How to Configure BitLocker Drive Encryption – Part 1
Being working in IT field and supporting premium customer there are situations when we have very confidential Data which should not in wrong hand else your entire business will be jeopardize. In order to secure your data in the event of your computer being lost or stolen, one of the best method you can think of will be BitLocker Drive Encryption.
CAUTION: Always take back up of your data before proceeding to any new experiment with your computer.
- You must have administrative rights before proceeding.
- Windows 7 Ultimate.
- TPM [Trusted Platform Module], hardware module must be embedded in the computer.
In-depth information and troubleshooting regarding BitLocker, you may visit official blog site of Microsoft at BitLocker Drive Encryption Team Blog.
I do hope by the time we start and you go through the document, you may have taken the complete backup of your data if you are already working on Windows 7 ultimate version.
Verify Windows 7 Ultimate is installed [msinfo32 command will show you the description] and TPM is enabled from BIOS.
For those who is starting a fresh, you should first disable TPM [Trusted Platform Module] and install Windows 7 Ultimate and then Enable TPM back from the BIOS.
You can find TPM in BIOS generally in Advance option, it varies for different hardware vendor.
Also make it sure that your USB/Flash drive should not be the first device of boot once TPM is enabled in BIOS.
Login to the Windows either as an administrator or a user with administrative rights.
Go to: Start -> Control Panel -> BitLocker Encryption
Find the hard drive on which you want to Encrypt and Select “Turn BitLocker On”.
If you get an error as “A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found. ”
It means either TPM is not present on your computer, or it’s not enabled from BIOS or your computer has FLASH/USB disk as a first Boot Device.
If this is the case then please enable TPM from BIOS and select HDD as your first Boot device.
You have correct the previous error if any then on clicking back again to “Turn On BitLocker” on your selected device will give you the second screen.
Click on “Continue” it should give you 3 (three) option for saving Key, 1st in USB/Flash drive , 2nd Print and 3rd to a different location on the network.
I would personally suggest Check “Run BitLocker system check ” as this will guarantee things will work fine after you are done with the configuration otherwise you may face error after complete configuration.
Once done and click on Next , and then it will ask permission for reboot . Once rebooted and after login it will start Encryption automatically. Make it sure that the USB/Flash drive is inserted in the machine.
However there are chance that you might get and error :-
In the case of you receive error when you start with Checked “Run BitLocker system check” which happens because of TPM not allowing the BitLocker Access Control which can be allowed through group policy.
- Goto : Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components ->BitLocker Drive Encryption -> Operating System Drives
- Select Edit for the policy “Configure TPM platform validation profile” ,enable it and
- Under Options Disable all PCR by unchecking all Except PCR 11
- Start–>CMD with administrative privilge
- GPUpdate /force
Restart the computer to start TPM configuration from Start.
Encryption process may take few to many hours depending upon the size of the drive however you may continue working as the encryption will be continued in background.
All document mention not to reboot or shutdown the computer however at some occasion I found that on reboot it starts encryption again from where it had left.
How to Configure the machine policy to require a pre boot PIN + TPM .
Since TPM safe guard by encrypting the entire drive and saving the key on the hardware , you may need to put a pre-boot PIN with TPM to put an additional security which can be achieved in following steps.
Goto: Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives and right click the option “Require additional authentication at startup” and select “Edit”.
Select “Enabled” and then select “Require startup PIN with TPM” under the “Configure TPM startup PIN:” dropdown. Click “Apply, “OK”
To configure the pin we need to use the manage-bde.exe tool [In-built in Windows 7]. Open Command prompt with administrative privilege and run the following command :
manage-bde -protectors -add %systemdrive% -tpmandpin
Enter your desired PIN twice. And reboot your computer and test the PIN.
Note : Since we have directly tried encryption on the Boot drive now if you want to Encrypt another drive and it gives you an error try to change the above policy from "Require additional authentication at startup" to "Allow additional authentication at startup" and check
Hope you enjoyed as much as I in doing the configuration.