BitLocker

How to Use BitLocker Repair Tool to Recover Encrypted Drive in Windows

You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information, leaving you unable to unlock the OS drive, fixed drive, or removable drive normally. This kind of problem may be caused by a hard disk failure or by Windows exiting unexpectedly.

The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid BitLocker password, recovery key, or startup key (.BEK file) is used to decrypt the data.

This tutorial will show you how to use the BitLocker Repair Tool (repair-bde) to recover the contents of a damaged drive encrypted by BitLocker in Windows 7, Windows 8, and Windows 10.


How to Copy Startup Key of OS Drive Encrypted by BitLocker in Windows

If you turn on BitLocker for an OS drive and choose to unlock the OS drive at startup with a USB flash drive, a startup key (encryption key) for this OS drive is saved to the USB flash drive.

If the USB flash drive with the startup key saved on it is not connected at startup, the user is prompted to insert the USB flash drive that holds the startup key and reboot the computer.

It is recommended to save a copy of the startup key to another USB flash drive to have as a backup.

You can save a copy of the PC’s startup key on multiple USB flash drives.

You can save BitLocker startup keys for different computers on the same USB flash drive.

This tutorial will show you how to save a copy of the BitLocker startup key for an OS drive in Windows 7, Windows 8, and Windows 10.


How to Unlock an OS Drive Encrypted by BitLocker in Windows 10

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

When you turn on BitLocker for an OS drive, you can choose to unlock the drive at startup with a password, USB flash drive, PIN (with TPM), or automatically unlock.

If you chose to unlock the OS drive with a password, PIN, or USB flash drive and forgot or lost them, then you can still unlock the OS drive with its BitLocker recovery key.

This tutorial will show you different ways to unlock an operating system (OS) drive encrypted by BitLocker in Windows 10.


How to Unlock a Fixed or Removable BitLocker Drive in Windows

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

When you turn on BitLocker for a fixed data drive, you can choose to unlock the drive using a password or smart card. If you turned on BitLocker for the OS drive, then you could also choose to automatically unlock a fixed data drive when you sign in to Windows.

When you turn on BitLocker for a removable data drive, you can choose to unlock the drive using a password, smart card, or automatically unlock when connected.

If you chose to unlock a fixed or removable drive with a password and forgot your BitLocker password, then you can unlock the drive with its BitLocker recovery key.

This tutorial will show you different ways to unlock a fixed or removable data drive encrypted by BitLocker in Windows 7, Windows 8, and Windows 10.


Add or Remove Unlock Drive Context Menu in Windows

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

BitLocker can encrypt the drive Windows is installed on (the operating system drive) as well as fixed data drives (such as internal hard drives). You can also use BitLocker To Go to help protect all files stored on a removable data drive (such as an external hard drive or USB flash drive).

You can choose how you want to unlock an encrypted data drive: with a password or a smart card. For removable data drives encrypted with BitLocker To Go, you can set the drive to automatically unlock instead when you sign in to the PC. For fixed data drives, you can also set the drive to automatically unlock when you unlock the PC, if you prefer, as long as the operating system drive is BitLocker-protected.

If you didn’t choose to automatically unlock a BitLocker encrypted fixed or removable data drive when connected, then you will see Unlock Drive in the drive's context menu as the default action to make it easier to unlock.

This tutorial will show you how to add or remove the Unlock Drive context menu from locked drives encrypted by BitLocker for all users in Windows 7, Windows 8, and Windows 10.


How to Lock BitLocker Encrypted Drive in Windows

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

BitLocker can encrypt the drive Windows is installed on (the operating system drive) as well as fixed data drives (such as internal hard drives). You can also use BitLocker To Go to help protect all files stored on a removable data drive (such as an external hard drive or USB flash drive).

You can choose how you want to unlock an encrypted data drive: with a password or a smart card. For removable data drives encrypted with BitLocker To Go, you can set the drive to automatically unlock when you sign in to the PC. For fixed data drives, you can also set the drive to automatically unlock when you unlock the PC, if you prefer, as long as the operating system drive is BitLocker-protected.

To lock a fixed data drive encrypted by BitLocker, you could restart the computer unless you set the drive to automatically unlock when you sign in next.

To lock a removable data drive encrypted by BitLocker, you could disconnect the drive or restart the computer unless you set the drive to automatically unlock when you connect the drive or sign in next.

This tutorial will show you how to manually lock a fixed or removable drive encrypted by BitLocker in Windows 7, Windows 8, and Windows 10.


Add or Remove Resume BitLocker Protection Context Menu in Windows 10

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

BitLocker can encrypt the drive Windows is installed on (the operating system drive) as well as fixed data drives (such as internal hard drives). You can also use BitLocker To Go to help protect all files stored on a removable data drive (such as an external hard drive or USB flash drive).

You can temporarily suspend (pause) BitLocker protection whenever you like for an unlocked drive encrypted by BitLocker—for example, if you need to install new software that BitLocker might otherwise block—and then resume BitLocker protection on the drive again when you’re ready.

When you suspend BitLocker protection for an OS drive, it will remain unlocked and unprotected until you either manually resume BitLocker protection for the drive, or have it resume BitLocker protection automatically the next time you restart the PC.

When you suspend BitLocker protection for a fixed data drive, it will remain unlocked and unprotected until you manually resume BitLocker protection for the drive. This is even after you restart the PC.

When you suspend BitLocker protection for a removable data drive, it will remain unlocked and unprotected until you manually resume BitLocker protection for the drive. This is even after you restart the PC, or disconnect and reconnect the drive.

This tutorial will show you how to add or remove the Resume BitLocker protection context menu from all suspended drives encrypted by BitLocker for all users in Windows 10.


Add or Remove Change BitLocker PIN Context Menu in Windows 10

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

When you turn on BitLocker for the operating system drive, you can configure it to require a PIN (with TPM) or password to unlock the drive.

This tutorial will show you how to add or remove the Change BitLocker PIN context menu from OS drives encrypted by BitLocker with TPM for all users in Windows 10.


Add or Remove Change BitLocker Password Context Menu in Windows 10

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

When you turn on BitLocker for the operating system drive, you can configure it to require a PIN (with TPM) or password to unlock the drive.

When you turn on BitLocker for a fixed or removable data drive, you can configure it to require a password to unlock the drive.

This tutorial will show you how to add or remove the Change BitLocker password context menu from all drives encrypted by BitLocker for all users in Windows 10.


Allow or Deny Write Access to Removable Drives not Protected by BitLocker in Windows

You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would.

If you like, you can set a policy that configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive (e.g., a USB flash drive). All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

This tutorial will show you how to allow or deny write access to removable drives not protected by BitLocker in Windows 7, Windows 8, and Windows 10.


How to Change BitLocker Password in Windows 10

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

When you turn on BitLocker for the operating system drive, you can configure it to require a PIN (with TPM) or password to unlock the drive. Administrative privileges are required to configure BitLocker for operating system drives.

When you turn on BitLocker for a fixed or removable data drive, you can configure it to require a password to unlock the drive.

A BitLocker password can be 8 to 256 characters long including uppercase and lowercase letters, symbols, numbers, and spaces.

This tutorial will show you how to change the BitLocker password of an encrypted drive in Windows 10.


Enable or Disable Standard Users from Changing BitLocker PIN or Password in Windows 10

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

When you turn on BitLocker for the operating system drive, you can configure it to require a PIN (with TPM) or password to unlock the drive. Administrative privileges are required to configure BitLocker for operating system drives.

When you turn on BitLocker for a fixed or removable data drive, you can configure it to require a password to unlock the drive.

By default in Windows 8 and Windows 10, both administrators and standard users are allowed to change the BitLocker PIN or password for the operating system volume or the BitLocker password for fixed data volumes. This gives users the ability to choose PINs and passwords that correspond to a personal mnemonic instead of requiring them to remember a randomly generated character set, and it allows IT professionals to use the same initial PIN or password setting for all computer images. It also presents the opportunity for users to choose passwords and PINs that are more susceptible to password guessing, dictionary attacks, and social engineering attacks, and gives users the ability to unlock any computer that still uses the original PIN or password assignment. Requiring password complexity and PIN complexity by Group Policy is recommended to help ensure that users take appropriate care when setting passwords and PINs.

Standard users are required to enter the current PIN or password for the drive to change the BitLocker PIN or BitLocker password. If a user enters an incorrect current PIN or password, the default tolerance for retry attempts is set to 5. Once the retry limit is reached, a standard user will not be able to change the BitLocker PIN or BitLocker password. The retry counter is set to zero when the computer is restarted or when an administrator resets the BitLocker PIN or BitLocker password.

However, you may not want standard users to be able to change the BitLocker PIN or password on a home PC.

This tutorial will show you how to allow or prevent standard users from changing BitLocker PINs or passwords of encrypted drives in Windows 10.


How to Change BitLocker Startup PIN in Windows 10

When you turn on BitLocker for the operating system drive with a compatible TPM, you can choose to unlock the OS drive at startup with a PIN.

Originally, BitLocker allowed from 4 to 20 characters for a PIN. Starting with Windows 10 version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0. To help organizations with the transition, beginning with Windows 10 version 1709 and Windows 10 version 1703 with the October 2017 Fall Cumulative Update installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. If the minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.

This tutorial will show you how to change the BitLocker startup PIN in Windows 10.


How to Specify Minimum PIN Length for BitLocker Startup in Windows 10

When you turn on BitLocker for the operating system drive with a compatible TPM, you can choose to unlock the OS drive at startup with a PIN.

The Configure minimum PIN length for startup policy is used to set a minimum PIN length when you use an unlock method that includes a PIN. This policy setting is applied when you turn on BitLocker for the OS drive. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.

Originally, BitLocker allowed from 4 to 20 characters for a PIN. Starting with Windows 10 version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0. To help organizations with the transition, beginning with Windows 10 version 1709 and Windows 10 version 1703 with the October 2017 Fall Cumulative Update installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. If the minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.

This tutorial will show you how to specify a minimum length for a TPM startup PIN used with BitLocker in Windows 10.


How to Enable or Disable Enhanced PINs for BitLocker Startup in Windows 10

When you turn on BitLocker for the operating system drive with a compatible TPM, you can choose to unlock the OS drive at startup with a PIN.

The Allow enhanced PINs for startup policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker for the OS drive.

If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs.

This tutorial will show you how to enable or disable the use of enhanced startup PINs with BitLocker in Windows 10.


How to Back up BitLocker Recovery Key for Drive in Windows 10

A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the operating system drive (drive that Windows is installed on) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a fixed data drive (internal hard drive) or removable data drive (such as an external hard drive or USB flash drive) that is encrypted by BitLocker, if for some reason you forget the password or your computer cannot access the drive.

You can store the BitLocker recovery key for an encrypted drive by printing it, saving it to your Microsoft account, saving it to a USB flash drive, and/or saving it to a file where you like. It is recommended to store the recovery key separate from your computer, and to make additional copies so that one is available if you ever need it to recover the encrypted drive.

If you lose the BitLocker recovery key for an encrypted drive, you will lose all your data on the drive if you get locked out of it and have to format the drive.

This tutorial will show you how to back up the recovery key of a drive encrypted by BitLocker in Windows 10.


How to Add ‘Suspend BitLocker protection’ to Context Menu of Drives in Windows

BitLocker can encrypt the drive Windows is installed on (the operating system drive) as well as fixed data drives (such as internal hard drives). You can also use BitLocker To Go to help protect all files stored on a removable data drive (such as an external hard drive or USB flash drive).

You can temporarily suspend (pause) BitLocker protection whenever you like for an unlocked drive encrypted by BitLocker—for example, if you need to install new software that BitLocker might otherwise block—and then resume BitLocker protection on the drive again when you’re ready.

When you suspend BitLocker protection for an OS drive, it will remain unlocked and unprotected until you either manually resume BitLocker protection for the drive, or have it resume BitLocker protection automatically the next time you restart the PC.

When you suspend BitLocker protection for a fixed data drive, it will remain unlocked and unprotected until you manually resume BitLocker protection for the drive. This is even after you restart the PC.

When you suspend BitLocker protection for a removable data drive, it will remain unlocked and unprotected until you manually resume BitLocker protection for the drive. This is even after you restart the PC, or disconnect and reconnect the drive.

This tutorial will show you how to add Suspend BitLocker protection to the context menu of all unlocked drives encrypted by BitLocker for all users in Windows 7, Windows 8, and Windows 10.


How to Add ‘Lock Drive’ to Context Menu of BitLocker Encrypted Drives in Windows 10

You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would.

BitLocker can encrypt the drive Windows is installed on (the operating system drive) as well as fixed data drives (such as internal hard drives). You can also use BitLocker To Go to help protect all files stored on a removable data drive (such as an external hard drive or USB flash drive).

You can choose how you want to unlock an encrypted data drive: with a password or a smart card. For removable data drives encrypted with BitLocker To Go, you can set the drive to automatically unlock when you sign in to the PC. For fixed data drives, you can also set the drive to automatically unlock when you unlock the PC, if you prefer, as long as the operating system drive is BitLocker-protected.

To lock a fixed data drive encrypted by BitLocker, you could restart the computer unless you set the drive to automatically unlock when you sign in.

To lock a removable data drive encrypted by BitLocker, you could disconnect the drive or restart the computer unless you set the drive to automatically unlock when you connect the drive or sign in.

This tutorial will show you how to add Lock Drive to the context menu of all unlocked fixed and removable drives encrypted by BitLocker to be able to lock the drive on demand in Windows 10.
