
BitLocker Frequently Asked Questions (FAQ)

Published: February 15, 2012

Updated: October 15, 2013

Applies To: Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2



BitLocker Drive Encryption is a data protection feature available in Windows 8 Pro, Windows 8 Enterprise, and in all editions of Windows Server 2012. This topic includes frequently asked questions about BitLocker in Windows 8.

BitLocker encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned, because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.

How BitLocker works with operating system drives

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by:

  • Encrypting the entire Windows operating system drive on the hard disk. BitLocker encrypts all user files and system files on the operating system drive, including the swap files and hibernation files.

  • Checking the integrity of early boot components and boot configuration data. On computers that have a Trusted Platform Module (TPM) version 1.2 or 2.0, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer's boot components appear unaltered and the encrypted disk is located in the original computer.

BitLocker is integrated into Windows 8 and provides enterprises with enhanced data protection that is easy to manage and configure. For example, BitLocker can use an existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys.

How BitLocker works with fixed and removable data drives

BitLocker can also be used to protect fixed and removable data drives. When used with data drives, BitLocker encrypts the entire contents of the drive and can be configured by using Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with the following unlock methods for data drives:

  • Automatic unlock. Fixed data drives can be set to automatically unlock on a computer where the operating system drive is encrypted. Removable data drives can be set to automatically unlock on a computer running Windows 8 after the password or smart card is initially used to unlock the drive. However, removable data drives must always have either a password or smart card unlock method in addition to the automatic unlock method.

  • Password. When users attempt to open a drive, they are prompted to enter their password before the drive will be unlocked. This method can be used with the BitLocker To Go Reader on computers running Windows Vista or Windows XP, to open BitLocker-protected drives as read-only.

  • Smart card. When users attempt to open a drive, they are prompted to insert their smart card before the drive will be unlocked.

  • Active Directory Account or Group. A key can be assigned to an Active Directory user, group, or computer account, and when those credentials are presented the drive will be unlocked. Using this key protector requires using Manage-bde or the Windows PowerShell cmdlets for BitLocker to manually add the ADAccountOrGroup key protector. For more information on the cmdlet, see Add-BitLockerKeyProtector. For more information on the command-line syntax, see Manage-bde: protectors.

A drive can support multiple unlock methods. For example, a removable data drive can be configured to be automatically unlocked on your primary work computer but query you for a password if used with another computer.

Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or 2.0, you can use additional forms of authentication with the TPM protection. BitLocker offers the option to lock the normal boot process until the user supplies a password (which can be either a personal identification number (PIN), a passphrase, or a password) or inserts a USB device (such as a flash drive) that contains a BitLocker startup key, or both the password and the USB device can be required. These additional security measures provide multifactor authentication and help ensure that the computer will not start or resume from hibernation until the correct authentication method is presented.

Note
Use of both the USB and password along with the TPM must be configured by using the Manage-bde command-line tool. This protection method cannot be specified by using the BitLocker setup wizard.
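The following elevated PowerShell session is an added example, not code from the FAQ or from Microsoft's documentation. It configures the unlock methods described above without the setup wizard: a password plus an Active Directory group protector on a data drive with Add-BitLockerKeyProtector, and the TPM + PIN + startup key combination on the operating system drive with Manage-bde, then lists the protectors each drive carries. The drive letters, the group name CONTOSO\BitLocker-Unlock and the USB path are placeholders; it assumes C: has no TPM-based protector yet and that Group Policy permits the protector types being added.

```powershell
# Added example (not from the FAQ or Microsoft's documentation): configure unlock methods from an
# elevated PowerShell prompt. Drive letters, the group name and the USB path are placeholders.
# Requires the BitLocker module (Windows 8 / Windows Server 2012 and later); Group Policy must
# permit the protector types you add.

# --- Data drive E: a password plus an Active Directory group protector ("Active Directory Account or Group").
$dataDrive = "E:"
$password  = Read-Host -AsSecureString -Prompt "Password for $dataDrive"

# Enable-BitLocker takes exactly one protector; further protectors are added with Add-BitLockerKeyProtector.
Enable-BitLocker -MountPoint $dataDrive -PasswordProtector -Password $password -UsedSpaceOnly
Add-BitLockerKeyProtector -MountPoint $dataDrive -AdAccountOrGroupProtector -AdAccountOrGroup "CONTOSO\BitLocker-Unlock"  # placeholder group

# --- Operating system drive C: TPM + PIN + startup key (the wizard cannot set this; Manage-bde can).
# Assumes C: has no TPM-based protector yet. The last argument is the drive that receives the
# startup key file; manage-bde prompts for the PIN interactively.
$usbDrive = "F:\"
manage-bde -protectors -add C: -TPMAndPINAndStartupKey $usbDrive
# Keep a recovery password alongside it, so a changed boot measurement or a lost USB key is recoverable.
manage-bde -protectors -add C: -RecoveryPassword
# With the protectors in place, start encryption of the operating system drive.
manage-bde -on C:

# --- Verify which protector types each drive now carries.
Get-BitLockerVolume -MountPoint $dataDrive, "C:" | ForEach-Object {
    $types = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ", "
    "{0} ProtectionStatus={1} Protectors={2}" -f $_.MountPoint, $_.ProtectionStatus, $types
}
```

The verification step at the end is the part worth keeping in any deployment script: a drive that shows only a TPM protector, or no RecoveryPassword protector, has not ended up in the multifactor configuration the FAQ describes, and should be caught before the computer leaves the build bench.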

To use all BitLocker features, your computer must meet the hardware and software requirements listed in the following table.

Note
Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker. For a list of supported disk configurations, see What type of disk configurations are supported by BitLocker?

BitLocker hardware and software requirements for operating system drives

Requirement: Hardware configuration
  The computer must meet the minimum requirements for Windows 8. For more information about Windows 8 requirements, see the Windows 8 Web site.

Requirement: Operating system
  Windows 8 or Windows Server 2012

  Note
  BitLocker is an optional feature of Windows Server 2012. Use Server Manager to install BitLocker on a computer running Windows Server 2012.

Requirement: Hardware TPM
  TPM version 1.2 or 2.0

  A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.

Requirement: BIOS configuration
  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.

  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.

  • The firmware must be able to read from a USB flash drive during startup.

Requirement: File system
  For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.

  For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.

  For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.

Requirement: Hardware encrypted drive prerequisites (optional)
  To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.

BitLocker hardware and software requirements for data drives

Requirement: File system
  For a fixed or removable data drive to be BitLocker-protected, it must be formatted by using the exFAT, FAT16, FAT32, or NTFS file system.

  Note
  To use the BitLocker To Go Reader to read data on a removable data drive, the drive must be formatted by using the exFAT, FAT16, or FAT32 file system. If the drive is NTFS formatted, it can only be unlocked on a computer running Windows Server 2008 R2 or Windows 7 or later. Prior versions of the Windows operating system will not recognize the drive and will prompt you to format the drive.

Requirement: Drive size
  The drive must be at least 64 MB in size.

Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. The system drive may also be used to store the Windows Recovery Environment (Windows RE) and other files that may be specific to setup or upgrade programs. Computer manufacturers and enterprise customers can also store system tools or other recovery tools on this drive, which will increase the required size of the system drive. For example, using the system drive to store Windows RE along with the BitLocker startup file will increase the size of the system drive to 350 MB. The system drive is hidden by default and is not assigned a drive letter. The system drive is created automatically when Windows 8 is installed.

BitLocker supports TPM version 1.2 and 2.0. BitLocker does not support previous versions of TPMs. Version 1.2 and later TPMs provide increased standardization, security enhancement, and improved functionality over previous versions. In addition, you must use a Microsoft-provided TPM driver. To check the TPM driver provider, press the Windows logo key + R, type devmgmt.msc in the Open box, and then press ENTER to open Device Manager. Expand Security Devices, right-click the TPM, and click Properties. Click the Driver tab, and verify that the Driver Provider field displays Microsoft.

Important
When using BitLocker with a TPM, it is recommended that BitLocker be turned on immediately after the computer has been restarted. If the computer has resumed from sleep prior to turning on BitLocker, the TPM may incorrectly measure the pre-boot components on the computer. In this situation, when the user subsequently attempts to unlock the computer, the TPM verification check will fail and the computer will enter BitLocker recovery mode and prompt the user to provide recovery information before unlocking the drive.

Press the Windows logo key + Q to open Apps. In the Search panel, click Settings, type BitLocker, and then click Turn on BitLocker. If your computer does not have a compatible TPM or the BIOS is not compatible with the TPM, you will receive an error message informing you that a TPM was not found.

If you receive this error message on a computer that has a TPM, check if either of the following situations applies to your computer:

  • Some computers have TPMs that do not appear in the Windows 8 TPM Microsoft Management Console snap-in (tpm.msc) due to a BIOS or UEFI setting that hides the TPM by default and does not make the TPM available unless it is first enabled in the BIOS or UEFI firmware. If your TPM might be hidden in the BIOS or UEFI, consult the manufacturer's documentation for instructions to display or enable the TPM.

  • Some computers might have an earlier version of the TPM or an earlier version of the system BIOS that is not compatible with BitLocker. Contact the computer manufacturer to verify that the computer has a TPM version 1.2 or to get a BIOS update.

Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or 2.0, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.

To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.

To enable BitLocker on a computer without a TPM, you must enable the Require additional authentication at startup Group Policy setting, which is located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives. You must select the Allow BitLocker without a compatible TPM check box. After this setting is applied to the local computer, the non-TPM settings appear in the BitLocker setup wizard.
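The TPM checks from the answers above (driver provider, TPM version, a TPM hidden by firmware) and the no-TPM policy prerequisite can be scripted in one readiness report. The block below is an added example, not code from the FAQ or from Microsoft: it reads TPM state from the Win32_Tpm WMI class and the driver provider from Win32_PnPSignedDriver, and when no usable TPM is present it checks the policy's registry view and prints the startup-key commands. The registry value names UseAdvancedStartup and EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumed here to be what the policy template writes, and F:\ is a placeholder for the USB flash drive.

```powershell
# Added example (not from the FAQ): report whether this computer can use BitLocker's TPM-based
# integrity checks and, if it cannot, whether policy permits the startup-key path instead.
# Run from an elevated PowerShell prompt on Windows 8 / Windows Server 2012 or later.

function Get-BitLockerTpmReadiness {
    # Win32_Tpm is absent when Windows sees no TPM: none fitted, or hidden/disabled in the BIOS or UEFI setup.
    $tpm = Get-CimInstance -Namespace "root\cimv2\Security\MicrosoftTpm" -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # The same "Driver Provider" value Device Manager shows under Security devices; BitLocker needs "Microsoft".
    $driver = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -eq "SECURITYDEVICES" } |
        Select-Object -First 1

    # SpecVersion reads "1.2, <rev>, <errata>" or "2.0, <rev>, <errata>"; keep the family only.
    $family = if ($tpm) { ($tpm.SpecVersion -split ",")[0].Trim() } else { $null }

    [pscustomobject]@{
        TpmPresent       = [bool]$tpm
        SpecVersion      = $family
        SupportedVersion = $family -in @("1.2", "2.0")     # BitLocker supports only 1.2 and 2.0
        Enabled          = if ($tpm) { $tpm.IsEnabled_InitialValue } else { $false }
        Activated        = if ($tpm) { $tpm.IsActivated_InitialValue } else { $false }
        DriverProvider   = $driver.DriverProviderName
        MicrosoftDriver  = $driver.DriverProviderName -eq "Microsoft"
    }
}

function Test-BitLockerNoTpmPolicy {
    # Registry view of "Require additional authentication at startup" with "Allow BitLocker without a
    # compatible TPM" checked. Assumption in this example: UseAdvancedStartup and EnableBDEWithNoTPM
    # under the FVE policy key are the values the policy template writes.
    $fve = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -ErrorAction SilentlyContinue
    return ($fve.UseAdvancedStartup -eq 1 -and $fve.EnableBDEWithNoTPM -eq 1)
}

$r = Get-BitLockerTpmReadiness
$r | Format-List

if ($r.TpmPresent -and $r.SupportedVersion -and $r.Enabled -and $r.Activated -and $r.MicrosoftDriver) {
    Write-Output "Usable TPM: enable BitLocker with the TPM (add a PIN or startup key for multifactor)."
}
elseif (Test-BitLockerNoTpmPolicy) {
    # Startup-key path. F:\ is a placeholder for the USB flash drive the firmware can read at boot.
    Write-Output "No usable TPM, but policy allows a startup key instead. Commands to run:"
    Write-Output '  Enable-BitLocker -MountPoint "C:" -StartupKeyProtector -StartupKeyPath "F:\"'
    Write-Output '  Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector'
}
else {
    Write-Output "No usable TPM and 'Allow BitLocker without a compatible TPM' is not set: fix the firmware/TPM or the policy first."
}
```

A TpmPresent value of $false on hardware that is known to carry a TPM points at the first situation in the list above (the TPM hidden or disabled in firmware setup); a SpecVersion other than 1.2 or 2.0 points at the second. In both cases the startup-key path gives up the integrity verification the FAQ describes, so treat it as a fallback rather than a default.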

Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:

  • It is compatible with Windows 8 and has passed the Windows 8 logo tests.

  • It is compliant with the TCG standards for a client computer.

  • It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.

To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local Administrators group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. Disable the Control use of BitLocker on removable drives policy setting (located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives) to restrict standard users from turning on or turning off BitLocker on removable data drives. In Windows 8 and Windows Server 2012, standard users can also change the PIN or password on operating system drives and fixed data drives after they provide the current PIN or password.

You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker, and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.

Yes. To upgrade from Windows 7 to Windows 8 without decrypting the operating system drive, open the BitLocker Drive Encryption Control Panel item in Windows 7, click Manage BitLocker, and then click Suspend. Suspending protection does not decrypt the drive; it disables the authentication mechanisms used by BitLocker and uses a clear key on the drive to enable access. Proceed with the upgrade process by using your Windows 8 DVD. After the upgrade has completed, open Windows Explorer, right-click the drive, and then click Resume Protection. This reapplies the BitLocker authentication methods and deletes the clear key.

Decrypt completely removes BitLocker protection and fully decrypts the drive.

When BitLocker is suspended, BitLocker keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker reseals the encryption key to the new values of the measured components that changed as part of the upgrade; the volume master key is changed, the protectors are updated to match, and the clear key is erased.

Operating system upgrades from Windows Anytime Upgrade require that the operating system drive be decrypted prior to installation. If you upgrade from Windows 7 to Windows 8 or install other non-Microsoft updates, you might need to disable or suspend BitLocker so that a new measurement of the system can be taken after the upgrade or update has been applied. Software and operating system updates from Microsoft Update do not require drive decryption or that you disable or suspend BitLocker.

Please refer to the following table to determine whether you must disable or suspend BitLocker or decrypt your drive before you perform an upgrade or update installation.

Type of update: Windows Anytime Upgrade
  Action: Decrypt

Type of update: Upgrade from Windows 7 to Windows 8
  Action: Suspend

Type of update: Non-Microsoft software updates, such as:
  • Computer manufacturer firmware updates

  • TPM firmware updates

  • Non-Microsoft application updates that modify boot components

  Action: Suspend

If you suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
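The suspend, update, resume sequence above is easy to get wrong in two ways: resuming before the restart on which a firmware update actually applies (the TPM then reseals to the old measurements and the next boot lands in recovery anyway), and suspending with the default one-reboot window so that protection re-arms in the middle of a multi-restart update. The following pair of functions is an added example, not from the FAQ or from Microsoft, that wraps the sequence with those two points in mind; it assumes an elevated prompt and the BitLocker module.

```powershell
# Added example (not from the FAQ): suspend BitLocker for an update that changes measured boot components,
# then resume once the update has been applied, so the TPM re-seals to the new measurements instead of
# forcing recovery at the next start. Run both functions from an elevated PowerShell prompt.

function Suspend-BitLockerForUpdate {
    param([string]$MountPoint = "C:")

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne "On") {
        throw "$MountPoint is not protected (status $($vol.ProtectionStatus)); nothing to suspend."
    }
    # If the update changes more than expected the drive can still land in recovery, so refuse to
    # proceed unless a recovery password protector exists (and has been backed up somewhere reachable).
    if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" })) {
        throw "No recovery password protector on $MountPoint; add one before suspending."
    }
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is called (the default re-arms it
    # after one restart), so an update that needs a restart does not trip recovery halfway through.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null

    $status = (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
    if ($status -ne "Off") { throw "Suspend did not take effect on $MountPoint (status $status)." }
    Write-Output "$MountPoint suspended (clear key on disk). Apply the update and restart, then run Resume-BitLockerAfterUpdate."
}

function Resume-BitLockerAfterUpdate {
    param([string]$MountPoint = "C:")
    # Resuming re-seals the volume master key to the current measurements and erases the clear key.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $status = (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
    if ($status -ne "On") { throw "Protection is still $status on $MountPoint; investigate before leaving it suspended." }
    Write-Output "$MountPoint protection resumed."
}

# Usage:
#   Suspend-BitLockerForUpdate -MountPoint "C:"
#   (install the firmware, TPM firmware or boot-component update; restart if it asks)
#   Resume-BitLockerAfterUpdate -MountPoint "C:"
```

While suspended the volume master key is protected only by the clear key on disk, so the window between the two calls is the window in which a stolen computer gives up its data without any authentication; keep it as short as the update allows and do not leave a drive in this state across a weekend.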

Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use the BitLocker command-line tool, Manage-bde.exe, to locally or remotely configure BitLocker. For additional information about writing scripts that use the BitLocker WMI providers, see the MSDN topic BitLocker Drive Encryption Provider. For additional information about using Windows PowerShell cmdlets with BitLocker Drive Encryption see BitLocker Cmdlets in Windows PowerShell.
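As an added example of the WMI route mentioned above (not Microsoft's code and not from the FAQ), the script below enumerates Win32_EncryptableVolume instances from the root\cimv2\Security\MicrosoftVolumeEncryption namespace and reports protection status and protector types per volume, flagging operating system drives that rely on the TPM alone and volumes that have no recovery password to fall back on. The numeric codes for protector type, protection status and volume type are the ones documented for the provider; the -ComputerName path assumes WinRM is reachable on the remote computer and that you hold administrator rights there.

```powershell
# Added example (not from the FAQ): inventory BitLocker state through the WMI provider the FAQ refers to
# (Win32_EncryptableVolume). Works locally or, with -ComputerName, against a remote computer over WinRM.
# Run elevated on Windows 8 / Windows Server 2012 or later.

# Protector type codes as returned by GetKeyProtectorType (values as documented for the provider).
$ProtectorTypeNames = @{
    0 = "Unknown"; 1 = "TPM"; 2 = "ExternalKey"; 3 = "NumericalPassword"; 4 = "TPMAndPIN"
    5 = "TPMAndStartupKey"; 6 = "TPMAndPINAndStartupKey"; 7 = "PublicKey"; 8 = "Passphrase"
}
$ProtectionStatusNames = @{ 0 = "Off"; 1 = "On"; 2 = "Unknown" }
$VolumeTypeNames       = @{ 0 = "OperatingSystem"; 1 = "FixedData"; 2 = "RemovableData" }

function Get-BitLockerInventory {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $params = @{ Namespace = "root\cimv2\Security\MicrosoftVolumeEncryption"; ClassName = "Win32_EncryptableVolume" }
    if ($ComputerName -ne $env:COMPUTERNAME) { $params.ComputerName = $ComputerName }

    foreach ($vol in Get-CimInstance @params) {
        # GetKeyProtectors with type 0 returns the IDs of every protector on the volume; each ID is then
        # resolved to its type. Hashtable keys are Int32, so the UInt32 WMI values are cast before lookup.
        $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                    -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
        $types = foreach ($id in $ids) {
            $t = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                      -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
            $name = $ProtectorTypeNames[[int]$t]
            if ($name) { $name } else { "Type$t" }
        }

        [pscustomobject]@{
            Computer         = $ComputerName
            Drive            = $vol.DriveLetter
            VolumeType       = $VolumeTypeNames[[int]$vol.VolumeType]
            ProtectionStatus = $ProtectionStatusNames[[int]$vol.ProtectionStatus]
            Protectors       = ($types -join ", ")
            # Findings worth acting on: a drive protected by the TPM with no second factor, and any
            # protected volume without a numerical (recovery) password to fall back on.
            TpmOnly          = ($types -contains "TPM") -and -not ($types -match "PIN|StartupKey")
            HasRecoveryPwd   = ($types -contains "NumericalPassword")
        }
    }
}

Get-BitLockerInventory | Format-Table -AutoSize
```

Get-BitLockerVolume gives the same information with less ceremony on a single computer; the WMI form is what you reach for when the same query has to run from a management system that speaks WMI or CIM but has no BitLocker module on the collecting side.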

Yes. In Windows Vista, BitLocker could only encrypt operating system drives. Windows Vista SP1 and Windows Server 2008 added support for encrypting fixed data drives. In Windows 8, Windows Server 2012, Windows 7, and Windows Server 2008 R2, BitLocker can encrypt operating system drives, fixed data drives, and removable data drives.

Generally it imposes a single-digit percentage performance overhead.

BitLocker encryption occurs in the background while you continue to work, and the system remains usable, but encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.

In Windows 8 and Windows Server 2012, you can choose whether BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used space can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.

If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.

No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.

In Windows 8, you can enable Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. The policy settings you use for this are:

  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Deny write access to fixed drives not protected by BitLocker

  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker

When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.

If you are concerned that your users might inadvertently store data on an unencrypted drive while using a computer that does not have BitLocker enabled, use access control lists (ACLs) and Group Policy to configure access control for the drives or hide the drive letter.

For additional information about how to hide drive letters, see article 231289 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=83219).

The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:

  • Moving the BitLocker-protected drive into a new computer.

  • Installing a new motherboard with a new TPM.

  • Turning off, disabling, or clearing the TPM.

  • Changing any boot configuration settings.

  • Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.

This functionality is by design; BitLocker treats unauthorized modification of any of the early boot components as a potential attack and will place the system into recovery mode. Authorized administrators can update boot components without entering recovery mode by disabling BitLocker beforehand.

The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:

  • Changing the boot order to boot another drive in advance of the hard drive.

    Note
    If you have configured your computers for Wake On LAN, verify that the BIOS option under System Configuration\Built In Device Options\Wake On LAN is set to “Follow Boot Order”.

    If the option “Boot to Network” is selected, then when the computer is woken from the LAN it will boot to the network, potentially fail, and then boot to the hard drive by following the normal boot order. This results in a different measurement on a conventional BIOS system than following the normal boot order alone.

    The different measurement results in the message from BitLocker that the system boot information has changed, and BitLocker goes into recovery mode on reboot. Configuring the setting to “Follow Boot Order” causes the same boot sequence BitLocker used when it was turned on, so BitLocker boots normally.

  • Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.

  • Failing to boot from a network drive before booting from the hard drive.

  • Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.

  • Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.

  • Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.

  • Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM.

  • Turning off, disabling, deactivating, or clearing the TPM.

  • Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.

  • Forgetting the PIN when PIN authentication has been enabled.

  • Updating option ROM firmware.

  • Upgrading TPM firmware.

  • Adding or removing hardware. For example, inserting a new card in the computer, including some PCMCIA wireless cards.

  • Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.

  • Changes to the master boot record on the disk.

  • Changes to the boot manager on the disk.

  • Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.

  • Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.

  • Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including PCR[1] would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.

    Note
    Some computers have BIOS settings that skip measurements to certain PCRs, such as PCR[2]. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.

  • Moving the BitLocker-protected drive into a new computer.

  • Upgrading the motherboard to a new one with a new TPM.

  • Losing the USB flash drive containing the startup key when startup key authentication has been enabled.

  • Failing the TPM self-test.

  • Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.

  • Changing the usage authorization for the storage root key of the TPM to a non-zero value.

    Note
    The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.

  • Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).

  • Pressing the F8 or F10 key during the boot process.

  • Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.

  • Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.

Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.

Yes, if the drive is a data drive, you can unlock it from the BitLocker Drive Encryption Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. If it is an operating system drive mounted on another computer running Windows 7 or later, the encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.

Note
Mounting the hard disk on another computer running Windows 8 is a quick and straightforward way to recover information from a damaged computer that has a BitLocker-protected drive on the hard disk.

Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, the drive being a dynamic disk, or the drive being designated as the system partition. By default, the system drive (or system partition) is hidden from display in the Computer window. However, if it was not created as a hidden drive when the operating system was installed, because of a custom installation process, that drive might be displayed but cannot be encrypted.

In Windows Server 2012, Windows Server 2008, and Windows 8, any number of internal, fixed data drives can be protected with BitLocker. ATA and SATA-based, direct-attached storage devices are also supported. The following table details which disk configurations are supported and not supported by BitLocker.

Drive configuration: Network
  Supported: None
  Not supported: Network file system (NFS); Distributed File System (DFS)

Drive configuration: Optical media
  Supported: None
  Not supported: CD file system (CDFS); Live File System; Universal Disk Format (UDF)

Drive configuration: Software
  Supported: Basic volumes; Software-based RAID systems; Bootable and non-bootable virtual hard disks (VHDs)
  Not supported: Dynamic volumes; RAM disks

Drive configuration: File system
  Supported: NTFS; FAT16; FAT32; ExFAT
  Not supported: CD File system

Drive configuration: Drive connection
  Supported: USB; Firewire; SATA; SAS; ATA; IDE; SCSI; eSATA; iSCSI (Windows 8 and Windows Server 2012 only); Fiber Channel (Windows 8 and Windows Server 2012 only)
  Not supported: Bluetooth

Drive configuration: Device type
  Supported: Solid state drives, such as USB flash drives; Hardware-based RAID systems; Hard disk drive
  Not supported: None

If your disk configuration is not listed in the previous table, it is a configuration that has not been fully tested by Microsoft.

There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use, depending on the level of security you require.

TPM owner password

Prior to enabling BitLocker on a computer with a TPM version 1.2 or later, you must initialize the TPM. The initialization process generates a TPM owner password, which is a password set on the TPM. You must be able to supply the TPM owner password to change the state of the TPM, such as when enabling or disabling the TPM or resetting the TPM lockout.

Recovery password and recovery key

When you set up BitLocker, you must choose how access to BitLocker-protected drives can be recovered in the event that the specified unlock method cannot be used (such as if the TPM cannot validate the boot components, the personal identification number (PIN) is forgotten, or the password is forgotten). In these situations, you must be able to supply either the recovery key or the recovery password to unlock the encrypted data on the drive. In the BitLocker user interface, the term "recovery key" is used generically to refer to both the recovery key file and the recovery password. When you supply the recovery information, you can use either of the following formats:

  • A recovery password consisting of 48 digits divided into eight groups. During recovery, you need to type this password into the BitLocker recovery console by using the function keys on your keyboard.

  • A key file on a USB flash drive that is read directly by the BitLocker recovery console. During recovery, you need to insert this USB device.
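A recovery password that has been transcribed or read back from a backup is only useful if it is intact, and it is only available in an emergency if it was escrowed (for example in AD DS, as the overview above mentions). The block below is an added example, not from the FAQ or from Microsoft: it checks the structure of a 48-digit recovery password before anyone relies on it, lists the recovery protectors on a drive, and escrows the numerical passwords with Backup-BitLockerKeyProtector. The structural rule used (eight groups of six digits, each divisible by 11 and at most 720885, so that each group encodes a 16-bit value with a check digit) is the published layout of the recovery password and is stated here as the example author's assumption, not as something the FAQ says; the sample passwords are constructed and are not real keys.

```powershell
# Added example (not from the FAQ): validate the format of a 48-digit recovery password, list the
# recovery protectors on a drive, and escrow the numerical passwords to AD DS. Run elevated.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$RecoveryPassword)

    # Assumption stated in the lead-in: 8 groups of 6 digits, each a multiple of 11 no larger than
    # 720885 (65535 * 11), so each group carries a 16-bit word plus a check digit.
    $groups = $RecoveryPassword.Trim() -split "-"
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }          # exactly six digits per group
        $n = [int]$g
        if ($n % 11 -ne 0 -or $n -gt 720885) { return $false }  # check digit and 16-bit range
    }
    return $true
}

function Get-BitLockerRecoveryProtectors {
    param([string]$MountPoint = "C:")
    # RecoveryPassword is the 48-digit numerical password; ExternalKey is the key file on a USB drive.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -in @("RecoveryPassword", "ExternalKey") } |
        Select-Object KeyProtectorId, KeyProtectorType, RecoveryPassword
}

function Backup-BitLockerRecoveryPasswordsToAD {
    param([string]$MountPoint = "C:")
    # Backup-BitLockerKeyProtector writes the numerical password to the computer object in AD DS;
    # the domain schema must support BitLocker recovery information and a domain controller must be reachable.
    $protectors = Get-BitLockerRecoveryProtectors -MountPoint $MountPoint |
        Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
    foreach ($p in $protectors) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

# Constructed sample values (not real keys): a well-formed password, and the same one with its last digit altered.
Test-BitLockerRecoveryPassword "000011-000022-000033-000044-000055-000066-000077-000088"
Test-BitLockerRecoveryPassword "000011-000022-000033-000044-000055-000066-000077-000089"

# Typical use on a real drive:
#   Get-BitLockerRecoveryProtectors -MountPoint "C:"
#   Backup-BitLockerRecoveryPasswordsToAD -MountPoint "C:"
```

The format check catches transcription errors (a dropped or altered digit) but says nothing about whether the password belongs to this drive; only unlocking the drive, or matching the KeyProtectorId recorded alongside the escrowed password, establishes that.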

Password

A password can be used to protect fixed and removable data drives as well as operating system drives. When used with operating system drives, it can be used as an alternative key to the USB key for using BitLocker on computers that do not have a TPM. The password can consist of 8 to 255 characters as specified by the Configure use of passwords for operating system drives, Configure use of passwords for removable data drives and Configure use of passwords for fixed data drives Group Policy settings and is stored internally as a 256-bit hash of the entered characters. This value is never displayed to the user.

Warning
Passwords cannot be used if FIPS-only compliance is enabled for computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista.

Introduced in Windows Server 2012 R2 and Windows 8.1, you can use passwords when FIPS compliant algorithms are used.

The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-only compliance is enabled.

PIN and enhanced PIN

For a higher level of security with the TPM, you can configure BitLocker to require that a personal identification number (PIN) be typed before the drive is unlocked. The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation.

The PIN can consist of 4 to 20 digits as specified by the Configure minimum PIN length for startup Group Policy setting and is stored internally as a 256-bit hash of the entered Unicode characters. This value is never displayed to the user. The PIN is used to provide another factor of authentication in conjunction with TPM authentication.

For an even higher level of security with the TPM, you can configure BitLocker to use enhanced PINs. Enhanced PINs are PINs that use the full keyboard character set in addition to the numeric set to allow for more possible PIN combinations and are between 4 and 20 characters in length. To use enhanced PINs, you must enable the Allow enhanced PINs for startup Group Policy setting before adding the PIN to the drive. By enabling this policy, all PINs created can utilize full keyboard characters.

Note
To use enhanced PINs, your computer's BIOS or UEFI firmware must support using the full keyboard in the pre-boot environment. Users can run the optional system check during the BitLocker setup process to ensure the PIN can be entered correctly in the pre-boot environment. You should verify that the computers in your organization are compatible before making the use of enhanced PINs an organizational requirement.

When setting a BitLocker PIN by using the BitLocker setup wizard, the Manage-bde command-line tool, or through Windows Management Instrumentation (WMI) remote administration, you can use the wide character set. However, system firmware, either BIOS or Unified Extensible Firmware Interface (UEFI), may only support a standard EN-US keyboard and keymap during system startup. Additionally, BIOS-based systems are limited to 7-bit ASCII input during PIN entry. Thus, the use of either non-English characters or keys that differ in position from the EN-US keymap, such as QWERTZ and AZERTY keyboards, may cause boot-time PIN entry to fail. If your computer is affected by this limitation, it should be identified during the system check run by the BitLocker setup wizard. If it is not identified during the system check and the PIN is not able to be entered, you will need to supply the recovery key to unlock the drive.

We recommend that users set their keyboard layout to EN-US during enhanced PIN entry to avoid PIN entry failure in the pre-boot environment. If you are unable to enter an enhanced PIN from your keyboard even after setting the keyboard layout to EN-US, you must use a numeric-only PIN.

The following list identifies characters that are not currently supported by system firmware:

  • Roman characters on keyboards with a non-EN-US keymap. For example, "Z" and "Y" on German keyboards and "Q" and "A" on French keyboards.

  • Characters that are not available in 7-bit ASCII. For example, characters with umlauts, grave accents, and tildes.

  • Symbols that are not available in 7-bit ASCII. For example, squared superscript, fractions, copyright, trademark, and international currency symbols.

Startup key

Configuring a startup key is another method to enable a higher level of security with the TPM. The startup key is a key stored on a USB flash drive, and the USB flash drive must be inserted every time the computer starts. The startup key is used to provide another factor of authentication in conjunction with TPM authentication. To use a USB flash drive as a startup key, the USB flash drive must be formatted by using the NTFS, FAT, or FAT32 file system.

The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft account online, or printed.

For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft account online, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.

A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.

You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing <4-20 digit numeric PIN> with the numeric PIN you want to use:

manage-bde -protectors -delete %systemdrive% -type tpm

manage-bde -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>
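The same TPM-only to TPM+PIN conversion using the BitLocker PowerShell module (Windows 8 and Windows Server 2012 and later), as an added example that is not part of the original article. It assumes the operating system drive is %systemdrive% and adds a check the manage-bde sequence does not make: a recovery password protector must exist before the TPM protector is deleted, so a failed add cannot leave the drive with no usable unlock method.

```powershell
# Added example: convert an OS drive from TPM-only to TPM+PIN with the
# BitLocker module cmdlets. Run from an elevated PowerShell session.
function Convert-TpmOnlyToTpmAndPin {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin   # 4-20 digit numeric PIN
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    if (-not $tpm) {
        throw "$MountPoint has no TPM-only protector; nothing to convert."
    }

    # Never delete the only protector: make sure a recovery password exists
    # first, so the drive stays recoverable if the TPM+PIN add fails.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
        Write-Warning "Added a recovery password protector; store it in AD DS or another safe location."
    }

    # Same order as the manage-bde commands: delete the TPM protector, then
    # add TPM+PIN (a drive can hold only one TPM-based protector).
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpm.KeyProtectorId | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # Confirm the new protector is in place before the next reboot.
    $after = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
    if (-not ($after | Where-Object KeyProtectorType -eq 'TpmPin')) {
        throw "TPM+PIN protector was not added; unlock $MountPoint with the recovery password if prompted."
    }
    $after | Select-Object KeyProtectorType, KeyProtectorId
}

# Prompt for the PIN rather than embedding it in the script.
$pin = Read-Host -AsSecureString -Prompt 'Enter a 4-20 digit numeric PIN'
Convert-TpmOnlyToTpmAndPin -MountPoint $env:SystemDrive -Pin $pin
```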

BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. Therefore, we highly recommend that you store the recovery information in AD DS, in your Microsoft account online, or in another safe location.

While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.

Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting Manage BitLocker will provide you the options to duplicate the recovery keys as needed.

Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.

You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.

It is not possible to generate multiple PIN combinations.

Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.

The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.

This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
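A small model of the key hierarchy just described (raw data under the full volume encryption key, the FVEK under the volume master key, the VMK under each key protector), as an added example that is not part of the original article. It uses .NET AES in PowerShell as a teaching model only, not BitLocker's on-disk format; the TPM, recovery password and clear-key secrets are constructed at random to stand in for the real protectors.

```powershell
# Added example: data -> FVEK -> VMK -> key protectors, modelled with AES-CBC.
function New-RandomKey([int]$Bytes = 32) {
    $k = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k)
    return $k
}

# AES-CBC (PKCS7) with a random IV prepended; used for both data and key wrapping.
function Protect-Bytes([byte[]]$Key, [byte[]]$Plain) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key; $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    return ,([byte[]]($aes.IV + $ct))
}
function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key; $aes.IV = [byte[]]$Blob[0..15]
    [byte[]]$body = $Blob[16..($Blob.Length - 1)]
    return ,($aes.CreateDecryptor().TransformFinalBlock($body, 0, $body.Length))
}

# --- Turning BitLocker on: two keys, two wraps, one wrapped VMK per protector ---
$fvek        = New-RandomKey 32     # full volume encryption key
$vmk         = New-RandomKey 32     # volume master key
$tpmKey      = New-RandomKey 32     # stands in for the secret the TPM releases
$recoveryKey = New-RandomKey 32     # stands in for the 48-digit recovery password

$plaintext       = [Text.Encoding]::UTF8.GetBytes('constructed sample volume data')
$encryptedVolume = Protect-Bytes $fvek $plaintext     # raw data under the FVEK
$wrappedFvek     = Protect-Bytes $vmk $fvek           # FVEK under the VMK
$protectors = @{                                      # VMK under each key protector
    Tpm              = Protect-Bytes $tpmKey $vmk
    RecoveryPassword = Protect-Bytes $recoveryKey $vmk
}

# Unlocking walks the chain: protector secret -> VMK -> FVEK -> data.
function Unlock-Volume([byte[]]$ProtectorKey, [byte[]]$WrappedVmk) {
    $v = Unprotect-Bytes $ProtectorKey $WrappedVmk
    $f = Unprotect-Bytes $v $wrappedFvek
    [Text.Encoding]::UTF8.GetString((Unprotect-Bytes $f $encryptedVolume))
}

# Recovery scenario: the recovery password reaches the same data as the TPM.
Unlock-Volume $tpmKey      $protectors.Tpm
Unlock-Volume $recoveryKey $protectors.RecoveryPassword

# Changing the authentication method (TPM-only -> TPM+PIN) re-wraps only the
# VMK; the FVEK and the encrypted data are never touched or re-encrypted.
$tpmPinKey = New-RandomKey 32
$protectors.Remove('Tpm')
$protectors.TpmPin = Protect-Bytes $tpmPinKey $vmk
Unlock-Volume $tpmPinKey $protectors.TpmPin

# Suspended BitLocker: a clear key is stored on the drive beside the VMK it
# wraps, so anyone with the drive can unlock it. That is why suspension is
# meant to be temporary.
$clearKey  = New-RandomKey 32
$suspended = @{ ClearKey = $clearKey; Vmk = Protect-Bytes $clearKey $vmk }
Unlock-Volume $suspended.ClearKey $suspended.Vmk
```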

The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.

When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. For more information about enhanced PINs see What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key?

It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.

The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.

After you have determined your TPM's manufacturer (see How can I determine the manufacturer of my TPM?), contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.

To determine your TPM manufacturer, use the following procedure.

  1. On the Start screen, type tpm.msc.

  2. The TPM manufacturer is listed in the main pane, under TPM Manufacturer Information.

Note
The Manufacturer Name field in the TPM Manufacturer Information listing is information provided by the TPM and is often an abbreviation (such as ATML for Atmel, BRCM for Broadcom, or IFX for Infineon).
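The same lookup done from a script through the Win32_Tpm WMI class instead of tpm.msc, as an added example that is not part of the original article. It assumes (standard TPM behaviour, not stated on this page) that ManufacturerId packs the vendor's four ASCII characters into one 32-bit big-endian integer, which is how the abbreviations above are derived; querying Win32_Tpm requires an elevated session.

```powershell
# Added example: read the TPM vendor code via WMI and decode it to text.
function ConvertTo-TpmVendorCode([uint32]$Id) {
    # Assumption: four ASCII bytes, most significant first ("IFX" pads with NUL).
    $bytes = [BitConverter]::GetBytes($Id)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    ([Text.Encoding]::ASCII.GetString($bytes)).TrimEnd([char]0)
}

function Get-TpmManufacturer {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
    if (-not $tpm) {
        throw 'No TPM reported by WMI (absent, disabled in firmware, or not yet initialized).'
    }
    [pscustomobject]@{
        ManufacturerId      = $tpm.ManufacturerId
        ManufacturerCode    = ConvertTo-TpmVendorCode $tpm.ManufacturerId
        ManufacturerVersion = $tpm.ManufacturerVersion
        SpecVersion         = $tpm.SpecVersion
    }
}

# Constructed value for illustration: 0x49465800 is the bytes "I","F","X",NUL.
ConvertTo-TpmVendorCode 0x49465800     # -> IFX

# On a real computer, run in an elevated PowerShell session:
Get-TpmManufacturer
```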

The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:

  • How many failed authorization attempts can occur before lockout?

  • What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?

  • What actions can cause the failure count and lockout duration to be decreased or reset?

Yes and No. You can configure the minimum personal identification number (PIN) length by using the Configure minimum PIN length for startup Group Policy setting and allow the use of alphanumeric PINs by enabling the Allow enhanced PINs for startup Group Policy setting. However, you cannot require PIN complexity by Group Policy.

BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.

You can unlock removable data drives by using a password or a smart card. After you start encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements.

In most cases, Windows XP and Windows Vista will not be able to recognize a BitLocker-protected, NTFS-formatted removable drive. In many situations, the user will be prompted to format the drive. Because of this, it is recommended that removable drives be formatted by using the FAT, FAT32, or exFAT file system when using BitLocker.

Yes. Group Policy can prevent the application from being installed on the drives. The first option is to disable the policy settings that allow computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) to open BitLocker-protected data drives. These policy settings are located in the following locations:

  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Allow access to BitLocker-protected removable data drives from earlier versions of Windows

  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Allow access to BitLocker-protected fixed data drives from earlier versions of Windows

    To allow computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 to open BitLocker-protected data drives but prevent the BitLocker To Go Reader application from being installed on the drive, enable these policy settings and select the Do not install BitLocker To Go Reader on FAT formatted removable drives and Do not install BitLocker To Go Reader on FAT formatted fixed drives check boxes on the respective policy settings.

Note
Before deleting the BitLocker To Go Reader from a drive, BitLocker checks that the identification field of the drive is either blank or matches the identification field for your organization.

No. The BitLocker To Go Reader provides read-only access to BitLocker-protected removable drives.

The most common reason for this situation is that the drive is not formatted by using the FAT, FAT32, or exFAT file systems. To check for this, insert the drive in a computer running Windows 7 or later, right-click the drive, and then click Properties to see the file format of the drive. Another reason could be that the system administrator has disabled access to removable drives from previous versions of Windows by using the BitLocker Group Policy settings. To check for this, attempt to access the drive from a computer running Windows XP or Windows Vista that is not joined to the domain.

Important
You should ensure that BitLocker has finished the encryption process on your drive before attempting to view the drive by using the BitLocker To Go Reader.

This depends on the operating system and AD DS implementation.

Windows Server 2003 with Service Pack 1 (SP1)

In Windows Server 2003 with SP1, the schema must be extended to support storing BitLocker and TPM recovery and password information.

Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012

For these servers the schema already includes the required attributes.

Three primary pieces of information are stored in AD DS. The following table details this information.

  • Hash of the TPM owner password: The password hash can be stored only if the TPM is owned and the ownership was taken by using Windows features, such as the BitLocker Setup Wizard or the TPM snap-in.

  • BitLocker recovery password: The recovery password allows you to unlock and access the drive in the event of a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer.

  • BitLocker key package: The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, Repair-bde.

Yes, the transmission of recovery information from a computer that is running Windows 7 or later to AD DS is protected by using the Kerberos authentication protocol. Specifically, the connection uses the authentication flags ADS_SECURE_AUTHENTICATION, ADS_USE_SEALING, and ADS_USE_SIGNING.

For more information about Active Directory authentication flags, see ADS_AUTHENTICATION_ENUM Enumeration (http://go.microsoft.com/fwlink/?LinkId=79643).

Note
After recovery information is transmitted, AD DS does not store the BitLocker and TPM recovery information in an encrypted format. However, access control permissions are set so that only domain administrators or appropriate delegates can read the stored information when the server is online. Enterprises concerned about offline attacks on branch office servers should consider enabling BitLocker on those servers. We also recommend configuring your domain controllers to support encryption sealing and that any recovery retrieval application used in your organization use sealing as well.

For more information about developing applications that exchange encrypted data over a network, see the following articles on MSDN:

For more information about configuring servers to support encryption sealing, see the following articles:

Yes, the recovery information is stored unencrypted in AD DS, but the entries have access control lists (ACLs) that limit access to only domain administrators.

If an attacker gains full access to AD DS, all computers in the domain, including BitLocker-protected computers, can be compromised. For more information about securing access to AD DS, see Securing Active Directory Administrative Groups and Accounts (http://go.microsoft.com/fwlink/?LinkId=83266).

If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, in Windows 8 you can use the Choose how BitLocker-protected operating system drives can be recovered, Choose how BitLocker-protected fixed drives can be recovered and Choose how BitLocker-protected removable drives can be recovered Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.

The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The Manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: manage-bde -protectors -adbackup C:.
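The scripted backup this answer describes, written against the BitLocker PowerShell module's Backup-BitLockerKeyProtector cmdlet rather than the WMI interface, as an added example that is not part of the original article. It assumes the computer is domain-joined, and the event log channel name used for the client-side check is an assumption not stated on this page.

```powershell
# Added example: push every recovery password protector to AD DS, then show
# the client-side BitLocker events logged since the run started.
function Backup-AllRecoveryPasswordsToAd {
    $started = Get-Date
    $results = foreach ($vol in Get-BitLockerVolume) {
        $rps = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rps) {
            Write-Warning "$($vol.MountPoint): no recovery password protector; nothing to back up."
            continue
        }
        foreach ($rp in $rps) {
            $submitted = $true
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            } catch {
                $submitted = $false
                Write-Warning "$($vol.MountPoint): $_"
            }
            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $rp.KeyProtectorId
                Submitted      = $submitted
            }
        }
    }
    $results

    # Client-side evidence only: a success event does not prove the entry is
    # still in AD DS or still matches the drive. Confirm with the BitLocker
    # Recovery Password Viewer using domain administrator credentials.
    # Assumption: this is the BitLocker management event channel name.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = $started
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Backup-AllRecoveryPasswordsToAd
```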

Important
Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).

Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.

Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.

No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.

If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.

When an administrator selects the Require BitLocker backup to AD DS check box of the Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista) policy setting, or the equivalent Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives check box in any of the Choose how BitLocker-protected operating system drives can be recovered, Choose how BitLocker-protected fixed data drives can be recovered, and Choose how BitLocker-protected removable data drives can be recovered policy settings, users are prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured, if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.

When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in What if BitLocker is enabled on a computer before the computer has joined the domain? to capture the information after connectivity is restored.

BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.

The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or 2.0 and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.

BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method.

Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.

Note
Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.

All of the versions of BitLocker that have been included with the operating system have obtained the Federal Information Processing Standard (FIPS) 140-2 certification, and have been Common Criteria certified EAL4+. These certifications have also been completed for Windows 8 and Windows Server 2012; certification for Windows 8.1 and Windows Server 2012 R2 is in process.

BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.

BitLocker Network Unlock has the following software and hardware requirements that must be met before you can use it:

Client computer requirements

  • A DHCP driver that is implemented in the UEFI firmware

  • Trusted Platform Module (TPM) 1.2 or TPM 2.0

  • BitLocker enabled on the operating system volume

Windows Deployment Services server requirements

  • BitLocker Network Unlock feature installed

  • 2,048-bit RSA public/private key pair X.509 certificate present in FVENKP certificate store

Domain controller requirements

  • Copy of the BitLocker Network Unlock Certificate from the Windows Deployment Services server on the domain controller to set Group Policy settings for Network Unlock.

Automatic unlock uses a single protector, the one stored in the TPM. Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN. If the computer is joined to a network without the key protector, it will prompt you to enter your PIN. If the PIN is not available and the computer cannot be connected to the network, you will need to use the recovery key to unlock the computer.

To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it.

Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.

Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode.

BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.

BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult.

Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker.

We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.

The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:

  • The computer's BIOS or UEFI firmware cannot read USB flash drives.

  • The computer's BIOS, UEFI firmware, or boot menu does not have reading USB flash drives enabled.

  • There are multiple USB flash drives inserted into the computer.

  • The PIN was not entered correctly.

  • The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment.

  • The startup key was removed before the computer finished rebooting.

  • The TPM has malfunctioned and fails to unseal the keys.

Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.

The Save to USB option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.

Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking Manage BitLocker. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.

Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the BitLocker Drive Encryption Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode.

Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the -lock command.

Note
Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.

The syntax of this command is:

manage-bde <driveletter> -lock

Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.

Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained.

BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 8, Windows 8.1, Windows Server 2012 or Windows Server 2012 R2.

© 2014 Microsoft. All rights reserved.