Enable BitLocker Encryption on Vista
One of the most significant security enhancements to Windows Vista was the addition of a technology called BitLocker Drive Encryption. Unlike EFS, which encrypts individual files, BitLocker, combined with a Trusted Platform Module (TPM) chip on a PC’s motherboard, encrypts the entire hard disk or partition, thus making the system more secure. Since BitLocker encrypts the entire disk drive, the computer cannot be booted unless it can access the disk, and even removing the disk and attaching it as a slave disk on a working computer will not give you access to the disk’s contents.
BitLocker is supposed to help users and companies to protect their data, especially executives traveling around with key corporate data on their laptops. BitLocker integrates with a TPM 1.2 chip and uses a 128-bit or 256-bit AES encryption algorithm. You can optionally use BitLocker on non-TPM systems, but to do that you must supply a USB memory key or an alphanumeric password in order to access the system.
Note: BitLocker is only available on Windows Vista Enterprise and Ultimate editions.
If your computer’s motherboard is TPM compliant (meaning it has a TPM chip on the motherboard that is used to hold the encryption keys), BitLocker will be enabled by default. If your motherboard is not TPM compliant, BitLocker will not be enabled by default and you will need to enable it yourself (that’s what this article is all about).
With a TPM compliant motherboard your computer will do all the work for you. Without it, you will need an external USB key to store the encrypted keys on, and you will need to insert it into the USB port every time you boot your PC.
To find out if your computer has Trusted Platform Module (TPM) security hardware
Go to Control Panel and click on the BitLocker icon. If you don’t see a BitLocker icon, there’s a high probability that your computer does NOT have a TPM compliant motherboard.
If you do see a BitLocker icon, double-click on it to open it. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
If the TPM administration link appears in the left pane, your computer has the TPM security hardware. If this link is not present, you will need a removable USB memory device to turn on BitLocker and store the BitLocker startup key that you’ll need whenever you restart your computer.
Before you can turn on BitLocker Drive Encryption you need to make sure that your computer’s hard disk has the following:
- At least two volumes. Note: If you create a new volume after you have already installed Windows, you will have to reinstall Windows before turning on BitLocker. If you do not already have two partitions, you can use the BitLocker Drive Preparation Tool to help get your system ready for BitLocker by creating the required second partition. You can get the BitLocker Drive Preparation Tool from the Windows Update site/tool. After you have installed this tool, type BitLocker into the Start menu search box, and then double-click BitLocker Drive Preparation Tool to run the tool. After the tool runs, you must restart your computer before turning on BitLocker.
- One volume is for the operating system drive (typically drive C) that BitLocker will encrypt, and one is for the active volume, which must remain unencrypted to start the computer. The size of the active volume must be at least 1.5 gigabytes (GB). Both partitions must be formatted with the NTFS file system.
To enable BitLocker without a TPM compliant motherboard, please follow the steps below:
- Click Start > Accessories > Run
- In the Run Dialog box type gpedit.msc and press Enter.
- In the Group Policy window navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
- In the right pane double-click on Control Panel Setup: Enable advanced startup options
- In the properties window click the radio button next to the ‘Enable’ option and then click OK
- Refresh the Group Policy by typing gpupdate /force in the Run dialog (Start > Accessories > Run).
- Go to Control Panel and click on the BitLocker icon. If you don’t see a BitLocker icon, you’re probably not in Classic View. Either switch to Classic View, or type bit in the search box in the top right corner of the Control Panel window. You should now see a link for enabling BitLocker.
- If you’re like me, then your computer’s hard disk is not set up to support the usage of BitLocker, and you’ll get a window like this one:
You will need to use the BitLocker Drive Preparation Tool to prepare your disk drive for BitLocker. I will prepare a demo on this in later articles.
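The three things the article checks through the GUI (whether a TPM is present, whether the Group Policy setting took effect, and whether the disk has a separate active volume of at least 1.5 GB) can also be verified from an elevated PowerShell prompt. This script is an added example, not part of the original article, and assumes that the “Enable advanced startup options” policy writes the UseAdvancedStartup and EnableBDEWithNoTPM values under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example (not from the article): report the BitLocker prerequisites
# the article walks through in the GUI. Run from an elevated PowerShell prompt.

function Get-TpmStatus {
    # Win32_Tpm lives in its own WMI namespace and needs administrator rights.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    $tpm | Select-Object SpecVersion, IsEnabled_InitialValue,
                         IsActivated_InitialValue, IsOwned_InitialValue
}

function Get-NoTpmPolicy {
    # Assumed: the gpedit.msc setting from the article lands in these values.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

function Get-VolumeLayout {
    # BitLocker needs an unencrypted active (system) volume, separate from the
    # Windows (boot) volume, of at least 1.5 GB; both must be NTFS.
    Get-WmiObject -Class Win32_Volume |
        Where-Object { $_.DriveType -eq 3 } |
        Select-Object DriveLetter, Label, FileSystem, BootVolume, SystemVolume,
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Capacity / 1GB, 2) } }
}

$tpm = Get-TpmStatus
if ($tpm) { 'TPM present:'; $tpm | Format-List }
else      { 'No TPM found: a USB startup key and the policy below are required.' }

if (Get-NoTpmPolicy) { 'Policy: BitLocker without a TPM is allowed.' }
else                 { 'Policy: advanced startup options not enabled (run the gpedit.msc steps).' }

$vols = Get-VolumeLayout
$vols | Format-Table -AutoSize
# A default Vista install puts system and boot on the same volume, which BitLocker rejects.
$sys = $vols | Where-Object { $_.SystemVolume -and -not $_.BootVolume }
if (-not $sys) {
    'Layout: active and Windows volumes are the same; run the BitLocker Drive Preparation Tool.'
} elseif ($sys.SizeGB -lt 1.5 -or $sys.FileSystem -ne 'NTFS') {
    'Layout: active volume is smaller than 1.5 GB or not NTFS.'
} else {
    'Layout: separate NTFS active volume present.'
}
```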