First you need to check if the following items are there in your laptop/server
- TPM Chip
- Windows 7 Enterprise or Higher (Ultimate with or without N)
- Windows Server 2008 R2 Enterprise or Higher
You can achieve BitLocker encryption introduced into any number of drives, and you can do this in two ways:
- BitLocker Encryption tied to the TPM chip
- Password protected BitLocker without the integration with TPM
Enable BitLocker: This exercise is done using Windows 8.1 Enterprise N Edition. Now, you can do it in a short step. On your keyboard, press “Windows Key+E”, Select your boot drive, right click on it and click enable BitLocker on this drive. It will prompt you to save the recovery key elsewhere, other than the fixed drive, perhaps a memory stick is a good choice. Save or Print the recovery key and let the wizard start the encryption. A screenshot:
As you can see there are three options available to manage. Suspend the protection, backup again the recovery key & completely turning off BitLocker.
Now Lets run the following command:
Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. One the right pane/panel, double-click on the “Require additional authentication at startup”. Screenshot follows:
First, Enable the policy, and set the fields as shown in the picture 🙂 Press OK afterwards and close the local policy editor. DO NOT RESTART YET.
Nope, we are not done yet…haha. Now we are going to set the TPM PIN for the encrypted drive; type in the following command:
manage-bde -protectors -add c: -TPMAndPIN
Provide the PIN two times. Now run the following command:
You should get the following summary result:
As you can see key protectors are initiated with TPM And PIN. Wala you are done, restart and get ready to provide the PIN, otherwise, you are doomed. Word of advice, do keep your BitLocker keys in safe place(s)
BitLocker drive encryption was originally an integral security feature in Windows SBS 2008. You can back up a source volume that is encrypted with BitLocker. However, if you restore the backup to your server, it is restored without BitLocker encryption. You must manually enable BitLocker on the restored volume. Afterwards BitLocker ported to Vista and so on
You can do this after BitLocker has encrypted the entire drive. First you have to enable the local policy to require a PIN during startup. You could also do that centrally enterprise wide through Group Policy (GPO).
Checkout the following links as well:
- BitLocker Drive Preparation Tool: http://www.microsoft.com/en-gb/download/details.aspx?id=7806
- BitLocker Drive Encryption Step-by-Step Guide for Windows 7: https://technet.microsoft.com/en-us/library/dd835565%28v=ws.10%29.aspx
- Windows BitLocker™ Drive Encryption Step by Step Guide: http://go.microsoft.com/fwlink/?LinkId=53779
- Windows Trusted Platform Module Services Step by Step Guide: http://go.microsoft.com/fwlink/?linkid=67232