Work Smart: Protect Data with Windows 7 BitLocker

Get Started

About
Windows 7 BitLocker
Microsoft BitLocker Drive Encryption technology uses the
strongest publicly available encryption to protect your computers
data, and prevents others from accessing your disk drives without
authorization.
Additionally, the BitLocker To Go feature prevents unauthorized
data access on your portable storage devices, including Universal
Serial Bus (USB) flash drives, also known as thumb drives.
Topics in this guide include:
Prepare to Enable BitLocker
Back Up and Transfer Files
Turn On BitLocker
Suspend BitLocker Protection
Decrypt Your Drive
Encrypt a Portable Drive with BitLocker To Go
Manage BitLocker To Go
Decrypt a Portable Drive

Customization note: This document contains guidance and/or step-by-step installation instructions that can be reused, customized, or
deleted entirely if they do not apply to your organizations environment or installation scenarios. The text marked in red indicates either
customization guidance or organization-specific variables. All of the red text in this document should either be deleted or replaced prior
to distribution.

Prepare to Enable BitLocker

All new systems that <<organization >>provides are ready for BitLocker enablement. However, before you enable BitLocker, you need to join
your computer to a corporate domain (if it isnt already joined) and ensure that you are connected to the <<organization >>corporate
network. For information on joining your computer to a corporate domain, see the Joining a Windows 7 System to a Domain Work Smart Guide:

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.
Page 1 of 9
Work Smart: Protect Data with Windows 7 BitLocker
Get Started

<< Insert Joining a Windows 7 System to a Domain Work Smart Guide file location or URL>>

Note
You will not be able to encrypt your drive unless you have a network connection.

Back Up and Transfer Files

<<Organization >> provides several solutions for backing up your data.
<<insert preferred methods here>>
<<insert preferred methods here>>

Turn On BitLocker
After you connect to the corporate network, you can turn on BitLocker. BitLocker then turns on your computers Trusted Platform Module (TPM)
chip, which is a microchip that enables your computer to utilize advanced security features.

Start BitLocker
Initially, when you start BitLocker, you can create a personal identification number (PIN) that you can use each time you start your computer, or
you can designate a startup key that you must enter each time that you attempt to access a USB drive. This additional protection is optional,
but is recommended. If you are going to use DirectAccess as your remote-connectivity software solution, you must create a PIN.
To start BitLocker and create a PIN or startup key:

1 Click Start , click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

2 Ensure your computers TPM is turned on. To do this, look for a TPM Administration link in the lower-left corner of the window under See
also.

If you do not see this link, the TPM is not on. For assistance in turning it on, contact << helpdesk contact or technical support URL>>.
3 Click Turn On BitLocker.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.
Page 2 of 9
Work Smart: Protect Data with Windows 7 BitLocker
Get Started

4 On the Set BitLocker startup preferences page, click Require a PIN at every startup.

Important
<<Organization >> recommends using a PIN or startup key because it is the most secure option. You must create a PIN if you are going
to use DirectAccess as your remote-connectivity software solution.
5 On the Enter a numeric startup PIN page, in the PIN field, type a number that is between 5 and 20 digits in length. The longer your PIN
number, the more secure your computer will be.
6 In the Confirm PIN field, retype the number.

7 Click Set PIN.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.
Page 3 of 9
Work Smart: Protect Data with Windows 7 BitLocker
Get Started

8 On the How do you want to store your recovery key? page, click one of the following options:
Save the recovery key to a file. Microsoft IT recommends this option, which enables you to save your password to a network file-
share folder, such as My Site.
Print the recovery key.

9 Click Next.

10 On the Encrypt the drive page, select the Run BitLocker System check box, and then click Continue.

11 Close and save any files that you have open. (In the next step, you will restart the computer.)

12 Click Continue.
BitLocker restarts your computer and begins the encryption process.

Notes
BitLocker will encrypt your hard-disk drive in approximately one to three hours, depending on its size. You can continue to use your
computer during the encryption process.
After BitLocker is enabled, each time that you attempt to log on to your computer, you will need to enter your BitLocker PIN before
Windows starts. If you have any issues accessing your computer, contact
<< helpdesk contact or technical support URL>>.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.
Page 4 of 9
Work Smart: Protect Data with Windows 7 BitLocker
Get Started

Suspend BitLocker Protection

You may need to suspend BitLocker. For example, you might need to do a hardware upgrade or basic input/output system (BIOS) updates.
When you suspend BitLocker, Windows disables protection on your system. You wont need to enter your PIN to start your computer, but your
data will be unprotected.
You can perform all updates and system changes by suspending BitLocker protection. You typically do not need to turn BitLocker off for any
reason other than to decrypt your drive.
To suspend BitLocker:

1 Click Start , click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

13 Click Suspend Protection.

Resume BitLocker Protection

1 Click Start , click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

14 Click Resume Protection.

Decrypt Your Drive

1 Click Start , click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

15 Click Turn Off BitLocker.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.
Page 5 of 9
Work Smart: Protect Data with Windows 7 BitLocker
Get Started

BitLocker will decrypt your hard-disk drive in approximately 13 hours, depending on the hard-disk size. You can continue to use your
computer during the encryption process.

Encrypt a Portable Drive with

BitLocker To Go
When you encrypt a portable drive with BitLocker To Go, you can set it to unlock by using a password or your smart card.
1 Connect to the corporate network.

2 Decide whether you want to use password protection or smart card protection..

16 Insert the portable drive (USB drive, SC card, SD/MMC card, etc.) into the appropriate slot.

17 Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

18 Click Turn On BitLocker next to the portable storage device that you want to encrypt.

19 In the Choose how you want to unlock this drive dialog box, select one of the following options.
If you want to use a password to unlock the drive, select the Use a password to unlock the drive check box, enter your
password twice, and then click Next.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.
Page 6 of 9
Work Smart: Protect Data with Windows 7 BitLocker
Get Started

If you want to use a smart card to unlock the drive instead, select the Use my smart card to unlock the drive check box,
insert your smart card, and then click Next.

Important
Create a password with 812 characters. It is recommended that you use an easy-to-remember passphrase and change certain letters
to caps or obvious special characters. Entering a password is a one-time event. You will not need to change or reset it unless you want
to.
20 In the BitLocker Drive Encryption dialog box, do one of the following:
To print the recovery key, click Print the recovery key, and then click Next.
Or
a. To save the recovery key to My Site or another file share, click Save the recovery key to a file.

b. In the Save BitLocker Recovery Key as dialog box, BitLocker suggests a filename to use. You can edit this filename to
distinguish it from recovery keys that you may acquire for additional portable devices. For example, you might want to name it

BitLocker San Disk 2Gig Recovery Key DDxxxDxx.

c. Go to My Site or the file-share folder where you want to save the recovery key.

d. Click Save.

21 Click Start Encrypting.

Encryption time varies but typically takes 3 minutes per GB of data. An encryption progress dialog box will appear, followed eventually
by a completion notice.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.
Page 7 of 9
Work Smart: Protect Data with Windows 7 BitLocker
Get Started

22 Click Close.

23 When the encryption is complete, remove the device. If you chose smart card encryption, remove your smart card. Wait a few seconds
and then reinsert the device and/or smart card.
24 Do one of the following:
If you chose password protection:

i. Enter your password.

ii. If you want to have the device automatically unlocked when you use it with your computer, select the Automatically
unlock on this computer from now on check box. To use auto-unlock, BitLocker must be enabled.

iii. Click Unlock.

If you chose smart card protection, click Unlock, enter your PIN, and then click OK.

Notes
BitLocker To Go can encrypt your drive in minutes or hours, depending on your drives size, your connection speed, and the technology
you use, such as External Serial Advanced Technology (eSATA), FireWire, USB, or USB 2.0. You can continue to use your computer
during the encryption process.
Each time you attempt to use the drive, you will need to enter the password or smart card unless you set up BitLocker To Go to unlock
the drive automatically. If you have any issues accessing your drive, contact the << helpdesk contact or technical support URL>>.
If you want to change the password for a portable drive or change the auto-unlock feature, click Start, click Control Panel, click
System and Security, and then click BitLocker Drive Encryption. In the BitLocker Drive Encryption dialog box, click Manage
BitLocker next to the portable drive information.
All recovery keys are stored in Active Directory and can be obtained << selfhelp URL, helpdesk contact, technical support URL>>.

Manage BitLocker To Go
After you encrypt a portable drive, you may want to change a password, remove a password, add a smart card to unlock the drive, save or
print a recovery key again, or turn the automatic unlock feature on or off.
To make any of these changes:

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.
Page 8 of 9
Work Smart: Protect Data with Windows 7 BitLocker
Get Started

1 Click Start , click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

25 Click Manage BitLocker.

26 Select one of the options in the dialog box.

Decrypt a Portable Drive

1 Click Start , click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

3 Click Turn Off BitLocker.

4 Click Decrypt Drive.

For More Information

BitLocker Drive Encryption
http://windows.microsoft.com/en-US/windows7/products/features/bitlocker

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.
Page 9 of 9