Bitlocker

What is Bitlocker and Data Encryption

Bitlocker requires Windows 10 Pro and works best on Modern Hardware with a Trusted Platform Module and an M.2 Boot SSD.

Large businesses such as Universities, Banks and Government organisations are worried about their data falling into the wrong hands. One of the risks is when a Mobile Device such as a Laptop or Tablet gets misplaced or stolen, and you may not want prying eyes to get hold of the data on your drive. As a result Microsoft have included an encryption feature in Windows 10 Pro called Bitlocker. The data can then only be accessed with your Microsoft Account or Bitlocker Key, and this applies even when the drive is read from third party Linux Bootable utilities such as Parted Magic and Fedora:

  • Large Businesses usually have IT Departments that manage Data Encryption and have means of Recovering Online Accounts.
    • Usually in such a scenario the IT Department has set up some means of Cloud Storage.
  • For a Windows 10 Pro Individual User, Bitlocker is tied to their Personal Microsoft Account. The End User can Recover their User Account Information from Microsoft. The User should have set up their Microsoft Account with Security Questions.
    • Usually in such a scenario an Office 365 subscription model is made where files are saved to Cloud Storage.

Bitlocker is not included with Windows 10 Home as Microsoft have deemed Bitlocker a Business need. Probably, from a Microsoft Technical Support Perspective, there is a larger likelihood of Home Users locking themselves out of their own Devices and forgetting all the Answers to the Underlying Security Questions than of Businesses doing so.

Hardware – Enabling the Trusted Platform Module in the UEFI BIOS Setup

Only Business Models are being shipped with a Trusted Platform Module (TPM). For Dell these are mainly the Business Models such as the Latitude, OptiPlex, Precision and XPS systems manufactured after October 2015, which are listed here.

Although the TPM should be enabled by default, one can go into the UEFI BIOS Setup to confirm it is both present and enabled. To do this power off your Dell, then power it up and press [F2] to get to the UEFI BIOS Setup:

Press the [↓] key until you get to Security:

Press [Enter] to expand the Security Category:

Look for a TPM category. If it is absent, you don't have a TPM. If it is present, ensure that it is On and Enabled, i.e. has the same settings as mine:

Press Exit to Exit the UEFI BIOS Setup.

Conditions for Bitlocker to be Enabled by Default

Bitlocker will be enabled by default if your Device has a TPM which is Enabled and you sign in with a Work or Microsoft Account during the initial setup of Windows 10 Pro, e.g. using an OEM Factory Image or a Clean Install.

To check, open Computer. If Bitlocker is enabled you should see your OS Boot Drive marked with a Padlock. This Padlock denotes that it is encrypted with Bitlocker.

If it is not encrypted there is no encryption and hence no padlock:

Enabling Bitlocker Encryption

This OS Boot Drive doesn't have any encryption.

Right click your OS Boot Drive C:\ and select Turn Bitlocker On:

It will check your PC's Configuration:

If your hardware is not up to scratch, such as this OptiPlex 790, you will get an error message:

"This Device Cannot Use a Trusted Platform Module. Your Administrator must set the "Allow Bitlocker without a compatible TPM" option in the "Require Additional Authentication at Start-Up" Policy for OS Volumes".

It will ask you how you want to back up your Recovery Key. I advise selecting Save to Your Microsoft Account (for this you need to be signed into a Microsoft Account). If you are not signed in with a Microsoft Account, you can instead save the key to a file and then email it to yourself:

It will save the Recovery Key:

Once the Key is saved select Next:

To access the Recovery Key from your Microsoft Account go to:

aka.ms/recoverykey

Select Encrypt Entire Drive:

Select the Newest Encryption Mode:

Check Run the Bitlocker System Check and Select Continue:

You will be prompted to restart:

Select Restart Now:

After the restart it will begin to encrypt the drive; this may take up to a couple of hours:

Once it's done click Close:

You will see your OS Boot Drive is now Encrypted:
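The same checks the wizard walks through (TPM present and enabled, drive fully encrypted, newest encryption mode, TPM and Recovery Key protectors in place) can be audited from an elevated PowerShell prompt. This is an added example, not part of the original guide; it assumes the built-in TrustedPlatformModule and BitLocker modules that ship with Windows 10 Pro, and the function name Test-BitLockerReadiness is my own, not a Microsoft cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guide. Uses the built-in
# TrustedPlatformModule and BitLocker PowerShell modules on Windows 10 Pro.
# Test-BitLockerReadiness is a name chosen here, not a Microsoft cmdlet.
function Test-BitLockerReadiness {
    param([string]$MountPoint = $env:SystemDrive)   # OS Boot Drive, normally "C:"
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. TPM present and enabled, as confirmed in the UEFI BIOS Setup section above.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM detected; the wizard will show the "Allow Bitlocker without a compatible TPM" error.')
    } elseif (-not ($tpm.TpmEnabled -and $tpm.TpmReady)) {
        $findings.Add('TPM present but not enabled/ready; check Security > TPM in the UEFI BIOS Setup.')
    }

    # 2. Volume state. The padlock in Computer corresponds to ProtectionStatus = On.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ("$($vol.VolumeStatus)" -eq 'FullyDecrypted') {
        $findings.Add("$MountPoint is not encrypted.")
    } elseif ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
        $findings.Add("$MountPoint is still converting: $($vol.VolumeStatus), $($vol.EncryptionPercentage)% done.")
    }
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $findings.Add("Protection is $($vol.ProtectionStatus); the key protectors are not enforced yet.")
    }

    # 3. "Newest Encryption Mode" in the wizard is XTS-AES; Aes128/Aes256 are the older CBC modes.
    if ("$($vol.EncryptionMethod)" -notmatch '^XtsAes') {
        $findings.Add("Encryption method is $($vol.EncryptionMethod); expected XtsAes128 or XtsAes256.")
    }

    # 4. Protectors: the TPM unlocks at boot; the 48-digit Recovery Key is what you saved to your account.
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if ($types -notcontains 'Tpm') { $findings.Add('No TPM key protector.') }
    if ($types -notcontains 'RecoveryPassword') { $findings.Add('No recovery password protector; nothing to save to aka.ms/recoverykey.') }

    # Report the protector ID only. Never log or display the recovery password itself.
    $recovery = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
    [pscustomobject]@{
        MountPoint        = $MountPoint
        Compliant         = ($findings.Count -eq 0)
        VolumeStatus      = "$($vol.VolumeStatus)"
        EncryptionMethod  = "$($vol.EncryptionMethod)"
        RecoveryProtector = @($recovery | ForEach-Object { $_.KeyProtectorId })
        Findings          = $findings.ToArray()
    }
}
Test-BitLockerReadiness | Format-List
```

Compliant is only true when every finding list is empty, so a drive that shows the padlock but still uses the older AES-CBC mode or lacks a Recovery Key protector is reported as non-compliant rather than silently passed.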

Disabling Bitlocker Encryption

Right click the OS Boot Drive with Bitlocker and select Manage Bitlocker:

Select Turn Off Bitlocker:

Select Turn Off Bitlocker to confirm:

Windows will decrypt your OS Boot Drive:

Once complete, select Close:

Your OS Boot Drive now has no padlock and is hence not encrypted:

