Windows 10 is quite an impressive operating system. It’s fast, it runs all of my old apps (even my retro games!), and it has tons of security improvements.
BitLocker Drive Encryption isn’t new to Windows 10. Encrypting files in Windows goes all the way back to the Encrypting File System (EFS) in Windows 2000. BitLocker was first shipped as part of the Operating System Who Must Not Be Named (the predecessor of Windows 7). BitLocker has always provided a great level of data confidentiality by encrypting an entire logical drive, not just files.
All modern encryption uses a key, and BitLocker is no different. The best practice is to store the BitLocker key in a Trusted Platform Module (TPM), which is a secure system component that protects cryptographic keys and prevents tampering and unauthorized access. When an attacker tries to steal or modify keys protected by a TPM, the TPM either destroys itself, wipes its own memory, or reduces functionality in a recovery mode. This is normally how BitLocker is deployed, with keys stored in the TPM.
If you are using a Professional or Enterprise version of Windows 10, you can enable BitLocker through the BitLocker Drive Encryption applet in Control Panel.
You can see that my C: drive is not currently encrypted. I have the option of turning it on by clicking Turn on BitLocker.
My computer doesn’t have a TPM for BitLocker to use. The default system policy does not permit BitLocker keys on USB removable storage. So I get this error:
If you can’t see the image, the error is:
- This device can’t use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes.
When a TPM is not available BitLocker can still work. Removable storage, typically a USB memory stick, must be provided for the key. BitLocker will create the key and store it on the USB stick. From that point on, the USB stick must be inserted whenever Windows 10 starts.
To enable these options, you must configure the policy. On a domain-joined computer, you will typically do that through Group Policy. In this article I’m illustrating how to do it on a standalone system.
To enable BitLocker on a system without a TPM by storing the key on a removable USB stick, follow these steps:
Press Windows + R to bring up the Run dialog, type gpedit.msc and press Enter. This launches the Local Group Policy Editor.
Navigate to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives
Double-click Require additional authentication at startup. This lets you set the configuration for using removable memory or TPM with BitLocker.
Click Enable to access the other options. Rather than paraphrasing, here’s the full description for these options:
This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.
Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.
If you want to use BitLocker on a computer without a TPM, select the “Allow BitLocker without a compatible TPM” check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both.
If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.
If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.
Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
That’s the hard part. Notice that the last note specifies that you’ll need to use manage-bde.exe at a command prompt to turn on BitLocker. So that step is slightly harder than using the Control Panel wizard. But you should only need to do it once. I will cover using manage-bde.exe to enable BitLocker in a different article.
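For a standalone machine, the same policy change can be scripted instead of clicked through gpedit.msc. The following is an added example, not code from the original article: it writes the registry values that the “Require additional authentication at startup” policy sets, refuses to relax the policy if a ready TPM is actually present, and then turns on BitLocker for C: with a USB startup key plus a recovery password. The USB drive letter E: is an assumption.

```powershell
# Added example (not part of the original article). Run from an elevated PowerShell prompt
# on a standalone (non-domain-joined) Windows 10 Pro/Enterprise machine.
#Requires -RunAsAdministrator

$UsbDrive = 'E:'   # assumed drive letter of the USB stick that will hold the startup key

# 1. Only relax the policy if there really is no usable TPM; a TPM protector is the stronger choice.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady) {
    Write-Warning 'A ready TPM is present; keep the default policy and use the TPM protector instead.'
    return
}

# 2. Registry equivalent of: policy Enabled + "Allow BitLocker without a compatible TPM" checked.
#    Group Policy on a domain-joined machine would overwrite these values at the next refresh.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1   # policy "Enabled"
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1   # allow without TPM
# The four TPM-related options: 0 = Do not allow, 1 = Require, 2 = Allow.
# Only one of them may be set to Require (1), otherwise the policy errors, as the note above says.
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $name -Type DWord -Value 2
}

# 3. Preconditions before touching the volume.
if (-not (Test-Path "$UsbDrive\")) { throw "USB drive $UsbDrive is not mounted." }
$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.ProtectionStatus -eq 'On') { Write-Host 'C: is already protected.'; return }

# 4. Turn on BitLocker with the startup key written to the USB stick (the "USB key" from the
#    policy text), then add a recovery password so a lost stick does not mean lost data.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
    -StartupKeyProtector -StartupKeyPath $UsbDrive -SkipHardwareTest | Out-Null
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# 5. Show what protects the drive now. Record the RecoveryPassword somewhere other than this
#    machine (printed copy, password manager, or AD/Azure AD escrow) before rebooting.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Select-Object KeyProtectorType, KeyFileName, RecoveryPassword
```

The startup key file that lands on the USB stick is what must be present at every boot from then on, exactly as the article describes, so treat that stick with the same care as the recovery password.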
Mike Danseglio – CISSP, MCSE, and CEH
Mike Danseglio teaches IT Security Training, Windows, System Center and Windows Server 2012 classes at Interface Technical Training. His classes are available in Phoenix, AZ and online with RemoteLive™.