How to enable encryption with Microsoft BitLocker on Non TPM computers


Microsoft’s BitLocker feature provides full-volume encryption to help mitigate data loss from lost, stolen, or otherwise misappropriated laptops and computers. This feature is available in the Pro and Enterprise editions of Windows 8 and the Enterprise and Ultimate editions of Windows 7. By default, BitLocker requires a Trusted Platform Module (TPM) chip to be both present and enabled in the BIOS before it will encrypt hard drives. Hard drive encryption can, however, be accomplished without a TPM present. Here are the steps to do this properly; the images are from a Windows 8 Pro machine. I am not going to cover encrypting computers that have TPM chips in them, because other than the first few steps regarding Group Policy, the BitLocker setup process is identical.

What can be encrypted? Internal hard drives, SSD drives, external hard drives, and USB memory sticks (USB memory sticks are ideal candidates for encryption because they are so easily lost).

What will you need to get started?

  • A unique password (ideally each system will have its own password)
  • Admin access to the computer
  • A printer or USB device, used to print out or store the recovery key

Please be aware! After drives are encrypted, do not lose the password or the recovery key. Doing so will render the system inoperable and all data on it will be lost. That is exactly what you want if the laptop is ever stolen or lost, but it also means you should consider regular backups of user data when enabling encryption.

Configuring Local Policy Settings for a non-TPM system

(Screenshot: Windows Group Policy Editor)

From the Metro UI or the search box, type GPEDIT.MSC and press Enter.

Open Computer Configuration => Administrative Templates => Windows Components => BitLocker Drive Encryption => Operating System Drives.

(Screenshot: TPM, add additional authentication at startup)

In the right pane, double-click "Require additional authentication at startup".

Click the Enable radio button.

Leave the Options window at its default configuration. The default selection includes the "Allow BitLocker without a compatible TPM" check box, and that is the setting which lets BitLocker protect the operating system drive with a password instead of a TPM.

Click Apply, then OK, and close the Group Policy Editor.
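The same policy can be checked or applied from an elevated PowerShell prompt, which is useful when you have several non-TPM machines to prepare. The script below is an added example, not part of the original post: it writes the registry values that gpedit.msc writes when "Require additional authentication at startup" is set to Enabled with its default options, and it verifies the result. The function names are my own; the registry path and value names are the ones the policy uses.

```powershell
# Added example (not from the original post): verify or apply the local policy
# behind "Require additional authentication at startup" with its default options,
# which is what lets BitLocker protect the OS drive with a password instead of a TPM.
# Run from an elevated PowerShell prompt.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values gpedit.msc writes when the policy is Enabled with the default options.
# For the TPM options, 2 means "Allow" (neither required nor disallowed).
$Expected = @{
    UseAdvancedStartup = 1   # the policy itself is Enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM" is checked
    UseTPM             = 2   # Configure TPM startup: Allow TPM
    UseTPMPIN          = 2   # Configure TPM startup PIN: Allow startup PIN with TPM
    UseTPMKey          = 2   # Configure TPM startup key: Allow startup key with TPM
    UseTPMKeyPIN       = 2   # Configure TPM startup key and PIN: Allow
}

function Test-NoTpmPolicy {
    # Returns $true only when every expected value is present and matches.
    if (-not (Test-Path $PolicyPath)) { return $false }
    $actual = Get-ItemProperty -Path $PolicyPath
    foreach ($name in $Expected.Keys) {
        if ($null -eq $actual.PSObject.Properties[$name]) { return $false }
        if ([int]$actual.$name -ne $Expected[$name]) { return $false }
    }
    return $true
}

function Set-NoTpmPolicy {
    # Equivalent to clicking Enable, leaving the Options at their defaults, and Apply.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -Value $Expected[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

if (Test-NoTpmPolicy) {
    Write-Output 'Local policy already allows BitLocker without a TPM.'
} else {
    Set-NoTpmPolicy
    Write-Output ('Policy applied; verification passed: {0}' -f (Test-NoTpmPolicy))
}
```

One caveat: on a domain-joined computer a domain Group Policy Object that configures the same setting will overwrite these local values at the next policy refresh, so for managed machines the change belongs in the domain GPO rather than in local policy.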


Setting Up BitLocker

Open the Control Panel and select BitLocker Drive Encryption.

(Screenshot: BitLocker Control Panel)

Click Turn on BitLocker.

(Screenshot: BitLocker Drive Encryption)

Click Enter Password.

(Screenshot: BitLocker password prompt)

Enter a "good" password. This is the password you will be prompted for each time you boot the device, so it needs enough complexity that nobody can guess it. If you are enabling BitLocker on multiple computers, make sure each computer has a different password. Click Next.

(Screenshot: BitLocker recovery key options)

Print the recovery key and store it in a safe place, labelled with the computer it belongs to (this is critical if you have more than one computer). You can also save the key to a file, but do not put it on the computer itself, and do not put it in an easily accessible location on your network.

(Screenshot: BitLocker encryption options)

Select the first option (encrypt used disk space only) for new computers; the second option (encrypt the entire drive) is best for a computer that has been in use, because the free space on a used drive can still hold remnants of deleted files. Click Next.

(Screenshot: BitLocker ready to encrypt)

Keep the "Run BitLocker system check" box checked; this is the safest way to proceed. Click Continue. The system will perform a number of checks and then reboot.

(Screenshot: BitLocker encryption in progress)

This is the screen you will see during boot-up. Congratulations, you are finished and everything worked as planned.

The option to have a password-enabled device works very well: I have tested it on USB memory, external hard drives, internal hard drives and on SSDs.

Note:  I have not tested using a USB key to startup the computer.
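For anyone who prefers to script the wizard steps above (password protector, recovery key, system check, verification), here is an added example using the BitLocker PowerShell module that ships with Windows 8 Pro and Enterprise; it is not code from the original post. It assumes the Group Policy change has already been made, that Enable-BitLocker accepts a password protector for the operating system drive once that policy is in place, and that E:\ is a removable drive used to hold the recovery key (a placeholder path you should change). The file layout for the saved recovery key is my own.

```powershell
# Added example (not from the original post): the Control Panel wizard steps,
# done with the BitLocker PowerShell cmdlets. Run from an elevated PowerShell prompt
# after the Group Policy change. Assumptions: the password protector is accepted on
# the OS drive under the no-TPM policy, and $RecoveryFolder is on removable media.

$OsDrive        = 'C:'
$RecoveryFolder = 'E:\BitLockerRecovery'   # placeholder: removable media, never the encrypted PC itself

# Informational: explain why a password is being used instead of the TPM.
$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    Write-Warning 'A ready TPM is present; the TPM-based setup would normally be preferred.'
}

# 1. Read the startup password as a SecureString so it is not left in console history.
#    Use a different password on every computer you encrypt.
$pw = Read-Host -Prompt 'Startup password (unique to this computer)' -AsSecureString

# 2. Add the recovery password protector first (the 48-digit key the wizard prints),
#    so a recovery path exists before encryption starts.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

# 3. Save the recovery password, labelled with the computer name, to removable media.
$vol  = Get-BitLockerVolume -MountPoint $OsDrive
$rp   = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
New-Item -ItemType Directory -Path $RecoveryFolder -Force | Out-Null
$file = Join-Path $RecoveryFolder ('{0}-{1}-recovery.txt' -f $env:COMPUTERNAME, $OsDrive.TrimEnd(':'))
@"
BitLocker recovery key
Computer:      $env:COMPUTERNAME
Drive:         $OsDrive
Protector ID:  $($rp.KeyProtectorId)
Recovery key:  $($rp.RecoveryPassword)
Created:       $(Get-Date -Format s)
"@ | Set-Content -Path $file
Write-Output "Recovery key saved to $file (keep it off the encrypted computer)."

# 4. Turn on BitLocker with the password protector. -UsedSpaceOnly matches the
#    wizard's first option (new PCs); omit it for a drive that has been in use.
#    Without -SkipHardwareTest, BitLocker runs the system check and starts
#    encrypting after the reboot, exactly like the wizard's "Run BitLocker system check".
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 -UsedSpaceOnly `
    -PasswordProtector -Password $pw

# 5. Verify: both protector types should be present on the volume.
$vol   = Get-BitLockerVolume -MountPoint $OsDrive
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if (($types -contains 'Password') -and ($types -contains 'RecoveryPassword')) {
    Write-Output ('{0}: {1}, {2}% encrypted, protection {3}' -f $OsDrive,
        $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus)
} else {
    Write-Warning 'Expected a Password and a RecoveryPassword protector; check the policy step.'
}
```

After the reboot and system check, running Get-BitLockerVolume again shows EncryptionPercentage climbing and ProtectionStatus changing to On once encryption completes; that is the same state the "Bitlocker working" screen reflects in the wizard.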

2 Comments on “How to enable encryption with Microsoft BitLocker on Non TPM computers”

  1. “Consider regular backups of user data when enabling encryption” is a bit of an understatement. User data should generally be backed up, encrypted or not.
