Encryption: Windows OS Bitlocker Drive Encryption

This document describes how to encrypt a drive on a Windows OS. It applies to HP desktops, Dell desktops, and Dell laptops; the process might vary with other models.

Encryption on Windows OS

What is BitLocker?

BitLocker is Microsoft's easy-to-use, proprietary encryption program for Windows that can encrypt your entire drive. Together with the TPM, it can also help protect against unauthorized changes to your system such as firmware-level malware.

BitLocker is available to anyone who has a machine running Windows 8.1 Pro, Windows 8.1 Enterprise, Windows 10 Pro, Windows 10 Enterprise, Windows 11 Pro, or Windows 11 Enterprise. Here at USU, if you are running an OS older than Windows 8 you need to upgrade to Windows 10 or 11; older systems are no longer supported by Microsoft or USU.

What is TPM?

A TPM (Trusted Platform Module) is a special chip that runs an authentication check on your hardware, software, and firmware. If the TPM detects an unauthorized change, your PC will boot in a restricted mode to deter potential attackers.

TPM is enabled by default on new machines designed for Windows 10 or 11. If your machine is one of these, skip ahead to "Turn On BitLocker"; otherwise, enable the TPM as described below.

Turning on TPM on older hardware

To run BitLocker you'll need a Windows PC running one of the OS versions mentioned above, plus a storage drive with at least two partitions and a Trusted Platform Module (TPM).

HP Machines

  1. Reboot or boot the machine. During bootup, press F10 to enter the BIOS.
  2. Go to the Security tab and select "Device Security".
  3. Set "Embedded Security Device" to Available.
  4. Save and exit.

Dell Machines

Enable the TPM Security Feature in the System Setup

To enable TPM security features in the System Setup (BIOS), perform the following steps:

  1. Reboot the system.
  2. When the message "Press <F2> to enter Setup" appears, press the <F2> key.
  3. When the System Setup appears, navigate to the Security group using the Down arrow key.
  4. Press the <+> key to expand the group.
  5. Verify that TPM Security is listed under Security.
  6. Check the TPM checkbox and click "Apply".
  7. Leave the defaults, move the button from "Deactivate" to "Activate", click "Apply" again, and exit.
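Before moving on to BitLocker it is worth confirming from Windows that the TPM you just enabled in the BIOS is actually visible and ready. The following PowerShell is an added example, not part of the original article; it assumes an elevated PowerShell session on Windows 10 or 11 and uses only the built-in Get-Tpm cmdlet and the Win32_Tpm WMI class. The verdict strings are this example's own wording.

```powershell
# Added example, not part of the original article: confirm from Windows that the
# TPM enabled in the BIOS is present and ready before turning on BitLocker.
# Assumes an elevated PowerShell session on Windows 10 or 11 (Get-Tpm ships with
# Windows in the TrustedPlatformModule module).
#Requires -RunAsAdministrator

function Test-TpmReadyForBitLocker {
    $tpm = Get-Tpm

    # The TPM WMI class exposes the spec version ("2.0, ..." or "1.2, ..."),
    # which Get-Tpm does not report directly.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi) { $wmi.SpecVersion } else { 'unknown' }

    # Verdict wording is this example's own, not a Windows message.
    $verdict = if ($tpm.TpmPresent -and $tpm.TpmReady) {
        'OK: the TPM is present and ready; continue with "Turn On BitLocker".'
    } elseif ($tpm.TpmPresent) {
        'TPM present but not ready: let the BitLocker wizard initialize it, or run Initialize-Tpm.'
    } else {
        'No TPM detected: enable it in the BIOS (HP: Embedded Security Device; Dell: TPM Security).'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        TpmEnabled   = $tpm.TpmEnabled
        SpecVersion  = $spec
        Verdict      = $verdict
    }
}

Test-TpmReadyForBitLocker | Format-List
```

If TpmPresent is false after the BIOS change, recheck the BIOS setting before going any further; BitLocker's wizard cannot enable a TPM that the firmware has not exposed.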

Turn On BitLocker

When the computer boots up, log in with a domain account that has admin rights over the computer's OU, such as an Admin.Firstname account (for example Admin.Connor or Admin.Justin). A built-in local admin account may not have sufficient permissions.

If your computer meets the Windows version and TPM requirements, the process for enabling BitLocker is as follows:

  1. Click Start, click Control Panel, click System and Security (if the control panel items are listed by category), and then click BitLocker Drive Encryption.
  2. Click Turn on BitLocker.
  3. A window will load; click "Next" to turn on the TPM.
  4. The system will ask for a reboot. Remove all CDs, DVDs, and USB drives first.
  5. Upon restarting the computer, follow the instructions in the message to continue initializing the TPM (the message varies depending on the computer manufacturer).
  6. If your computer shuts down again, turn it back on.
  7. After the TPM is initialized, click "Next" to start encrypting.
  8. Choose how you want to unlock the drive. A PIN is recommended for all laptops and mobile PCs; if you choose a PIN, you will need to enter it each time you start the computer. For desktops you can choose "Let BitLocker automatically unlock the drive", which does not require a PIN.
  9. Next you will be prompted to save the recovery key to a flash drive, to a file, or to print it. Save the recovery key to a file on a USB stick temporarily, then remove the USB stick once the file has been saved. Upload the file to a secure location (not on the PC) for retrieval later if needed. We suggest naming the file with the computer name and the location of the PC, for example: DPPERS-5T43JK1 (Bryce Nelson Room 108).
     Keep in mind that the recovery keys are also sent to ADUC. Not everyone has access to everyone else's OUs, so saving the file is still necessary, and frankly quicker.
  10. Next, make sure the "Run BitLocker system check" box is checked, then click Continue.
  11. After the reboot, the PC will begin encrypting.
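The same procedure can be scripted for technicians imaging several machines. The block below is an added example and not the article's or Microsoft's own script; it assumes an elevated PowerShell session, a TPM that is already ready, the OS on C:, and a USB stick at the folder you pass in. It uses the built-in BitLocker cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector, Enable-BitLocker). The function name Enable-UsuBitLocker, the laptop-vs-desktop heuristic (presence of a battery), and the file layout are this example's own choices. It keeps the article's ordering: recovery password created and escrowed to AD first, then the TPM protector, and the system check left enabled so encryption only starts after the reboot.

```powershell
# Added example, not part of the original article: the "Turn On BitLocker" steps as
# a script. Assumes an elevated PowerShell session, a ready TPM, and the OS on C:.
# The recovery-key file name follows the article's convention (computer name plus the
# room/location you pass in). Laptop-vs-desktop is guessed from the presence of a
# battery (an assumption); use -UseTpmAndPin to force the PIN behaviour.
#Requires -RunAsAdministrator

function Enable-UsuBitLocker {
    param(
        [Parameter(Mandatory)] [string] $Location,       # e.g. "Bryce Nelson Room 108"
        [Parameter(Mandatory)] [string] $KeyFileFolder,  # e.g. "E:\" (temporary USB stick)
        [string] $MountPoint = 'C:',
        [switch] $UseTpmAndPin                           # force the laptop behaviour
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already $($vol.VolumeStatus); nothing to do."
    }

    # Step 8: laptops/mobile PCs get TPM+PIN, desktops get TPM-only automatic unlock.
    $isMobile = $UseTpmAndPin -or [bool](Get-CimInstance Win32_Battery)

    # Step 9: create the recovery password first so it exists before the first reboot.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # Save the 48-digit recovery password to the USB stick, named as the article suggests.
    $file = Join-Path $KeyFileFolder ("{0} ({1}).txt" -f $env:COMPUTERNAME, $Location)
    @(
        "Computer:          $env:COMPUTERNAME"
        "Location:          $Location"
        "Key Protector ID:  $($rp.KeyProtectorId)"
        "Recovery Password: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $file

    # Escrow the recovery password to Active Directory (what the article calls ADUC).
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # Steps 3-7 and 10: add the TPM protector. -SkipHardwareTest is deliberately NOT
    # used, so BitLocker runs the system check on the next reboot and only then encrypts.
    if ($isMobile) {
        $pin = Read-Host -Prompt 'Enter the BitLocker startup PIN' -AsSecureString
        Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    } else {
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector | Out-Null
    }

    [pscustomobject]@{
        MountPoint   = $MountPoint
        Unlock       = if ($isMobile) { 'TPM + PIN' } else { 'TPM (automatic unlock)' }
        KeyFile      = $file
        ProtectorIds = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorId
    }
}

# Usage (then remove the USB stick, copy the file to the secure location, and reboot):
# Enable-UsuBitLocker -Location 'Bryce Nelson Room 108' -KeyFileFolder 'E:\'
```

After the reboot, Get-BitLockerVolume -MountPoint C: should show VolumeStatus moving from EncryptionInProgress to FullyEncrypted and ProtectionStatus On; if the system check fails, the TPM protector is not applied and the wizard's "Turn on BitLocker" path above will report the reason.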

Hardware Changes with BitLocker

If a hardware change is going to be made on a computer, such as a fan replacement, graphics card replacement, or memory addition, BitLocker must be suspended first. Otherwise you will be prompted for the recovery key every time you reboot.

Suspend BitLocker protection

  1. Click Start, click Control Panel, click System and Security (if the control panel items are listed by category), and then click BitLocker Drive Encryption.
  2. Click Suspend Protection. If the recovery key prompt appears by accident, suspend protection and then resume it so that the TPM can see the new changes.

Resume BitLocker protection

  1. Click Start, click Control Panel, click System and Security (if the control panel items are listed by category), and then click BitLocker Drive Encryption.
  2. Click Resume Protection.
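The suspend and resume steps, and the suspend-then-resume trick for an accidental recovery prompt, map directly onto the built-in Suspend-BitLocker and Resume-BitLocker cmdlets. The block below is an added example, not the article's own; it assumes an elevated PowerShell session and the OS on C:. The three wrapper function names are this example's own.

```powershell
# Added example, not part of the original article: suspend BitLocker before a hardware
# change and resume it afterwards, or do both back to back to re-seal the TPM after an
# accidental recovery-key prompt. Assumes an elevated PowerShell session and the OS on C:.
#Requires -RunAsAdministrator

function Suspend-BitLockerForHardwareChange {
    param([string] $MountPoint = 'C:', [int] $RebootCount = 1)
    # RebootCount 1 = protection resumes by itself after the next reboot;
    # 0 = stays suspended until Resume-BitLocker is run (use 0 if the repair
    # needs several boots, e.g. a BIOS update followed by a part swap).
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # expect Off
}

function Resume-BitLockerAfterHardwareChange {
    param([string] $MountPoint = 'C:')
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # expect On
}

function Reset-BitLockerTpmSeal {
    # Suspend then resume so the TPM re-measures the current boot configuration;
    # this is what step 2 under "Suspend BitLocker protection" describes.
    param([string] $MountPoint = 'C:')
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    Resume-BitLocker  -MountPoint $MountPoint | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

# Usage:
# Suspend-BitLockerForHardwareChange      # then shut down, swap the fan/GPU/RAM, boot
# Resume-BitLockerAfterHardwareChange     # only needed if -RebootCount 0 was used
# Reset-BitLockerTpmSeal                  # after an unexpected recovery-key prompt
```

While protection is suspended the drive stays encrypted but the volume key is exposed in the clear, so keep the suspended window short and check that ProtectionStatus reads On again before handing the machine back.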

Other BitLocker Need to Know

If a computer's motherboard dies and is replaced, a re-image is necessary because the TPM chip was replaced along with it.

If an encrypted drive needs to be slaved to another computer to extract data, the recovery key is necessary and will need to be entered in order to unlock the drive.

On newer machines that have UEFI BIOS, TPM 1.2 is used. If a machine is used in legacy mode, TPM 1.1 will work; legacy mode will not work with TPM 1.2.
