
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without
notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product or product name. You may copy and use
this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2012 Microsoft. All rights reserved.
Terms of Use (http://technet.microsoft.com/cc300389.aspx) | Trademarks (http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx)

Table Of Contents
Chapter 1
BitLocker Drive Encryption Step-by-Step Guide for Windows 7
Scenario 1: Turning On BitLocker Drive Encryption on an Operating System Drive (Windows 7)
Scenario 2: Turning On BitLocker Drive Encryption on a Fixed or Removable Data Drive (Windows 7)
Scenario 3: Upgrading a BitLocker-Protected Computer from Windows Vista to Windows 7 (Windows 7)
Scenario 4: Configuring How BitLocker Is Supported on Previous Versions of Windows (Windows 7)
Scenario 5: Requiring BitLocker Protection on Data Drives (Windows 7)
Scenario 6: Specifying How to Unlock BitLocker-Protected Operating System Drives (Windows 7)
Scenario 7: Specifying How to Unlock BitLocker-Protected Fixed or Removable Data Drives (Windows 7)
Scenario 8: Specifying How BitLocker-Protected Drives Can Be Recovered (Windows 7)
Scenario 9: Configuring the Encryption Method and Cipher Strength (Windows 7)
Scenario 10: Configuring the BitLocker Identification Field (Windows 7)
Scenario 11: Recovering Data Protected by BitLocker Drive Encryption (Windows 7)
Scenario 12: Turning Off BitLocker Drive Encryption (Windows 7)
Scenario 13: Locking a Data Drive with a Smart Card (Windows 7)
Scenario 14: Using a Data Recovery Agent to Recover BitLocker-Protected Drives (Windows 7)
Scenario 15: Using the BitLocker Active Directory Recovery Password Viewer to View Recovery Passwords
Scenario 16: Using the BitLocker Repair Tool to Recover a Drive

Chapter 1

BitLocker Drive Encryption Step-by-Step Guide for Windows 7


Updated: September 18, 2009
Applies To: Windows 7
This step-by-step guide provides the instructions you need to use BitLocker Drive Encryption in a Windows 7 test environment. We recommend that
you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows 7
operating system features without accompanying documentation and should be used with discretion as a stand-alone document.

What is BitLocker Drive Encryption?


BitLocker Drive Encryption is an integral security feature in the Windows 7 operating system that helps protect data stored on fixed and removable data
drives and the operating system drive. BitLocker helps protect against "offline attacks," which are attacks made by disabling or circumventing the
installed operating system or made by physically removing the hard drive to attack the data separately. For fixed and removable data drives, BitLocker
helps ensure that users can read the data on the drive and write data to the drive only when they have either the required password, smart card
credentials, or are using the data drive on a BitLocker-protected computer that has the proper keys. If your organization includes computers running
previous versions of Windows, the BitLocker To Go Reader can be used to allow those computers to read BitLocker-protected removable drives.
BitLocker protection on operating system drives supports two-factor authentication by using a Trusted Platform Module (TPM) along with a personal
identification number (PIN) or startup key as well as single-factor authentication by storing a key on a USB flash drive or just using the TPM. Using
BitLocker with a TPM provides enhanced protection for your data and helps assure early boot component integrity. This option requires that the
computer have a compatible TPM microchip and BIOS. A compatible TPM is defined as a version 1.2 TPM. A compatible BIOS must support the TPM and
the Static Root of Trust Measurement as defined by the Trusted Computing Group. For more information about TPM specifications, visit the TPM
Specifications section of the Trusted Computing Group Web site [1] (http://go.microsoft.com/fwlink/?LinkId=72757).
The TPM interacts with BitLocker operating system drive protection to help provide protection at system startup. This is not visible to the user, and the
user logon experience is unchanged. However, if the startup information has changed, BitLocker will enter recovery mode, and you will need a recovery
password or recovery key to regain access to the data.

In this guide
The purpose of this guide is to help IT professionals become familiar with the BitLocker Drive Encryption feature of Windows 7. These steps are for
testing only. This guide should not be the only resource you use to deploy Windows Server 2008 R2 or Windows 7 features. Review the following
sections to familiarize yourself with the basic information and procedures that you need to start configuring and deploying BitLocker in your organization.
Scenario 1: Turning On BitLocker Drive Encryption on an Operating System Drive (Windows 7) [2]
Scenario 2: Turning On BitLocker Drive Encryption on a Fixed or Removable Data Drive (Windows 7) [3]
Scenario 3: Upgrading a BitLocker-Protected Computer from Windows Vista to Windows 7 (Windows 7) [4]
Scenario 4: Configuring How BitLocker Is Supported on Previous Versions of Windows (Windows 7) [5]
Scenario 5: Requiring BitLocker Protection on Data Drives (Windows 7) [6]
Scenario 6: Specifying How to Unlock BitLocker-Protected Operating System Drives (Windows 7) [7]
Scenario 7: Specifying How to Unlock BitLocker-Protected Fixed or Removable Data Drives (Windows 7) [8]
Scenario 8: Specifying How BitLocker-Protected Drives Can Be Recovered (Windows 7) [9]
Scenario 9: Configuring the Encryption Method and Cipher Strength (Windows 7) [10]
Scenario 10: Configuring the BitLocker Identification Field (Windows 7) [11]
Scenario 11: Recovering Data Protected by BitLocker Drive Encryption (Windows 7) [12]
Scenario 12: Turning Off BitLocker Drive Encryption (Windows 7) [13]
Scenario 13: Locking a Data Drive with a Smart Card (Windows 7) [14]
Scenario 14: Using a Data Recovery Agent to Recover BitLocker-Protected Drives (Windows 7) [15]
Scenario 15: Using the BitLocker Active Directory Recovery Password Viewer to View Recovery Passwords [16]
Scenario 16: Using the BitLocker Repair Tool to Recover a Drive [17]

Requirements for BitLocker Drive Encryption


The hardware and software requirements for BitLocker are:
A computer running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2.
Note
Windows Server 2008 R2 includes BitLocker Drive Encryption as an optional feature.

A computer that meets the minimum requirements for Windows 7 or Windows Server 2008 R2.
A TPM microchip, version 1.2, turned on for use with BitLocker on operating system drives is recommended for validation of early boot components
and storage of the BitLocker master key. If the computer does not have a TPM, a USB flash drive may be used to store the BitLocker key.

A Trusted Computing Group (TCG)-compliant BIOS for use with BitLocker on operating system drives.
A BIOS setting to start up first from the hard drive, not the USB or CD drives.
Note
For any scenario that includes using a USB flash drive to provide a BitLocker key (such as a startup key or a recovery key), your BIOS must
support reading USB flash drives at startup.

Important
We strongly recommend that you do not run a kernel debugger while BitLocker is enabled, because encryption keys and other sensitive data can be
accessed with the debugger. However, you can enable kernel debugging before you enable BitLocker. If you enable kernel debugging or boot
debugging (kernel debugging with the bcdedit /debug option), after you have enabled BitLocker the system will automatically start the recovery
process every time you restart the computer.
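The requirements and the kernel-debugging caveat above can be checked before you start the wizard. The following PowerShell script is an added example and is not part of the Microsoft guide; it assumes Windows 7 or Windows Server 2008 R2 with PowerShell 2.0 running from an elevated prompt, and reads the Win32_OperatingSystem, Win32_Tpm and Win32_Volume WMI classes plus bcdedit output. The 200 MB system partition threshold is the figure the guide gives in the Scenario 1 warning.

```powershell
# Added example (not part of the Microsoft guide): pre-flight check for the
# BitLocker requirements listed in this section. Assumes Windows 7 / Server
# 2008 R2, PowerShell 2.0 and an elevated prompt.

function Test-BitLockerPrerequisites {
    $result = New-Object PSObject -Property @{
        EditionOk               = $false
        TpmPresent              = $false
        TpmVersionOk            = $false
        TpmEnabled              = $false
        TpmActivated            = $false
        SeparateSystemPartition = $false
        SystemPartitionMB       = 0
        SystemPartitionOk       = $false
        DebuggingOff            = $false
    }

    # 1. Edition: the guide lists Windows 7 Enterprise, Ultimate and Server 2008 R2.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $result.EditionOk = [bool]($os.Caption -match 'Enterprise|Ultimate|Server 2008 R2')

    # 2. TPM: the Win32_Tpm class is only present when a TPM driver is loaded.
    #    The guide requires a version 1.2 TPM that is turned on (enabled + activated).
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent   = $true
        # SpecVersion reads like "1.2, 2, 3"; only the leading spec version matters here.
        $result.TpmVersionOk = [bool]($tpm.SpecVersion -match '^1\.2')
        $result.TpmEnabled   = [bool]$tpm.IsEnabled_InitialValue
        $result.TpmActivated = [bool]$tpm.IsActivated_InitialValue
    }

    # 3. System partition: the volume holding the boot files. If it still has a
    #    drive letter there is no separate partition yet and the wizard will
    #    shrink the OS drive to create one; if it exists, it should be at least
    #    200 MB so the Windows Recovery Environment can stay on it.
    $sys = Get-WmiObject -Class Win32_Volume |
           Where-Object { $_.SystemVolume -eq $true } |
           Select-Object -First 1
    if ($sys) {
        $result.SeparateSystemPartition = ($sys.DriveLetter -eq $null)
        $result.SystemPartitionMB       = [math]::Round($sys.Capacity / 1MB)
        $result.SystemPartitionOk       = ($result.SystemPartitionMB -ge 200)
    }

    # 4. Kernel or boot debugging makes BitLocker start recovery on every restart,
    #    so both bcdedit flags must read "No" before BitLocker is turned on.
    $bcd = bcdedit /enum '{current}' 2>$null
    $debugOn = $bcd | Where-Object { $_ -match '^\s*(debug|bootdebug)\s+Yes' }
    $result.DebuggingOff = (-not $debugOn)

    return $result
}

Test-BitLockerPrerequisites | Format-List
```

Any property reported as False identifies the requirement to fix before running the BitLocker setup wizard.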

Additional resources
For help with BitLocker Drive Encryption, choose one of the support options listed on the Microsoft Help and Support Web site [18]
(http://go.microsoft.com/fwlink/?LinkId=76619).
For additional documentation about BitLocker, see BitLocker Drive Encryption [19] (http://go.microsoft.com/fwlink/?LinkId=76553).
For more information about User Account Control, see User Account Control [20] (http://go.microsoft.com/fwlink/?LinkId=66018).

Links Table
[1] http://go.microsoft.com/fwlink/?LinkId=72757
[2] http://technet.microsoft.com/en-us/library/ee424299(v=ws.10).aspx
[3] http://technet.microsoft.com/en-us/library/ee424323(v=ws.10).aspx
[4] http://technet.microsoft.com/en-us/library/ee424325(v=ws.10).aspx
[5] http://technet.microsoft.com/en-us/library/ee424310(v=ws.10).aspx
[6] http://technet.microsoft.com/en-us/library/ee424316(v=ws.10).aspx
[7] http://technet.microsoft.com/en-us/library/ee424319(v=ws.10).aspx
[8] http://technet.microsoft.com/en-us/library/ee424320(v=ws.10).aspx
[9] http://technet.microsoft.com/en-us/library/ee424303(v=ws.10).aspx
[10] http://technet.microsoft.com/en-us/library/ee424301(v=ws.10).aspx
[11] http://technet.microsoft.com/en-us/library/ee424309(v=ws.10).aspx
[12] http://technet.microsoft.com/en-us/library/ee424308(v=ws.10).aspx
[13] http://technet.microsoft.com/en-us/library/ee424315(v=ws.10).aspx
[14] http://technet.microsoft.com/en-us/library/ee424307(v=ws.10).aspx
[15] http://technet.microsoft.com/en-us/library/ee424312(v=ws.10).aspx
[16] http://technet.microsoft.com/en-us/library/ee523220(v=ws.10).aspx
[17] http://technet.microsoft.com/en-us/library/ee523219(v=ws.10).aspx
[18] http://go.microsoft.com/fwlink/?LinkId=76619
[19] http://go.microsoft.com/fwlink/?LinkId=76553
[20] http://go.microsoft.com/fwlink/?LinkId=66018


Scenario 1: Turning On BitLocker Drive Encryption on an Operating System Drive (Windows 7)
Updated: August 9, 2010
Applies To: Windows 7
This scenario provides the procedure for turning on BitLocker Drive Encryption protection on an operating system drive of a computer with a TPM. After
the drive is encrypted, the user logs on to the computer normally.

Before you start


To complete the procedure in this scenario:
You must be able to provide administrative credentials.
You must be able to configure a printer if you want to print the recovery key.
Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive
Encryption Step-by-Step Guide for Windows 7 [1].

To turn on BitLocker Drive Encryption on an operating system drive


1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. Click Turn On BitLocker for the operating system drive. BitLocker will scan your computer to make sure that it meets the BitLocker system
requirements. If your computer meets the requirements, BitLocker will inform you of the next steps that need to be taken to turn on BitLocker,
such as drive preparation, turning on the TPM, and encrypting the drive.
If you have a single partition for your operating system drive, BitLocker will prepare the drive by shrinking the operating system drive and creating
a new system partition to use for system files that are required to start or recover the operating system and that cannot be encrypted. This drive
will not have a drive letter to help prevent the storing of data files on this drive inadvertently. After the drive is prepared, the computer must be
restarted.
If your TPM is not initialized, the BitLocker setup wizard will instruct you to remove any CDs, DVDs, or USB drives from the computer and restart
the computer to begin the process of turning on the TPM. You will either be prompted to enable the TPM before the operating system boots or in
some cases you will need to navigate to the BIOS options and enable the TPM manually. This behavior depends on the BIOS of the computer. After
you confirm that you want the TPM enabled, the operating system will start and the Initializing the TPM security hardware progress indicator
will be displayed.
If your computer does not have a TPM, you can still use BitLocker, but you will be using the Startup key only authentication method. All of the
required encryption key information is stored on a USB flash drive, which the user must insert into the computer during startup. The key stored on
the USB flash drive unlocks the computer. Using a TPM is recommended because it helps protect against attacks made against the computer's
critical startup process. Using the Startup key only method only encrypts the drive; it does not provide any validation of the early boot
components or hardware tampering. To use this method, your computer must support the reading of USB devices in the preboot environment and
you must enable this authentication method by selecting the check box Allow BitLocker without a compatible TPM in the Group Policy setting
Require additional authentication at startup, which is located in the following location in the Local Group Policy Editor: Computer
Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.
Note
If you have configured the Group Policy settings in your organization to back up BitLocker and TPM recovery information to Active Directory
Domain Services (AD DS), the computer must be able to connect to the domain to complete this process.

3. After the TPM is initialized, the BitLocker setup wizard prompts you to choose how to store the recovery key. You can choose from the following
options:
Save the recovery key to a USB flash drive. Saves the recovery key to a USB flash drive.
Save the recovery key to a file. Saves the recovery key to a network drive or other location.
Print the recovery key. Prints the recovery key.
Use one or more of these options to preserve the recovery key. For each option that you select, follow the wizard steps to set the location for
saving or printing the recovery key. When you have finished saving the recovery key, click Next.
Important
The recovery key is required if the encrypted drive is moved to another computer or changes are made to the system startup information. This
recovery key is so important that it is recommended that you make additional copies of the key and store the key in safe places so that you
can readily find the key if needed to recover access to the drive. You will need your recovery key to unlock the encrypted data on the drive if
BitLocker enters a locked state. This recovery key is unique to this particular drive. You cannot use it to recover encrypted data from any
other BitLocker-protected drive.
For maximum security, you should store recovery keys apart from the computer.

4. The BitLocker setup wizard asks if you are ready to encrypt the drive. Confirm that the Run BitLocker system check check box is selected, and
then click Continue.
5. Confirm that you want to restart the computer by clicking Restart now. The computer restarts, and BitLocker checks if the computer meets
BitLocker requirements and is ready for encryption. If it is not, you will see an error message alerting you to the problem after you have logged on.
Warning

One of the items that BitLocker checks is the configuration of the system partition. BitLocker requires a minimum system partition size of 100
MB, and the Windows Recovery Environment requires 200 MB. When the operating system is installed, the system partition is automatically
created by the setup process with a default size of 300 MB. However, this default partition size can be changed by computer manufacturers or
system administrators when they install the operating system. If the system partition is exactly 100 MB, BitLocker setup assumes that you have
a Windows Recovery DVD for use with your computer and the system check is completed without any errors. However, if you have a system
partition size between 101 MB and 299 MB, the following error message will be displayed: "You will no longer be able to use Windows Recovery
Environment unless it is manually enabled and moved to the system drive." If you have a Windows 7 DVD that contains the Windows Recovery
Environment or you have another system recovery process in place, you may disregard this message and continue with BitLocker setup.
Otherwise, you should check your system partition and verify that you have at least 200 MB of free space on your system partition so that the
Windows Recovery Environment can be retained on the system drive along with the BitLocker Recovery Environment and other files that
BitLocker requires to unlock the operating system drive. For more information about the Windows Recovery Environment, see Windows Recovery
Environment [2].

6. If it is ready for encryption, the Encrypting status bar is displayed, which shows the progress of the drive encryption. You can monitor the
ongoing completion status of the disk drive encryption by moving the mouse pointer over the BitLocker Drive Encryption icon in the notification
area, at the far right of the taskbar. Encrypting the drive will take some time. You can use your computer during encryption, but performance
might be slower. A completion message is displayed when encryption is finished.
By completing this procedure, you have encrypted the operating system drive and created a recovery key that is unique to this drive. The next time you
log on, you will see no change. If the TPM ever changes or cannot be accessed, if there are changes to key system files, or if someone tries to start the
computer from a disk to circumvent the operating system, the computer will switch to recovery mode and prevent Windows from starting.
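After the wizard reports completion, the outcome described above (drive fully encrypted, protection on, TPM plus a recovery password as key protectors) can be verified from the command line. The following PowerShell script is an added example, not part of the Microsoft guide; it parses the text printed by the Windows 7 manage-bde -status command. The manage-bde output embedded in the script is a constructed sample so the parser runs offline; replace it with live output as shown in the comments.

```powershell
# Added example (not part of the Microsoft guide): parse "manage-bde -status"
# output and confirm the OS drive ended up in the state Scenario 1 describes.
# Assumes the Windows 7 manage-bde.exe output layout; the sample below is constructed.

function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $volumes = @()
    $current = $null
    $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+([A-Z]:)') {
            # "Volume C: [OS]" starts a new per-volume block.
            $current = New-Object PSObject -Property @{
                Drive = $matches[1]; ConversionStatus = ''; PercentEncrypted = 0.0
                EncryptionMethod = ''; ProtectionStatus = ''; KeyProtectors = @()
            }
            $volumes += $current
            $inProtectors = $false
        } elseif ($current -and $line -match '^\s+Conversion Status:\s+(.+)$') {
            $current.ConversionStatus = $matches[1].Trim()
        } elseif ($current -and $line -match '^\s+Percentage Encrypted:\s+([\d\.]+)%') {
            $current.PercentEncrypted = [double]$matches[1]
        } elseif ($current -and $line -match '^\s+Encryption Method:\s+(.+)$') {
            $current.EncryptionMethod = $matches[1].Trim()
        } elseif ($current -and $line -match '^\s+Protection Status:\s+(.+)$') {
            $current.ProtectionStatus = $matches[1].Trim()
        } elseif ($current -and $line -match '^\s+Key Protectors:') {
            $inProtectors = $true
        } elseif ($current -and $inProtectors -and $line -match '^\s{8}(\S.*)$') {
            # Protector names are listed one per line, indented deeper than the fields.
            $current.KeyProtectors += $matches[1].Trim()
        } elseif ($line.Trim() -eq '') {
            $inProtectors = $false
        }
    }
    return $volumes
}

function Test-OsDriveProtected {
    param($Volume)
    # The end state of Scenario 1: encrypted, protection on, TPM unlock at boot,
    # and a numerical (48-digit) recovery password protector for recovery mode.
    return ($Volume.ConversionStatus -eq 'Fully Encrypted') -and
           ($Volume.ProtectionStatus -eq 'Protection On') -and
           ($Volume.KeyProtectors -contains 'TPM') -and
           ($Volume.KeyProtectors -contains 'Numerical Password')
}

# Constructed sample of manage-bde -status output (not captured from a real machine).
$sample = @'
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OS]
[OS Volume]

    Size:                 232.88 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

'@ -split "`r?`n"

# On a live system use:  $lines = manage-bde -status
$lines = $sample
foreach ($vol in (ConvertFrom-ManageBdeStatus -Lines $lines)) {
    $ok = Test-OsDriveProtected -Volume $vol
    "{0} {1} ({2}, {3}%) protectors: {4} -> {5}" -f $vol.Drive, $vol.ConversionStatus,
        $vol.EncryptionMethod, $vol.PercentEncrypted, ($vol.KeyProtectors -join ', '),
        $(if ($ok) { 'OK' } else { 'NOT COMPLIANT' })
}
```

A drive still reporting "Encryption in Progress" or lacking the Numerical Password protector should not be considered protected until the wizard's completion message has appeared and the recovery key has been stored apart from the computer.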

Links Table
[1] http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx
[2] http://technet.microsoft.com/en-us/library/dd744536(v=ws.10).aspx


Scenario 2: Turning On BitLocker Drive Encryption on a Fixed or Removable Data Drive (Windows 7)
Updated: August 26, 2009
Applies To: Windows 7
This scenario provides the procedure for turning on BitLocker Drive Encryption protection on a fixed or removable data drive on a computer.
Caution
When encrypting a removable drive, do not suddenly remove the drive. If you need to remove a drive before encryption is complete, pause the
encryption process and then use either the Safely Remove Hardware icon from the notification area or the Eject command from Windows Explorer
to remove the drive. Removing the drive during the encryption process without pausing and intentionally removing the device can cause the data on
the drive to be corrupted.

Before you start


To complete the procedure in this scenario:
You must be able to provide administrative credentials to turn on BitLocker for fixed data drives. Standard user accounts can turn on BitLocker To
Go on removable data drives.
You must be able to configure a printer if you want to print the recovery key.
Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive
Encryption Step-by-Step Guide for Windows 7 [1].

To turn on BitLocker Drive Encryption on a fixed or removable data drive


1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. Click Turn On BitLocker for the fixed or removable data drive that you want to encrypt.
Note
If you have configured the Group Policy settings in your organization to back up BitLocker recovery information to Active Directory Domain
Services (AD DS), the computer must be able to connect to the domain to complete this process.

3. The BitLocker setup wizard will ask you how you want to unlock this drive. Fixed data drives can be configured to automatically unlock when the
operating system drive is encrypted, to unlock after a password is supplied, or to unlock after a smart card is inserted. Removable data drives can
be configured to unlock after a password is supplied or to unlock after a smart card is inserted. If you want the removable data drive to
automatically unlock, you can specify that option after encryption has occurred by clicking Manage BitLocker from the BitLocker Drive
Encryption Control Panel item or by selecting the Automatically unlock on this computer from now on check box when you unlock the drive.
4. Before BitLocker encrypts the drive, the BitLocker setup wizard prompts you to choose how to store the recovery key. You can choose from the
following options:
Save the recovery key to a USB flash drive. Saves the recovery key to a USB flash drive. This option cannot be used with removable
drives.
Save the recovery key to a file. Saves the recovery key to a network drive or other location.
Print the recovery key. Prints the recovery key.
Use one or more of these options to preserve the recovery key. For each option that you select, follow the wizard steps to set the location for
saving or printing the recovery key. When you have finished saving the recovery key, click Next.
Important
The recovery key is required when a BitLocker-protected fixed data drive configured for automatic unlocking is moved to another computer, or
the password or smart card associated with unlocking the fixed or removable drive is not available, such as when a password is forgotten or a
smart card is lost. You will need your recovery key to unlock the encrypted data on the drive if BitLocker enters a locked state. This recovery
key is unique to this particular drive. You cannot use it to recover encrypted data from any other BitLocker-protected drive.
For maximum security, you should store recovery keys apart from the drives they are associated with.

5. The BitLocker setup wizard asks if you are ready to encrypt the drive. Click Start Encrypting.
6. The Encrypting status bar is displayed. You can monitor the ongoing completion status of the drive encryption by moving the mouse pointer over
the BitLocker Drive Encryption icon in the notification area, at the far right of the taskbar.
By completing this procedure, you have encrypted a fixed or removable data drive, associated a key protector with an unlock method for the drive, and
created a recovery key that is unique to this drive.

Links Table
[1] http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx


Scenario 3: Upgrading a BitLocker-Protected Computer from Windows Vista to Windows 7 (Windows 7)
Updated: August 26, 2009
Applies To: Windows 7
This scenario describes the process of upgrading a BitLocker-protected computer from Windows Vista to Windows 7.

Before you start


To complete the procedure in this scenario:
You must be able to provide administrative credentials.
The operating system drive must be BitLocker-protected.

To manually upgrade BitLocker Drive Encryption


1. On a computer running Windows Vista, click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.
2. Click Turn Off BitLocker, and then select the Disable BitLocker check box. Do not decrypt the drive.
3. Install Windows 7 on the same drive.
4. After Windows 7 is installed, click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
Click Resume Protection. Your operating system drive is now protected with BitLocker. If you want to use the new recovery key protection
option, data recovery agents, you must also upgrade the BitLocker version information stored in the BitLocker metadata to the Windows 7 version.
This is accomplished by using the Manage-bde.exe command-line tool.
5. To upgrade the BitLocker metadata so that you can use the new Windows 7 BitLocker features, click Start, click All Programs, click
Accessories, right-click Command Prompt, and click Run as administrator. If the User Account Control dialog box appears, confirm that the
action it displays is what you want, and then click Yes. At the command prompt, type the following command, replacing Volume with the
appropriate drive letter:
manage-bde.exe -upgrade Volume:
By completing this procedure, you have upgraded BitLocker from the Windows Vista version to the Windows 7 version.


Scenario 4: Configuring How BitLocker Is Supported on Previous Versions of Windows (Windows 7)
Updated: August 26, 2009
Applies To: Windows 7
This scenario provides procedures to use the Windows 7 Group Policy settings to control the use of BitLocker on computers running Windows Vista or
Windows Server 2008.

Before you start


To complete the procedure in this scenario:
You must be able to provide administrative credentials.
Your computer must be part of a domain.

To configure how BitLocker is supported on previous versions of Windows


1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption, click Operating System Drives.
4. To use multifactor authentication methods or to allow BitLocker to be used on computers without a TPM, in the details pane, double-click Require
additional authentication at startup (Windows Server 2008 and Windows Vista) to open the policy setting.
5. Click Enabled, and then select the startup authentication methods that you want to support on computers running Windows Vista and Windows
Server 2008 in your organization. This policy setting provides the following authentication methods:
Allow BitLocker without a compatible TPM. This check box enables BitLocker to be used on computers that do not have a TPM hardware
chip. In this situation, a USB flash drive must be used that will store the encryption key for the drive.
Configure TPM startup key. This option can be used to require that a USB key be used in addition to the TPM to protect the drive. To
unlock the drive, the USB key must be present. The BIOS of the computer needs to be able to read data from a USB drive before starting the
operating system. If you do not want users to be able to use USB keys with BitLocker or if you will require that users type a PIN to unlock
BitLocker-protected operating system drives, select Do not allow startup key with TPM.
Configure TPM startup PIN. This option can be used to require that a PIN be used in addition to the TPM to protect the drive. To unlock
the drive, the PIN must be entered by the user. If you do not want users to be able to use PINs with BitLocker or if you will require that
users insert USB keys to unlock BitLocker-protected operating system drives, select Do not allow startup PIN with TPM.
After you have made your choices, click Apply to apply the settings, and then close the dialog box.
6. To configure Active Directory recovery options for computers running Windows Vista or Windows Server 2008 in your organization, in the console
tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click BitLocker Drive
Encryption to show the global policy settings.
7. To store recovery information in Active Directory Domain Services (AD DS), in the details pane, double-click the Store BitLocker recovery
information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting, click Enabled, and then select
the Require BitLocker backup to AD DS check box. When this check box is selected, BitLocker will verify the presence of a domain controller
before encrypting the drive. If the domain controller cannot be found, the user will not be able to turn on BitLocker.
After making this selection, you must choose the recovery information to back up. You can choose to back up only recovery passwords or you can
choose to back up recovery passwords and key packages. Key packages are necessary if you need to recover a drive that has been damaged in
such a way that the encryption key is no longer readable by BitLocker recovery.
After you have made your choices, click Apply to apply the settings, and then close the dialog box.
8. To configure local computer recovery options for computers running Windows Vista or Windows Server 2008 in your organization, double-click the
Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) policy setting, and then click
Enabled.
You can then configure whether the user is allowed to select the BitLocker-generated 48-digit recovery password or select the 256-bit recovery
key as the recovery method when they turn on BitLocker. By default, both options are allowed when this setting is disabled or not configured. The
BitLocker recovery key is saved as a key when written to a USB drive or is saved as a password when saved to a file or printed. This policy setting
should be enabled if you want to require the use of one recovery method and prevent the use of another method. If you want recovery to occur
only by administrators who can read the recovery password from AD DS, you can disallow the use of both of these methods after you have
configured the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
policy setting.
After you have made your choices, click Apply to apply the settings, and then close the dialog box.
9. To control whether computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service
Pack 2 (SP2) can access removable drives protected by the Windows 7 version of BitLocker, in the console tree under Local Computer
Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data
Drives, and then in the details pane, double-click the Allow access to BitLocker-protected removable data drives from earlier versions of
Windows policy setting.
By default when a removable drive is protected with BitLocker, the BitLocker To Go Reader is copied to the drive, providing read-only access when
the drive is accessed from computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, if the user
has the required password to unlock the drive. To require that the computer that opens the drive be running either Windows 7 or have the
BitLocker To Go Reader installed, click Enabled, and select the Do not install BitLocker To Go Reader on FAT formatted removable drives
check box. If you do not want computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2 to be used
to read BitLocker-protected, FAT-formatted removable drives, click Disabled.
After you have made your choices, click Apply to apply the settings, and then close the dialog box.

Note
A similar policy setting is available for use with fixed data drives.
10. Close the Local Group Policy Editor.
11. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,
and then press ENTER. Wait for the process to finish.
By completing this procedure, you have set policy to control the use of BitLocker on computers running Windows Vista or Windows Server 2008 in your
organization.


Scenario 5: Requiring BitLocker Protection on Data Drives (Windows 7)
Updated: August 26, 2009
Applies To: Windows 7
This scenario describes how to configure Windows 7 Group Policy settings to require that fixed data drives be BitLocker-protected and that BitLocker To
Go be used with removable data drives before data can be written to the drive.

Before you start
To complete the procedure in this scenario:
You must be able to provide administrative credentials.

To require BitLocker protection on data drives before permitting data to be saved on them
1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption, click Fixed Data Drives.
4. To require BitLocker protection on fixed data drives before allowing users to save data to them, in the details pane, double-click Deny write
access to fixed drives not protected by BitLocker to open the policy setting.
5. Click Enabled, click Apply to apply the setting, and then close the dialog box.
6. Restart the computer.
7. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
8. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
9. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption, click Removable Data Drives.
10. To require the use of BitLocker To Go on removable data drives before allowing users to save data to them, in the details pane, double-click Deny
write access to removable drives not protected by BitLocker to open the policy setting.
11. Click Enabled, click Apply to apply the setting, and then close the dialog box.
Note
Enabling this policy setting means that you cannot support the use of startup keys, recovery keys, or BitLocker protection of operating system
drives without a TPM because these features require an unencrypted removable data drive on which to store the BitLocker key.

12. Close the Local Group Policy Editor.
13. If any removable drives are inserted in the computer when this policy setting is enabled, they must be removed and reinserted before this policy
setting is applied to them.
By completing this procedure, you have specified Group Policy settings to require that fixed data drives be BitLocker-protected and that BitLocker To Go
be used with removable data drives before data can be written to the drive. If users attempt to write data to a drive that is not protected by BitLocker,
they will be prompted to turn on BitLocker.


Scenario 6: Specifying How to Unlock BitLocker-Protected Operating System Drives (Windows 7)
Updated: August 26, 2008
Applies To: Windows 7
This scenario describes how you can use Group Policy settings to control which unlock methods can be used with operating system drives in your
organization. By default, a TPM is required to turn on BitLocker and no additional unlock methods are required. If you want to use BitLocker without a
TPM or to require an additional authentication method with the TPM, use the steps in this scenario to configure the settings to support those unlock
methods.

Before you start
To complete the procedure in this scenario:
You must be able to provide administrative credentials.

To specify how to unlock BitLocker-protected operating system drives
1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption, click Operating System Drives.
4. To configure authentication methods in addition to the TPM, in the details pane, double-click Require additional authentication at startup to
open the policy setting, and then click Enabled.
5. To support BitLocker on computers running Windows 7 that do not have a TPM, select the Allow BitLocker without a compatible TPM check
box.
6. To configure operating system drive startup options for computers with a TPM, the following options are available:
Configure TPM startup. You can choose to allow, require, or not allow the use of the TPM with BitLocker.
Configure TPM startup PIN. You can choose to allow, require, or not allow the use of the TPM in combination with a PIN with BitLocker.
Configure TPM startup key. You can choose to allow, require, or not allow the use of the TPM in combination with a key stored on a removable
device, such as a USB flash drive, with BitLocker.
Configure TPM startup key and PIN. You can choose to allow, require, or not allow the use of the TPM in combination with both a key
stored on a removable device, such as a USB flash drive with BitLocker, and a PIN.
Note
If you choose to require a startup option, the other startup options must be disallowed.

Note
If you require removable drives to be BitLocker-protected, you cannot use a startup key with your operating system drive.
If you require the use of a TPM, a startup key, and a PIN to unlock the operating system drive, you must use the Manage-bde.exe command-line
tool to choose that authentication method and enable BitLocker. Use the following command to add the TPM, PIN, and startup key
authentication method, replacing VolumeName with the drive letter of the operating system drive and RemovableDriveLetter with the letter of
the removable drive where you will be storing the startup key:
manage-bde -protectors -add -tpsk VolumeName: -tsk RemovableDriveLetter:
Use the following command to turn on BitLocker and encrypt the drive, replacing VolumeName with the drive letter of the operating system
drive:
manage-bde -on VolumeName:

7. After you have made your choices, click Apply to apply the settings, and then close the dialog box.
8. If you are using PINs for authentication along with the TPM, you may want to enable the use of enhanced PINs to allow for increased complexity of
PINs. Enhanced PINs support the use of characters, including uppercase and lowercase letters, symbols, numbers, and spaces. Not all computers
support these characters before the operating system starts, so we recommend that users perform a system check during BitLocker setup to verify
that their computer will support the BitLocker settings they have selected before encrypting the drive. Double-click the Allow enhanced PINs for
startup policy setting, and click Enabled to provide the option of using enhanced PINs with BitLocker-protected operating system drives. If this
policy setting is disabled or not configured, enhanced PINs cannot be used.
9. After you have made your choices, click Apply to apply the settings, and then close the dialog box.
10. Close the Local Group Policy Editor.
11. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,
and then press ENTER. Wait for the process to finish.
By completing this procedure, you have configured Group Policy settings to control which unlock methods can be used with operating system drives in
your organization.


Scenario 7: Specifying How to Unlock BitLocker-Protected Fixed or Removable Data Drives (Windows 7)
Updated: August 26, 2009
Applies To: Windows 7
In this scenario, you will determine which unlock methods for fixed and removable drives can be used by configuring the appropriate Group Policy
settings.

Before you start
To complete the procedures in this scenario:
You must be able to provide administrative credentials.
Your test computer must be part of a domain if you want to test password complexity requirements.
You must have separate fixed data drives and removable drives available.
You must boot from a BitLocker-protected operating system drive to use the automatic unlock method with fixed data drives.
You must have deployed a public key infrastructure (PKI) architecture for use with smart cards.
Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive
Encryption Step-by-Step Guide for Windows 7 [1].

Note
If BitLocker is enabled on the operating system drive, when you turn on BitLocker for a fixed data drive, you will have the option of allowing the drive
to be automatically unlocked when the operating system drive is unlocked. The following procedure assumes that the fixed data drive was
BitLocker-protected previously and the automatic unlock method was not selected. Removable data drives must have either a password or a smart
card unlock method in addition to the automatic unlock method. Automatic unlocking cannot be directly specified by policy settings.

To configure a BitLocker-protected fixed or removable data drive to automatically unlock
1. Click Start, click Computer, and then right-click the BitLocker-protected fixed or removable data drive that you want to automatically unlock.
2. Click Manage BitLocker, and then click Automatically unlock this drive on this computer.
To specify password usage for BitLocker-protected fixed or removable data drives
1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption, click Fixed Data Drives.
4. By default, passwords can be used with BitLocker to protect fixed data drives. The default settings do not enforce any password complexity
requirements but do require that the password be at least 8 characters. To specify different settings, in the details pane, double-click Configure
use of passwords for fixed data drives to open the policy setting.
5. Click Disabled to prevent the use of passwords with fixed data drives, or click Enabled, and configure the following settings:
Select the Require password for fixed data drive check box if you want to require the user to enter a password to turn on BitLocker on a
fixed data drive. If other unlock methods have been configured for the drive, any of those methods may be used to unlock the drive.
Under Configure password complexity for fixed data drives, you can choose to allow, require, or not allow password complexity rule
enforcement with BitLocker fixed data drive passwords.
If you choose Require password complexity, you must have also configured the Password must meet complexity requirements policy
setting located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. In addition, the
computer must be connected to the domain when the BitLocker password is set for the drive (such as when BitLocker is turned on or when a
password is changed) so that the domain controller can validate that the password specified for the drive meets the complexity rules.
If you choose Allow password complexity, BitLocker will attempt to connect to the domain controller to validate the password, but if a
connection is not possible it will accept the password and encrypt the drive by using the password regardless of whether the password is
compliant with the complexity rules defined by the password policy.
If you choose Do not allow password complexity, BitLocker will not attempt to validate whether or not the password specified is a
complex password.
Under Minimum password length for fixed data drive, you can specify a number between 8 and 99 that defines how long the password
specified for the drive must be. Passwords must always be at least 8 characters.
6. After you have made your choices, click Apply to apply the settings, and then close the dialog box.
7. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption, click Removable Data Drives.
8. By default, passwords can be used with BitLocker to protect removable data drives. The default settings do not enforce any password complexity
requirements but do require that the password be at least 8 characters. To specify different settings, in the details pane, double-click Configure
use of passwords for removable data drives to open the policy setting.
9. Click Disabled to prevent the use of passwords with removable data drives, or click Enabled, and configure the following settings:
Select the Require password for removable data drive check box if you want to require the user to enter a password to turn on BitLocker
on a removable data drive. If other unlock methods have been configured for the drive, any of those methods may be used to unlock the
drive.
Under Configure password complexity for removable data drives, you can choose to allow, require, or not allow password complexity
rule enforcement with BitLocker removable data drive passwords.
If you choose Require password complexity, you must have also configured the Password must meet complexity requirements policy
setting located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy, and the
computer must be connected to the domain when BitLocker is turned on so that the domain controller can validate that the password
specified for the drive meets the complexity rules.
If you choose Allow password complexity, BitLocker will attempt to connect to the domain controller to validate the password, but if a
connection is not possible it will accept the password and encrypt the drive by using the password regardless of whether the password is
compliant with the complexity rules defined by the password policy.
If you choose Do not allow password complexity, BitLocker will not attempt to validate whether or not the password specified is a
complex password.
Under Minimum password length for fixed data drive, you can specify a number between 8 and 99 that defines how long the password
specified for the drive must be. Passwords must always be at least 8 characters.
10. After you have made your choices, click Apply to apply the settings, and then close the dialog box.
11. Close the Local Group Policy Editor.
12. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,
and then press ENTER. Wait for the process to finish.
To specify smart card usage for BitLocker-protected fixed or removable data drives
1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption, click Fixed Data Drives.
4. By default, smart cards can be used with BitLocker to protect fixed data drives. To require or prevent the use of smart cards, in the details pane,
double-click Configure use of smart cards on fixed data drives to open the policy setting.
5. Click Disabled to prevent the use of smart cards with fixed data drives.
6. Click Enabled, and select the Require use of smart cards on fixed data drives check box if you want to require the user to insert a smart card
to turn on BitLocker.
If other unlock methods have been configured for the drive, any of those methods may be used to unlock the drive.
7. After you have made your choices, click Apply to apply the settings, and then close the dialog box.
8. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click
BitLocker Drive Encryption.
9. If you have multiple smart card certificates, you can specify which smart card certificates can be used with BitLocker. To do this, in the details
pane, double-click the Validate smart card certificate usage rule compliance policy setting.
By default, BitLocker uses smart card certificates that have the enhanced key usage (EKU) attribute equal to the BitLocker object identifier of
1.3.6.1.4.1.311.67.1.1, but BitLocker does not require the EKU attribute to be present for the certificate to be used with BitLocker. However,
you can set this policy to Enabled and type a value in Object identifier to require that a certificate have a certain EKU attribute before it is used
with BitLocker. If you set this policy to Disabled or Not Configured, the default object identifier is used.
10. After you have made your choices, click Apply to apply the settings, and then close the dialog box.
11. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption, click Removable Data Drives.
12. By default, smart cards can be used with BitLocker to protect removable data drives. To require or prevent the use of smart cards, in the details
pane, double-click Configure use of smart cards on removable data drives to open the policy setting.
13. Click Disabled to prevent the use of smart cards with removable data drives.
14. Click Enabled, and select the Require smart card for removable data drive check box if you want to require the user to insert a smart card to
turn on BitLocker.
15. After you have made your choices, click Apply to apply the settings, and then close the dialog box.
16. Close the Local Group Policy Editor.
17. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,
and then press ENTER. Wait for the process to finish.
By completing the procedures in this scenario, you have specified which methods users can use to unlock BitLocker-protected drives. These policies are
enforced on drives when BitLocker is turned on.

Links Table
[1] http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx


Scenario 8: Specifying How BitLocker-Protected Drives Can Be Recovered (Windows 7)
Updated: August 26, 2009
Applies To: Windows 7
If an unlock method fails, such as if the TPM detects a change in boot components or a password is forgotten, users will need to use a recovery method
to access their data. Before going through the recovery process, you should verify that the drive was not tampered with and isolate the computer from
the network until any risk presented by the system is determined. This scenario includes procedures for setting the recovery options available for
operating system drives, fixed data drives, and removable data drives. The procedures in this scenario describe how to configure the appropriate Group
Policy settings to support the recovery options available to users in your enterprise. You can require that users save recovery keys or recovery files,
enable the use of a data recovery agent, or require that all recovery information be backed up to Active Directory Domain Services (AD DS) and prevent
users from creating and saving recovery passwords and keys.
Note
If access to an operating system drive is recovered by using the recovery console after a change in the computer configuration, suspend and then
resume BitLocker protection before shutting down or putting the computer in hibernation. Otherwise, the conditions that caused BitLocker to start
the operating system drive in recovery mode will be detected again and the recovery information will be required to start the operating system.

Before you start
To complete the procedures in this scenario:
You must be able to provide administrative credentials.
Your test computer must be part of a domain.
Complete the following procedures to specify the recovery methods for each type of drive.
To specify how BitLocker-protected operating system drives can be recovered
1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption, click Operating System Drives.
4. To configure recovery options for operating system drives, in the details pane, double-click Choose how BitLocker-protected operating system
drives can be recovered to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported
for BitLocker recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when
they turn on BitLocker, and recovery information is not backed up to AD DS.
5. To specify different recovery options, click Enabled, and then configure the following settings as appropriate:
Select the Allow data recovery agent check box to allow specified accounts to be used to recover BitLocker-protected drives. To use a
data recovery agent, the account must be configured and added to the following location in Group Policy: Computer
Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption. For more information about
setting up data recovery agents, see Using Data Recovery Agents with BitLocker [1]. Clear the check box if you do not want to allow data
recovery agents to be used with BitLocker.
Under Configure user storage of BitLocker recovery information, you can choose whether or not a user is allowed, required, or not
allowed to create a 48-digit recovery password or 256-bit recovery key when they turn on BitLocker. If one user storage option is required,
the other must be disallowed. If you want to provide users the option of using either a recovery password or a recovery key, you should
select both Allow 48-digit recovery password and Allow 256-bit recovery key. If you do not want users to be able to store or print
recovery information, select both Do not allow 48-digit recovery password and Do not allow 256-bit recovery key.
Select the Save BitLocker recovery information to AD DS for operating system drives check box, and then select whether you want to
Store recovery passwords and key packages in AD DS or Store recovery passwords only. Storing recovery passwords in AD DS allows
system administrators to provide recovery passwords to users or recover BitLocker-protected drives when the user-stored recovery
password or recovery key is not available (for example, when a user loses the recovery password printout or when the stored recovery key
file cannot be accessed). Storing the key packages in addition to the recovery passwords enables administrators to use the Repair-bde
command-line tool to recover a BitLocker-protected drive that has been damaged in such a way that reading the encryption key from the
drive is not possible.
Select the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives check box to ensure
that the recovery information for all BitLocker-protected operating system drives in your organization is stored in AD DS. Recovery
information is generated when the drive is first encrypted and is not automatically sent to AD DS after encryption has occurred. When this
check box is selected, users must be connected to the domain when they turn on BitLocker.
Select the Omit recovery options from the BitLocker setup wizard check box if you want the choice of recovery method to be controlled
by this policy setting and not show the recovery options to the user. To enable this option, you must select one or both of the
administrative recovery settings Save BitLocker recovery information to AD DS for operating system drives or Allow data recovery
agent to ensure that the BitLocker-protected drive can be recovered.
6. After you have made your choices, click Apply to apply the settings, and then close the dialog box.
7. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,
and then press ENTER. Wait for the process to finish.
To specify how BitLocker-protected fixed data drives can be recovered
1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption, click Fixed Data Drives.
4. To configure recovery options for fixed data drives, in the details pane, double-click Choose how BitLocker-protected fixed drives can be
recovered to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker
recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when they turn on
BitLocker, and recovery information is not backed up to AD DS.
5. To specify different recovery options, click Enabled, and then configure the following settings as appropriate:
Select the Allow data recovery agent check box to allow specified accounts to be used to recover BitLocker-protected drives. To use a
data recovery agent, the account must be configured and added to the following location in Group Policy: Computer
Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption. For more information about
setting up data recovery agents, see Using Data Recovery Agents with BitLocker [1]. Clear the Allow data recovery agent check box if you
do not want to allow data recovery agents to be used with BitLocker.
Under Configure user storage of BitLocker recovery information, you can choose whether or not a user is allowed, required, or not
allowed to create a 48-digit recovery password or 256-bit recovery key when they turn on BitLocker.
Select the Save BitLocker recovery information to AD DS for fixed data drives check box, and then select whether you want to Store
recovery passwords and key packages in AD DS or Store recovery passwords only. Storing recovery passwords in AD DS allows system
administrators to provide recovery passwords to users or recover BitLocker-protected drives when the user-stored recovery password or
recovery key is not available (for example, when a user loses the recovery password printout or when the stored recovery key file cannot be
accessed). Storing the key packages in addition to the recovery passwords enables administrators to use the Repair-bde command-line tool
to recover a BitLocker-protected drive that has been damaged in such a way that reading the encryption key from the drive is not possible.
Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives check box to ensure that the
recovery information for all BitLocker-protected fixed data drives in your organization is stored in AD DS. Recovery information is generated
when the drive is first encrypted and is not automatically sent to AD DS after encryption has occurred. When this check box is selected,
users must be connected to the domain when they turn on BitLocker.
Select the Omit recovery options from the BitLocker setup wizard check box if you want the choice of recovery method to be controlled
by this policy setting and not show the recovery options to the user. To enable this option, you must select one or both of the
administrative recovery settings Save BitLocker recovery information to AD DS for fixed data drives or Allow data recovery agent to
ensure that the BitLocker-protected drive can be recovered.
6. After you have made your choices, click Apply to apply the settings, and then close the dialog box.
7. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,
and then press ENTER. Wait for the process to finish.
To specify how BitLocker-protected removable data drives can be recovered
1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker
Drive Encryption, click Removable Data Drives.
4. To configure recovery options for removable data drives, in the details pane, double-click Choose how BitLocker-protected removable data
drives can be recovered to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported
for BitLocker recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when
they turn on BitLocker, and recovery information is not backed up to AD DS.
5. To specify different recovery options, click Enabled, and then configure the following settings as appropriate:
Select the Allow data recovery agent check box to allow specified accounts to be used to recover BitLocker-protected drives. To use a
data recovery agent, the account must be configured and added to the following location in Group Policy: Computer
Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption. For more information about
setting up data recovery agents, see Using Data Recovery Agents with BitLocker [1]. Clear the check box if you do not want to allow data
recovery agents to be used with BitLocker.
Under Configure user storage of BitLocker recovery information, you can choose whether or not a user is allowed, required, or not
allowed to create a 48-digit recovery password or 256-bit recovery key when they turn on BitLocker. By default, recovery keys are not used
with removable data drives.
Select the Save BitLocker recovery information to AD DS for removable data drives check box, and then select whether you want to
Store recovery passwords and key packages in AD DS or Store recovery passwords only. Storing recovery passwords in AD DS allows
system administrators to provide recovery passwords to users or recover BitLocker-protected drives when the user-stored recovery
password or recovery key is not available (for example, when a user loses the recovery password printout or when the stored recovery key
file cannot be accessed). Storing the key packages in addition to the recovery passwords enables administrators to use the Repair-bde
command-line tool to recover a BitLocker-protected drive that has been damaged in such a way that reading the encryption key from the
drive is not possible.
Select the Do not enable BitLocker until recovery information is stored to AD DS for removable data drives check box to ensure that
the recovery information for all BitLocker-protected removable data drives in your organization is stored in AD DS. Recovery information is
generated when the drive is first encrypted and is not automatically sent to AD DS after encryption has occurred. When this check box is
selected, users must be connected to the domain when they turn on BitLocker.
Select the Omit recovery options from the BitLocker setup wizard check box if you want the choice of recovery method to be controlled
by this policy setting and not show the recovery options to the user. To enable this option, you must select one or both of the
administrative recovery settings Save BitLocker recovery information to AD DS for removable data drives or Allow data recovery
agent to ensure that the BitLocker-protected drive can be recovered.
6. After you have made your choices, click Apply to apply the settings, and then close the dialog box.
7. Close the Local Group Policy Editor.
8. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,
and then press ENTER. Wait for the process to finish.
By completing the procedures in this scenario, you have configured the Group Policy settings establishing the recovery options available for operating
system drives, fixed data drives, and removable data drives.

Links Table
1http://technet.microsoft.com/en-us/library/dd875560(v=ws.10).aspx


Scenario 9: Configuring the Encryption Method and Cipher Strength (Windows 7)
Updated: August 26, 2009
Applies To: Windows 7
This scenario describes how to modify the encryption method and cipher strength that BitLocker Drive Encryption uses to encrypt operating system drives,
fixed data drives, and removable data drives. BitLocker supports 128-bit and 256-bit encryption keys. Longer keys provide a higher level of security and
are harder to attack by brute force, but they make encryption and decryption of data slower. In addition, BitLocker supports a Diffuser algorithm to help
protect the system against ciphertext manipulation attacks, a class of attacks in which changes are made to the encrypted data in an attempt to discover
patterns or weaknesses.
This Group Policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if
encryption is currently in progress. You must change the encryption method before you encrypt the drive with BitLocker so that the method you selected
is used on the drive.
By default, BitLocker uses Advanced Encryption Standard (AES) encryption with 128-bit encryption keys and Diffuser. Most organizations do not need to
modify this setting, but in some situations (for example, if your organization is Federal Information Processing Standard (FIPS) compliant) you would
need to modify the encryption method to not use Diffuser. If you are in a highly secure environment, you may need to use the 256-bit encryption
algorithm with Diffuser to provide a higher level of encryption.

Before you start


To complete the procedure in this scenario:
You must be able to provide administrative credentials.

To configure the BitLocker encryption method and cipher strength


1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click
BitLocker Drive Encryption.
4. To change the default encryption algorithm used by BitLocker, in the details pane, double-click Choose drive encryption method and cipher
strength to open the policy setting.
5. If this setting is disabled or not configured, BitLocker will use the default encryption method of AES 128-bit with Diffuser. The Diffuser is an
additional encryption method applied when the drive is encrypted and decrypted to provide additional protection to the data as it moves from
plaintext to encrypted form.
6. To change the encryption method and cipher strength, click Enabled for the policy setting. Under Select the encryption method, select AES
256-bit with Diffuser to choose a stronger encryption algorithm. If your organization has formal requirements to use only government-approved
encryption algorithms, you can select either AES 128-bit or AES 256-bit; otherwise, using these encryption methods is not recommended.
7. After you have made your choices, click Apply to apply the settings, and then close the dialog box.
8. Close the Local Group Policy Editor.
9. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,
and then press ENTER. Wait for the process to finish.
By completing this procedure, you have modified the encryption method and cipher strength used by BitLocker to encrypt operating system drives, fixed
data drives, and removable data drives.


Scenario 10: Configuring the BitLocker Identification Field (Windows 7)
Updated: August 26, 2009
Applies To: Windows 7
BitLocker in Windows 7 can use identification fields to determine whether or not a BitLocker-protected drive belongs to your organization and can use a
secondary identification field to determine if the drive belongs to a trusted external organization. Identification fields are validated when data recovery
agents are enabled and when BitLocker To Go is turned on.
Data recovery agents will be updated as necessary to ensure that the drive can be recovered by authorized individuals and the BitLocker To Go Reader
application will be updated as necessary on a removable drive. If the identification field is not configured, the drive is treated as if it belongs to your
organization. If the identification field is configured on a drive, it must match the identification field or allowed identification field specified in this policy
before BitLocker can update data recovery agent information or the BitLocker To Go Reader on the drive.

Before you start


To complete the procedure in this scenario:
You must be able to provide administrative credentials.

To configure the BitLocker identification field


1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click
BitLocker Drive Encryption.
4. In the details pane, double-click the Provide the unique identifiers for your organization policy setting, and then click Enabled.
In Identification field, type the unique identifier for your organization.
In Allowed identification field, type the unique identifiers for any trusted external organizations that may have BitLocker-protected
removable drives that are accessed by computers in your organization.
5. If you do not want to use identification fields, set this policy to Disabled or Not Configured. After you have made your choices, click Apply to
apply the settings, and then close the dialog box.
6. Close the Local Group Policy Editor.
7. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,
and then press ENTER. Wait for the process to finish.
Note
Identification fields are added to BitLocker-protected drives when BitLocker is turned on. If you have already deployed BitLocker and you want to add
an identification field, you can use the following Manage-bde command to associate an identifier with the drive, replacing Volume with the letter of
the drive:
manage-bde -SetIdentifier Volume:

By completing this procedure, you have configured the identification field that will be applied to drives in your organization when BitLocker is turned on.


Scenario 11: Recovering Data Protected by BitLocker Drive Encryption (Windows 7)
Updated: August 26, 2009
Applies To: Windows 7
This scenario describes the process for recovering your data after BitLocker has entered recovery mode. BitLocker locks the computer when a disk
encryption key is not available. The following is a list of likely causes:
An error related to TPM validation occurs on an operating system drive.
The password for a BitLocker-protected fixed data drive is forgotten.
The smart card used to lock a removable data drive is lost.
When recovery of a drive is necessary, you must use the recovery key from a USB flash drive, type a recovery password, or have a data recovery agent
recover the drive. When the operating system drive needs to be recovered, you will use a recovery console session running from the BIOS to enter
recovery information. Some systems use the function keys to enter digits in this environment. In this case, F1 through F9 represent the digits 1 through
9, and F10 represents 0.
Caution
When in the operating system drive recovery console session, the accessibility features of Windows are not available. If you require accessibility
features, consider what you will do in the event of recovery. For example, you might consider data recovery agents to support drive recovery or
designate a trusted person who can store the recovery key and provide it if necessary.
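The 48-digit recovery password has a structure that can be checked before it is typed into the recovery console or passed to Repair-bde: each six-digit group must be a multiple of 11 and, divided by 11, fit in 16 bits, so most single-digit transcription errors can be caught offline. The following Python example is added here and is not part of the original guide; it normalizes a password, reports which groups fail that check, maps the F1 to F10 key entry described above to digits, and uses the sample recovery password from the Repair-bde table in Scenario 16 as its well-formed input (the typo variant is constructed).

```python
"""Sanity-check a BitLocker 48-digit recovery password before it is entered in the
recovery console or passed to repair-bde -rp (added example, not Microsoft code)."""
from __future__ import annotations

GROUPS = 8
GROUP_DIGITS = 6
MAX_GROUP = 720896  # 0xB0000 = 65536 * 11; every group // 11 must fit in 16 bits

# Recovery console digit entry on systems that only accept function keys:
# F1..F9 stand for 1..9 and F10 stands for 0 (as described in Scenario 11).
FUNCTION_KEYS = {f"F{i}": str(i % 10) for i in range(1, 11)}


def function_keys_to_digits(keys: list[str]) -> str:
    """Translate a sequence of F-key names into the digits they represent."""
    try:
        return "".join(FUNCTION_KEYS[k.upper()] for k in keys)
    except KeyError as exc:
        raise ValueError(f"not a recovery-console digit key: {exc.args[0]}") from None


def normalize(password: str) -> str:
    """Strip dashes and whitespace; return the bare 48-digit string or raise."""
    digits = "".join(ch for ch in password if ch not in " -\t\n")
    if not digits.isdigit():
        raise ValueError("recovery password may contain digits and dashes only")
    if len(digits) != GROUPS * GROUP_DIGITS:
        raise ValueError(f"expected {GROUPS * GROUP_DIGITS} digits, got {len(digits)}")
    return digits


def _groups(digits: str) -> list[int]:
    return [int(digits[i * GROUP_DIGITS:(i + 1) * GROUP_DIGITS]) for i in range(GROUPS)]


def check_groups(password: str) -> list[int]:
    """Return the 0-based indexes of the six-digit groups that fail the built-in check.

    Each group must be a multiple of 11 and below 720896, so that group // 11 is a
    16-bit value. A single wrong digit in a group breaks divisibility by 11, which is
    why a mistyped password is rejected up front rather than after a failed unlock.
    """
    return [i for i, g in enumerate(_groups(normalize(password)))
            if g % 11 != 0 or g >= MAX_GROUP]


def is_well_formed(password: str) -> bool:
    """True when the password has 48 digits and every group passes the check."""
    try:
        return not check_groups(password)
    except ValueError:
        return False


def recovery_words(password: str) -> list[int]:
    """Decode a well-formed password into its eight 16-bit words (group // 11)."""
    if check_groups(password):
        raise ValueError("recovery password fails the group check")
    return [g // 11 for g in _groups(normalize(password))]


def format_groups(password: str) -> str:
    """Re-insert the dashes so the password reads as eight six-digit groups."""
    digits = normalize(password)
    return "-".join(digits[i * GROUP_DIGITS:(i + 1) * GROUP_DIGITS] for i in range(GROUPS))


# Sample recovery password from the Repair-bde parameter table in Scenario 16 of this guide.
SAMPLE = "062612-026103-175593-225830-027357-086526-362263-513414"
# Constructed: the same password with one transcription error in the first group (2 -> 3).
TYPO = "062613-026103-175593-225830-027357-086526-362263-513414"

if __name__ == "__main__":
    print(SAMPLE, "well-formed:", is_well_formed(SAMPLE))
    print(TYPO, "failing groups (1-based):", [i + 1 for i in check_groups(TYPO)])
    print("F-key entry F10 F6 F2 F6 F1 F2 ->", function_keys_to_digits(["F10", "F6", "F2", "F6", "F1", "F2"]))
```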

Before you start


To complete the procedures in this scenario:
You must be able to provide administrative credentials.
You must have a USB flash drive with the recovery key.
You must have the recovery password.
Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive
Encryption Step-by-Step Guide for Windows 71.

To test data recovery on an operating system drive


1. Click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account
Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
2. Type bcdedit /debug on to enable kernel debugging for the operating system drive.
3. Close all open windows.
4. If the USB flash drive that contains your recovery key is inserted into the computer, use the Safely Remove Hardware icon in the notification
area to remove it from the computer.
5. Click Start, and then click Shut Down to turn off your computer.
When you restart the computer, you will be prompted for the recovery password, because the startup configuration has changed since you
encrypted the drive.
6. Turn on your computer.
7. The BitLocker Drive Encryption Recovery Console will appear.
8. You will be prompted to insert the USB flash drive that contains the recovery key.
If you have the USB flash drive with the recovery key, insert it, and then press ESC. Your computer will restart automatically. You do not
need to enter the recovery password manually.
If you do not have the USB flash drive with the recovery key, press ENTER. You will be prompted to enter the recovery password. Type the
48-digit recovery password, and then press ENTER.
9. After the drive has been unlocked, the operating system will start. To restore your computer to its normal operating profile, click Start, type cmd
in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account Control dialog box
appears, confirm that the action it displays is what you want, and then click Yes. Type bcdedit /debug off to disable kernel debugging for the
operating system drive.
To test data recovery on a password-protected fixed data drive
1. Click Start, and then click Computer to display the drives on the computer.
2. Double-click a BitLocker-protected data drive. The BitLocker Drive Encryption dialog box is displayed, prompting you to type your password to
unlock the drive.
3. Click I forgot my password. You are prompted to Unlock this drive using your recovery key. Select either Type the recovery key or Get the
key from the USB flash drive, depending on which recovery method was configured for the drive.
4. After providing the recovery key, the drive is unlocked. You can then click Manage BitLocker, and reconfigure the unlock method as necessary.
You will be able to use the new unlock method to unlock the drive the next time the drive is locked.

By completing the procedures in this scenario, you have used data recovery to reestablish access to a BitLocker-protected drive.

Links Table
1http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx


Scenario 12: Turning Off BitLocker Drive Encryption (Windows 7)


Updated: August 26, 2009
Applies To: Windows 7
This scenario describes how to either suspend BitLocker Drive Encryption or turn off BitLocker Drive Encryption and decrypt the drive.
When you have encrypted an operating system drive, you can choose to either suspend BitLocker temporarily or turn off BitLocker on an operating
system drive and decrypt the drive. You can suspend BitLocker on an operating system drive to make TPM changes and operating system upgrades. On a
data drive, you simply decrypt the drive. Decrypting the drive means that the drive will once again be readable and that all the keys are discarded. After
a drive is decrypted, you must generate new keys by completing the encryption process again.

Before you start


To complete the procedures in this scenario:
You must be able to provide administrative credentials.
The drive must be BitLocker-protected.
Complete one of the following procedures.
To suspend BitLocker Drive Encryption on an operating system drive
1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. Click Suspend Protection for the operating system drive.
3. A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend
BitLocker Drive Encryption. Click Yes to continue and suspend BitLocker on the drive.
By completing this procedure, you have suspended BitLocker protection on the drive by changing the decryption key to a clear key. To read data from
the drive, the clear key is used to access the files. When BitLocker is suspended, TPM validation does not occur and other authentication methods, such
as the use of a PIN or USB key to unlock the operating system drive, are not enforced. This allows you to make system changes such as updating the
BIOS or replacing a data drive. When you are finished making changes to the computer, click Resume Protection from the BitLocker Drive Encryption
Control Panel item to start using BitLocker Drive Encryption again.
To turn off BitLocker Drive Encryption
1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. Find the drive on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker.
3. A message is displayed, informing you that the drive will be decrypted and that decryption may take some time. Click Decrypt the drive to
continue and turn off BitLocker on the drive.
By completing this procedure, you have decrypted the drive and removed BitLocker protection.


Scenario 13: Locking a Data Drive with a Smart Card (Windows 7)


Updated: November 11, 2009
Applies To: Windows 7
This scenario describes how to use smart cards with a self-signed certificate to encrypt a data drive by using BitLocker Drive Encryption. When deploying
BitLocker along with smart cards, we recommend that a certification authority be used. As a best practice, self-signed certificates should only be used
for limited testing scenarios. By default, BitLocker cannot be used with self-signed certificates.

Before you start


To complete the procedures in this scenario:
You must be able to provide administrative credentials.
Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive
Encryption Step-by-Step Guide for Windows 71.
Complete the following procedures in order.
To enable BitLocker to use self-signed certificates
1. Click Start, type regedit in the Search programs and files box, right-click regedit.exe, and then click Run as administrator. If the User
Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE.
3. On the Registry Editor menu, click Edit, point to New, and then click DWORD (32-bit) Value.
4. Type SelfSignedCertificates, and then press ENTER to create the SelfSignedCertificates key value.
5. Right-click SelfSignedCertificates, and then click Modify.
6. In Value data, type 1.
BitLocker can now use self-signed certificates.
To obtain a self-signed certificate to test BitLocker and smart cards
1. Open a text editor such as Notepad, and paste the following information into a new file:
[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.1

2. Save the file with the name blcert.txt.


3. Insert a smart card into the smart card reader of the computer.
4. Click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account
Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
5. In the Command Prompt window, navigate to the location where you saved the blcert.txt file, and type certreq -new blcert.txt to request a new
certificate based on the parameters identified in the file. There may be a slight delay while the request is carried out, and you may be prompted to
enter your smart card PIN.
6. When prompted to save the request file, type a file name, and click Save.
You now have a smart card certificate that is appropriate for use with BitLocker.
To use BitLocker with a smart card to protect a data drive
1. If you want to protect a removable drive, insert it into the computer.
2. Click Start, and then click Computer to display the drives on your computer.
3. Right-click the drive you want to protect, and then click Turn on BitLocker to start the BitLocker setup wizard.
4. On the Choose how you want to unlock this drive wizard page, click Use my smart card to unlock the drive.
5. Insert your smart card into the smart card reader, and click Next.
6. On the Save the recovery key wizard page, select either Save the key to a file to save your recovery key to a network drive or other location
or select Print the recovery key to print the 48-digit recovery password, and then click Next.
7. On the Are you ready to encrypt this drive page, confirm that you want to use a smart card to encrypt the drive, and click Start Encrypting.
8. When the drive is ready for encryption, the Encryption in Progress status bar is displayed. When you are notified that encryption is complete,
click Close.

By completing the procedures in this scenario, you have a drive that is now protected by BitLocker and ready to use. Whenever the drive is inserted into
a computer running Windows 7, a dialog box will prompt users to insert their smart card to unlock the drive.

Links Table
1http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx


Scenario 14: Using a Data Recovery Agent to Recover BitLocker-Protected Drives (Windows 7)
Updated: August 26, 2009
Applies To: Windows 7
This scenario describes how to use a data recovery agent to recover data from a BitLocker-protected drive. Data recovery agents are individuals whose
public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials to unlock
BitLocker-protected drives. Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable
data drives. However, when used to recover operating system drives, the operating system drive must be mounted on another computer as a data drive
for the data recovery agent to be able to unlock the drive. Data recovery agents are added to the drive when it is encrypted and can be updated after
encryption occurs.

Before you start


To complete the procedures in this scenario:
You must be able to provide administrative credentials.
Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive
Encryption Step-by-Step Guide for Windows 71.
Complete the following procedures in order.
To enable BitLocker to use self-signed certificates
1. Click Start, type regedit in the Search programs and files box, right-click regedit.exe, and then click Run as administrator. If the User
Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE.
3. On the Registry Editor menu, click Edit, point to New, and then click DWORD (32-bit) Value.
4. Type SelfSignedCertificates, and then press ENTER to create the SelfSignedCertificates key value.
5. Right-click SelfSignedCertificates, and then click Modify.
6. In Value data, type 1.
BitLocker can now use self-signed certificates.
To obtain a self-signed certificate to test BitLocker and data recovery agents
1. Open a text editor such as Notepad, and paste the following information into a new file:
[NewRequest]
Subject = "CN=BitLockerDRA"
KeyLength = 2048
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.2

2. Save the file with the name bldracert.txt.


3. Insert a smart card into the smart card reader of the computer.
4. Click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account
Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
5. In the Command Prompt window, navigate to the location where you saved the bldracert.txt file, and type certreq -new bldracert.txt to request a
new certificate based on the parameters identified in the file. There may be a slight delay while the request is carried out, and you may be
prompted to insert your smart card and type your PIN.
6. When prompted to save the request file, type a file name, and click Save.
You now have a data recovery agent smart card certificate that is appropriate for use with BitLocker.
To export a BitLocker DRA certificate
1. Click Start, and then type certmgr.msc to open the Certificates snap-in.
2. In the console tree, expand Personal, and then click Certificates.
3. Double-click the BitLockerDRA certificate to display the certificate properties sheet.
4. Click the Details tab, and then click Copy to File to start the Certificate Export Wizard.
5. On the Welcome to the Certificate Export Wizard page, click Next.
6. On the Export Private Key page, verify that No, do not export the private key is selected, and then click Next.

7. On the Export File Format page, verify that DER encoded binary x.509 (.CER) is selected, and then click Next.
8. On the File to Export page, click Browse to display the Save as dialog box. In File name, type BitLockerDRA. In Save as type, verify that
DER Encoded Binary X.509 (.cer) is selected, and then click Save to return to the File to Export page. The File name box on the wizard page
should now display the path to the BitLockerDRA.cer file in your document library. Click Next.
9. On the Completing the Certificate Export Wizard page, verify that the information displayed is correct, and then click Finish.
10. When the certificate has been exported, the Certificate Export Wizard dialog box will be displayed with the message The export was
successful. Click Close to close the dialog and the wizard.
To add a BitLocker data recovery agent and unlock a drive
1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
3. In the console tree under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click
BitLocker Drive Encryption, and then click Add Data Recovery Agent to start the Add Recovery Agent Wizard.
4. On the Select Recovery Agents page, click Browse Folder to select the BitLockerDRA.cer file you exported in the previous procedure. If you
did not need to export a certificate because you already had deployed a PKI with the necessary certificates, click Browse directory to choose a
certificate from Active Directory Domain Services.
5. If you are prompted to install the certificate, click Yes. You can repeat this process as necessary to add multiple data recovery agents. After all
data recovery agent certificates you want to use have been specified, click Next.
6. On the Completing the Recovery Agent Wizard page, click Finish to add the data recovery agent.
7. If you have not configured the Group Policy setting to specify the BitLocker identification field, complete Scenario 10: Configuring the BitLocker
Identification Field (Windows 7)2 before continuing with this scenario.
8. Encrypt a data drive as described in Scenario 2: Turning On BitLocker Drive Encryption on a Fixed or Removable Data Drive (Windows 7)3. For a
data recovery agent to be able to unlock a drive, the BitLocker identification field must be present and match the identification field defined for
your organization.
9. To put the drive into a locked state so that you can test the data recovery agent, click Start, point to All Programs, click Accessories, right-click
Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what
you want, and then click Yes. Type the following command, replacing Volume with the drive letter of the BitLocker-protected drive you want to lock:
manage-bde -lock Volume:
Do not close the Command Prompt window.
10. Now that the drive is locked, you can unlock it by using the data recovery agent. First, you need the certificate thumbprint of the data recovery
agent. To find this, at the command prompt, type the following command, replacing Volume with the drive letter of the BitLocker-protected drive
you want to unlock:
manage-bde -protectors -get Volume:
The key protectors identified for the drive are displayed. Find the key protector identified as Data Recovery Agent (Certificate Based), and
record the certificate thumbprint.
11. To unlock the drive, type the following command, replacing CertificateThumbprint with the actual certificate thumbprint of the data recovery
agent recorded in the previous step:
manage-bde -unlock Volume: -Certificate -ct CertificateThumbprint -PIN
12. Enter your smart card PIN when prompted. The drive is unlocked.
By completing the procedures in this scenario, you have assigned data recovery agents to BitLocker and used a data recovery agent to unlock a
BitLocker-protected drive.

Links Table
1http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx
2http://technet.microsoft.com/en-us/library/ee424309(v=ws.10).aspx
3http://technet.microsoft.com/en-us/library/ee424323(v=ws.10).aspx


Scenario 15: Using the BitLocker Active Directory Recovery Password Viewer to View Recovery Passwords
Updated: September 18, 2009
Applies To: Windows 7
The BitLocker Active Directory Recovery Password Viewer tool is an optional feature included with the Remote Server Administration Tools (RSAT) for
Windows Server 2008 R2 that you can install by using the Add Feature wizard in the RSAT management console. This tool lets you locate and view
BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a
drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory
Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's Properties dialog box to view
the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password
across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID).

Before you start


To complete the procedures in this scenario:
You must have domain administrator credentials.
Your test computers must be joined to the domain.
On the test computers, BitLocker must have been turned on after joining the domain.
The following procedures describe the most common tasks performed by using the BitLocker Active Directory Recovery Password Viewer.
To view the recovery passwords for a computer
1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active
Directory Users and Computers. In Active Directory Users and Computers, locate and then click the container in which the computer is located.
2. Right-click the computer object, and then click Properties.
3. In the Properties dialog box, click the BitLocker Recovery tab to view the BitLocker recovery passwords that are associated with the computer.
To copy the recovery passwords for a computer
1. Follow the steps in the previous procedure to view the BitLocker recovery passwords.
2. On the BitLocker Recovery tab of the Properties dialog box, right-click the BitLocker recovery password that you want to copy, and then click
Copy Details.
3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet.
To locate a recovery password by using a password ID
1. In Active Directory Users and Computers, right-click the domain container, and then click Find BitLocker Recovery Password.
2. In the Find BitLocker Recovery Password dialog box, type the first eight characters of the recovery password in the Password ID (first 8
characters) box, and then click Search.
By completing the procedures in this scenario, you have viewed and copied the recovery passwords for a computer and used a password ID to locate a
recovery password.


Scenario 16: Using the BitLocker Repair Tool to Recover a Drive


Updated: September 18, 2009
Applies To: Windows 7
The BitLocker Repair Tool (Repair-bde) is a command-line tool included with Windows 7 and Windows Server 2008 R2. This tool can be used to access
encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker Drive Encryption. Repair-bde can reconstruct critical parts
of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. The Repair-bde command-line
tool is intended for use when the operating system does not start, or when you cannot start the BitLocker Recovery Console. If a drive has been
physically damaged, it may not be recoverable.

Before you start


To complete the procedure in this scenario:
Your test computer must have a BitLocker-protected drive.
You must be able to provide administrative credentials.
You must have at least one of the following:
Recovery password
Recovery key file location
Recovery package file location and the corresponding recovery password
Recovery package file location and the corresponding recovery key file location
You must have an empty output volume of equal or larger size than the BitLocker-protected drive (whose contents will be completely overwritten
after the repair operation). The recovered data is written to that output volume in decrypted form, so protect it as you would any unencrypted copy of the drive.
The following procedure provides the command-line syntax for using each type of recovery information with the Repair-bde tool. For this procedure, we
recover access to the data stored on drive C: and write the recovered data to an output volume on Z: by using the parameters in the following table.

Recovery information             Value
Recovery password                062612-026103-175593-225830-027357-086526-362263-513414
Recovery key file location       F:\RecoveryKey.bek
Recovery package file location   F:\ExportedKeyPackage


Replace these parameters as appropriate for your test environment.
To repair a BitLocker-protected drive by using Repair-bde
1. Open a Command Prompt window as an administrator.
a. To do this, click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator.
b. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
2. At the command prompt, type one of the following commands, depending on which recovery information you want to use:
a. To repair using a recovery password:
repair-bde C: Z: -rp 062612-026103-175593-225830-027357-086526-362263-513414
b. To repair using a recovery key:
repair-bde C: Z: -rk F:\RecoveryKey.bek
c. To repair using a recovery package and the corresponding recovery password:
repair-bde C: Z: -kp F:\ExportedKeyPackage -rp 062612-026103-175593-225830-027357-086526-362263-513414
d. To repair using a recovery package and the corresponding recovery key:
repair-bde C: Z: -kp F:\ExportedKeyPackage -rk F:\RecoveryKey.bek
Note
If the path to the key package is not specified, Repair-bde will search the drive for a key package. However, if the hard drive has been
damaged, the tool may not be able to find the package and will prompt you to provide the path. We recommend that you include the key
package in the Active Directory key storage so that you can export the key package if needed.

By completing this procedure, you have used the Repair-bde command-line tool to repair a damaged BitLocker-protected drive.
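The four commands above are easy to get wrong under pressure, and Repair-bde overwrites the output volume before you find out. The following PowerShell wrapper is an added example and is not part of the Microsoft guide or of the tool. It checks the recovery information and the output volume first and then runs the same command forms as steps 2a to 2d. It assumes Windows PowerShell 3.0 or later, that repair-bde.exe is reachable on the PATH (it ships in %SystemRoot%\System32), and that the -rp, -rk, -kp and -lf parameters behave as documented for Windows 7; the function and parameter names are the example's own. When the damaged drive is attached to another computer, pass that computer's letter for the drive as -Source instead of C:.

```powershell
# Added example (not from the Microsoft guide): wrap Repair-bde in the checks
# a practitioner wants before it overwrites the output volume. Assumes
# Windows PowerShell 3.0+ and repair-bde.exe on the PATH.

function Test-BitLockerRecoveryPassword {
    # A 48-digit recovery password is eight 6-digit groups. Each group is a
    # 16-bit value multiplied by 11, so it must divide by 11 and be below
    # 720896 (65536 * 11). This catches most typos before any disk is touched.
    param([Parameter(Mandatory = $true)][string]$RecoveryPassword)
    $groups = $RecoveryPassword -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        if (([int]$g % 11) -ne 0 -or ([int]$g / 11) -ge 65536) { return $false }
    }
    return $true
}

function Invoke-BitLockerRepair {
    [CmdletBinding(SupportsShouldProcess = $true, DefaultParameterSetName = 'Password')]
    param(
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]:$')][string]$Source,  # e.g. C:
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]:$')][string]$Output,  # e.g. Z: (overwritten)
        [Parameter(Mandatory = $true, ParameterSetName = 'Password')][string]$RecoveryPassword,
        [Parameter(Mandatory = $true, ParameterSetName = 'KeyFile')][string]$RecoveryKeyFile,
        [string]$KeyPackage,                           # exported key package, optional (-kp)
        [string]$LogFile = "$env:TEMP\repair-bde.log"  # passed to -lf
    )

    # 1. Validate the recovery information before touching any disk.
    if ($PSCmdlet.ParameterSetName -eq 'Password') {
        if (-not (Test-BitLockerRecoveryPassword $RecoveryPassword)) {
            throw 'Recovery password is malformed (wrong group count or a group fails the divide-by-11 check).'
        }
        $keyArgs = @('-rp', $RecoveryPassword)
    } else {
        if (-not (Test-Path -LiteralPath $RecoveryKeyFile)) { throw "Recovery key file not found: $RecoveryKeyFile" }
        $keyArgs = @('-rk', $RecoveryKeyFile)
    }
    if ($KeyPackage) {
        if (-not (Test-Path -LiteralPath $KeyPackage)) { throw "Key package not found: $KeyPackage" }
        $keyArgs = @('-kp', $KeyPackage) + $keyArgs
    }

    # 2. The output volume must exist, be empty, and be at least as large as
    #    the source. A badly damaged source may report no size; skip that
    #    comparison rather than fail on it.
    $src = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$Source'"
    $dst = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$Output'"
    if (-not $dst) { throw "Output volume $Output not found." }
    if ($src -and $src.Size -and $dst.Size -lt $src.Size) {
        throw ('Output volume {0} ({1:N0} bytes) is smaller than {2} ({3:N0} bytes).' -f $Output, $dst.Size, $Source, $src.Size)
    }
    if (Get-ChildItem -LiteralPath "$Output\" -Force -ErrorAction SilentlyContinue | Select-Object -First 1) {
        throw "Output volume $Output is not empty; Repair-bde overwrites it completely."
    }

    # 3. Run the tool. The recovered data lands on $Output in clear text.
    $argList = @($Source, $Output) + $keyArgs + @('-lf', $LogFile)
    if ($PSCmdlet.ShouldProcess("$Output (overwrite with decrypted contents of $Source)", 'repair-bde')) {
        & repair-bde.exe @argList
        if ($LASTEXITCODE -ne 0) { throw "repair-bde exited with code $LASTEXITCODE; see $LogFile" }
    }
}

# Usage, mirroring step 2c of the procedure; -WhatIf previews without writing:
# Invoke-BitLockerRepair -Source C: -Output Z: -KeyPackage F:\ExportedKeyPackage `
#     -RecoveryPassword 062612-026103-175593-225830-027357-086526-362263-513414 -WhatIf
```

Run it from an elevated PowerShell prompt, exactly as the procedure requires for cmd.exe. The sample recovery password from the table passes Test-BitLockerRecoveryPassword (every group is a multiple of 11), so a transcription error in any group is reported before Repair-bde starts rather than after the output volume has already been overwritten. The log file written by -lf is the first thing to read if the repair stops partway through.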

