BitLocker basic deployment – Windows security | Microsoft Docs – Using BitLocker to encrypt volumes



How you choose to implement the scripts depends on your environment. You can also use Manage-bde. Typically, there’s a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate.

Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive.

You can also choose whether BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used space can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts.

This is true even if the power is suddenly unavailable. No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk.

No unencrypted data is ever stored on a BitLocker-protected drive. You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them.

For more info, see BitLocker Group Policy settings. When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.

BitLocker in Windows 10 lets users choose to encrypt just their data. Although it’s not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted.

For more information, see Used Disk Space Only encryption. The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:

Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. For example: In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.

The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it. Unlike for operating system volumes, data volumes aren’t required to pass any configuration tests for the wizard to proceed.

Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are password, smart card, and automatically unlock this drive on this computer. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked. After selecting the desired authentication method and choosing Next, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes.

With the recovery key saved, selecting Next in the wizard will show available options for encryption. These options are the same as for operating system volumes: used disk space only and full drive encryption. If the volume being encrypted is new or empty, it’s recommended that used space only encryption is selected. With an encryption method chosen, a final confirmation screen is displayed before the encryption process begins.

Selecting Start encrypting begins encryption. There’s a new option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren’t members of a domain and that the user is using a Microsoft Account. Local accounts don’t give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren’t joined to a domain.

Users can verify whether the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name.

The recovery key ID is appended to the end of the file name. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting Turn on BitLocker, the wizard works exactly as it does when launched using the BitLocker control panel.

The following table shows the compatibility matrix for systems that have been BitLocker-enabled and then presented to a different version of Windows.

Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8. Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see Manage-bde. Manage-bde offers a multitude of wider options for configuring BitLocker.

So using the command syntax may require care and possibly later customization by the user. For example, using just the manage-bde -on command on a data volume will fully encrypt the volume without any authenticating protectors.

A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.

Listed below are examples of basic valid commands for operating system volumes. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.

A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: This command returns the volumes on the target, the current encryption status, and the volume type (operating system or data) for each volume.

Using this information, users can determine the best encryption method for their environment. To properly enable BitLocker for the operating system volume, you’ll need to use a USB flash drive as a startup key to boot (in this example, drive letter E).

You would first create the startup key needed for BitLocker using the -protectors option and save it to the USB drive on E:, and then begin the encryption process. You’ll need to reboot the computer when prompted to complete the encryption process. It’s possible to encrypt the operating system volume without any defined protectors by using manage-bde.

Use this command: This will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information by executing the following command:

Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command: This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on.

Data volumes use the same syntax for encryption as operating system volumes but they don’t require protectors for the operation to complete. We recommend that you add at least one primary protector and a recovery protector to a data volume.

A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.
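The manage-bde procedures above (status check, staging protectors on the operating system volume, then a password-protected data volume), collected into one added walkthrough. This is example code, not the Microsoft Docs page's own listing; the drive letters C:, D: and the startup-key location E: are assumptions, and the commands are run from an elevated prompt on the target machine.

```powershell
# Added example: manage-bde end to end for an OS volume (C:) and a data volume (D:).
# Drive letters and the startup-key USB drive (E:) are assumptions.

# 1. Inventory first: encryption status, protectors and volume type per volume.
manage-bde -status

# 2. Operating system volume: stage protectors before encrypting.
#    TPM+startup key binds the VMK to platform state and a second factor on E:;
#    on non-TPM hardware use -startupkey E: (or -password with -sid) instead.
#    The recovery password is the help-desk path if the TPM ever refuses to unseal.
manage-bde -protectors -add C: -tpmandstartupkey E:
manage-bde -protectors -add C: -recoverypassword

# Confirm the protectors (and their IDs) are present before turning BitLocker on.
manage-bde -protectors -get C:

# Encrypt. A reboot and the hardware test follow before encryption proceeds.
manage-bde -on C: -encryptionmethod xts_aes256

# 3. Data volume: -on succeeds with no protectors at all, which is exactly why a
#    bare "manage-bde -on D:" leaves an encrypted volume nothing can unlock later.
#    Add a password (entered and confirmed at the prompt) and a recovery password first.
manage-bde -protectors -add D: -password
manage-bde -protectors -add D: -recoverypassword
manage-bde -on D: -usedspaceonly

# 4. Verify: both volumes should now list their protectors and an encryption
#    percentage that climbs to 100 in the background.
manage-bde -status C:
manage-bde -status D:
```

Staging the recovery password before `-on` matters on the OS volume: once the TPM is the only protector, any firmware or boot-configuration change that trips PCR validation drops the machine into recovery, and the recovery password is the only thing that gets it back.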

Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell’s scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they’re encrypting prior to running Windows PowerShell cmdlets.

A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.

Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you don’t see all of the protectors for a volume, you can use the Windows PowerShell pipe command to format a listing of the protectors. In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.

If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the Remove-BitLockerKeyProtector cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.

A simple script can pipe out the values of each Get-BitLockerVolume return to another variable as seen below: Using this information, we can then remove the key protector for a specific volume using the command: Ensure the entire GUID, with braces, is included in the command. Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility.
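An added script, not the page's own, for the two steps just described: listing every protector on every volume with its ID (so the four-protector display limit does not hide any), and removing protectors by GUID before provisioning. The mount point is an assumption; the removal function deliberately refuses to touch a volume that is already encrypted or protected, since stripping protectors from such a volume is how data becomes unrecoverable.

```powershell
# Added example: protector inventory and guarded removal with the BitLocker cmdlets.

function Get-BitLockerProtectorReport {
    # One row per protector, so nothing is truncated the way the default
    # Get-BitLockerVolume table output can be.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            [pscustomobject]@{
                MountPoint    = $vol.MountPoint
                VolumeType    = $vol.VolumeType
                VolumeStatus  = $vol.VolumeStatus
                Protection    = $vol.ProtectionStatus
                ProtectorType = $kp.KeyProtectorType
                ProtectorId   = $kp.KeyProtectorId   # GUID, braces included
            }
        }
    }
}

function Clear-UnprotectedVolumeProtectors {
    # Removes every protector from $MountPoint, but only if the volume is still
    # fully decrypted and unprotected (the "prior to provisioning" case).
    param([Parameter(Mandatory)][string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -or $vol.ProtectionStatus -ne 'Off') {
        throw "$MountPoint is $($vol.VolumeStatus) / protection $($vol.ProtectionStatus); refusing to remove protectors."
    }

    foreach ($kp in $vol.KeyProtector) {
        # The full GUID from KeyProtectorId is what Remove-BitLockerKeyProtector expects.
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        Write-Host "Removed $($kp.KeyProtectorType) protector $($kp.KeyProtectorId) from $MountPoint"
    }
}

# Usage (mount point 'D:' is an assumption):
Get-BitLockerProtectorReport | Format-Table -AutoSize
Clear-UnprotectedVolumeProtectors -MountPoint 'D:'
```

Run the report again after clearing; an empty result for that mount point confirms the volume is back to a clean slate before Enable-BitLocker is used.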

For example, users can add the desired protector as part of the command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. The example below adds one additional protector, the StartupKey protector, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. Data volume encryption using Windows PowerShell is the same as for operating system volumes.

You should add the desired protectors prior to encrypting the volume. Last, encryption begins. This protector can be added to both operating system and data volumes, although it doesn’t unlock operating system volumes in the pre-boot environment.

The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over and be unlocked on any member computer of the cluster.

For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. This doesn’t require the use of additional features. In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume.

The user knows the SID for the user account or group they wish to add and uses the following command: To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, the manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We’ll look at each of the available methods in the following section. Checking BitLocker status with the control panel is the most common method used by most users.
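The PowerShell scenarios from the preceding passages (operating system volume with a startup key and skipped hardware test, data volume with protectors added before encryption, and the SID-based protector), as one added example that is not part of the original page. Mount points, the startup-key path E:\, the domain CONTOSO and the group BitLockerAdmins are assumptions; the SID lookup uses the .NET NTAccount translator so no RSAT module is required.

```powershell
# Added example: Enable-BitLocker scenarios plus an AD account/group protector.
# C:, D:, E:\ and the CONTOSO\BitLockerAdmins group are assumptions.

function Get-AccountSid {
    # Resolve DOMAIN\Name to its SID string; needs line of sight to a domain controller.
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Name)
    $acct = New-Object System.Security.Principal.NTAccount($Domain, $Name)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# --- Operating system volume ---
# Stage the recovery password first so a recovery path exists before the volume
# depends on the TPM; then enable with TPM + startup key and skip the hardware
# test so encryption starts without the reboot.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
    -TpmAndStartupKeyProtector -StartupKeyPath 'E:\' -SkipHardwareTest

# --- Data volume ---
# Same cmdlets; add the protectors you want, then encryption begins.
$pw = Read-Host -AsSecureString -Prompt 'Password protector for D:'
Add-BitLockerKeyProtector -MountPoint 'D:' -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -PasswordProtector -Password $pw

# --- SID-based protector ---
# Lets members of the group (or a cluster name object) unlock the data volume.
# On an OS volume this protector does not unlock in the pre-boot environment.
$sid = Get-AccountSid -Domain 'CONTOSO' -Name 'BitLockerAdmins'
Add-BitLockerKeyProtector -MountPoint 'D:' -ADAccountOrGroupProtector -ADAccountOrGroup $sid | Out-Null

# --- Verify what each volume now carries ---
foreach ($mp in 'C:', 'D:') {
    $vol = Get-BitLockerVolume -MountPoint $mp
    Write-Host "$mp : $($vol.VolumeStatus), protection $($vol.ProtectionStatus), $($vol.EncryptionPercentage)% encrypted"
    $vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize
}
```

Enable-BitLocker accepts one protector type per invocation, which is why the recovery password goes on with Add-BitLockerKeyProtector beforehand; the verification loop at the end is the PowerShell equivalent of `manage-bde -protectors -get`.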

Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with the control panel include: If a drive is pre-provisioned with BitLocker, a status of “Waiting for Activation” displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume.



BitLocker overview and requirements FAQ (Windows 10) – Windows security | Microsoft Docs

A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to


