1. Information

Business editions of Windows 10 (Pro, Enterprise, and Education) include BitLocker Drive Encryption as a built-in feature. You can encrypt the system drive on devices with a Trusted Platform Module (TPM) chip, and you can encrypt any removable drive using BitLocker as well. New UEFI-based devices running any edition of Windows 10 include full disk encryption, which is turned on when you sign in for the first time with a Microsoft account.

By default, the recovery keys for those drives are stored in your OneDrive account. That’s convenient, but it also makes some people nervous. If you’d prefer to keep those keys out of the cloud and manage them yourself, here’s how.

First, go to the BitLocker Recovery Keys page at https://onedrive.com/recoverykey, and sign in with your Microsoft account if necessary. Click the arrow next to the key you want to remove to expose a few extra details and, crucially, a Delete option.

Copy the key first, save it to a safe place, and then click Delete.

If you’re worried that a copy of that key might still be recoverable from OneDrive, take an extra step. From the BitLocker Control Panel, disable encryption for the device, making the saved recovery key useless. Then re-enable BitLocker encryption, but this time skip OneDrive and instead save the key locally or print it out and lock it up.

  • Note: BitLocker is not available on Windows 7 Professional or on the Windows Home editions.

2. Preparations

  • Note: Make sure that the computer is configured to boot from the hard disk in the firmware boot options.
    If the computer is configured to boot from the USB key then it will try to boot from the BitLocker Unlock USB key or from the BitLocker Master USB key instead of booting the Windows 10 operating system.

  • Note: TPM 1.2 allows legacy BIOS firmware.

  • Note: TPM 2.0 requires UEFI firmware. A computer with legacy BIOS firmware and TPM 2.0 won’t work as expected.

  • Note: TPM 2.0 requires Windows to be 64-bit?

  • Note: If the computer has a TPM but asks for the recovery key several times, make sure Secure Boot is enabled?

2.1. Computers with TPM chip

TPM chip activation

  • Open Control Panel > BitLocker Drive Encryption.

  • Expand Operating system drive | System64 (C:) BitLocker off.

  • Select Turn on BitLocker.

    A configuration change was requested to enable, activate, and allow
    the creation of an operator authentication value that permits the
    temporary deactivation of this computer's TPM
    
    Press [F10] to enable, activate, and allow the creation of an operator
    authentication value that permits the temporary deactivation of the TPM
    
    Press Esc to reject this change request and continue with *BitLocker Drive Encryption*.
  • Click Next.

  • Click Shutdown to turn on the TPM security hardware.

  • Start the computer.

  • Press F10.

  • Log on.

  • Click Next.

  • Abort action (how ???).

2.2. Computers without TPM chip

Allow BitLocker without a compatible TPM

  • Open Control Panel > BitLocker Drive Encryption.

  • Expand Operating system drive | System64 (C:) BitLocker off.

  • Select Turn on BitLocker.

    This device can't use a trusted Platform Module. Your administrator must set
    the "Allow BitLocker without a compatible TPM" option in the "Require
    additional authentication at startup" policy for OS volumes.
  • Click Cancel.

  • Close BitLocker Drive Encryption.

  • Start Local Group Policy Editor (gpedit.msc) with administrative privileges.

  • Select Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

  • Double-click Require additional authentication at startup.

  • Choose Enabled.

  • Select Configure TPM startup key: | Allow startup key with TPM.

    ■ Allow BitLocker without a compatible TPM
      (requires a password or a startup key on a
      USB flash drive)
    
    Settings for computers with a TPM:
    
    Configure TPM startup:                  Allow TPM
    Configure TPM startup PIN:              Allow startup PIN with TPM
    Configure TPM startup key:              Allow startup key with TPM
    Configure TPM startup key and PIN:      Allow startup key and PIN with TPM
  • Click Apply.

  • Click OK.

  • Close Local Group Policy Editor.

  • Enter the following commands at a Command Prompt with administrative privileges.

    gpupdate /force
    exit
  • Note: If the Computer Policy update failed, use OpenVPN to connect to the SMRU domain controller, then re-run the gpupdate /force command.
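To confirm that the policy actually reached the machine after gpupdate, the check below (an added example, not part of the original page) reads the values that the Require additional authentication at startup setting writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and compares them with the choices made in Local Group Policy Editor above. Run it from an elevated PowerShell prompt.

```powershell
# Added example: verify "Require additional authentication at startup" after gpupdate /force.
# The policy stores its choices under HKLM:\SOFTWARE\Policies\Microsoft\FVE.
# For the four "Configure TPM startup*" values: 2 = Allow, 1 = Require, 0 = Do not allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = @{
    UseAdvancedStartup = 1   # policy Enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM" checked
    UseTPM             = 2   # Configure TPM startup: Allow TPM
    UseTPMPIN          = 2   # Configure TPM startup PIN: Allow startup PIN with TPM
    UseTPMKey          = 2   # Configure TPM startup key: Allow startup key with TPM
    UseTPMKeyPIN       = 2   # Configure TPM startup key and PIN: Allow startup key and PIN with TPM
}

if (-not (Test-Path $fve)) {
    Write-Warning "$fve does not exist: the policy has not been applied yet (re-run gpupdate /force)."
    return
}

$actual = Get-ItemProperty -Path $fve
$report = foreach ($name in ($expected.Keys | Sort-Object)) {
    $value = $actual.$name          # $null when the value is missing from the key
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $value
        OK       = ($value -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

if ($report.OK -contains $false) {
    Write-Warning 'Policy mismatch: Turn on BitLocker will still refuse to run without a TPM.'
}
```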

3. Auto-encryption

  • Note: Some notebooks may have turned on BitLocker automatically. When this is the case the manage-bde.exe -status command shows the Conversion Status as Used Space Only Encrypted. The only way to convert the drive from Used Space Only Encrypted to Fully Encrypted is to turn off BitLocker and then turn it on again without the -UsedSpaceOnly option.

  • Enter the following commands at a Command Prompt with administrative privileges.

    manage-bde.exe -status
    manage-bde.exe -off C:
    manage-bde.exe -status
    :: Wait for the decryption to finish.
    manage-bde.exe -protectors -delete C:
    manage-bde.exe -protectors -get C:
    manage-bde.exe -status

4. Encryption

4.1. Operating system drives

  • Note: When the operating system drive is encrypted from the BitLocker Drive Encryption Control Panel, Windows shrinks the system partition and creates a recovery partition right after it. To avoid this, the encryption is done from the Command Prompt with the manage-bde.exe tool or the Enable-BitLocker PowerShell cmdlet instead.

  • Note: Rename the C:\Windows\System32\Recovery\ReAgent.xml file to C:\Windows\System32\Recovery\ReAgent.xml.old if you get the following error message.

    ERROR: An error occurred (code 0x80070002):
    The system cannot find the file specified.

4.1.1. Computers with TPM chip

CLI ~ Command Prompt
  • Start TPM Management (tpm.msc).

  • Check the status.

  • Status: The TPM is off ???

  • Status: The TPM is on and ownership has not been taken ???

  • Status: The TPM is on and ownership has been taken

    • Select Action > Initialize TPM.

    • Select Automatically create the password (recommended).

    • Save the password*.

    • Select the O:\BitLocker folder.

      File name:      SMRUWS-MKT07.tpm
      Save as type:   TPM Owner Password File (*.tpm)
    • Click Save.

    • Click Initialize.

    • Click Close.

  • Close TPM Management.

  • Enter the following commands at a Command Prompt with administrative privileges.

    manage-bde.exe -status
    manage-bde.exe -protectors -add C: -TPM                 (1)
    manage-bde.exe -protectors -add C: -RecoveryPassword
    :: Copy and paste the recovery password to a save location.
    manage-bde.exe -on C: -EncryptionMethod xts_aes128 -SkipHardwareTest
    manage-bde.exe -status
    :: Wait for the encryption to finish.
    manage-bde.exe -status
  • Note (1): Type manage-bde.exe -tpm -TurnOn when you get the following error:

    ERROR: The TPM cannot be used to protect this volume. The TPM is off.

    If you still get the above error, type:

    move C:\Windows\System32\Recovery\ReAgent.xml C:\Windows\System32\Recovery\ReAgent.old

GUI
  • Note: Skip this to prevent BitLocker Drive Encryption shrinking the operating system drive and creating a recovery partition.
  • Open Control Panel > BitLocker Drive Encryption.

  • Expand Operating system drive | System64 (C:) BitLocker off.

  • Select Turn on BitLocker.

    --> Save to your Microsoft account
    --> Save to a file
    --> Print the recovery key
  • Select Save to a file.

  • Select the C:\Tmp folder.

  • Click Save.

  • Optional: Click Yes to save the recovery key on this PC.

  • Click Next.

  • Choose Encrypt entire drive (slower but best for PCs and drives already in use).

    ○ Encrypt used disk space only (faster and best for new PCs and drives)
    ● Encrypt entire drive (slower but best for PCs and drives already in use)
  • Click Next.

    ● New encryption mode (best for fixed drives on this device)
    ○ Compatible mode (best for drives that can be moved from this device)
  • Click Next.

  • Check Run BitLocker system check.

  • Click Continue.

  • Restart the computer.

  • Log on.

  • Click the Encryption of C: by BitLocker Drive Encryption is in progress icon in the Notification Area.

  • Wait for the encryption to finish.

  • Click Close.

  • Start File Explorer.

  • Delete the C:\Tmp\BitLocker Recovery Key <GUID>.TXT file.

  • Close File Explorer.
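The same TPM-plus-recovery-password setup as the manage-bde steps above, done with the BitLocker PowerShell cmdlets (an added example, not part of the original page). It assumes an elevated PowerShell prompt and the O:\BitLocker key folder used elsewhere on this page; the file name pattern mimics the one the Control Panel produces.

```powershell
# Added example: PowerShell equivalent of the manage-bde steps in 4.1.1
# (recovery password + TPM protector, full-disk XTS-AES-128, hardware test skipped).
#Requires -RunAsAdministrator
$MountPoint = 'C:'
$KeyFolder  = 'O:\BitLocker'   # assumed: the key folder used on this page

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is $($vol.VolumeStatus); turn BitLocker off first (see section 3)."
}

# A TPM that is present and ready is required here; otherwise use the steps in 4.1.2.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); check tpm.msc."
}

# Add the recovery password first and save it before any data is encrypted.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
$keyFile = Join-Path $KeyFolder ("BitLocker Recovery Key {0}.TXT" -f $rp.KeyProtectorId.Trim('{}'))
@(
    'BitLocker Drive Encryption recovery key'
    "Identifier: $($rp.KeyProtectorId)"
    "Recovery Key: $($rp.RecoveryPassword)"
) | Set-Content -Path $keyFile
Write-Host "Recovery password saved to $keyFile"

# Turn encryption on: the TPM protector is added here. No -UsedSpaceOnly, so the
# whole drive is encrypted (the "Fully Encrypted" conversion status from section 3).
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 -TpmProtector -SkipHardwareTest

# Poll until the conversion finishes (the same as repeating manage-bde.exe -status).
do {
    Start-Sleep -Seconds 30
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ("{0} {1} {2}%" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')

# Final check: both protectors should be listed.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```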

4.1.2. Computers without TPM chip

CLI ~ Command Prompt
  • Enter the following commands at a Command Prompt with administrative privileges.

    manage-bde.exe -protectors -add C: -RecoveryPassword
    manage-bde.exe -on C: -EncryptionMethod xts_aes128 -Password -SkipHardwareTest
    :: Type the password shown earlier.
    manage-bde.exe -status
    :: Wait for the encryption to finish.
    manage-bde.exe -status
    manage-bde.exe -protectors -get C:
    :: Attach external USB device.
    manage-bde.exe -protectors -add C: -RecoveryKey X:\
    dir /a: X:\
    :: Detach external USB device.
    manage-bde.exe -protectors -get C:
GUI
  • Note: Skip this to prevent BitLocker Drive Encryption shrinking the operating system drive and creating a recovery partition.
  • Open Control Panel > BitLocker Drive Encryption.

  • Expand Operating system drive | System64 (C:) BitLocker off.

  • Select Turn on BitLocker.

    --> Insert a USB flash drive
    --> Enter a password
  • Click Next.

    Prepare your drive for BitLocker
    
    An existing drive or unallocated free space on the hard drive will be used to turn on BitLocker.
    
    Details Windows Recovery Environment will be moved to your system or recovery drive.
  • Click Next.

    BitLocker Drive Encryption setup
    
    You will no longer be able to use Windows Recovery Environment unless
    it is manually enabled and moved to the system drive.
    
    When you turn on BitLocker, your computer performs the following steps:
    
            ■ Prepare your drive for BitLocker
              Encrypt the drive
  • Click Next.

  • Select Insert a USB flash drive.

  • Attach the external USB device.

  • Select the external USB device.

  • Click Save.

  • Do not detach the external USB device yet.

    --> Save to your Microsoft account
    --> Save to a USB flash drive
    --> Save to a file
    --> Print the recovery key
  • Select Save to a file.

  • Select the C:\Tmp folder.

  • Click Save.

  • Optional: Click Yes to save the recovery key on this PC.

  • Click Next.

  • Choose Encrypt entire drive (slower but best for PCs and drives already in use).

    ○ Encrypt used disk space only (faster and best for new PCs and drives)
    ● Encrypt entire drive (slower but best for PCs and drives already in use)
  • Click Next.

    ● New encryption mode (best for fixed drives on this device)
    ○ Compatible mode (best for drives that can be moved from this device)
  • Click Next.

  • Check Run BitLocker system check.

  • Click Continue.

  • Restart the computer.

  • Log on.

  • Click the Encryption of C: by BitLocker Drive Encryption is in progress icon in the Notification Area.

  • Detach the external USB device.

  • Label the external USB device.

  • Wait for the encryption to finish.

  • Click Close.

  • Start File Explorer.

  • Delete the C:\Tmp\BitLocker Recovery Key <GUID>.TXT file.

  • Close File Explorer.

4.2. Fixed data drives

CLI ~ Command Prompt
  • Note: Update the SATA driver if the computer recognizes the OS disk as an external disk.

  • Enter the following commands at a Command Prompt with administrative privileges.

    manage-bde.exe -protectors -add D: -RecoveryPassword
    manage-bde.exe -on D: -EncryptionMethod xts_aes128
    manage-bde.exe -status
    :: Wait for the encryption to finish.
    manage-bde.exe -status
    manage-bde.exe -autounlock -enable D:
    manage-bde.exe -status
GUI
  • Open Control Panel > BitLocker Drive Encryption.

  • Expand Fixed data drives | Data (D:) BitLocker off.

  • Select Turn on BitLocker.

  • Note: Update the SATA driver if you don’t see the Automatically unlock this drive on this computer option.

  • Check Automatically unlock this drive on this computer.

    □ Use a password to unlock the drive
    □ Use my smart card to unlock the drive
    ■ Automatically unlock this drive on this computer
  • Click Next.

    --> Save to your Microsoft account
    --> Save to a USB flash drive
    --> Save to a file
    --> Print the recovery key
  • Select Save to a file.

  • Select the O:\BitLocker folder.

  • Click Save.

  • Click Next.

  • Choose Encrypt entire drive (slower but best for PCs and drives already in use).

  • Click Next.

  • Choose New encryption mode (best for fixed drives on this device).

  • Click Next.

  • Click Start encrypting.

  • Wait for the encryption to finish.

  • Click Close.

  • Close BitLocker Drive Encryption.

  • Start File Explorer.

  • Delete the C:\Tmp\BitLocker Recovery Key <GUID>.TXT file.

  • Close File Explorer.

4.3. Removable drives

  • Attach the external USB device.

  • Open Control Panel > BitLocker Drive Encryption.

  • Note: <Volume> stands for the volume label of the removable drive and (X:) for its drive letter.

  • Expand Removable data drives | <Volume> (X:) BitLocker off.

  • Select Turn on BitLocker.

  • Check Use a password to unlock the drive.

  • Type the password in the Enter your password field.

  • Type the password in the Reenter your password field.

    ■ Use a password to unlock the drive
        Enter your password         ********
        Reenter your password       ********
    
    □ Use my smart card to unlock the drive
  • Click Next.

  • Select Save to a file.

  • Note: Do not save the Recovery Key file in the drive that you are going to encrypt.

  • Note: Save the Recovery Key file in a safe place like KeePass, or give the file to IT and they will save it for you.

  • Note: If you forget the password and lose your Recovery Key file, there is no way to get into the drive except by formatting it.

  • Select the O:\BitLocker folder.

  • Click Save.

  • Click Next.

  • Choose Encrypt entire drive (slower but best for PCs and drives already in use).

  • Click Next.

  • Choose New encryption mode (best for fixed drives on this device).

  • Click Next.

  • Click Start encrypting.

  • Wait for the encryption to finish.

  • Click Close.

  • Close BitLocker Drive Encryption.

  • Detach the external USB device.

  • Add a BitLocker label to the external USB device.

  • Start File Explorer.

  • Delete the C:\Tmp\BitLocker Recovery Key <GUID>.TXT file.

  • Close File Explorer.

5. Decryption

5.1. Operating system drives

  • Open Control Panel > BitLocker Drive Encryption.

  • Expand Operating system drive | System64 (C:) BitLocker on.

  • Select Turn off BitLocker.

  • Wait for the decryption to finish.

  • Click Close.

  • Close BitLocker Drive Encryption.

5.2. Fixed data drives

  • Open Control Panel > BitLocker Drive Encryption.

  • Expand Fixed data drives | Data (D:) BitLocker on.

  • Select Turn off BitLocker.

  • Wait for the decryption to finish.

  • Click Close.

  • Close BitLocker Drive Encryption.

5.3. Removable data drives

  • Open Control Panel > BitLocker Drive Encryption.

  • Expand Removable data drives | <Volume> (X:) BitLocker on.

  • Select Turn off BitLocker.

  • Wait for the decryption to finish.

  • Click Close.

  • Close BitLocker Drive Encryption.

6. Windows 10 Home Editions

7. Master Key

7.1. Copy a specific .bek file

  • Log on as smru on tbhf-anc-mrm.

  • Enter the following commands at a Command Line.

    # Attach and mount the BitLocker Master Key.
    lsblk -l | grep -E "disk|part"
    sudo mount /dev/sdX# /mnt
    
    bekfile="/home/Other/Inventory/_Servers/SMRU-USB-MRM.bek"
    txtfile="/home/Other/Inventory/_Servers/SMRU-USB-MRM.txt"
    
    # Match the first "External Key File Name:" line in the inventory file.
    newfile="$(grep -ir -m 1 "External Key File Name:" "${txtfile}" |
      sed -e "s/\.BEK/.bek/g" |                     # Replace ".BEK" extension with ".bek".
      sed -e "s/External Key File Name://" |        # Remove "External Key File Name:" string.
      sed -e "s/^[[:space:]]*//" |                  # Trim leading white space.
      sed -e "s/[[:space:]]*$//"                    # Trim trailing white space.
    )"
    
    # Copy and rename the .bek file from the inventory to the USB key.
    sudo cp "$bekfile" "/mnt/$newfile"
    
    # Unmount and detach the BitLocker Master Key.
    sudo umount /mnt

7.2. Copy all .bek files

  • Enter the following commands at a Command Line.

    # Attach and mount the BitLocker Master Key.
    lsblk -l | grep -E "disk|part"
    sudo mount /dev/sdX# /mnt
    
    # Create shell script to copy all *.bek files to the USB key.
    # 1)  Find all *.bek files in /home/Other/Inventory tree.
    # 2a)  Prefix all lines with the "cp " string.
    # 2b)  Prefix parent directory to filename.
    find /home/Other/Inventory -iname '*.bek' -exec echo {} \; |
      sed -e "s|^\(/home/Other/Inventory/\)\(.*\)/\(.*\)$|cp \"\1\2/\3\" \"/mnt/\2_\3\"|" > /tmp/copy.sh
    
    # Create shell script to rename all *.bek files on the USB key.
    # 1)  Only match the first "External Key File Name:" line in the inventory files.
    # 2)  Prefix all lines with the "mv " string.
    # 3a) Replace all .txt file name extensions with ".bek".
    # 3b) Remove all colons including trailing white space.
    # 4)  Replace all ".BEK" extensions with ".bek".
    # 5)  Remove all "External Key File Name:" strings.
    # 6)  Delete all CR characters to make sure file format is unix instead of dos.
    grep -ir -m 1 "External Key File Name:" /home/Other/Inventory |
      sed -e "s|^.*/\(.*\)/|mv \"/mnt/\1_|" |
      sed -re "s/\.txt:\s+/.bek\"/" |
      sed -e "s/\.BEK/.bek/g" |
      sed -e "s|External Key File Name: | /mnt/|" |
      tr -d "\r" > /tmp/rename.sh
    
    # Copy all the .bek files from the inventory to the USB key.
    sudo sh /tmp/copy.sh
    
    # Rename all *.bek files on the USB key.
    vdir /mnt
    sudo sh /tmp/rename.sh
    vdir /mnt
    
    # Unmount and detach the BitLocker Master Key.
    sudo umount /mnt

8. Errors

  • Enter the following commands at a Command Prompt with administrative privileges.

    manage-bde.exe -status
    manage-bde -autounlock -clearallkeys C:
    manage-bde.exe -status
  • Start BitLocker Drive Encryption.

  • Re-enable auto-unlock for all drives.

  • Close BitLocker Drive Encryption.

  • Enter the following commands at a Command Prompt with administrative privileges.

    manage-bde.exe -status | findstr.exe /ric:"unlock:"

9. Backup

  • Open Device Encryption.

    • Command Prompt: Type control.exe /name Microsoft.BitLockerDriveEncryption and press Enter.

    • Legacy Windows: Select Start > Settings > Control Panel > BitLocker Device Encryption.

    • Modern Windows: Select Start > Settings > Control Panel > Device Encryption.

  • Expand the Windows (C:) drive.

  • Select Back up your recovery key.

  • Select Save to your Entra ID account.

  • Click Finish.

  • Expand the DATA (D:) drive.

  • Select Back up your recovery key.

  • Select Save to your Entra ID account.

  • Click Finish.

  • Quit Device Encryption.

  • Enter the following commands at a Command Prompt with administrative privileges.

    manage-bde.exe -protectors -get C:
    manage-bde.exe -protectors -get D:
  • Enter the following commands at a PowerShell Command Prompt with administrative privileges.

    (Get-BitLockerVolume -MountPoint C:).KeyProtector.RecoveryPassword
    (Get-BitLockerVolume -MountPoint D:).KeyProtector.RecoveryPassword
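The scripted form of the Save to your Entra ID account steps above, as an added example that is not part of the original page: it escrows every recovery password protector on every BitLocker volume and then checks the BitLocker log for the success event. It assumes an elevated PowerShell prompt on a device joined or registered to the tenant.

```powershell
# Added example: back up all RecoveryPassword protectors to Entra ID (section 9, scripted).
#Requires -RunAsAdministrator
$results = foreach ($vol in Get-BitLockerVolume) {
    $passwords = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($passwords.Count -eq 0) {
        # Only RecoveryPassword protectors can be escrowed; add one first (section 4).
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector, nothing to back up."
        continue
    }
    foreach ($p in $passwords) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'backed up'
        } catch {
            $status = "FAILED: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            MountPoint  = $vol.MountPoint
            ProtectorId = $p.KeyProtectorId
            Status      = $status
        }
    }
}
$results | Format-Table -AutoSize

# Confirm from the BitLocker log: event 845 is written for each successful Entra ID backup.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the events show up, the keys are visible under the device in the account page used in section 10.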

10. Restore

  • Browse to https://myaccount.microsoft.com/device-list.

  • Sign in with your <name>@grendelgames.onmicrosoft.com Microsoft account.

  • Select My Account > Devices.

  • Expand your device.

  • Select View Bitlocker Keys.

  • Select Show recovery key.

  • Sign out.