Enabling BitLocker in Windows 7

BitLocker provides full disk encryption. With mounting concerns around identity theft and corporate data security, it is more important than ever that everyone take steps to ensure the data stored on their personal computers is kept secure.

The following step-by-step instructions can be used to enable BitLocker drive encryption on a machine running Windows 7.

Disclaimer: These instructions are provided AS IS without implied warranty of any kind. USE AT YOUR OWN RISK. I will not provide support and by reading this post or using these instructions you agree that I am in no way responsible for loss of data or any other losses that result from your usage of the information contained in this post.

Step 1 – Configure Local Group Policy
BitLocker uses local group policy settings to configure its behavior. These settings must be initialized prior to running BitLocker.

Step 1.1 – Open the Local Group Policy Snap-in
Click Start and in the run box type gpedit.msc


Step 1.2 – Navigate to the correct node in the group policy editor
Navigate to:
Local Group Policy –> Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption –> Operating System Drives

There are four settings groups that need to be configured here. Open each window in turn as specified in the following four steps. To open a settings group double-click the setting in the list.


Step 1.3 – Require additional authentication at startup
Configure BitLocker to require a startup PIN with TPM (Trusted Platform Module). This setting means that BitLocker will require the user to enter a PIN when the computer is first powered on.

Click Apply and OK to close the settings window.


Step 1.4 – Allow enhanced PINs for startup
Enhanced PINs allow for the use of a more diverse set of characters. Select "Enabled".

Click Apply and OK to close the settings window.


Step 1.5 – Configure minimum PIN length for startup
The next settings group allows a minimum PIN length to be specified.

Click Apply and OK to close the settings window.


Step 1.6 – Choose how BitLocker-protected operating system drives can be recovered
Specify the mechanisms through which a BitLocker protected drive can be recovered.

Click Apply and OK to close the settings window.


Step 1.7 – Verify that all four settings groups are shown as Enabled
THIS IS IMPORTANT! Ensure that the settings groups are enabled correctly. Once the BitLocker process begins these settings will be used without further confirmation.

Close the Local Group Policy Editor window.
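
The check in Step 1.7 can also be done from PowerShell by reading back the registry values the four settings groups write. This is an added example, not part of the original post; the function name is hypothetical, and the default minimum PIN length of 4 is an assumption to replace with the value you chose in Step 1.5.

```powershell
# Added example: read back the Step 1.3-1.6 policies from the registry.
# Written to run on the PowerShell 2.0 that ships with Windows 7.
function Test-BitLockerStartupPolicy {
    param(
        # Assumption: replace 4 with the minimum length you entered in Step 1.5.
        [int]$ExpectedMinimumPin = 4,
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    )

    if (-not (Test-Path $PolicyKey)) {
        throw "Policy key $PolicyKey not found: no BitLocker policy is configured."
    }
    $fve = Get-ItemProperty -Path $PolicyKey

    # Registry value written by each settings group, and the value expected here.
    $checks = @(
        @{ Step = '1.3'; Name = 'UseAdvancedStartup'; Want = 1 },   # policy enabled
        @{ Step = '1.3'; Name = 'UseTPMPIN';          Want = 1 },   # 1 = require PIN with TPM
        @{ Step = '1.4'; Name = 'UseEnhancedPin';     Want = 1 },
        @{ Step = '1.5'; Name = 'MinimumPIN';         Want = $ExpectedMinimumPin },
        @{ Step = '1.6'; Name = 'OSRecovery';         Want = 1 }
    )

    foreach ($c in $checks) {
        $actual = $fve.($c.Name)          # $null when the setting is Not Configured
        if ($c.Name -eq 'MinimumPIN') {
            $ok = ($actual -ne $null) -and ($actual -ge $c.Want)
        } else {
            $ok = ($actual -eq $c.Want)
        }
        New-Object PSObject -Property @{
            Step = $c.Step; Setting = $c.Name; Expected = $c.Want; Actual = $actual; OK = $ok
        }
    }
}

$results = @(Test-BitLockerStartupPolicy)
$results | Select-Object Step, Setting, Expected, Actual, OK | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.OK })
if ($failed.Count -gt 0) {
    Write-Warning "Do not start Step 2 yet: $($failed.Count) setting(s) differ from this guide."
}
```

A blank Actual column means the setting is still Not Configured in the policy editor.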


Step 2 – Enable BitLocker Drive Encryption
Now that the local group policy has been configured, the system is ready for BitLocker drive encryption.

This set of steps proceeds through a series of dialogs, each of which is explained below.

Step 2.1 – Turn on BitLocker
Turn on BitLocker by right-clicking your operating system drive and selecting Turn on BitLocker…


Step 2.2 – BitLocker initializes the drive
Wait until the initialization is complete.


Step 2.3 – Prepare your drive for BitLocker
Click the Next button to prepare your drive.


Step 2.4 – Continue preparing your drive
Click the Next button again to continue.


Step 2.5 – Encrypt the drive
Click Next to initiate the drive encryption process.


Step 2.6 – Require a PIN at every startup
Click on the Require a PIN at every startup option.


Step 2.7 – Enter a startup PIN
Choose a PIN that will be required at every startup. It is recommended that this is a mixture of characters and numbers that is easy to remember and is different from your username and domain password. This PIN should not be a number or phrase that is printed on the case of the computer. Service tags are not appropriate PINs.

Click the Set PIN button to proceed.


Step 2.8 – Insert a USB thumb-drive into your laptop
This will be used to store your recovery key.


Step 2.9 – Save the recovery key to a USB flash drive
Click the Save the recovery key to a USB flash drive option.


Step 2.10 – Save the recovery key to the thumb drive
A dialog is shown listing the USB devices connected to the system. The thumb drive inserted in step 2.8 should be listed and selected.

Click the Save button to save the recovery key.


Step 2.11 – Proceed to next step
Click the Next button to proceed.


Step 2.12 – Run BitLocker system check
Ensure that the Run BitLocker system check box is checked.

Click the Continue button to proceed.


Step 2.13 – Restart computer
BitLocker will now perform a system check prior to encrypting drive contents.

Part of this check involves restarting the computer to ensure that the user enters their PIN correctly and that the TPM key can be unsealed using that PIN.

Click the Restart now button to proceed.


Step 2.14 – Enter PIN
Enter the PIN used for this computer.


Step 2.15 – Encryption in progress
After the machine is booted up, note that drive encryption is in progress.


Step 2.16 – Wait for Drive Encryption to Complete
Click Close to finish.


Congratulations! Your drive is now encrypted with BitLocker using a TPM and PIN.
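
To confirm that end state from the command line rather than from the dialogs, the following added example (not part of the original post) summarises what manage-bde reports for the operating system drive. The function name is hypothetical; it assumes an elevated PowerShell prompt and English-language manage-bde output.

```powershell
# Added example: summarise manage-bde output for the operating system drive.
# Assumes an elevated prompt and English-language manage-bde output.
function Get-BitLockerSummary {
    param(
        [string[]]$StatusText,       # lines from: manage-bde -status <drive>
        [string[]]$ProtectorText     # lines from: manage-bde -protectors -get <drive>
    )

    # Pull the three status fields that describe the end state.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(Conversion Status|Percentage Encrypted|Protection Status):\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    # Protector headings as manage-bde prints them.
    $hasTpmPin   = @($ProtectorText -match '^\s*TPM And PIN:').Count -gt 0
    $hasRecovery = @($ProtectorText -match '^\s*(Numerical Password|External Key):').Count -gt 0

    New-Object PSObject -Property @{
        Conversion        = $fields['Conversion Status']
        Percentage        = $fields['Percentage Encrypted']
        Protection        = $fields['Protection Status']
        TpmAndPin         = $hasTpmPin
        RecoveryProtector = $hasRecovery
        # True only when encryption finished, protection is active, and both
        # the TPM+PIN protector and a recovery protector exist.
        Complete          = ($fields['Conversion Status'] -eq 'Fully Encrypted') -and
                            ($fields['Protection Status'] -eq 'Protection On') -and
                            $hasTpmPin -and $hasRecovery
    }
}

$drive = $env:SystemDrive
$summary = Get-BitLockerSummary -StatusText (manage-bde -status $drive) `
                                -ProtectorText (manage-bde -protectors -get $drive)
$summary | Format-List Conversion, Percentage, Protection, TpmAndPin, RecoveryProtector, Complete
```

Complete stays False while encryption is still in progress (Step 2.15) or if protection has been suspended, so rerun it after the final dialog closes.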
