This post in our Active Directory for BitLocker series explains how to encrypt operating system drives and hard disk data drives.

Now that we’ve updated Active Directory and created our Group Policy Object with our BitLocker, TPM, and Sleep settings, we’re ready to encrypt our first device. To begin, you’ll first need to make sure that your computer meets the hardware/software requirements listed below. (Please note that in the screenshots and instructions below, I performed the procedure on Windows 7. The process should be mostly the same on Windows Vista.)

Encrypting an operating system drive with BitLocker

  • Windows Vista Ultimate or Enterprise; Windows 7 Ultimate or Enterprise
  • Trusted Platform Module (TPM) version 1.2 or higher
  • BIOS that is compatible with the TPM
  • TPM must be enabled in the BIOS – Some manufacturers enable the TPM automatically and others leave it disabled. You may need to refer to documentation from your vendor to enable the TPM.
  • Two hard drive partitions: one drive for Windows and one as a boot volume. (A standard Windows 7 installation automatically creates the necessary partitions. Windows Vista will require use of the BitLocker Drive Preparation Tool - http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7806.)
  • Drive must be formatted as NTFS
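The requirements above can be checked before you touch the Control Panel. The script below is an added example, not part of the original post: it queries the same prerequisites (edition, TPM version and BIOS state, NTFS and a separate system partition) through WMI, which works on Windows 7 without the newer BitLocker PowerShell module. Run it from an elevated PowerShell prompt; the `Add-Check` helper and the pass/fail rules are my own.

```powershell
# Added example (not from the original post): checks the OS-drive prerequisites
# listed above on a Windows 7 machine using WMI only. Run as a local Administrator.

function Add-Check($list, $name, $value, $ok) {
    # Helper (hypothetical name) that records one prerequisite result for the final table.
    [void]$list.Add((New-Object PSObject -Property @{ Check = $name; Value = $value; Ok = [bool]$ok }))
}

$results = New-Object System.Collections.ArrayList

# 1. Edition: BitLocker ships only with Ultimate and Enterprise (Vista and 7).
$os = Get-WmiObject Win32_OperatingSystem
Add-Check $results 'Windows edition' $os.Caption ($os.Caption -match 'Ultimate|Enterprise')

# 2. TPM: present, spec version 1.2 or higher, enabled and activated in the BIOS.
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm -eq $null) {
    Add-Check $results 'TPM present' 'no Win32_Tpm instance' $false
} else {
    # SpecVersion is a string such as "1.2, 2, 3"; the first field is the TPM spec version.
    $spec = [double](($tpm.SpecVersion -split ',')[0].Trim())
    Add-Check $results 'TPM spec version >= 1.2' $tpm.SpecVersion ($spec -ge 1.2)
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    Add-Check $results 'TPM enabled in BIOS' $enabled $enabled
    Add-Check $results 'TPM activated in BIOS' $activated $activated
    # Ownership is taken by the BitLocker wizard at the reboot prompt, so it is
    # reported for information only and never fails the check.
    Add-Check $results 'TPM owned (informational)' $owned $true
}

# 3. Partitions: the Windows volume must be NTFS and separate from the system (boot) volume.
$volumes = Get-WmiObject Win32_Volume
$winVol = @($volumes | Where-Object { $_.DriveLetter -eq $env:SystemDrive })[0]
$sysVol = @($volumes | Where-Object { $_.SystemVolume -eq $true })[0]
Add-Check $results 'Windows volume is NTFS' $winVol.FileSystem ($winVol.FileSystem -eq 'NTFS')
Add-Check $results 'Separate system partition' $sysVol.DeviceID `
    (($sysVol -ne $null) -and ($sysVol.DeviceID -ne $winVol.DeviceID))

$results | Format-Table Check, Value, Ok -AutoSize
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) {
    Write-Warning 'Not all BitLocker prerequisites are met; the wizard will fail or refuse to start.'
}
```

A failed "TPM enabled" or "TPM activated" row is the case the bullet about the BIOS describes: the module exists but the vendor ships it switched off, and only the BIOS setup can change that.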

As an account with Administrator rights on the local machine, start by going to the Control Panel and finding the BitLocker Drive Encryption applet. Click Turn On BitLocker.

[Screenshot: BitLocker Control Panel]

Click "Next" until you get to "Restart".

[Screenshot: BitLocker Restart]

When you restart, you’ll be asked if you want to allow the system to take ownership of the Trusted Platform Module (TPM). Make sure you read this prompt and accept it, or the BitLocker setup will fail and you’ll get to start over.

[Screenshot: BitLocker TPM Ownership]

Continue through the next few screens and you should get to the BitLocker startup preferences. Assuming you’ve set up your Group Policy and it is applying to the computer correctly, you should see all the options grayed out with the exception of Require a PIN at every startup.

[Screenshot: BitLocker startup preferences]

When prompted, enter your 7-digit numeric PIN (remember, we set that length in Group Policy) and click Set PIN.

[Screenshot: Enter a startup PIN]

The last thing you’ll be asked is if you’re ready to encrypt the drive. By default, the “Run BitLocker system check” option is checked. If you leave it checked, your system will be rebooted and you will be prompted for the PIN you just entered.

[Screenshot: Are you ready to encrypt this drive?]

[Screenshot: Enter the PIN for the drive]

When the system boots back into Windows and you log in, you should be greeted with the BitLocker encryption status window. Just remember that your drive is not fully encrypted until this process completes. The whole process usually takes several hours.

[Screenshot: BitLocker Encryption In Progress]
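Because the drive is not protected until conversion finishes, it is worth being able to check the state from a script rather than only from the status window. The following is an added example, not code from the original post: it reads every volume through the `Win32_EncryptableVolume` WMI class (available on Windows 7) and reports conversion progress, protection state and the key protectors in place. The status-code tables and the `Get-BitLockerVolumeStatus` function name are mine; the numeric codes are the documented values of the class.

```powershell
# Added example (not from the original post): BitLocker status of every volume
# via WMI, to confirm encryption has finished and the expected protectors exist.
# Run from an elevated PowerShell prompt.

$conversionStates = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                       3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$protectionStates = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$protectorTypes   = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword';
                       4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey';
                       7 = 'PublicKey'; 8 = 'Passphrase' }

function Get-BitLockerVolumeStatus {
    # Hypothetical function name; one object per volume BitLocker knows about.
    $vols = Get-WmiObject -Namespace 'root\cimv2\security\microsoftvolumeencryption' -Class Win32_EncryptableVolume
    foreach ($v in $vols) {
        $conv = $v.GetConversionStatus()      # ConversionStatus + EncryptionPercentage
        $prot = $v.GetProtectionStatus()      # 1 = keys are protected (BitLocker "on")

        # GetKeyProtectors(0) lists all protector IDs; resolve each to its type name.
        $ids   = $v.GetKeyProtectors(0).VolumeKeyProtectorID
        $types = @()
        if ($ids -ne $null) {
            foreach ($id in @($ids)) {
                $types += $protectorTypes[[int]$v.GetKeyProtectorType($id).KeyProtectorType]
            }
        }

        # WMI returns UInt32; cast to [int] so the hashtable lookups match the literal keys.
        New-Object PSObject -Property @{
            Drive      = $v.DriveLetter
            Conversion = $conversionStates[[int]$conv.ConversionStatus]
            Percent    = $conv.EncryptionPercentage
            Protection = $protectionStates[[int]$prot.ProtectionStatus]
            Protectors = ($types -join ', ')
        }
    }
}

Get-BitLockerVolumeStatus | Format-Table Drive, Conversion, Percent, Protection, Protectors -AutoSize
```

With the Group Policy from earlier in the series applied, the operating system drive should end up as FullyEncrypted / Protected with a TPMAndPIN protector alongside the NumericalPassword (recovery password) protector; an OS drive that shows only a TPM protector means the PIN requirement did not apply and the setup should be repeated.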

Encrypting a fixed data drive with BitLocker

For the purposes of BitLocker, a fixed data drive is essentially another partition or an additional physical drive in your computer. Encrypting a fixed data drive is very similar to encrypting an OS drive except that there is no TPM requirement. Thus, if you’ve got an older computer or one that just doesn’t have a TPM, you can still encrypt a secondary drive to protect the data stored on that device. As an account with Administrator rights on the local machine, start by going to the Control Panel and finding the BitLocker Drive Encryption applet. Click Turn On BitLocker.

[Screenshot: Turn on BitLocker]

Here’s where things differ from encrypting an operating system drive. You’ll be prompted for a password to unlock your fixed data drive. Unfortunately, Microsoft chose not to show the minimum password length on this dialog box, so you’ll definitely want to tell any users who may want to encrypt their fixed data drives what the minimum length of their passwords will need to be. Also note the "Automatically unlock this drive on this computer" option. Unless this computer is dedicated to a single user, you may want to consider leaving this option unchecked.

[Screenshot: Minimum password length required]

Once you’ve typed in a password, you’re ready to encrypt your drive. Click "Start Encrypting".

[Screenshot: Start Encrypting]

And wait for your drive to encrypt…

[Screenshot: Encrypting]

If you open "Computer" in Windows Explorer, you’ll see that your drive is now encrypted with BitLocker.

[Screenshot: BitLocker in Windows Explorer]

Remember the "Automatically unlock this drive on this computer" option I mentioned earlier? If you leave it unchecked, your fixed data drive will remain locked after a reboot, as shown in the screenshot below:

[Screenshot: Locked drive]

To unlock the drive, you’ll need to right-click it and choose "Unlock Drive", using an account that has Administrator rights on the local computer.

[Screenshot: Unlock Drive]

Type in your password, click "Unlock", and your drive will be unlocked.

[Screenshot: Type your password to unlock drive]
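The same fixed data drive workflow (enable with a password, decide on auto-unlock, unlock after a reboot) can be scripted with manage-bde.exe, which ships with Windows 7. The script below is an added example and not part of the original post; the drive letter D: and the `$dedicatedToSingleUser` switch are assumptions, and manage-bde prompts for the password interactively rather than taking it on the command line.

```powershell
# Added example (not from the original post): the fixed data drive procedure
# above done with manage-bde.exe. Run from an elevated PowerShell prompt.

$drive = 'D:'                      # assumed drive letter of the fixed data drive
$dedicatedToSingleUser = $false    # mirrors the "Automatically unlock" decision above

# Turn on BitLocker with a password protector (the dialog above) plus a recovery
# password; with the Group Policy from earlier in the series, that recovery
# password is what gets backed up to Active Directory. manage-bde prompts for
# the password, and enforces the minimum length the dialog does not show.
manage-bde -on $drive -Password -RecoveryPassword

# Conversion progress and the protectors that now exist on the volume.
manage-bde -status $drive
manage-bde -protectors -get $drive

# Auto-unlock stores a key on the OS drive so the data drive opens without a
# prompt. Only enable it on a machine dedicated to one user; otherwise anyone
# who can log on to the computer can read the drive.
if ($dedicatedToSingleUser) {
    manage-bde -autounlock -enable $drive
} else {
    # Turns auto-unlock off again if it was ever enabled through the wizard.
    manage-bde -autounlock -disable $drive
}

# After a reboot the drive shows as locked; unlock it with the password
# (equivalent of right-clicking the drive and choosing "Unlock Drive").
manage-bde -unlock $drive -Password
```

`manage-bde -protectors -get` is also the quickest way to confirm that a numerical (recovery) password protector was created, which is what Active Directory escrow depends on; if only a password protector is listed, the drive cannot be recovered centrally.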

2 Comments
  1. Diego, 12 years ago

    Did you work with Truecrypt?
    I would like to see your opinion… 🙂

    Thanks for your info!

  2. Kyle, 12 years ago

    Honestly, no. BitLocker To Go coupled with Active Directory gives you automated key escrow; TrueCrypt doesn’t. A user plugs in a new USB device, encrypts the device, and the recovery key is backed up in AD. Assuming you set your Group Policy correctly… The device won’t encrypt if the user isn’t connected to AD. Should the user forget (or refuse to divulge) their password, your organization can recover the data on the device. Additionally, BitLocker To Go is built into the OS. If you take a USB device to another Windows 7 computer, there’s nothing to install to access the data.


© 4sysops 2006 - 2023
