Encrypting an operating system drive with BitLocker
Now that we’ve updated Active Directory and created our Group Policy Object with our BitLocker, TPM, and Sleep settings, we’re ready to encrypt our first device. Before you begin, make sure the computer meets the following hardware and software requirements. (Please note that in the screenshots and instructions below I’ve performed the procedure on Windows 7. The process should be mostly the same on Windows Vista.)
- Windows Vista Ultimate or Enterprise, or Windows 7 Ultimate or Enterprise (the other editions do not include BitLocker)
- Trusted Platform Module (TPM) version 1.2 or higher
- A BIOS that supports the TPM (Trusted Computing Group compliant) so the TPM can be initialized during boot. Strictly speaking, the TPM is required because the Group Policy created earlier demands TPM + PIN; Windows 7 can also protect the OS drive with a USB startup key if "Allow BitLocker without a compatible TPM" is enabled, but that is not the configuration described here.
- The TPM must be enabled in the BIOS. Some manufacturers enable the TPM by default and others ship it disabled; you may need to refer to your vendor's documentation to enable it.
- Two partitions: a small, unencrypted system partition that holds the boot files, and the operating system partition that BitLocker encrypts. A standard Windows 7 installation automatically creates the necessary "System Reserved" partition. Windows Vista requires the BitLocker Drive Preparation Tool - http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7806.
- The operating system partition must be formatted as NTFS
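The checklist above can be verified before you touch the wizard. The following script is an added example and is not part of the original article; it uses only WMI classes that exist on Windows Vista and Windows 7 (Win32_OperatingSystem, Win32_Tpm, Win32_Volume) and PowerShell 2.0 cmdlets, because the BitLocker PowerShell module did not exist before Windows 8. It assumes you run it from an elevated prompt on the machine you intend to encrypt.

```powershell
# Added pre-flight check, not part of the original article: verifies the BitLocker
# requirements listed above with WMI classes present on Windows Vista/7.
# Run from an elevated PowerShell prompt on the machine to be encrypted.

$results = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }))
}

# Edition: only Ultimate and Enterprise ship BitLocker on Vista and 7.
$os = Get-WmiObject Win32_OperatingSystem
Add-Check 'Supported edition' ($os.Caption -match 'Ultimate|Enterprise') $os.Caption

# TPM: present, version 1.2 or higher, enabled and activated by the BIOS.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm -eq $null) {
    Add-Check 'TPM present' $false 'Win32_Tpm reports nothing: no TPM, or it is disabled in the BIOS'
} else {
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()          # SpecVersion looks like "1.2, 2, 3"
    Add-Check 'TPM version 1.2 or higher' ([double]$spec -ge 1.2) "SpecVersion $($tpm.SpecVersion)"
    Add-Check 'TPM enabled in BIOS'   ($tpm.IsEnabled().IsEnabled)     ''
    Add-Check 'TPM activated in BIOS' ($tpm.IsActivated().IsActivated) ''
    # Ownership is not a prerequisite: the wizard takes ownership on the first restart.
    Write-Host ("TPM already owned: {0}" -f $tpm.IsOwned().IsOwned)
}

# Partitions: the system volume (boot files, stays unencrypted) must be a different
# volume from the boot volume (the Windows installation that gets encrypted).
$vols     = Get-WmiObject Win32_Volume
$sysVol   = $vols | Where-Object { $_.SystemVolume }
$bootVol  = $vols | Where-Object { $_.BootVolume }
$separate = ($sysVol -ne $null) -and ($sysVol.DeviceID -ne $bootVol.DeviceID)
Add-Check 'Separate system partition' $separate ("System volume: {0}  OS volume: {1}" -f $sysVol.Name, $bootVol.Name)

# File system of the OS volume.
Add-Check 'OS volume is NTFS' ($bootVol.FileSystem -eq 'NTFS') $bootVol.FileSystem

$results | Format-Table Check, Passed, Detail -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'Fix the failed checks before starting the BitLocker wizard.'
}
```

A TPM that is physically present but disabled in the BIOS typically does not show up in Win32_Tpm at all, which is why the script treats "no object" as a failed check rather than an error; that is the case the vendor documentation step above is meant to fix.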
As an account with Administrator rights on the local machine, start by going to the Control Panel and finding the BitLocker Drive Encryption applet. Click Turn On BitLocker.
BitLocker Control Panel
Click "Next" through the platform check until the wizard asks you to restart.
When you restart, the BIOS prompts you to allow Windows to take ownership of the Trusted Platform Module (TPM). This prompt appears before Windows loads and is easy to miss. Make sure you read and accept it; otherwise ownership is not taken, the BitLocker setup fails, and you get to start over.
Bitlocker TPM Ownership
Continue through the next few screens until you reach the BitLocker startup preferences. Assuming you’ve set up your Group Policy and it is applying to the computer correctly, every option is grayed out except Require a PIN at every startup.
When prompted, enter a numeric PIN of the length you set in Group Policy (7 digits in this series) and click Set PIN.
Enter a startup PIN
The last thing you’re asked is whether you’re ready to encrypt the drive. By default, the “Run BitLocker system check” option is checked. Leave it checked: the system restarts, you are prompted for the PIN you just set, and BitLocker verifies that the TPM can release the key before it encrypts anything. If that check fails, nothing has been encrypted yet and the drive is still readable.
Are you ready to encrypt this drive?
Enter the PIN for the drive
When the system boots back into Windows and you log in, you should be greeted with the BitLocker encryption status window. Encryption runs in the background and resumes where it left off if the computer is shut down, but remember that the drive is not protected until the process completes, which usually takes several hours.
BitLocker Encryption In Progress
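The same OS-drive procedure can be driven from the command line, which is useful when you are rolling BitLocker out to more than one machine. The script below is an added example and not part of the original article: it uses manage-bde.exe, the BitLocker command-line tool that ships with Windows 7, and reads the conversion state through the Win32_EncryptableVolume WMI class instead of parsing manage-bde's text output. It assumes the Group Policy from the earlier parts is applied (TPM + PIN required, recovery passwords backed up to AD) and that C: is the operating system drive. The PIN is typed at manage-bde's interactive prompt; it is never placed on the command line, where it would end up in shell history.

```powershell
# Added example, not part of the original article: encrypt the OS drive with
# manage-bde.exe and watch the conversion through WMI. Assumes TPM + PIN policy
# from the earlier parts and that C: is the OS drive. Run from an elevated prompt.

$osDrive = 'C:'

# Reads the state the Control Panel applet shows, straight from WMI.
# Numeric codes are the documented Win32_EncryptableVolume values.
function Get-BitLockerStatus([string]$Drive) {
    $ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if ($vol -eq $null) { throw "No BitLocker-capable volume at $Drive" }
    $conv  = $vol.GetConversionStatus()
    $names = @('FullyDecrypted','FullyEncrypted','EncryptionInProgress',
               'DecryptionInProgress','EncryptionPaused','DecryptionPaused')
    $types = @('Unknown','TPM','ExternalKey','NumericalPassword','TPMAndPIN',
               'TPMAndStartupKey','TPMAndPINAndStartupKey','PublicKey','Passphrase')
    $protectors = @()
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
        $protectors += $types[$vol.GetKeyProtectorType($id).KeyProtectorType]
    }
    New-Object PSObject -Property @{
        Drive      = $Drive
        Conversion = $names[$conv.ConversionStatus]
        Percent    = $conv.EncryptionPercentage
        Protection = @('Off','On','Unknown')[$vol.GetProtectionStatus().ProtectionStatus]
        Protectors = ($protectors -join ', ')
    }
}

Get-BitLockerStatus $osDrive    # expect FullyDecrypted, Protection Off, no protectors

# 1. Turn the TPM on. If 'manage-bde -tpm' then reports it is not owned, ownership has to
#    be taken first ('manage-bde -tpm -takeownership <owner-password>', or the wizard).
manage-bde -tpm -turnon

# 2. Add the TPM+PIN protector and a numerical recovery password, then start encryption.
#    manage-bde prompts for the PIN, prints the 48-digit recovery password, and schedules
#    the hardware test for the next restart (the wizard's "Run BitLocker system check").
#    Do not add -SkipHardwareTest: the test proves the TPM releases the key and the PIN
#    works before any data is encrypted.
manage-bde -on $osDrive -TPMAndPIN -RecoveryPassword

# 3. Restart, enter the PIN at the pre-boot prompt, log back in, then poll until done.
#    The drive is only protected once Conversion reports FullyEncrypted.
$status = Get-BitLockerStatus $osDrive
while ($status.Conversion -eq 'EncryptionInProgress') {
    Write-Host ("{0}  {1}% encrypted" -f (Get-Date -Format 'HH:mm:ss'), $status.Percent)
    Start-Sleep -Seconds 60
    $status = Get-BitLockerStatus $osDrive
}
$status
```

After step 2, confirm with Get-BitLockerStatus that Protectors lists both TPMAndPIN and NumericalPassword; if the numerical password is missing, the Group Policy that requires recovery information in AD will refuse to let encryption proceed, which is the behavior you want.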
Encrypting a fixed data drive with BitLocker
For BitLocker's purposes, a fixed data drive is simply another partition or an additional physical drive in your computer. Encrypting a fixed data drive is very similar to encrypting an OS drive, except that there is no TPM requirement: the drive is unlocked with a password rather than by the TPM. So if you’ve got an older computer, or one that just doesn’t have a TPM, you can still encrypt a secondary drive to protect the data stored on it. As an account with Administrator rights on the local machine, start by going to the Control Panel and finding the BitLocker Drive Encryption applet. Click Turn On BitLocker.
Turn on BitLocker
Here’s where things differ from encrypting an operating system drive: you’re prompted for a password for unlocking the fixed data drive. Unfortunately, the dialog does not show the minimum password length that your Group Policy enforces, so users only find out when a too-short password is rejected. Tell users who may want to encrypt fixed data drives what the minimum length is before they start. Also note the "Automatically unlock this drive on this computer" option. It stores an unlock key on the operating system drive (so it is only available when the OS drive is itself BitLocker-protected), and anyone who can log on to this Windows installation then gets the data drive unlocked. Unless this computer is dedicated to a single user, you may want to leave this option unchecked.
Minimum password length required
Once you’ve typed in a password, you’re ready to encrypt your drive. Click "Start Encrypting".
Start Encrypting
And wait for your drive to encrypt…
Encrypting
If you open "Computer" in Windows Explorer, you’ll see that your drive is now encrypted with BitLocker; the drive icon gains a padlock.
BitLocker in Windows Explorer
Remember the "Automatically unlock this drive on this computer" option I mentioned earlier? If you leave it unchecked, your fixed data drive remains locked after a reboot, as shown in the screenshot below:
Locked drive
To unlock the drive, you’ll need to right-click on it and choose "Unlock Drive" with an account that has Administrator rights on the local computer.
Unlock Drive
Type in your password, click "Unlock", and your drive will be unlocked.
Type your password to unlock drive
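The fixed-data-drive procedure from this section, including the auto-unlock choice and the unlock after a reboot, can also be done with manage-bde.exe. The script below is an added example and not part of the original article. It assumes D: is the data partition, that the script runs from an elevated prompt, and that the minimum-password-length policy is stored under the registry value name the BitLocker ADMX template writes (FDVPassphraseLength under HKLM\SOFTWARE\Policies\Microsoft\FVE); that name is an assumption to verify against your own GPO. The unlock password is typed at manage-bde's prompt rather than passed as an argument.

```powershell
# Added example, not part of the original article: the fixed-data-drive procedure
# with manage-bde.exe. Assumes D: is the data partition; run from an elevated prompt.

$dataDrive = 'D:'

# The dialog does not show the minimum password length that Group Policy enforces,
# but the policy is written to the registry, so read it and tell the user up front.
# Registry value name as written by the BitLocker ADMX template (assumed; verify
# against your own GPO if nothing is found).
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$minLen = (Get-ItemProperty -Path $fve -Name FDVPassphraseLength -ErrorAction SilentlyContinue).FDVPassphraseLength
if ($minLen) { "Policy minimum password length for fixed data drives: $minLen" }
else         { 'No minimum-length policy found; BitLocker''s default of 8 characters applies' }

# Encrypt: password protector plus a numerical recovery password, no TPM involved.
# manage-bde prompts for the password twice and prints the 48-digit recovery password,
# which the Group Policy from the earlier parts backs up to AD.
manage-bde -on $dataDrive -Password -RecoveryPassword

# Progress and protectors (the equivalent of the status window and the padlock icon).
manage-bde -status $dataDrive
manage-bde -protectors -get $dataDrive

# Optional auto-unlock. The external key is stored on the OS drive, so this only works
# when the OS drive is itself BitLocker-protected, and it lets anyone who can log on to
# this Windows installation read the data drive. Leave it off on shared machines.
# manage-bde -autounlock -enable  $dataDrive
# manage-bde -autounlock -disable $dataDrive

# After a reboot without auto-unlock the drive is locked. Unlock with the password
# (prompted), or with the recovery password if the user forgot it.
manage-bde -unlock $dataDrive -Password
# manage-bde -unlock $dataDrive -RecoveryPassword <48-digit-recovery-password>

# Lock it again without rebooting, for example before leaving the machine unattended.
# manage-bde -lock $dataDrive -ForceDismount
```

The -lock step is the one thing the GUI walk-through cannot do: once a data drive is unlocked it stays unlocked until reboot, so a script or shortcut that runs manage-bde -lock is the practical way to re-lock it on a machine that is not rebooted often.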
Did you work with Truecrypt?
I would like to see your opinion… 🙂
Thanks for your info!
Honestly, no. BitLocker To Go coupled with Active Directory gives you automated key escrow; TrueCrypt doesn’t. A user plugs in a new USB device, encrypts the device, and the recovery key is backed up in AD. Assuming you set your Group Policy correctly, the device won’t encrypt if the user isn’t connected to AD. Should the user forget (or refuse to divulge) their password, your organization can recover the data on the device. Additionally, BitLocker To Go is built into the OS. If you take a USB device to another Windows 7 computer, there’s nothing to install to access the data.