bitlocker drive encryption step-by-step
TRANSCRIPT
-
8/10/2019 BitLocker Drive Encryption Step-By-Step
1/18
Page 1of 18 11/4/2013
BitLocker Drive Encryption Step-by-Step Guide
Introduction
This step-by-step guide provides the instructions that you need to set up Windows BitLockerDrive Encryption in a test lab environment. We recommend that you do not use this guide in aproduction environment. Step-by-step guides are not necessarily meant to be used to deploy
Windows Server 2008 operating system features without additional documentation (as listed in
theAdditional Resourcessection) and should be used with discretion as a stand-alone document.
BitLocker is a data protection feature available in the Windows Vista Enterprise andWindows Vista Ultimate operating systems for client computers and in the Windows
Server 2008 operating system. BitLocker provides enhanced protection against data theft or
exposure on computers that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned.
Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a
software attack tool against it or by transferring the computers hard disk to a different computer.BitLocker helps mitigate unauthorized data access on lost or stolen computers by combining two
major data-protection procedures:
Encrypting the entire Windows operating system volume and data volumes on the
hard disk.BitLocker encrypts all user files and system files in the operating systemvolume, including the swap and hibernation files, and can also encrypt data volumes.
Checking the integrity of early boot components and boot configuration data.Oncomputers that have a Trusted Platform Module (TPM) version 1.2, BitLocker leverages
the enhanced security capabilities of the TPM to help ensure that your data is accessible
only if the computers boot components appear unaltered and the encrypted disk islocated in the original computer.
BitLocker is tightly integrated into Windows Vista and Windows Server 2008 and provides
enterprises with enhanced data protection that is easy to manage and configure. For example,
BitLocker can use an existing Active Directory Domain Services (AD DS) infrastructure to
remotely store BitLocker recovery keys. BitLocker also provides a recovery console that enables
data retrieval for non-domain-joined computers or computers that are unable to connect to thedomain (for example, computers in the field).
This guide is intended for the following audiences:
IT planners and analysts who are evaluating the product
http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_addreshttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_addreshttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_addreshttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_addres -
8/10/2019 BitLocker Drive Encryption Step-By-Step
2/18
BitLocker Drive Encryption Step-by-Step Guide
Page 2of 18 11/4/2013
Security architects
The purpose of this guide is to help administrators become familiar with the BitLocker DriveEncryption feature of Windows Server 2008. The sections below provide basic information and
procedures that administrators need to start configuring and deploying BitLocker within theirnetworks.
Scenario 1 provides instructions for creating the two partitions required for BitLocker Drive
Encryption. Scenario 2 describes how to install BitLocker on a server. Scenario 3 explains how
to encrypt a hard disk by using BitLocker and a TPM. Scenario 4 describes using BitLocker to
encrypt data volumes on a server. Scenario 5 describes using BitLocker on a computer without aTPM. Scenario 6 describes how to access encrypted data after lockdown, and how to test
BitLocker by generating a lockdown. Scenario 7 guides you through turning off BitLocker.
-
8/10/2019 BitLocker Drive Encryption Step-By-Step
3/18
BitLocker Drive Encryption Step-by-Step Guide
Page 3of 18 11/4/2013
Online References
Requirements for BitLocker Drive Encryption
Scenario 1: Partitioning a Hard Disk for BitLocker Drive Encryption
Scenario 2: Installing BitLocker Drive Encryption
Scenario 3: Turning on basic BitLocker Drive Encryption
Scenario 4: Turning on BitLocker Drive Encryption for Server Data Volumes
Scenario 5: Turning on BitLocker Drive Encryption on a computer without a compatible
TPM
Scenario 6: Recovering Data Protected by BitLocker Drive Encryption
Scenario 7: Turning off BitLocker Drive Encryption
Additional Resources
http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_requirehttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_requirehttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S1http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S1http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S2http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S2http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S3http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S3http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S4http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S4http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S6http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S6http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S7http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S7http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_addreshttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_addreshttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_addreshttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S7http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S6http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S4http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S3http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S2http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S1http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_require -
8/10/2019 BitLocker Drive Encryption Step-By-Step
4/18
BitLocker Drive Encryption Step-by-Step Guide
Page 4of 18 11/4/2013
Hardware and software requirements
A computer that meets the minimum requirements for Windows Server 2008.
A TPM version 1.2, turned on. (Scenarios 3 and 4).
A Trusted Computing Group (TCG)-compliant BIOS (Scenarios 3 and 4).
Two NTFS disk partitions, one for the system volume and one for the operating system
volume. The system volume partition must be at least 1.5 gigabytes (GB) and set as the
active partition (Scenario 1).
A BIOS setting to start up first from the hard disk drive, not the USB or CD drives.
We strongly recommend that you do not run a kernel debugger while BitLocker isenabled, because encryption keys and other sensitive data can be accessed with the
debugger. However, you can enable kernel debugging before you enable BitLocker. If
you enable kernel debugging after you have enabled BitLocker, the system will
automatically start the recovery process every time you restart the computer. If youenable boot debugging (kernel debugging with the "-bootdebug" option), the system will
automatically start the recovery process every time you restart the computer.
http://void%280%29/http://void%280%29/http://void%280%29/ -
8/10/2019 BitLocker Drive Encryption Step-By-Step
5/18
BitLocker Drive Encryption Step-by-Step Guide
Page 5of 18 11/4/2013
Scenario 1: Partitioning a Hard Disk for BitLocker Drive
Encryption
For BitLocker to work, you must have at least two partitions on your hard disk. The firstpartition is the system volume; the system volume is labeled S in this document. This volume
contains the boot information in an unencrypted space. The second partition is the operating
system volume; the operating system volume is labeled C in this document. This volume isencrypted and contains the operating system and user data.
Scenario 1 describes how to create the two partitions required for BitLocker. This procedure
assumes that you have backed up any data on the disk.
If you have an unused disk with a single partition, follow the steps inPartition a disk with no
operating system for BitLocker.
If you have an unused disk with a single partition, follow the steps inPartition a disk withno operating system for BitLocker.
In this procedure you start the computer from the product DVD and then enter a series of
commands to do the following:
Create a new 1.5 GB primary partition.
Set this partition as active.
Create a second primary partition using the rest of the space on the disk.
Format both new partitions so they can be used as Windows volumes.
Install Windows Server 2008 on the larger volume (drive C).
Your drive letters might not correspond to those in this example. In this example, the operatingsystem volume is labeled C, and the system volume is labeled S (for system volume). In this
example, we also assume that the system has only one physical hard disk drive.
1. Start the computer from the Windows product DVD.
http://void%280%29/http://void%280%29/http://void%280%29/http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_PartNoOShttp://void%280%29/http://void%280%29/ -
8/10/2019 BitLocker Drive Encryption Step-By-Step
6/18
BitLocker Drive Encryption Step-by-Step Guide
Page 6of 18 11/4/2013
2. In the initial Install Windowsscreen, choose your Installation language, Time andcurrency format, and Keyboard layout, and then click Next.
3. In the next Install Windowsscreen, click Repair your computer, located in the lower
left of the screen.
4.
In the System Recovery Optionsdialog box, make sure no operating system is selected.To do this, click in the empty area of the Operating Systemlist, below any listed entries.Then click Next.
5. In the next System Recovery Optionsdialog box, click Command Prompt.
6. Use Diskpart to create the partition for the operating system volume. At the command
prompt, type diskpart, and then press ENTER.
7. Type list diskto obtain summary information about each disk partition on thecomputer. For this procedure, disk 0 is the disk partition used for the system volume.
Your computer may have different numbers assigned to the disk partitions, so verify thatthe partition you select in the next step is one that does not contain any valuable data that
you need to retain.
8.
Type select disk 0.9. Type cleanto erase the existing partition table.
10.Type create partition primary size=1500to set the partition you are creating as aprimary partition.
11.Type assign letter=Sto give this partition the S designator.
12.Type activeto set the new partition as the active partition.
13.Type create partition primaryto create another primary partition. You will installWindows on this larger partition.
14.Type assign letter=Cto give this partition the C designator.
15.Type list volumeto see a display of all the volumes on this disk. You will see a listingof each volume, volume numbers, letters, labels, file systems, types, sizes, status, and
information. Check that you have one DVD installation volume and two disk volumesand that you know the label used for each volume.
16.Type exitto leave the Diskpart application.
17.Type format c: /y /q /fs:NTFSto properly format the C volume.
18.Type format s: /y /q /fs:NTFSto properly format the S volume.
19.Type exitto leave the command prompt.20.In the System Recovery Optionswindow, use the close window icon in the upper right
(or press ALT+F4) to close the window to return to the main installation screen. (Do not
click Shut Downor Restart.)
21.Click Install nowand proceed with the Windows Server 2008 installation process. InstallWindows Server 2008 on the larger volume C (the operating system volume).
-
8/10/2019 BitLocker Drive Encryption Step-By-Step
7/18
BitLocker Drive Encryption Step-by-Step Guide
Page 7of 18 11/4/2013
Scenario 2: Installing BitLocker Drive Encryption
You must be logged on as an administrator.
1. When you install Windows Server 2008, the Initial Configuration Taskswindowappears.
2. Choose Add features, and then install BitLocker Drive Encryption.
3. Restart your server.
You can also install BitLocker by using Server Manager.
1. Click Start, click Server Manager, click Add Features, and then click BitLocker
Drive Encryption.2. Restart your server.
You can also install BitLocker at a command prompt.
1.
Open a command prompt window as an administrator. To do this, click the Startbutton,
click All Programs, and then click Accessories.2. Right-click Command Prompt, and then click Run as administrator.
3. If the User Account Controldialog box appears, confirm that the action it displays is
what you want, and then click Continue.
4. At the command prompt, type the following:
ServerManagerCmd -install BitLocker -restart
This installs BitLocker if you have not already installed it.
5.
Restart your server.
http://void%280%29/http://void%280%29/http://void%280%29/ -
8/10/2019 BitLocker Drive Encryption Step-By-Step
8/18
BitLocker Drive Encryption Step-by-Step Guide
Page 8of 18 11/4/2013
Scenario 3: Turning on basic BitLocker Drive Encryption
Scenario 3 outlines the procedures for turning on BitLocker Drive Encryption protection on asystem with a TPM. After the volume is encrypted, the user logs onto the computer normally.
You must be logged on as an administrator.
BitLocker must be installed on this server.
You can configure a printer to print recovery passwords.
1. Click Start, click Control Panel, click Security, and then click BitLocker Drive
Encryption.2. If the User Account Controldialog box appears, confirm that the action it displays is
what you want, and then click Continue.
3. On the BitLocker Drive Encryptionpage, click Turn On BitLockeron the operatingsystem volume. A message appears, warning you that BitLocker encryption might have a
performance impact on your server.
If your TPM is not initialized, you will see the Initialize TPM Security Hardwarewizard. Follow the directions to initialize the TPM and restart or shut down yourcomputer.
4. On the Save the recovery passwordpage, you will see the following options:
o Save the password on a USB drive. Saves the password to a USB flash drive.
o Save the password in a folder. Saves the password to a folder on a network drive
or other location.
o Print the password. Prints the password.
Use one or more of these options to preserve the recovery password. For each option,
select the option and follow the wizard steps to set the location for saving or printing therecovery password.
When you have finished saving the recovery password, click Next.
Important
http://void%280%29/http://void%280%29/http://void%280%29/ -
8/10/2019 BitLocker Drive Encryption Step-By-Step
9/18
BitLocker Drive Encryption Step-by-Step Guide
Page 9of 18 11/4/2013
The recovery password will be required in the event the encrypted disk must be moved to
another computer, or changes are made to the system startup information. This password
is so important that we recommend that you make additional copies of the password andstore it in safe places to assure you access to your data. You will need your recovery
password to unlock the encrypted data on the volume if BitLocker enters a locked state(seeScenario 5: Turning on BitLocker Drive Encryption on a computer without a
compatible TPM). This recovery password is unique to this particular BitLockerencryption. You cannot use it to recover encrypted data from any other BitLocker
encryption session.
Important
Store recovery passwords apart from the computer for maximum security.
5. On the Encrypt the selected disk volumepage, confirm that the Run BitLocker SystemCheckcheck box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computerrestarts and BitLocker verifies whether the computer is BitLocker-compatible and ready
for encryption. If it is not, you will see an error message alerting you to the problem.
6. If it is ready for encryption, the Encryption in Progressstatus bar is displayed. You can
monitor the ongoing completion status of the disk volume encryption by dragging yourmouse cursor over the BitLocker Drive Encryption icon in the notification area at the
bottom of your screen.
By completing this procedure, you have encrypted the operating system volume and
created a recovery password unique to this volume. The next time you log on, you willsee no change. If the TPM ever changes or cannot be accessed, if there are changes to key
system files, or if someone tries to start the computer from a product CD or DVD to
circumvent the operating system, the computer will switch to recovery mode until the
recovery password is supplied.
http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5 -
8/10/2019 BitLocker Drive Encryption Step-By-Step
10/18
BitLocker Drive Encryption Step-by-Step Guide
Page 10of 18 11/4/2013
Scenario 4: Turning on BitLocker Drive Encryption for
Server Data Volumes
For servers stored in an environment that is shared or not secure, such as a branch officelocation, BitLocker can ensure the same level of data protection as it offers client computers by
encrypting data volumes and the operating system volume.
The operating system mounts a BitLocker-protected data volume as normal.
The keys for protecting a data volume are independent of the keys protecting the operating
system volume. To allow the system to automatically mount these volumes, the key chainprotecting the data volume is also stored encrypted on the currently-booted volume. If the
operating system enters recovery mode, the data volumes are not unlocked until the operating
system is out of recovery mode.
Recovery of a data volume is similar to recovery for an operating system volume. If the datavolume becomes corrupt, is moved to a new platform, or the operating system volume cannot
retrieve the key for the data volume to automatically unlock it, then the user inserts the media
containing a copy of the data volume recovery key.
Important
Your drive letters might not correspond to those in this example. In this example, the operatingsystem volume is labeled C, and the system volume is labeled S (for system volume). In thisexample, we also assume that the system has only one physical hard disk drive.
You must be logged on as an administrator.
BitLocker must be installed on this server.
You must have a USB flash drive to save the recovery password for the data volume(s).
1.
Open a command prompt window as an administrator. To do this, click the Startbutton,
click All Programs, and then click Accessories.
2. Right-click Command Prompt, and then click Run as administrator.
3. If the User Account Controldialog box appears, confirm that the action it displays is
what you want, and then click Continue.4. At the command prompt, type the following:
http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/ -
8/10/2019 BitLocker Drive Encryption Step-By-Step
11/18
BitLocker Drive Encryption Step-by-Step Guide
Page 11of 18 11/4/2013
start /w pkgmgr /iu:BitLocker
This installs BitLocker if you have not already installed it.
5.
Restart your server. You have now installed BitLocker, but it is not yet enabled.6. From an elevated command prompt, type the following:
manage-bde on : -rp rk U:\
7. This command encrypts the named volume, generates a recovery password, and stores arecovery key under U:\ (the USB drive, for example). Record the recovery password and
the recovery key filename displayed on the console. The data volume will have to be
unlocked after each restart by using either the recovery password or the recovery key as
follows:o manage-bde unlock : -rp
o
manage-bdeunlock : -rk U:\
8. To enable automatic unlocking of data volume, type the following:
manage-bde autounlock enable :
9. This command generates a recovery key and stores it on the operating system volume.
The operating system volume must be fully encrypted before this command is issued.Once automatic unlocking is enabled, the data volume is automatically unlocked on each
restart.
-
8/10/2019 BitLocker Drive Encryption Step-By-Step
12/18
BitLocker Drive Encryption Step-by-Step Guide
Page 12of 18 11/4/2013
Scenario 5: Turning on BitLocker Drive Encryption on a
computer without a compatible TPM
Use the following procedure to change your computer's Group Policy settings so that you canturn on BitLocker Drive Encryption without a TPM. Instead of a TPM, you will use a startup key
to authenticate yourself. The startup key is located on a USB flash drive inserted into the
computer before the computer is turned on. For this scenario, you must have a BIOS that willread USB flash drives in the pre-operating system environment (at startup). Your BIOS can be
checked by the System Check in the final step of the BitLocker wizard.
You must be logged on as an administrator.
BitLocker must be installed on this server.
You must have a USB flash drive to save the recovery password.
We recommended that you use a second USB flash drive to store the startup key separatefrom the recovery password.
1. Click Start, type gpedit.mscin the Start Searchbox, and then press ENTER.
2. If the User Account Controldialog box appears, confirm that the action it displays is
what you want, and then click Continue.3.
In the Local Group Policy Editor console tree, click Local Computer Policy, click
Administrative Templates, click Windows Components, and then click BitLockerDrive Encryption.
4. Double-click the setting Control Panel Setup: Enable Advanced Startup Options.5. Select the Enabledoption, select the Allow BitLocker without a compatible TPM
check box, and then click OK.
You have changed the policy setting so that you can use a startup key instead of a TPM.
6. Close the Local Group Policy Editor.
7. To force Group Policy to apply immediately, you can click Start, type gpupdate.exe
/forcein the Start Searchbox, and then press ENTER.
8. Click Start, click Control Panel, click Security, and then click BitLocker Drive
Encryption.
http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/ -
8/10/2019 BitLocker Drive Encryption Step-By-Step
13/18
BitLocker Drive Encryption Step-by-Step Guide
Page 13of 18 11/4/2013
9. If the User Account Controldialog box appears, confirm that the action it displays is
what you want, and then click Continue.10.On the BitLocker Drive Encryptionpage, click Turn On BitLocker. This will only
appear with the operating system volume.
11.
On the Set BitLocker Startup Preferencespage, select the Require Startup USB Keyat every startup option. This is the only option available for non-TPM configurations.This key must be inserted each time before you start the computer.
12.Insert your USB flash drive in the computer, if it is not already there.
13.On the Save your Startup Keypage, choose the location of your USB flash drive, and
then click Save.14.On the Save the recovery passwordpage, you will see the following options:
o Save the password on a USB drive. Saves the password to a USB flash drive.
o Save the password in a folder. Saves the password to a folder on a network drive
or other location.
o Print the password. Prints the password.
Use one or more of these options to preserve the recovery password. For each option,
select the option and follow the wizard steps to set the location for saving or printing therecovery password. You should not store the recovery password and the startup key on
the same media.
When you have finished saving the recovery password, click Next.
Important
The recovery password will be required in the event the encrypted disk must be moved toanother computer, or changes are made to the system startup information. This passwordis so important that we recommend that you make additional copies of the password and
store it in safe places to assure you access to your data. You will need your recovery
password to unlock the encrypted data on the volume if BitLocker enters a locked state
(seeScenario 5: Turning on BitLocker Drive Encryption on a computer without acompatible TPM). This recovery password is unique to this particular BitLocker
encryption. You cannot use it to recover encrypted data from any other BitLocker
encryption session.
Important
Store recovery passwords apart from the computer for maximum security.
15.On the Encrypt the selected disk volumepage, confirm that the Run BitLocker System
Checkcheck box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computer
restarts and BitLocker verifies whether the computer is BitLocker-compatible and ready
http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5http://technet.microsoft.com/en-us/library/cc732725%28d=printer,v=ws.10%29.aspx#BKMK_S5 -
8/10/2019 BitLocker Drive Encryption Step-By-Step
14/18
BitLocker Drive Encryption Step-by-Step Guide
Page 14of 18 11/4/2013
for encryption. If it is not, you will see an error message alerting you to the problem
before encryption starts.
16.If it is ready for encryption, the Encryption in Progressstatus bar is displayed. You can
monitor the ongoing completion status of the disk volume encryption by dragging yourmouse cursor over the BitLocker Drive Encryption icon in the notification area at the
bottom of your screen or clicking on the Encryption icon.
By completing this procedure, you have encrypted the operating system volume andcreated a recovery password unique to that volume. The next time you turn your
computer on, the USB flash drive with the startup key must be plugged into a USB port
on the computer. If it is not, you will not be able to access data on your encrypted
volume.
If you do not have the USB flash drive containing your startup key, then to access the
data, you will need to use recovery mode and supply the recovery password.
-
8/10/2019 BitLocker Drive Encryption Step-By-Step
15/18
BitLocker Drive Encryption Step-by-Step Guide
Page 15of 18 11/4/2013
Scenario6: Recovering Data Protected by BitLocker
Drive Encryption
Scenario 5 describes the process for recovering your data after BitLocker has entered recoverymode. BitLocker locks the computer when a disk encryption key is not available. The following
is a list of likely causes:
An error related to TPM occurs.
One of the early boot files is modified.
The TPM is inadvertently turned off and the computer is turned off.
The TPM is inadvertently cleared and the computer is turned off.
When a computer is locked, the startup process is interrupted very early, before the operating
system starts. You must use the recovery password from a USB flash drive, or use the function
keys to enter the recovery password. F1 through F9 represent the digits 1 through 9, and F10
represents 0.
Because recovery happens so early in the startup process, the accessibility features of Windows
are not available. If you require accessibility features, consider what you will do in the event of
recovery.
This scenario includes two steps:
Testing data recovery
Recovering data
1. Click Start, point to All Programs, click Accessories, and then click Run.
2.
Type tpm.mscin the Opentext box, and then click OK. The TPM ManagementConsoleis displayed.
3. Under Actions, click Turn TPM Off.
4. Provide the TPM owner password, if required.
5. When the Statuspanel in the TPM Management on Local Computertask panel reads"Your TPM is off and ownership of the TPM has been taken," close that task panel.
6. Close all open windows.
http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/ -
8/10/2019 BitLocker Drive Encryption Step-By-Step
16/18
BitLocker Drive Encryption Step-by-Step Guide
Page 16of 18 11/4/2013
7. If the USB flash drive that contains your recovery password is plugged into the system,
use the Safely Remove Hardwareicon in the notification area to remove it from thesystem.
8. Click the Startbutton, and then click the Shutdownbutton to restart your computer.
When you restart the computer, you will be prompted for the recovery password, becausethe startup configuration has changed since you encrypted the volume.
1. Turn on your computer.
2. If the computer is locked, the BitLocker Drive Encryption Recovery Consolewill
appear.
3. You will be prompted to insert the USB flash drive that contains the recovery password.o If you have the USB flash drive with the recovery password, insert it, and then
press ESC. Your computer will restart automatically. You do not need to enter the
recovery password manually.
o If you do not have the USB flash drive with the recovery password, press
ENTER. You will be prompted to enter the recovery password.
If you know the recovery password, type it, and then press ENTER.
If you do not know the recovery password, press ENTER twice and turn off yourcomputer.
Note
If you saved your recovery password in a file in a folder away from this computer,or on removable media, you can use another computer to open the file that
contains the password. To locate the correct file, find Password IDon the
recovery console display on the locked computer, and record this number. The filecontaining the recovery password uses this Password ID as the file name. Open
the file and locate the recovery password in the file.
-
8/10/2019 BitLocker Drive Encryption Step-By-Step
17/18
BitLocker Drive Encryption Step-by-Step Guide
Page 17of 18 11/4/2013
Scenario7: Turning off BitLocker Drive Encryption
Scenario 6 describes how to turn off BitLocker Drive Encryption and decrypt the volume. The
procedure is the same for all BitLocker Drive Encryption configurations on TPM-equippedcomputers and computers without a compatible TPM. Data volumes can only be decrypted, not
disabled.
When you turn off BitLocker, you can choose to either disable BitLocker temporarily, or to
decrypt the volume. Disabling BitLocker allows TPM changes and other minor changes to the
system. Decrypting the volume means that the volume will be entirely decrypted, and that all thekeys are discarded. You must decrypt a computer before upgrading the operating system. Once a
volume is decrypted, you must generate new keys by going through the encryption process again,if you want to enable BitLocker.
You must be logged on as an administrator.
The volume must be encrypted.
1. Click Start, click Control Panel, click Security, and then click BitLocker Drive
Encryption.
2. From the BitLocker Drive Encryptionpage, find the volume on which you want
BitLocker Drive Encryption turned off, and click Turn Off BitLocker DriveEncryption.
3. From the What level of decryption do you wantdialog box, click either Disable
BitLocker Drive Encryptionor Decrypt the volumeas needed.
By completing this procedure, you have either disabled BitLocker or decrypted the
operating system volume.
The following resources provide additional information about BitLocker Drive Encryption:
For help with BitLocker Drive Encryption, as with any Microsoft Windows component,
please choose one of the support options listed on the Microsoft Help and Support Web
site (http://go.microsoft.com/fwlink/?LinkId=76619).
http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://go.microsoft.com/fwlink/?LinkId=76619http://go.microsoft.com/fwlink/?LinkId=76619http://go.microsoft.com/fwlink/?LinkId=76619http://go.microsoft.com/fwlink/?LinkId=76619http://void%280%29/ -
8/10/2019 BitLocker Drive Encryption Step-By-Step
18/18
BitLocker Drive Encryption Step-by-Step Guide
Page 18 of 18 11/4/2013
Additional documentation about BitLocker is available in Windows Server 2008 and
Windows Vista. For more information, seehttp://go.microsoft.com/fwlink/?LinkId=76553.
For more information about the User Account Control feature, see User Account Control(http://go.microsoft.com/fwlink/?LinkId=66018).
http://go.microsoft.com/fwlink/?LinkId=76553http://go.microsoft.com/fwlink/?LinkId=76553http://go.microsoft.com/fwlink/?LinkId=66018http://go.microsoft.com/fwlink/?LinkId=66018http://go.microsoft.com/fwlink/?LinkId=66018http://go.microsoft.com/fwlink/?LinkId=66018http://go.microsoft.com/fwlink/?LinkId=76553