Editor’s note: The following post was written Office Servers and Services MVP as part of our Technical Tuesday series.Windows 10 includes several security features. Perhaps one of the most important features is BitLocker Drive Encryption, which provides data protection in case of a loss or stolen device. It also provides security for decommissioned computers. BitLocker has been around for several years and can be used with Windows Vista, Windows 7 and Windows 8/8.1 operating systems. However, the focus of this article is on securing Windows 10 with BitLocker.BitLocker Drive Encryption is built into the Windows 10 operating system and uses Advanced Encryption Standard (AES) with configurable key lengths of either 128-bit (default) or 256-bit (configurable using Group Policy). The idea behind the BitLocker Drive Encryption is that once you secure your drive, only you, or someone who has your password and recovery key, will be able to get to your data. Although this kind of protection provides enhanced security on mobile devices, such as laptops, there is no reason why you shouldn’t take advantage of BitLocker encryption on your desktop computers.NOTE: BitLocker is not available on Windows 10 Home edition.
It’s available on Windows 10 Pro, Enterprise and Education editions.Unlike Encrypted File System (EFS) in previous Windows operating systems, BitLocker Drive Encryption encrypts your entire drive. This is much better than encrypting certain files or folders not only because of its ease but also because it offers a much higher level of security.
By encrypting the entire drive, you can rest assured that all the files on your encrypted partition are protected.In this article, I will share some insights into Windows 10 BitLocker Drive Encryption. I will walk you through step-by-step configuration of BitLocker on Windows 10 and also share some best practices.BitLocker RequirementsIt is important to understand the following BitLocker requirements before you implement BitLocker on your computer. These requirements are fairly minimal and an average user is likely to easily implement them on his/her computer.HardwareTPM v1.2 Chip - If you have a computer that you purchased in the last few years, chances are that it includes a Trusted Platform Module (TPM) chip. This is common on most laptops these days.
We use BitLocker on all of our Dell laptops. We had one user who told me he received a BSOD (critical process died) and brought it into me. I have the BitLocker recovery key and the user's PIN as well but even with that information, I'm unable to boot into Safe Mode. I went into BitLocker Recovery and opened a command prompt.
To properly secure your Windows computer with BitLocker, Microsoft recommends you use TPM version 1.2 or later. If you are not sure whether your computer has a TPM chip, type tpm.msc in the Windows search box to load TPM Console. It will show you the TPM if it exists, otherwise you will see a message Compatible TPM cannot be found. Support for USB – Your computer must support booting from a USB flash drive. If you don’t have a TPM chip, you can still use BitLocker Drive Encryption with a USB flash drive. For example, if you have a Windows 10 desktop computer that doesn’t have a TPM chip, you can use the USB flash drive to save the BitLocker recovery key. You will insert the flash drive when the computer is started or resumed from hibernation and it will unlock the computer for you.NOTE: BitLocker doesn’t support Dynamic Disks.
Good observation, Paul but you should be aware that BitLocker also offers ‘automatically drive unlock’ as an option; you can check it or you can choose to enter a password every time you login to unlock the data drives. Sure, I am talking about other drives than C.This means that even if someone knows your BitLocker startup key AND your Windows account password, that someone will still need the third password to unlock the data drives. Now – this is very unlikely to happenFor me is not very clear what happens when I move an encrypted drive from one computer to another.
Since “Recovery keys are computer-specific” – I assume I will be able to unlock that drive using the initially set password but I won’t be able to use the recovery key in case I forget the password. Which means – it is recommended to generate a new recovery key on the new computer. Requiring a USB if you don’t have TPM is highly annoying – especially on a laptop. Requiring a 350 MB System partition – when my computer has a 100 MB System partition – is a real showstopper. I’m not about to wipe my computer and re-partition. Also, a 10% hit on performance may not matter with a new computer, but a 5-10 year old computer is often completely usable for most people until you start adding 10% performance drops.
Something like a Truecrypt folder might be a better option – even though it’s stopped development. You also imply EFS is not part of Win 10, but it is. And if it’s important why does MS not allow Home users to have this feature? It doesn’t cost them anything – my guess is a computer running Home is too underpowered to take the 10% performance hit.
@Yah,“ Truecrypt folder might be a better option – even though it’s stopped development.”I believe that VeraCrypt has picked up the TruCrypt technology and continued the development. It looks and behave the same as TC.You can easily find its pages on Codeplex or sourceforge. I have been using it for a few years now.Now regarding this article, in general:I’d rather use something like VeraCrypt than Bitlocker. VC doesn’t cripple you with hardware or OS silly requirements.A major security problem has been ransomware.This is where some OS intelligence needs to be implemented to detect that a suspicious program is trying to encrypt the data files (documents, pictures, etc.), then it would prompt the operator for permission (before allowing that program to perform any mass action on data or system files), and with a verification code (sent to the mobile device), not Windows password because it might have already been compromised. Without discussing Intel’s Platform Trust Technology, this article is not as helpful as it could be.and from Intel’s.eu site –Intel® Platform Trust Technology (Intel® PTT) is a platform functionality for credential storage and key management used by Windows 8. and Windows® 10. Intel PTT supports BitLocker.
for hard drive encryption and supports all Microsoft requirements for firmware Trusted Platform Module (fTPM) 2.0.It’s an integrated solution in the Intel® Management Engine for 4th Generation Intel® Core™ processors with ultra-low TDP (Thermal Display Power) platforms and later. Hi Zubair and thank you for your article.I have just used bitlocker to encrypt all my internal hard drives. I would like to change the password on the operating system drive but the there is no option to do so, as shown under section 20 of your article, so how do you change the password?For clarify if I have automated the bitlocker for my internal hard drives, so I don’t have to enter the password every time I access a drive, and hence the hard drives are showing as BitLocker on, does that mean when I shut down the PC that the hard drive is not protected?Therefore, if the hard drive was taken out and connected to another PC, with the”BitLocker on” is the hard drive still encrypted?. I have a brand new Dell desktop with windows 10 pro 64 bit. I use External Hard drives for back up, all plug and play.
I have never had a problem with my external hard drives or other computers. When I plugged in my external hard drive to the new computer to load and back up files, Bitlocker comes on and says my external drive is locked and wants the 48 digit key. The drive has never been locked, I have never used bitlocker and yet I can not access my backed up files because windows 10 pro says my drive is bitlocked. How do I get rid of bitlocker? Never have and never will use it, now it is keeping me from setting up my new computer and accessing my own backed up files!!!