, the volume master key is changed, the protectors are updated, and the unprotected key is deleted.

The following table lists the actions you must take before you perform an upgrade or install updates.

    Windows Anytime Upgrade: decrypt the drive.

    Upgrade from Windows 7 to Windows 8: suspend BitLocker.

    Updates to non-Microsoft software, such as a firmware update provided by your computer manufacturer, a Trusted Platform Module firmware update, or an update to a non-Microsoft application that changes boot components: suspend BitLocker.

    Software and operating system updates from Microsoft Update: no action required; these updates do not require decrypting the drive or disabling or suspending BitLocker.

Yes, BitLocker and TPM deployment and configuration can be automated using TPM tooling or Windows PowerShell scripts. The implementation of scripts depends on the environment. You can also use the BitLocker Manage-bde.exe command-line tool to configure BitLocker locally or remotely. For more information about writing scripts that use WMI BitLocker providers, see the MSDN article BitLocker Drive Encryption Provider. For more information about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see BitLocker Cmdlets in Windows PowerShell.

Yes. In Windows Vista, BitLocker only encrypted operating system drives. Windows Vista SP1 and Windows Server 2008 added support for encrypting fixed data drives. New features in Windows Server 2008 R2 and Windows 7 allow BitLocker to also encrypt removable data drives.

Typically the performance loss does not exceed ten percent.

Although BitLocker encryption occurs in the background while you continue to work and the system remains available, the encryption time depends on the drive type, size, and speed. It is wise to schedule encryption of very large disks at a time when they are not in use.

New features in Windows 8 and Windows Server 2012 allow you to choose whether BitLocker encrypts the entire drive or just the used space when you enable BitLocker. On a new hard drive, encrypting used space is noticeably faster than encrypting the entire drive. Once you select an encryption option, BitLocker automatically encrypts data when it is stored and ensures that no data is stored without encryption.

If your computer turns off or goes into hibernation mode, the BitLocker encryption and decryption process resumes where it left off the next time you start Windows. The same happens in the event of a power failure.

No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. Sectors encrypted on a drive that is protected by BitLocker are decrypted only when requested by system read operations. Blocks that are written to disk are encrypted before the system writes them to the physical disk. On a BitLocker-protected drive, data is never left unencrypted.

Controls introduced in Windows 8 allow you to enable Group Policy settings that will require BitLocker protection to be enabled on data drives before a BitLocker-protected computer can write data to those drives. For more information, see Prevent writing to removable drives that are not BitLocker-protected or Prevent writing to fixed drives that are not BitLocker-protected in the BitLocker Group Policy Settings article.

When these policy settings are enabled, a BitLocker-protected operating system will mount non-BitLocker-protected data drives in read-only mode.

For more information, including how to control users who may accidentally save data to unencrypted drives when using a computer without BitLocker enabled, see BitLocker: How to prevent online users from saving data to an unencrypted drive.

The following types of system changes can cause an integrity check to fail, in which case the TPM does not release the BitLocker key needed to decrypt the protected operating system drive.

    Moving the BitLocker-protected drive to a new computer.

    Installing a new motherboard with a new TPM.

    Turning off, disabling, or clearing the TPM.

    Changing any boot configuration settings.

    Changing the BIOS, UEFI firmware, master boot record (MBR), boot sector, boot manager, option ROM, other pre-boot components, or boot configuration data.

For more information, see How it works in the BitLocker Drive Encryption technical overview.

Because BitLocker is designed to protect your computer from numerous attacks, there are many reasons why BitLocker might start in recovery mode. For information about these reasons, see Recovery scenarios in the BitLocker Drive Encryption technical overview.

Yes, you can swap hard drives on the same computer as long as BitLocker protection was enabled on each of them on that same computer. BitLocker keys are unique to the TPM and the operating system drive, so if you want to prepare a backup operating system drive or data drive in case of disk failure, make sure it is paired with the same TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each drive with a different authentication method (for example, one drive with TPM only and another with TPM and PIN) without any conflict.

Yes, you can unlock the data drive using the BitLocker Drive Encryption item in Control Panel as usual (with a password or smart card). If the data drive was configured for automatic unlock only, you must use the recovery key to unlock it. If you connect the operating system drive to another computer running one of the operating systems listed in the Applies to list at the beginning of this section, you can unlock the encrypted hard drive by using a data recovery agent (if one is configured) or a recovery key.

Some drives cannot be encrypted with BitLocker. For example, the drive may be too small, the file system may be incompatible, or the drive may be a dynamic disk or designated as the system partition. By default, the system drive (or system partition) is not displayed in the Computer window. However, if the drive was not created as a hidden drive during a custom installation of the operating system, it may be displayed but still cannot be encrypted.

BitLocker protection is supported for any number of internal fixed drives. Some versions support direct-attached ATA and SATA storage devices. For details about supported drives, see Drive configurations supported by BitLocker in the BitLocker Drive Encryption technical overview.

BitLocker creates and uses several different keys. Some are mandatory and some are optional protectors that you can use depending on the level of security you need.

For more information, see Understanding BitLocker in the BitLocker Drive Encryption technical overview.

You can save the recovery password or recovery key for your operating system disk or non-removable data disk in a folder, on one or more USB devices, save it to your Microsoft account, or print it.

The recovery password and recovery key for removable data drives can be saved to a folder, saved to your Microsoft account, or printed. By default, the recovery key for a removable drive cannot be stored on the removable drive.

A domain administrator can configure an optional Group Policy to automatically generate recovery passwords and store them in Domain Services for all BitLocker-protected drives.

For more information, see BitLocker: How to Store Passwords and Recovery Keys.

You can use the Manage-bde.exe command-line tool to change the TPM-only authentication mode to multi-factor authentication mode. For example, if BitLocker has only TPM authentication enabled and you want to add PIN authentication, enter the following commands at an elevated command prompt, replacing <4-20 digit numeric PIN> with the numeric PIN you want to use (the existing TPM-only protector is removed first, then a combined TPM and PIN protector is added):

manage-bde -protectors -delete %systemdrive% -type tpm

manage-bde -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>

For more information, see Boot Sequence Authentication Modes in the BitLocker Drive Encryption Technical Overview.

BitLocker is designed so that an encrypted drive cannot be recovered without requiring authentication. In recovery mode, the user needs a recovery password or recovery key to unlock the encrypted drive.

Storing both keys on the same USB flash drive is technically possible but not recommended. If the USB flash drive containing the startup key is lost or stolen, you also lose access to the recovery key. In addition, inserting such a drive would cause the computer to boot automatically from the recovery key even if the files measured by the TPM had changed, which bypasses the TPM system integrity check.

Yes, your computer's startup key can be stored on multiple USB flash drives. Right-click the BitLocker-protected drive and select Manage BitLocker to open options for copying recovery keys.

Yes, you can store BitLocker startup keys for different computers on a single USB flash drive.

You can use scripts to create different startup keys for the same computer, but for computers with a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.

It is not possible to create multiple PIN code combinations.

Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key, in turn, is encrypted using one of several possible methods depending on the type of authentication (key protectors or TPM) and recovery scenarios.

For more information about encryption keys, how they are used, and where they are stored, see What is BitLocker in the BitLocker Drive Encryption technical overview.

The full volume encryption key is encrypted with the volume master key and stored on the encrypted drive. The volume master key is encrypted with the appropriate key protector and stored on the encrypted drive. If BitLocker protection is suspended, the unprotected key that encrypts the volume master key is also stored on the encrypted drive, alongside the encrypted volume master key.

This storage procedure ensures that the volume master key is never stored without encryption and is always protected unless BitLocker encryption is disabled. Keys are also stored in two additional disk locations for redundancy. The keys can be read and processed by the boot manager.
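The key hierarchy the last few answers describe (data encrypted with the full volume encryption key, that key wrapped by the volume master key, the volume master key wrapped once per protector, and an unprotected clear key added while suspended) is easier to reason about as a toy model. The PowerShell below is an added illustration, not BitLocker's code or on-disk format: AES-CBC stands in for the real wrapping and volume encryption modes, the "TPM" and "recovery password" secrets are constructed random keys, and all function and property names are this example's own.

```powershell
# Added toy model, not BitLocker's own code or on-disk format: it walks through
# the key hierarchy described above (data -> FVEK -> VMK -> key protectors) and
# shows what suspending and resuming protection does to it. AES-CBC with a random
# IV stands in for the real wrapping and volume encryption modes; the "TPM" and
# "recovery password" secrets are constructed random keys. All names are this
# example's own.

function New-RandomBytes([int]$Count) {
    $b = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    return ,$b
}

function Protect-Bytes([byte[]]$Key, [byte[]]$Plain) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $ct  = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $out = [byte[]]($aes.IV + $ct)     # IV is prefixed so the blob can be unwrapped later
    return ,$out
}

function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]$Blob[0..15]
    $out = $aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
    return ,$out
}

function New-ProtectedVolume([byte[]]$Contents) {
    $fvek = New-RandomBytes 32   # full volume encryption key: encrypts the data
    $vmk  = New-RandomBytes 32   # volume master key: wraps the FVEK
    $secrets = @{ Tpm = New-RandomBytes 32; RecoveryPassword = New-RandomBytes 32 }
    [pscustomobject]@{
        # Everything except Secrets is what actually sits on the encrypted disk.
        Data             = Protect-Bytes $fvek $Contents
        WrappedFvek      = Protect-Bytes $vmk $fvek
        Protectors       = @{ Tpm              = Protect-Bytes $secrets.Tpm $vmk
                              RecoveryPassword = Protect-Bytes $secrets.RecoveryPassword $vmk }
        ClearKey         = $null   # present only while protection is suspended
        VmkUnderClearKey = $null
        Secrets          = $secrets   # held by the TPM / the user; kept here for the demo only
    }
}

# Recover the VMK: via the on-disk clear key while suspended, otherwise via a named protector.
function Get-Vmk($Volume, [string]$Protector) {
    if ($Volume.ClearKey) { return ,(Unprotect-Bytes $Volume.ClearKey $Volume.VmkUnderClearKey) }
    return ,(Unprotect-Bytes $Volume.Secrets[$Protector] $Volume.Protectors[$Protector])
}

function Read-Volume($Volume, [string]$Protector = 'Tpm') {
    $fvek = Unprotect-Bytes (Get-Vmk $Volume $Protector) $Volume.WrappedFvek
    return ,(Unprotect-Bytes $fvek $Volume.Data)
}

# Suspend: the VMK is re-wrapped under a clear key that is stored beside it on the
# disk, so the disk alone is enough to read the data until protection is resumed.
function Suspend-Protection($Volume) {
    $vmk = Get-Vmk $Volume 'Tpm'
    $Volume.ClearKey         = New-RandomBytes 32
    $Volume.VmkUnderClearKey = Protect-Bytes $Volume.ClearKey $vmk
}

# Resume: a fresh VMK re-wraps the unchanged FVEK and is re-sealed under every
# protector, and the clear key is deleted. The bulk data is never re-encrypted.
function Resume-Protection($Volume) {
    $fvek   = Unprotect-Bytes (Get-Vmk $Volume 'Tpm') $Volume.WrappedFvek
    $newVmk = New-RandomBytes 32
    $Volume.WrappedFvek = Protect-Bytes $newVmk $fvek
    foreach ($name in @($Volume.Protectors.Keys)) {
        $Volume.Protectors[$name] = Protect-Bytes $Volume.Secrets[$name] $newVmk
    }
    $Volume.ClearKey         = $null
    $Volume.VmkUnderClearKey = $null
}

# Walk-through with constructed sample contents.
$vol        = New-ProtectedVolume ([Text.Encoding]::UTF8.GetBytes('constructed sample volume contents'))
$dataBefore = [Convert]::ToBase64String($vol.Data)

Suspend-Protection $vol
"Suspended, clear key on disk : " + ($null -ne $vol.ClearKey)
"Readable from the disk alone : " + [Text.Encoding]::UTF8.GetString((Read-Volume $vol))

Resume-Protection $vol
"Clear key removed            : " + ($null -eq $vol.ClearKey)
"Data blob changed by resume  : " + ($dataBefore -ne [Convert]::ToBase64String($vol.Data))
"Readable via recovery secret : " + [Text.Encoding]::UTF8.GetString((Read-Volume $vol 'RecoveryPassword'))
```

The walk-through shows the two points the FAQ makes: while suspended, nothing off the disk is needed to read the data, and resuming re-keys the volume master key without touching the encrypted data itself.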

For more information, see How it works in the BitLocker Drive Encryption technical overview.

The F1–F10 keys have universally mapped scan codes that are available in the preboot environment on all computers and for all languages. The number keys 0 through 9 are not usable in the preboot environment on all keyboards.

If an enhanced PIN is used, users are advised to run the optional system check during BitLocker setup to ensure that the PIN can be entered correctly in the preboot environment. For more information about enhanced PINs, see Understanding BitLocker in the BitLocker Drive Encryption technical overview.

An attacker can discover the PIN by brute force. In a brute-force attack, the attacker uses an automated tool to try PIN combinations until the correct one is found. On BitLocker-protected computers this type of attack, also known as a dictionary attack, requires the attacker to have physical access to the computer.

The TPM has built-in capabilities to detect and counter such attacks. Because TPMs from different manufacturers have different anti-tampering measures, contact the module manufacturer to determine how the TPM on your computer prevents PIN brute force attacks.

Once you have identified the TPM manufacturer, contact them for information about the module's design. Most manufacturers increase the lockout time of the PIN interface exponentially as the number of PIN errors grows. However, each manufacturer has its own rules for decreasing or resetting the error counter.

To determine the TPM manufacturer, see Finding TPM driver information.

Ask your TPM manufacturer the following questions about its dictionary attack mitigation mechanism.

    How many failed access attempts are allowed before lockout?

    What algorithm determines the duration of a lockout, based on the number of failed attempts and other relevant parameters?

    What actions can decrease or reset the failure count or the lockout duration?

Yes and no. You can set a minimum PIN length with the Group Policy setting Configure minimum PIN length for startup and allow alphanumeric PINs by enabling the Group Policy setting Allow enhanced PINs for startup. However, you cannot enforce PIN complexity requirements through Group Policy.

BitLocker To Go is BitLocker Drive Encryption for removable data drives. It can encrypt USB flash drives, SD cards, external hard drives, and other drives formatted with the NTFS, FAT16, FAT32, or exFAT file system.

For more information, including how to authenticate or unlock a removable data drive and how to verify that the BitLocker To Go reader is not installed on FAT-formatted drives, see BitLocker To Go Overview.

If you enable BitLocker on a drive before Group Policy is applied to enforce a backup, the recovery information is not automatically backed up to Active Directory Domain Services when the computer joins the domain or when Group Policy is later applied. However, in Windows 8 you can use the Group Policy settings Select methods for recovering operating system drives protected by BitLocker, Select methods for recovering fixed drives protected by BitLocker, and Select methods for recovering removable drives protected by BitLocker to require the computer to be joined to a domain before BitLocker can be enabled. This ensures that recovery information for the organization's BitLocker-protected drives is backed up to Active Directory Domain Services.

The Windows Management Instrumentation (WMI) interface for BitLocker lets administrators write a script that backs up or synchronizes an online client's existing recovery information, but BitLocker does not manage this process automatically. The Manage-bde command-line tool can also be used to back up recovery information to Active Directory Domain Services manually. For example, to back up all of the recovery information for the C: drive to Active Directory Domain Services, run the following command at an elevated command prompt: manage-bde -protectors -adbackup C:.

Yes, an entry is written to the event log on the client computer indicating whether the Active Directory backup succeeded or failed. However, even if the event log indicates success, the recovery data may be deleted from Active Directory Domain Services. Additionally, the BitLocker configuration may change so that the information in Active Directory is not sufficient to unlock the drive (for example, if the recovery password key protector is removed). It is also possible to falsify a log entry.

To ensure that AD DS has a valid backup, you must query AD DS with domain administrator credentials by using the BitLocker Password Viewer.

No. BitLocker recovery passwords are not removed from Active Directory Domain Services, and therefore multiple passwords may appear for each drive. To determine the latest password, check the date of the object.

If the initial backup fails, such as when a domain controller becomes unavailable during the BitLocker Setup Wizard, BitLocker does not retry backing up recovery data to Active Directory Domain Services.

If the administrator selects the Require BitLocker backup to AD DS check box in the Store BitLocker recovery information in Active Directory Domain Services (Windows 2008 and Windows Vista) policy setting, or (equivalently) selects the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (or for fixed data drives, or for removable data drives) check box in any of the policy settings Select recovery methods for BitLocker-protected operating system drives, Select recovery methods for BitLocker-protected fixed drives, and Select recovery methods for BitLocker-protected removable drives, then users cannot enable BitLocker while the computer is not joined to a domain and the BitLocker recovery data has not been backed up to Active Directory Domain Services. If these options are configured and the backup fails, BitLocker cannot be enabled. This ensures that administrators can recover every BitLocker-protected drive in the organization.

If the administrator clears these check boxes, the drive can be protected by BitLocker without successfully backing up the recovery data to Active Directory Domain Services. However, BitLocker does not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described previously in the question What happens if you enable BitLocker on a computer before joining a domain?, to collect data after the connection is restored.
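The backup script the previous answers describe, written out as an added example (not code from the Microsoft FAQ or from any script it references): it finds every recovery password protector on the computer, optionally adds one where a protected volume has none, pushes each to AD DS with Backup-BitLockerKeyProtector, and reports the result per volume so that a failed backup can be retried later. It assumes the BitLocker PowerShell module (Windows 8 / Windows Server 2012 and later) and an elevated session on a domain-joined computer; the function name is this example's own.

```powershell
# Added example, not code from the Microsoft FAQ or from any script it mentions:
# back up every BitLocker recovery password on this computer to AD DS and report
# the outcome per volume. Assumes the BitLocker PowerShell module (Windows 8 /
# Windows Server 2012 and later), an elevated session on a domain-joined computer,
# and a domain that accepts the backup. The function name is this example's own.

function Backup-RecoveryPasswordsToAdds {
    [CmdletBinding()]
    param(
        # Also create a recovery password protector on protected volumes that
        # have none; without one there is nothing to back up.
        [switch]$AddMissingProtector
    )

    $results = @()
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            $results += [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $null; Status = 'NotProtected' }
            continue
        }

        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0 -and $AddMissingProtector) {
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        if ($rp.Count -eq 0) {
            $results += [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $null; Status = 'NoRecoveryPassword' }
            continue
        }

        foreach ($p in $rp) {
            try {
                # Cmdlet equivalent of "manage-bde -protectors -adbackup <drive> -id <protector id>".
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                $status = 'BackedUp'
            } catch {
                # BitLocker does not retry on its own, so surface the failure for a later run.
                $status = "Failed: $($_.Exception.Message)"
            }
            $results += [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $p.KeyProtectorId; Status = $status }
        }
    }
    return $results
}

# Typical use: run from an elevated prompt once the computer has joined the domain.
# A 'BackedUp' row is not proof the data is still in AD DS; confirm with the
# BitLocker Recovery Password Viewer, as the FAQ recommends.
Backup-RecoveryPasswordsToAdds -AddMissingProtector | Format-Table -AutoSize
```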

BitLocker uses an AES encryption algorithm with a configurable key length (128 or 256 bits). By default, encryption is set to AES-128, but you can configure the settings using Group Policy.

To implement BitLocker on an operating system drive, we recommend a computer with TPM version 1.2 or 2.0 and TCG-compliant BIOS or UEFI firmware and a PIN code. Requiring a user-specified PIN in addition to TPM verification prevents an attacker who gains access to the computer from simply running it.

In its basic configuration (a TPM without additional authentication), BitLocker on operating system drives provides extra protection for hibernation mode. Using BitLocker with an additional authentication factor (TPM and PIN, TPM and USB key, or TPM, PIN and USB key) provides greater protection for hibernation, because returning from hibernation then requires BitLocker authentication. It is recommended that you disable sleep mode and use the TPM and PIN combination for authentication.

Most operating systems use shared memory space and the operating system is responsible for managing the physical memory. A TPM is a hardware component that uses its own firmware and internal logic to process instructions, providing protection against external software vulnerabilities. To hack the TPM, you need physical access to the computer. In addition, hacking hardware security typically requires more expensive tools and skills that are not as common as software hacking tools. Since the TPM on each computer is unique, it would take a lot of time and effort to hack multiple computers with TPMs.

All versions of BitLocker included in the operating system have obtained Federal Information Processing Standards (FIPS) certification and Common Criteria EAL4+ certification. These certifications were also completed for Windows 8 and Windows Server 2012 and are in progress for Windows 8.1 and Windows Server 2012 R2.

BitLocker Network Unlock makes it easier to manage BitLocker-protected computers and servers that use TPM+PIN in a domain environment. When a computer connected to the wired corporate network is restarted, Network Unlock lets it skip the PIN prompt: BitLocker-protected operating system volumes are unlocked automatically with a trusted key supplied by the Windows Deployment Services server as an additional authentication method.

To use Network Unlock, you must also configure a PIN for the computer. When the computer is not connected to the network, the PIN must be entered to unlock it.

BitLocker Network Unlock has software and hardware requirements for client computers, Windows Deployment Services, and domain controllers that must be met before it can be used. For more information about these requirements, see How BitLocker Drive Encryption Works in the BitLocker Drive Encryption technical overview.

Network Unlock uses two protectors: a TPM protector and a protector provided either by the network or by the PIN, whereas automatic unlock uses a single protector stored in the TPM. If a computer is joined to the network without the key protector, it prompts for the PIN. If the PIN is not available, a recovery key is needed to unlock a computer that cannot be connected to the network. For more information about automatic unlock and Network Unlock, see How BitLocker Drive Encryption Works in the BitLocker Drive Encryption technical overview.

Yes, Encrypting File System (EFS) can be used to encrypt files on a BitLocker-protected drive. For more information, see How it works in the BitLocker Drive Encryption technical overview.

Yes. In this case, the debugger must be enabled before BitLocker is enabled. Enabling the debugger ahead of time ensures that the sealing status in the TPM is calculated correctly, allowing the computer to start up correctly. If you need to turn debugging on or off while using BitLocker, first pause BitLocker to prevent the computer from entering recovery mode.

BitLocker includes a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.

BitLocker does not support smart cards for pre-boot authentication. There is no industry standard for smart card firmware support, and most computers do not have firmware support for smart cards or only support certain types of smart cards and readers. The lack of standardization makes it too difficult to support smart cards.

Microsoft does not support third-party TPM drivers and strongly discourages their use with BitLocker. Using a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that the TPM is not present on the computer, and you will not be able to use the module with BitLocker.

For security, reliability, and supportability reasons, we do not recommend modifying the master boot record (MBR) on computers that have BitLocker-protected operating system drives. Changing the MBR can alter the security environment and prevent the computer from starting normally, and it can make repairing a damaged MBR more difficult. MBR changes made outside Windows can put the computer into recovery mode or make it impossible to boot.

A system check verifies that your computer's firmware (BIOS or UEFI) is compatible with BitLocker and that the TPM is working correctly. The system check may fail for the following reasons.

    Your computer's firmware (BIOS or UEFI) does not support reading USB flash memory devices.

    The computer's firmware (BIOS or UEFI) or boot menu does not enable reading from USB flash memory devices.

    There are several USB flash drives inserted into the computer.

    The PIN code was entered incorrectly.

    Your computer's firmware (BIOS or UEFI) only supports function keys (F1–F10) for entering numbers in the preboot environment.

    The startup key was removed while the computer had not yet completed rebooting.

    Due to a faulty TPM, the keys could not be provided.

Some computers do not support reading USB flash drives in the preboot environment. First, check your BIOS or UEFI firmware and boot options to ensure that USB storage is enabled. Enable the use of USB storage in the BIOS or UEFI if it is not enabled, and read the recovery key from the USB flash drive again. If you still cannot read the key, you will need to connect the hard drive as a data drive to another computer running the operating system to read the recovery key from the USB flash drive. If the USB flash drive is damaged, you may need to enter a recovery password or use recovery data that is backed up in Active Directory Domain Services. Also, if the recovery key is used in a pre-boot environment, make sure the drive is an NTFS, FAT16, or FAT32 file system.

To automatically unlock fixed data drives, the operating system drive must also be protected by BitLocker. If you are using a computer where the operating system drive is not protected by BitLocker, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in File Explorer and selecting Manage BitLocker. This removable drive can be unlocked on other computers by entering the password or smart card credentials that you specified when you enabled BitLocker.

In Safe Mode, limited BitLocker functionality is available. BitLocker-protected drives can be unlocked and decrypted using the BitLocker Drive Encryption control panel item. In Safe Mode, you can't right-click the drive to open BitLocker options.

The Manage-bde command-line tool can lock removable and fixed data drives with the -lock command.

Command syntax:

manage-bde -lock <drive letter>

In addition to using this command, data drives are locked during shutdown or reboot of the operating system. A removable data drive that is removed from the computer is also automatically locked.

Yes, but shadow copies created before BitLocker was enabled are automatically deleted when BitLocker is enabled on software-encrypted drives. If a hardware-encrypted drive is used, the shadow copies are preserved.

BitLocker is not supported for boot VHDs, but is supported for VHD data volumes, such as those used in clusters, when running on Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2012 R2.


Windows 10 and earlier versions of Windows provide drive encryption using BitLocker technology. You only need to configure it once, and you can be sure that no one will gain access to your files or be able to run your programs, even if they gain physical access to the drive of your laptop or computer.

How do I enable BitLocker encryption? First of all, you need to activate the security policy:

1. Press Win+R and run the command gpedit.msc.
2. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
3. Double-click “Require additional authentication at startup” and select the “Enabled” option.

Now you can proceed directly to encryption:

1. Open File Explorer > This PC and select the drive you want to encrypt.
2. Right-click the drive icon and select Turn on BitLocker.
3. A dialog box opens with options for accessing the encrypted data. Follow its instructions and restart your computer. The drive will be encrypted. The encryption process can be lengthy; its duration depends on the amount of data being encrypted.

During the encryption setup process, you will need to create a key or password to decrypt the data. The password must use mixed-case letters and numbers. When the drive is installed in your computer, data is encrypted and decrypted automatically, but if you remove the encrypted drive from it and connect it to another device, you will need a key to access the files.

The key recovery data can be stored on a flash drive, in a Microsoft account, in a text file, or on a printed sheet of paper. Keep in mind that this is not the key itself, but only information that will help you recover it. The key can only be obtained after entering the login and password for your Microsoft account, which makes it more difficult to crack the encryption.

If you encrypted the system logical drive, you will have to enter the password during a cold start of the device or after it reboots.

Yes, BitLocker and TPM deployment and configuration can be automated using WMI or Windows PowerShell scripts. The way the scripts are implemented depends on the environment. You can configure BitLocker locally or remotely using Manage-bde.exe. For more information about writing scripts that use BitLocker WMI providers, see BitLocker Drive Encryption Provider. To learn more about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see this article.
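The procedure described above (turn on BitLocker, set an unlock password, back up the recovery key) scripted with the BitLocker PowerShell cmdlets mentioned in this answer. This is an added example, not code from the article: the data drive D: and the backup folder C:\BitLockerBackup are placeholders, and it assumes an elevated session on Windows 10 Pro or Enterprise.

```powershell
# Added example: script the GUI encryption steps for a fixed data drive.
# Placeholders: drive D: and the backup folder. Run from an elevated PowerShell.
param(
    [string]$MountPoint   = 'D:',
    [string]$BackupFolder = 'C:\BitLockerBackup'   # must not be on the drive being encrypted
)

# 1. The unlock password the user will type (mixed-case letters and digits, per the article).
$password = Read-Host -Prompt "Unlock password for $MountPoint" -AsSecureString

# 2. Start encryption: XTS-AES 256, used-space-only so a fresh drive finishes quickly.
#    Data written afterwards is encrypted as it is saved.
Enable-BitLocker -MountPoint $MountPoint `
                 -EncryptionMethod XtsAes256 `
                 -UsedSpaceOnly `
                 -PasswordProtector -Password $password

# 3. Add a 48-digit recovery password as a second protector, so a forgotten
#    unlock password does not mean the data is lost.
$volume   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

# 4. Store the recovery password off the encrypted drive (the article's "text file" option).
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
$file = Join-Path $BackupFolder ("BitLocker-{0}-{1}.txt" -f $MountPoint.TrimEnd(':'),
                                  $recovery.KeyProtectorId.Trim('{}'))
@(
    "BitLocker recovery password for $MountPoint on $env:COMPUTERNAME"
    "Key protector ID : $($recovery.KeyProtectorId)"
    "Recovery password: $($recovery.RecoveryPassword)"
) | Set-Content -Path $file

# On a domain-joined machine whose policy allows it, escrow the same protector to AD DS:
# Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# 5. Show progress. Encryption continues in the background and resumes after a reboot.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```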

Can BitLocker encrypt drives other than the operating system drive?

How much does performance decrease when you enable BitLocker on your computer?

Typically the performance loss is up to ten percent.

How long does initial encryption take after enabling BitLocker?

Although BitLocker encryption occurs in the background while you continue to work and the system remains available, the encryption time depends on the drive type, size, and speed. It is recommended to schedule encryption of very large disks for times when they are not in use.

When you enable BitLocker, you can also choose whether to encrypt the entire drive or just the used space. On a new hard drive, encrypting only the used space is much faster than encrypting the entire drive. Once you select this encryption option, BitLocker automatically encrypts your data when it is saved. This method ensures that no data is stored without encryption.

What happens if you turn off your computer during encryption or decryption?

If your computer shuts down or goes into hibernation mode, the next time you start Windows, the BitLocker encryption and decryption process resumes where it left off. The same happens in the event of a power failure.

Does BitLocker encrypt and decrypt the entire drive when reading and writing data?

No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. Sectors encrypted on a BitLocker-protected drive are decrypted only when requested by system read operations. Blocks that are written to disk are encrypted before the system writes them to the physical disk. On a BitLocker-protected drive, data is never left unencrypted.

How can I prevent online users from saving data on an unencrypted drive?

You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more information, see BitLocker Group Policy Settings. If the appropriate policy settings are enabled, a BitLocker-protected operating system mounts data drives that are not BitLocker-protected in read-only mode.

What is Used Disk Space Only encryption?

BitLocker on Windows 10 allows users to choose to encrypt only the space that currently holds data. Although this is not the most secure way to encrypt a disk, this option can reduce encryption time by more than 99 percent, depending on how much data needs to be encrypted. For more information, see Used Disk Space Only encryption.

What system changes cause an error to appear when checking the integrity of the operating system disk?

The following types of system changes can cause an integrity check failure, in which case the TPM does not release the BitLocker key to decrypt the protected operating system drive:

  • Moving a BitLocker-protected drive to a new computer.
  • Installing a new motherboard with a new TPM.
  • Disabling, deactivating, or clearing the TPM.
  • Changing any boot configuration settings.
  • Modifying BIOS or UEFI firmware, the master boot record (MBR), boot sector, boot manager, option ROMs, or other early boot components or boot configuration data.

When does BitLocker start in recovery mode when trying to start the operating system drive?

Because BitLocker is designed to protect your computer from numerous attacks, there are many reasons why BitLocker might start in recovery mode. Examples include:

  • Changing the BIOS boot order so that another device comes before the hard drive.
  • Adding or removing hardware, such as inserting a new card into your computer, including some wireless PCMCIA cards.
  • Removing, inserting, or completely draining the Smart Battery in a laptop computer.

In BitLocker, recovery consists of decrypting a copy of the volume master key using either the recovery key stored on a USB drive or a cryptographic key derived from the recovery password. The TPM is not involved in any recovery scenario. This means that recovery is possible even if the TPM's check of the boot components fails, or if the TPM itself fails or is removed.

What prevents BitLocker from binding to PCR 7?

This occurs if a non-Windows operating system was booted before Windows, or if Secure Boot is not available on the device because it is disabled or the hardware does not support it.
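A diagnostic for the two preceding answers: which PCRs the TPM protector of the operating system drive is sealed to (PCR 7 with Secure Boot, or the legacy profile that breaks on firmware and boot-loader changes) and whether Secure Boot is on. This is an added example, not code from the article; it uses the BitLocker WMI provider (Win32_EncryptableVolume) and assumes an elevated session on UEFI hardware, with the drive letter as a placeholder.

```powershell
# Added example: report the TPM protector's PCR validation profile and Secure Boot state.
# Assumes Windows 10, an elevated session, and the BitLocker WMI provider; C: is a placeholder.
function Get-BitLockerPcrBinding {
    param([string]$MountPoint = 'C:')

    $vol = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                           -ClassName Win32_EncryptableVolume `
                           -Filter "DriveLetter = '$MountPoint'"
    if (-not $vol) { throw "No encryptable volume found for $MountPoint" }

    # Protector types that involve the TPM: 1 = TPM, 4 = TPM+PIN, 5 = TPM+startup key, 6 = TPM+PIN+key.
    $pcrs = @()
    foreach ($type in 1, 4, 5, 6) {
        $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                    -Arguments @{ KeyProtectorType = [uint32]$type }).VolumeKeyProtectorID
        foreach ($id in $ids) {
            $r = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
                    -Arguments @{ VolumeKeyProtectorID = $id }
            $pcrs += $r.PlatformValidationProfile      # byte array of PCR indices
        }
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "off".
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    $boundToPcr7 = $pcrs -contains 7
    if ($pcrs.Count -eq 0) {
        $note = 'No TPM protector: the OS drive is unlocked by password, key or recovery only'
    } elseif (-not $boundToPcr7) {
        $note = 'Legacy PCR profile (e.g. 0,2,4,11): firmware or boot-loader changes trigger recovery'
    } elseif (-not $secureBoot) {
        $note = 'Bound to PCR 7 but Secure Boot is off: expect recovery mode at next boot'
    } else {
        $note = 'OK: Secure Boot policy (PCR 7) is what the TPM measures'
    }

    [pscustomobject]@{
        MountPoint   = $MountPoint
        PcrProfile   = ($pcrs | Sort-Object -Unique) -join ','
        BoundToPcr7  = $boundToPcr7
        SecureBootOn = $secureBoot
        Note         = $note
    }
}

Get-BitLockerPcrBinding -MountPoint 'C:' | Format-List
```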

Can I change hard drives on a computer if its operating system drive has BitLocker encryption enabled?

Yes, operating system drives can be swapped on the same computer as long as BitLocker protection was enabled on them on that same computer. BitLocker keys are unique to the TPM and the operating system drive, so to prepare a backup operating system drive or data drive in case of disk failure, make sure it was matched with the same TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each drive with a different authentication method (for example, one drive with TPM only and another with TPM and PIN) without causing conflicts.

Can I access a BitLocker-protected hard drive if I install it on another computer?

Yes, if it is a data drive, it can be unlocked as usual by selecting BitLocker Drive Encryption in Control Panel (using a password or smart card). If the data drive was configured for auto-unlock only, you will have to use the recovery key to unlock it. An encrypted operating system drive can be unlocked by a data recovery agent (if one was configured) or by using the recovery key.

Why is the "Enable BitLocker" command unavailable when I right-click the drive?

Some drives cannot be encrypted using BitLocker. This happens for several reasons. For example, the disk size may be too small, the file system may be incompatible, the disk may be dynamic or designated as a system partition. By default, the system disk (or system partition) is not displayed. But if the disk (or partition) was not hidden during a custom installation of the operating system, it can be displayed, but not encrypted.

What types of drive configurations are supported by BitLocker?

BitLocker protection is possible for any number of internal fixed drives. Some versions support direct-attached ATA and SATA storage devices.


If you store confidential information on your computer, then encrypting your system hard drive will be an excellent option to ensure the safety of your data.

In this article we will tell you how to encrypt your computer's system drive using the most popular encryption tool from Microsoft, the BitLocker utility, which comes with all professional versions of Windows.

What is BitLocker and where to download it

Since the release of Windows Vista, Microsoft has offered a new data protection feature called BitLocker Drive Encryption. Windows 7 introduced BitLocker To Go, encryption for portable storage devices such as flash drives and SD cards.

There is no need to download and install BitLocker: it is already built into the operating system and is only available in Windows 10 Pro and Enterprise. You can see which edition of Windows is installed on your computer in Control Panel under System. If you have Windows 10 Home installed, which does not support BitLocker, we recommend that you pay attention to a program such as.

Why Microsoft doesn't make this feature publicly available is an open question, given that data encryption is one of the most effective ways to keep it secure.

What is encryption

Encryption is a way to enhance the security of your data by ensuring that its contents can only be read by the owner of the appropriate encryption key. Windows 10 includes various encryption technologies. For example, EFS file system encryption and BitLocker Drive Encryption, which we will talk about in this article.

What you need to know and do before using BitLocker

  • Encrypting your hard drive may take a long time. Before you begin, we recommend that you back up your data, as an unexpected power outage during the encryption process may damage it.
  • The Windows 10 November update includes a more secure encryption standard. Please note that the new encryption standard will only be compatible with Windows 10 November Update systems.
  • If your computer does not have a Trusted Platform Module (TPM), a chip that gives your computer additional security features such as BitLocker drive encryption, you may receive a TPM error message when you try to enable encryption: "This device cannot use the Trusted Platform Module (TPM)"

To resolve this issue, use the EnableNoTPM.reg.zip file. Download, unzip and run this file, this will make the necessary changes to the registry to allow encryption without TPM.

How to Encrypt a Drive Using BitLocker

Enable BitLocker Drive Encryption in Windows 10. Click Start -> File Explorer -> This PC. Then right-click the Windows system drive (usually drive C) and select from the drop-down menu .

Create a strong password to unlock your hard drive. Every time you turn on your computer, Windows will ask you for this password to decrypt your data.

Choose how you want to back up the recovery key. You can save it to your Microsoft account, copy it to a USB drive, or print it.

Saved?! Now you need to specify which part of the disk you want to encrypt.

You will have two options:

  • If you are encrypting a new drive or a new PC, you only need to encrypt the part of the drive that is currently in use. BitLocker will then automatically encrypt data as it is added.
  • If you enable BitLocker on a PC or drive you're already using, we recommend encrypting the entire drive. This will ensure that all data is protected.

For us, the second option is preferable. Please note that encryption will take some time, especially if you have a large drive. Make sure your computer is connected to an uninterruptible power supply in case of power outages.

If you have the November Windows 10 updates installed, then you have access to the more secure XTS-AES encryption mode. Choose this option whenever possible.

When you are ready to start encryption, click the button "Continue"

Restart your computer when prompted.