BitLocker is a Windows security feature that provides full-volume encryption, preventing data exposure or theft from misplaced, stolen, or incorrectly retired devices. Read on to learn about the uses of BitLocker technology, how to enable and disable it, and the key applications of BitLocker encryption. BitLocker protects hard drives and PCs from hackers and other potential attackers. Among the main benefits are:
- Encryption of the whole drive, with the encryption key protected by the TPM module, improves security.
- BitLocker can automatically save recovery keys to Active Directory.
Main BitLocker Technology Uses
Unauthorized access to data on a lost or stolen device can occur through software attack tools or by moving the hard disk to another device. BitLocker technology reduces the risk of unauthorized data access by improving file and system protection, and by rendering data inaccessible when BitLocker-protected devices are recycled or retired.
TPM and BitLocker Security
Coupled with a Trusted Platform Module (TPM), a common piece of hardware found on Windows computers, BitLocker technology offers the highest level of safety.
Working together, the TPM and BitLocker prevent hackers from accessing a device while the system is offline.
BitLocker can lock both the regular startup procedure and the TPM until the user inputs a personal identification number (PIN) or inserts a portable device containing a startup key. These security features prevent the device from starting or waking from hibernation unless the correct PIN or startup key is entered. They also provide multi-factor authentication.
You can still use BitLocker to encrypt the operating system drive on computers that lack a TPM. With this implementation, the user has to either:
- Use a startup key stored on a portable drive to start the device or to resume it from hibernation.
- Use a password. This option has no password lockout logic, leaving it vulnerable to brute-force attacks. Therefore, by default, the password option is disabled and discouraged.
Both options lack the preboot system integrity assurance that BitLocker technology provides when combined with a TPM.
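The two startup options above, written as an added PowerShell enrollment script (example code, not from the original article). It assumes an elevated session, an OS drive of C:, a removable drive E: for the startup key, and that the policy "Require additional authentication at startup" has been enabled (with "Allow BitLocker without a compatible TPM" for the no-TPM path), which the TPM+PIN and startup-key protectors require.

```powershell
# Added example: enable BitLocker on the OS drive with TPM+PIN when a TPM is
# present, or with a USB startup key when it is not. Assumed values: C: and E:\.
#Requires -RunAsAdministrator
param(
    [string]$OsDrive = 'C:',
    [string]$StartupKeyDrive = 'E:\'
)

$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Host "$OsDrive is already $($vol.VolumeStatus); nothing to do."
    return
}

$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # Multi-factor startup: the TPM seals the key and the user must also enter a PIN.
    # The PIN is read as a SecureString so it never appears in the script or logs.
    $pin = Read-Host -AsSecureString 'Enter a BitLocker startup PIN'
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest
} else {
    # No TPM: the key lives on removable media that must be inserted at startup
    # and on resume from hibernation. There is no preboot integrity check here.
    if (-not (Test-Path $StartupKeyDrive)) { throw "Startup key drive $StartupKeyDrive not found" }
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -StartupKeyProtector -StartupKeyPath $StartupKeyDrive -UsedSpaceOnly -SkipHardwareTest
}

# Always add a numerical recovery password as a fallback protector and show its
# ID so it can be backed up (to AD DS, Microsoft Entra ID, or another escrow).
$withRp = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$withRp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

Store the printed recovery password somewhere other than the encrypted device before rebooting; without it, a lost PIN or startup key means lost data.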
The BitLocker prerequisites are as follows:
- To use BitLocker technology, the device must have TPM 1.2 or later versions. If the device does not have a TPM, you must save a startup key on a portable disk to enable BitLocker.
- In addition to a TPM, a device’s BIOS or UEFI firmware must be Trusted Computing Group (TCG) compliant. The BIOS or UEFI firmware establishes a chain of trust for the preboot startup and must support the TCG-specified Static Root of Trust Measurement. A machine without a TPM doesn’t require TCG-compliant firmware.
- The system BIOS or UEFI firmware must support the USB mass storage device class, as well as the ability to read files from a USB drive during preboot.
Take note.
The BIOS Legacy and Compatibility Support Module (CSM) modes do not support TPM 2.0. Devices equipped with TPM 2.0 must have their BIOS mode set to native UEFI.
You need to disable the Legacy and CSM settings.
Enable secure boot for further security.
Upgrading the BIOS mode to UEFI causes an operating system installed on Legacy-style hardware to fail to boot. Before changing the BIOS mode, run mbr2gpt.exe to prepare the operating system and disk for UEFI.
The hard drive must be partitioned into at least two drives:
- The operating system drive (often called the boot drive) contains the OS and its support files. It must be formatted with the NTFS file system.
- The system drive contains the files required to boot, decrypt, and load the operating system. BitLocker isn’t enabled on this drive. For BitLocker technology to work, the system drive:
  - Must not be encrypted, and must be separate from the operating system drive.
  - Must be formatted with NTFS on computers running BIOS firmware, and with FAT32 on computers using UEFI-based firmware.
  - Should be approximately 350 MB in size. After BitLocker technology is turned on, it uses around 250 MB of that space.
Important
When you install BitLocker on a new device, Windows creates the necessary partitions.
If the drive is formatted as a single contiguous space, BitLocker needs a separate volume to be created for the boot files.
You can create the volume using BdeHdCfg.exe.
See Bdehdcfg in the Command-Line Reference for more information on how to use the tool.
Take note.
Before installing the BitLocker optional component, the server must first have the Enhanced Storage functionality installed. This functionality supports hardware-encrypted drives.
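The prerequisites listed above (TPM version, native UEFI, Secure Boot, NTFS OS drive, and a separate FAT32/NTFS system partition of about 350 MB) can be audited before turning BitLocker on. This is an added PowerShell check, not from the original article; it assumes an elevated session on Windows 10/11 and reads the firmware mode from the standard firmware_type environment variable.

```powershell
# Added example: audit the BitLocker prerequisites on the local machine and
# print one pass/fail row per check.
#Requires -RunAsAdministrator
$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. TPM present, enabled, and spec version 1.2 or later. Win32_Tpm.SpecVersion is a
#    comma-separated string such as "2.0, 0, 1.38"; the first field is the spec version.
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    $spec = [version]($tpm.SpecVersion.Split(',')[0].Trim())
    Add-Check 'TPM 1.2 or later' ($spec -ge [version]'1.2' -and $tpm.IsEnabled_InitialValue) "SpecVersion=$($tpm.SpecVersion)"
} else {
    Add-Check 'TPM 1.2 or later' $false 'No TPM found: a USB startup key is required instead'
}

# 2. Firmware mode. TPM 2.0 needs native UEFI; Legacy/CSM must be disabled.
$isUefi = $env:firmware_type -eq 'UEFI'
Add-Check 'Native UEFI firmware' $isUefi "firmware_type=$($env:firmware_type)"

# 3. Secure Boot (recommended). The cmdlet throws on Legacy BIOS, so treat that as off.
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
Add-Check 'Secure Boot enabled' $secureBoot ''

# 4. OS drive must be NTFS.
$osLetter = $env:SystemDrive.TrimEnd(':')
$osVol = Get-Volume -DriveLetter $osLetter
Add-Check 'OS drive is NTFS' ($osVol.FileSystem -eq 'NTFS') "$env:SystemDrive is $($osVol.FileSystem)"

# 5. Separate system partition: FAT32 on UEFI / NTFS on BIOS, about 350 MB.
$osPart  = Get-Partition -DriveLetter $osLetter
$sysPart = Get-Partition | Where-Object { $_.IsSystem } | Select-Object -First 1
if ($sysPart) {
    $sysVol   = $sysPart | Get-Volume
    $wantFs   = if ($isUefi) { 'FAT32' } else { 'NTFS' }
    $sizeMB   = [math]::Round($sysPart.Size / 1MB)
    $separate = ($sysPart.DiskNumber -ne $osPart.DiskNumber) -or ($sysPart.PartitionNumber -ne $osPart.PartitionNumber)
    Add-Check "System partition is $wantFs and separate" ($sysVol.FileSystem -eq $wantFs -and $separate) "fs=$($sysVol.FileSystem)"
    Add-Check 'System partition is at least 350 MB' ($sizeMB -ge 350) "size=${sizeMB}MB"
} else {
    Add-Check 'System partition present' $false 'No partition is flagged IsSystem'
}

$checks | Format-Table -AutoSize
```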
Requirements for Windows version and license
The following Windows editions support BitLocker:
- Windows Pro: Yes
- Windows Enterprise: Yes
- Windows Pro Education/SE: Yes
- Windows Education: Yes
The following licenses include BitLocker:
- Windows Pro/Pro Education/SE: Yes
- Windows Enterprise E3: Yes
For additional information on how to license Windows, see the Windows licensing summary.
Enabling BitLocker requires one form of licensing, while managing BitLocker requires another. For further information, see the how-to guide: Setup BitLocker.
Encrypting the device
Device encryption is a Windows feature that lets certain devices use BitLocker encryption automatically. Device encryption is available on all Windows editions; however, the device must meet either the Modern Standby or the HSTI security requirements, and it must not have externally accessible DMA ports.
Important: Device encryption only protects the operating system and fixed devices, not USB or external disks.
Unlike a typical BitLocker setup, device encryption is activated by default, ensuring the device remains safe at all times.
From a clean Windows installation through the completion of the out-of-the-box experience (OOBE), the device is prepared for first use. As part of this preparation, device encryption is initialized on the computer’s OS drive and fixed data drives with a clear key, the equivalent of the standard BitLocker suspended state. In this state, Windows Explorer displays the drive with a warning icon.
The yellow warning icon is removed once the TPM protector is created and the recovery key is backed up:
- Once the recovery key is safely backed up to Microsoft Entra ID or Active Directory Domain Services (AD DS), the clear key is removed from the device.
- To back up the recovery key, the following policy setting must be enabled: Choose how to recover BitLocker-protected operating system files.
- When a user signs in with their Microsoft Entra ID, the recovery password is generated automatically, the recovery key is saved to Microsoft Entra ID, the TPM protector is enabled, and the clear key is removed.
- When a device joins AD DS, the recovery password is generated automatically, the recovery key is saved to AD DS, the TPM protector is created, and the clear key is removed.
- If the device is not connected to Microsoft Entra or an Active Directory domain, a Microsoft account with administrative rights on the device is required.
- Whenever an administrator signs in with a Microsoft account, the recovery key is linked to that online Microsoft account, the TPM protector is created, and the clear key is removed. If the user needs the recovery key for any reason, they should use an alternate device and sign in with their Microsoft account to visit the recovery key access URL.
- Using only local accounts is insecure, even if the device’s data is protected.
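The transition described above, from clear key to escrowed recovery key plus TPM protector, as an added PowerShell script (example code, not from the original article). It assumes an elevated session, a device that is domain-joined or Microsoft Entra-joined, and that the recovery policy mentioned above permits backing the key up to AD DS.

```powershell
# Added example: finish device encryption for volumes still holding a clear key.
#Requires -RunAsAdministrator
param([ValidateSet('ADDS', 'EntraID')][string]$Escrow = 'ADDS')

# Clear-key state: encrypted, protection Off, and no key protectors at all
# (the BitLocker suspended state in which Explorer shows the warning icon).
$pending = Get-BitLockerVolume | Where-Object {
    $_.VolumeStatus -ne 'FullyDecrypted' -and
    $_.ProtectionStatus -eq 'Off' -and
    ($_.KeyProtector | Measure-Object).Count -eq 0
} | Sort-Object { $_.MountPoint -ne $env:SystemDrive }   # OS drive first

if (-not $pending) { Write-Host 'No volumes are in the clear-key state.'; return }

foreach ($vol in $pending) {
    $mp = $vol.MountPoint
    # 1. Generate the 48-digit recovery password.
    $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

    # 2. Escrow it first. If escrow fails, the clear key is left in place on purpose:
    #    a protected volume with no recoverable key is worse than an unprotected one.
    try {
        if ($Escrow -eq 'ADDS') {
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId | Out-Null
        } else {
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
    } catch {
        Write-Warning "${mp}: recovery key escrow failed ($_); leaving the clear key in place"
        continue
    }

    # 3. OS drive: seal the volume key to the TPM. Fixed data drives: unlock
    #    automatically once the OS drive is unlocked. Turning protection on
    #    then discards the clear key.
    if ($mp -eq $env:SystemDrive) {
        Add-BitLockerKeyProtector -MountPoint $mp -TpmProtector | Out-Null
    } else {
        Enable-BitLockerAutoUnlock -MountPoint $mp | Out-Null
    }
    Resume-BitLocker -MountPoint $mp | Out-Null

    Get-BitLockerVolume -MountPoint $mp | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
}
```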
Very important.
For device encryption, the default encryption method is XTS-AES 128-bit. If a policy setting has been configured to use a different method, the Enrollment Status Page can be used to prevent the device from starting to encrypt with the default method.
BitLocker begins encrypting only after the Enrollment Status Page device configuration phase completes at the end of OOBE.
This gives the device ample time to receive the BitLocker policy settings before encryption starts.
To use a different encryption method or cipher strength on a device that is already encrypted, the device must first be decrypted. Only then can the new method or strength be applied. After the device is decrypted, different BitLocker settings can be applied.
- If a device doesn’t initially qualify for device encryption, but a later change such as enabling Secure Boot makes it eligible, device encryption is turned on automatically as soon as the change is detected.
- The System Information program (msinfo32.exe) checks whether a device meets the device encryption requirements. A device must meet them all before System Information reports that device encryption is supported.
Device encryption is not the same as a manually configured BitLocker setup:
- Device encryption uses BitLocker technology and is turned on automatically for qualifying devices. The recovery key is saved to Microsoft Entra ID, AD DS, or the user’s Microsoft account.
- Device encryption adds a device encryption setting to the Settings app. Use this parameter to enable or disable device encryption.
The Settings menu does not indicate that device encryption is enabled until it completes.
Disabling device encryption
Device encryption is enabled on any computer that supports it. Automatic device encryption can be prevented, however, by changing the following registry setting:
Data Recovery Software
BLR Bitlocker recovery software is a specialized tool designed to recover data from drives encrypted with Bitlocker. It assists users in retrieving lost or inaccessible data due to forgotten passwords, lost recovery keys, or corrupted drives. The software provides advanced recovery options, ensuring data integrity and accessibility, making it an essential solution for individuals and organizations needing reliable data recovery from Bitlocker-encrypted drives.