Work Smart: Protect Data With Windows 7 Bitlocker
Get Started
About
Windows 7 BitLocker
Microsoft BitLocker Drive Encryption technology uses the
strongest publicly available encryption to protect your computer's
data, and prevents others from accessing your disk drives without
authorization.
Additionally, the BitLocker To Go feature prevents unauthorized
data access on your portable storage devices, including Universal
Serial Bus (USB) flash drives, also known as thumb drives.
Topics in this guide include:
Prepare to Enable BitLocker
Back Up and Transfer Files
Turn On BitLocker
Suspend BitLocker Protection
Decrypt Your Drive
Encrypt a Portable Drive with BitLocker To Go
Manage BitLocker To Go
Decrypt a Portable Drive
Customization note: This document contains guidance and/or step-by-step installation instructions that can be reused, customized, or
deleted entirely if they do not apply to your organization's environment or installation scenarios. The text marked in red indicates either
customization guidance or organization-specific variables. All of the red text in this document should either be deleted or replaced prior
to distribution.
<< Insert Joining a Windows 7 System to a Domain Work Smart Guide file location or URL>>
Note
You will not be able to encrypt your drive unless you have a network connection.
Turn On BitLocker
After you connect to the corporate network, you can turn on BitLocker. BitLocker then turns on your computer's Trusted Platform Module (TPM)
chip, which is a microchip that enables your computer to utilize advanced security features.
Start BitLocker
Initially, when you start BitLocker, you can create a personal identification number (PIN) that you can use each time you start your computer, or
you can designate a startup key that you must enter each time that you attempt to access a USB drive. This additional protection is optional,
but is recommended. If you are going to use DirectAccess as your remote-connectivity software solution, you must create a PIN.
To start BitLocker and create a PIN or startup key:
1 Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2 Ensure your computer's TPM is turned on. To do this, look for a TPM Administration link in the lower-left corner of the window under See
also.
If you do not see this link, the TPM is not on. For assistance in turning it on, contact << helpdesk contact or technical support URL>>.
3 Click Turn On BitLocker.
4 On the Set BitLocker startup preferences page, click Require a PIN at every startup.
Important
<<Organization >> recommends using a PIN or startup key because it is the most secure option. You must create a PIN if you are going
to use DirectAccess as your remote-connectivity software solution.
5 On the Enter a numeric startup PIN page, in the PIN field, type a number that is between 5 and 20 digits in length. The longer your PIN
number, the more secure your computer will be.
6 In the Confirm PIN field, retype the number.
8 On the How do you want to store your recovery key? page, click one of the following options:
Save the recovery key to a file. Microsoft IT recommends this option, which enables you to save your password to a network
file-share folder, such as My Site.
Print the recovery key.
9 Click Next.
10 On the Encrypt the drive page, select the Run BitLocker System check box, and then click Continue.
11 Close and save any files that you have open. (In the next step, you will restart the computer.)
12 Click Continue.
BitLocker restarts your computer and begins the encryption process.
Notes
BitLocker will encrypt your hard-disk drive in approximately one to three hours, depending on its size. You can continue to use your
computer during the encryption process.
After BitLocker is enabled, each time that you attempt to log on to your computer, you will need to enter your BitLocker PIN before
Windows starts. If you have any issues accessing your computer, contact
<< helpdesk contact or technical support URL>>.
1 Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
BitLocker will decrypt your hard-disk drive in approximately 1–3 hours, depending on the hard-disk size. You can continue to use your
computer during the decryption process.
2 Decide whether you want to use password protection or smart card protection.
16 Insert the portable drive (USB drive, SC card, SD/MMC card, etc.) into the appropriate slot.
17 Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
18 Click Turn On BitLocker next to the portable storage device that you want to encrypt.
19 In the Choose how you want to unlock this drive dialog box, select one of the following options.
If you want to use a password to unlock the drive, select the Use a password to unlock the drive check box, enter your
password twice, and then click Next.
If you want to use a smart card to unlock the drive instead, select the Use my smart card to unlock the drive check box,
insert your smart card, and then click Next.
Important
Create a password with 8–12 characters. It is recommended that you use an easy-to-remember passphrase and change certain letters
to caps or obvious special characters. Entering a password is a one-time event. You will not need to change or reset it unless you want
to.
20 In the BitLocker Drive Encryption dialog box, do one of the following:
To print the recovery key, click Print the recovery key, and then click Next.
Or
a. To save the recovery key to My Site or another file share, click Save the recovery key to a file.
b. In the Save BitLocker Recovery Key as dialog box, BitLocker suggests a filename to use. You can edit this filename to
distinguish it from recovery keys that you may acquire for additional portable devices. For example, you might want to name it
c. Go to My Site or the file-share folder where you want to save the recovery key.
d. Click Save.
22 Click Close.
23 When the encryption is complete, remove the device. If you chose smart card encryption, remove your smart card. Wait a few seconds
and then reinsert the device and/or smart card.
24 Do one of the following:
If you chose password protection:
ii. If you want to have the device automatically unlocked when you use it with your computer, select the Automatically
unlock on this computer from now on check box. To use auto-unlock, BitLocker must be enabled.
If you chose smart card protection, click Unlock, enter your PIN, and then click OK.
Notes
BitLocker To Go can encrypt your drive in minutes or hours, depending on your drive's size, your connection speed, and the technology
you use, such as External Serial Advanced Technology (eSATA), FireWire, USB, or USB 2.0. You can continue to use your computer
during the encryption process.
Each time you attempt to use the drive, you will need to enter the password or smart card unless you set up BitLocker To Go to unlock
the drive automatically. If you have any issues accessing your drive, contact the << helpdesk contact or technical support URL>>.
If you want to change the password for a portable drive or change the auto-unlock feature, click Start, click Control Panel, click
System and Security, and then click BitLocker Drive Encryption. In the BitLocker Drive Encryption dialog box, click Manage
BitLocker next to the portable drive information.
All recovery keys are stored in Active Directory and can be obtained << selfhelp URL, helpdesk contact, technical support URL>>.
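An added check, not part of the original guide, for both the Turn On BitLocker and BitLocker To Go procedures above: from an elevated prompt, `manage-bde -status` reports whether a drive is fully encrypted, whether protection is on (it reads off while BitLocker is suspended), and which key protectors exist. The function name, drive letters, expected protector names and sample text are assumptions made for this example, and the field names assume English-language output.

```powershell
# Added example (not from the guide). Parses the output of
# `manage-bde -status <drive>` for ONE volume and lists what does not match.
function Get-BitLockerFindings {
    param([string[]]$StatusLines, [string[]]$RequiredProtectors)
    $fields = @{}; $protectors = @(); $inProtectors = $false
    foreach ($line in $StatusLines) {
        $text = $line.Trim()
        if ($text -eq '') { continue }
        # Everything after "Key Protectors:" is one protector per line.
        if ($text -match '^Key Protectors:') { $inProtectors = $true; continue }
        if ($inProtectors) { $protectors += $text; continue }
        if ($text -match '^([^:]+):\s+(.+)$') { $fields[$matches[1]] = $matches[2] }
    }
    $findings = @()
    if ($fields['Conversion Status'] -ne 'Fully Encrypted') {
        $findings += "Conversion Status is '$($fields['Conversion Status'])'"
    }
    if ($fields['Protection Status'] -ne 'Protection On') {
        $findings += "Protection Status is '$($fields['Protection Status'])'"
    }
    foreach ($p in $RequiredProtectors) {
        if ($protectors -notcontains $p) { $findings += "Missing key protector: $p" }
    }
    return $findings   # empty result means the drive matches expectations
}

# Constructed sample (not captured output): OS drive that is fully
# encrypted but has protection suspended.
$sample = @'
Volume C: [OSDisk]
[OS Volume]

    Size:                 232.79 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:
        TPM And PIN
        Numerical Password
'@ -split "`r?`n"

Get-BitLockerFindings $sample @('TPM And PIN', 'Numerical Password')

# Live use (drive letters are assumptions):
# Get-BitLockerFindings (manage-bde -status C:) @('TPM And PIN', 'Numerical Password')
# Get-BitLockerFindings (manage-bde -status E:) @('Password', 'Numerical Password')
```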
Manage BitLocker To Go
After you encrypt a portable drive, you may want to change a password, remove a password, add a smart card to unlock the drive, save or
print a recovery key again, or turn the automatic unlock feature on or off.
To make any of these changes:
1 Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.