
How to use BitLocker in Windows 10 (with or without TPM)

April 30, 2020 by Greg Belding

Introduction

Possibly the most profound security enhancement that has become the norm for organizations in recent years is encryption. Early concepts of encryption were born in the forges of war and are most epitomized by the Navajo code talkers of World War II, where codes in the Navajo language helped the Allied forces stop the threat of Nazi Germany. Fast-forward to today and organizations have turned the concept of encrypted information techniques into an information security standard that everyone should consider using.

Not surprisingly, Microsoft has brought their BitLocker encryption feature over to Windows 10. This article will detail how to use BitLocker in Windows 10 and will explore what BitLocker is, BitLocker to go, how to use BitLocker in Windows 10 systems that have a Trusted Platform Module (TPM) and how to use BitLocker in Windows 10 systems that do not have a TPM.


What is BitLocker?

BitLocker is a Windows 10 integrated drive encryption feature that addresses data theft and exposure threats posed by stolen, lost or inappropriately decommissioned systems. It was first introduced to Windows Operating Systems back in the short-lived Windows Vista heyday and has carried over to Windows 10 with some minor improvements. This proprietary, easy-to-use encryption feature has two basic requirements (aside from being a Vista or later Windows OS) — a system partitioned with two or more drives and a TPM version 1.2 or later. 

BitLocker is undoubtedly an interesting encryption feature, in part because of the level of user control it allows. With BitLocker, you can encrypt entire drives or, if you are short on time, you can encrypt only the parts of drives that are being used. This can shave the encryption time from about seven or eight hours to a couple hours or less. 

BitLocker To Go

A notable change made to BitLocker since Windows Vista is the addition of BitLocker To Go. With USB drives and other removable drives nearing the storage size of conventional hard drives, encrypting them has become increasingly important. 

BitLocker To Go was introduced to address this need. It can encrypt these removable drives; to access the files within, you will need to supply the BitLocker password that you set up when you encrypted the drive.

How to Use BitLocker in Windows 10 Systems That Have a TPM

Before we begin, you first need to check which TPM version you have. By summer of 2016, all Windows 10 systems with TPM 2.0 have TPM enabled by default. If you have an older version, you will need to enable TPM. For brevity’s sake, I will assume you have one of these newer TPMs, but if you don’t have one and don’t know how to enable TPM, you can find out how to do so here.

Below is a step-by-step guide for how to enable BitLocker on your Windows 10 Operating System Drive.

  1. Open Control Panel and navigate to BitLocker Drive Encryption
  2. Click on Turn on BitLocker next to your Windows 10 OS drive. This will begin the process of checking if your system meets the requirements for BitLocker
  3. If your system checks out as compatible, you will be presented with a window asking how you want to back up your recovery key. This key is required should you have trouble accessing your files (in cases where you cannot unlock your Windows 10 system). I chose to print my key. Choose the option that works for you and click Save
  4. You will be presented with a window asking how much of your drive you want to encrypt. You have the option of encrypting the entire drive, which will be slow (seven or more hours), or you can encrypt used disk space only which will encrypt new files as they are saved. Click Next
  5. Now you will be asked which encryption mode to use. The New encryption mode is better for systems with fixed drives and the Compatible mode is better for systems that have their drives swapped out. Click Next
  6. In the next window, you will see a box next to “run BitLocker system check.” Check the box and click Next
  7. Restart your computer when prompted
  8. When your system restarts, you can use it like normal, but it may be a bit slower than usual
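
The same procedure can be scripted from an elevated PowerShell prompt with the built-in BitLocker and TPM cmdlets. This is an added example, not part of the original article; the `$Mount` and `$UseNewMode` variables are assumptions, and the mapping of "New" mode to XTS-AES and "Compatible" mode to AES-CBC reflects the Windows 10 encryption methods.

```powershell
# Added example: PowerShell equivalent of the Control Panel steps above.
# Run elevated. $Mount and $UseNewMode are illustrative assumptions.
$Mount      = 'C:'
$UseNewMode = $true   # $true = "New encryption mode", $false = "Compatible mode"

# Steps 1-2: confirm the TPM is usable and the volume is not already encrypted.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready on this system."
}
$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$Mount is already in state '$($vol.VolumeStatus)'."
}

# Step 3: create the recovery password first so it can be backed up
# before any data is encrypted.
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Write-Host "Recovery key ID : $($recovery.KeyProtectorId)"
Write-Host "Recovery password (print it or store it offline): $($recovery.RecoveryPassword)"

# Steps 4-5: used-space-only encryption and the encryption mode.
# XTS-AES is the "New" mode; AES-CBC is the "Compatible" mode.
$method = if ($UseNewMode) { 'XtsAes128' } else { 'Aes128' }

# Step 6: leaving out -SkipHardwareTest keeps the BitLocker system check,
# so encryption only starts after the reboot confirms the TPM can unlock the drive.
Enable-BitLocker -MountPoint $Mount -TpmProtector `
    -EncryptionMethod $method -UsedSpaceOnly

# Step 7: reboot when convenient (Restart-Computer).
# Step 8: after the reboot, confirm protection is on and watch progress.
Get-BitLockerVolume -MountPoint $Mount |
    Format-List MountPoint, VolumeStatus, ProtectionStatus,
                EncryptionPercentage, EncryptionMethod, KeyProtector
```

After the restart, `ProtectionStatus` should read `On` and `KeyProtector` should list both `Tpm` and `RecoveryPassword`; a volume showing only `RecoveryPassword` means the TPM protector was never added.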

How to use BitLocker in Windows 10 systems that do not have a TPM 

In rare cases you may be faced with a Windows 10 system that does not have a TPM, but these systems can also be encrypted with BitLocker. To do this, we need to make a quick change in the local group policy of the Windows 10 computer you want to encrypt. Please note that if you are joined to a domain (either school or work), the administrator will have to make this change for you at the domain level.

Within Local Group Policy Editor, navigate to Windows Components. Under Windows Components, click on BitLocker Drive Encryption and then Operating System Drives. Double-click “Require additional authentication at startup.” When the window opens, click “enabled” and then check the box for “Allow BitLocker without a compatible TPM.” From here, you can begin the steps of BitLocker encryption for systems with a TPM, where you will be asked whether you want to boot from a password or USB drive.
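
To confirm the policy actually took effect before starting encryption, the values it writes can be read back from the registry. This is an added example, not part of the original article; it assumes the policy's standard registry location (`HKLM:\SOFTWARE\Policies\Microsoft\FVE`) and uses a startup password, with the USB startup key shown as a commented alternative.

```powershell
# Added example: verify the no-TPM policy, then enable BitLocker with a
# startup password. Run elevated. $Mount is an illustrative assumption.
$Mount  = 'C:'
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# "Require additional authentication at startup" = UseAdvancedStartup,
# "Allow BitLocker without a compatible TPM"     = EnableBDEWithNoTPM.
$policy   = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
$advanced = $policy.UseAdvancedStartup -eq 1
$noTpmOk  = $policy.EnableBDEWithNoTPM -eq 1
if (-not ($advanced -and $noTpmOk)) {
    throw "No-TPM policy is not in effect (UseAdvancedStartup=$($policy.UseAdvancedStartup), " +
          "EnableBDEWithNoTPM=$($policy.EnableBDEWithNoTPM)). Set it, then run gpupdate /force."
}

# If a TPM is present after all, the TPM-backed procedure is the better choice:
# a password-only protector has no hardware binding to this machine.
if ((Get-Tpm).TpmPresent) {
    Write-Warning "A TPM was detected; consider the TPM procedure instead."
}

# Recovery password first, so a way back in exists before encryption starts.
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Format-List KeyProtectorId, RecoveryPassword

# Boot from a password (prompted, never stored in the script) ...
$pw = Read-Host -AsSecureString -Prompt 'BitLocker startup password'
Enable-BitLocker -MountPoint $Mount -PasswordProtector -Password $pw -UsedSpaceOnly

# ... or boot from a USB drive instead (E:\ is a placeholder path):
# Enable-BitLocker -MountPoint $Mount -StartupKeyProtector -StartupKeyPath 'E:\' -UsedSpaceOnly

Get-BitLockerVolume -MountPoint $Mount |
    Format-List VolumeStatus, ProtectionStatus, KeyProtector
```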

Conclusion

BitLocker is a drive encryption feature that is part of Windows 10 systems. The conventional system requirements to encrypt with BitLocker include a TPM. However, even Windows 10 systems without this special chip can encrypt with BitLocker by making a few changes in group policy.


Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.