BitLocker – Windows Blog by Brink

BitLocker

Change how BitLocker Unlocks OS Drive at Startup in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

New files are automatically encrypted when you save them to a drive encrypted by BitLocker. However, if you copy these files to another drive or a different PC not encrypted by BitLocker, the files are automatically decrypted.

BitLocker checks the PC during startup for any conditions that could represent a security risk (for example, a change to the BIOS software that starts the operating system when you turn on your PC, or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and you’ll need a special BitLocker recovery key to unlock it.

BitLocker will automatically unlock an OS drive encrypted by BitLocker with TPM at startup by default in Windows 11.

You can enable the Require additional authentication at startup policy to allow BitLocker to unlock the operating system drive with a PIN or USB flash drive.

This tutorial will show you how to choose how to unlock your operating system drive at startup with a PIN, USB flash drive, or automatically with TPM in Windows 11.

Read more…

Enable or Disable BitLocker to Unlock OS drive at Startup with PIN and USB in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

New files are automatically encrypted when you save them to a drive encrypted by BitLocker. However, if you copy these files to another drive or a different PC not encrypted by BitLocker, the files are automatically decrypted.

BitLocker checks the PC during startup for any conditions that could represent a security risk (for example, a change to the BIOS software that starts the operating system when you turn on your PC, or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and you’ll need a special BitLocker recovery key to unlock it.

BitLocker will automatically unlock an OS drive encrypted by BitLocker with TPM at startup by default in Windows 11.

You can enable the Require additional authentication at startup policy to allow BitLocker to unlock the operating system drive with a PIN or USB flash drive.

This tutorial will show you how to enable or disable BitLocker to unlock the operating system drive at startup with a PIN or USB flash drive in Windows 10 and Windows 11.

Read more…

Turn Off BitLocker for Drive in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

You can turn on BitLocker to encrypt the operating system drive (Windows drive), fixed data drives (internal hard drives), and removable data drives (external hard drive or USB flash drive).

When you turn off BitLocker for a drive encrypted by BitLocker, it will completely decrypt the drive.

This tutorial will show you how to turn off BitLocker for an encrypted drive in Windows 10 and Windows 11.

Read more…

Turn On or Off Auto-unlock for BitLocker Drive in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

You can turn on BitLocker to encrypt the operating system drive (Windows drive), fixed data drives (internal hard drives), and removable data drives (external hard drive or USB flash drive).

If BitLocker has been turned on for the operating system drive, you can set BitLocker to automatically unlock fixed data drives and removable data drives encrypted by BitLocker when you sign in to Windows. BitLocker uses encrypted information stored in the registry and volume metadata to unlock any drives that use automatic unlocking.

This tutorial will show you how to turn on or off auto-unlock for a fixed or removable data drive encrypted by BitLocker for your account in Windows 10 and Windows 11.

Read more…

Add or Remove Turn on BitLocker context menu in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

You can turn on BitLocker to encrypt the operating system drive (Windows drive), fixed data drives (internal hard drives), and removable data drives (external hard drive or USB flash drive).

This tutorial will show you how to add or remove the Turn on BitLocker context menu for drives for all users in Windows 10 and Windows 11.

Read more…

Add Suspend BitLocker protection to Context Menu in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

You can use BitLocker to encrypt the operating system drive (Windows drive), fixed data drives (internal hard drives), and removable data drives (external hard drive or USB flash drive).

You can temporarily suspend BitLocker protection (pause) whenever you like for an unlocked drive encrypted by BitLocker, for example if you need to install new software that BitLocker might otherwise block, and then resume BitLocker protection on the drive again when you’re ready.

Suspend keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.

When you suspend BitLocker protection for an OS drive, it will remain unlocked and unprotected until you either manually resume BitLocker protection for the drive, or have it resume BitLocker protection automatically the next time you restart the PC.

When you suspend BitLocker protection for a fixed data drive, it will remain unlocked and unprotected until you manually resume BitLocker protection for the drive. This is even after you restart the PC.

When you suspend BitLocker protection for a removable data drive, it will remain unlocked and unprotected until you manually resume BitLocker protection for the drive. This is even after you restart the PC, or disconnect and reconnect the drive.

This tutorial will show you how to add Suspend BitLocker protection to the context menu of all unlocked drives encrypted by BitLocker for all users in Windows 10 and Windows 11.

Read more…

Add BitLocker Status for Drive Context Menu in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

You can use BitLocker to encrypt the operating system drive (Windows drive), fixed data drives (internal hard drives), and removable data drives (external hard drive or USB flash drive).

The BitLocker Status context menu uses the manage-bde status command to provide information about a drive on the computer, whether or not it is BitLocker-protected, including:

  • Size
  • BitLocker version
  • Conversion status
  • Percentage encrypted
  • Encryption method
  • Protection status
  • Lock status
  • Identification field
  • Key protectors

Knowing the current BitLocker Drive Encryption status of a drive can help you to manage BitLocker settings for the drive.

This tutorial will show you how to add BitLocker Status to the context menu of all drives in Windows 10 and Windows 11.

Read more…

Add Lock Drive with BitLocker Context Menu in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

You can use BitLocker to encrypt the operating system drive (Windows drive), fixed data drives (internal hard drives), and removable data drives (external hard drive or USB flash drive).

You can choose how you want to unlock an encrypted data drive: with a password or a smart card. For removable data drives encrypted with BitLocker To Go, you can set the drive to automatically unlock when you sign in to the PC. For fixed data drives, you can also set the drive to automatically unlock when you unlock the PC, if you prefer, as long as the operating system drive is BitLocker-protected.

To lock a fixed data drive encrypted by BitLocker, you could restart the computer unless you set the drive to automatically unlock when you sign in next.

To lock a removable data drive encrypted by BitLocker To Go, you could disconnect the drive or restart the computer unless you set the drive to automatically unlock when you connect the drive or sign in next.

This tutorial will show you how to add Lock Drive to the context menu of all unlocked fixed and removable drives encrypted by BitLocker to lock the drive on demand in Windows 11.

Read more…

Add Turn off BitLocker context menu in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

You can use BitLocker to encrypt the operating system drive (Windows drive), fixed data drives (internal hard drives), and removable data drives (external hard drive or USB flash drive).

When you turn off BitLocker for a drive encrypted by BitLocker, it will completely decrypt the drive.

This tutorial will show you how to add or remove a Turn off BitLocker context menu for all drives encrypted by BitLocker for all users in Windows 11.

Read more…

Turn On BitLocker for Removable Data Drive in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

New files are automatically encrypted when you save them to a drive encrypted by BitLocker. However, if you copy these files to another drive or a different PC not encrypted by BitLocker, the files are automatically decrypted.

BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.

You can choose to unlock BitLocker for a removable data drive with a password or a smart card. After the drive is encrypted, you can set it to automatically unlock when you sign in to Windows.

This tutorial will show you how to turn on or off BitLocker To Go to encrypt or decrypt a removable data drive in Windows 10.

Read more…

Turn On BitLocker for Fixed Data Drive in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

New files are automatically encrypted when you save them to a drive encrypted by BitLocker. However, if you copy these files to another drive or a different PC not encrypted by BitLocker, the files are automatically decrypted.

You can choose to unlock BitLocker for a fixed data drive automatically if BitLocker is turned on for the OS drive, or with a password or smart card.

This tutorial will show you how to turn on BitLocker to encrypt a fixed data drive in Windows 11.

Read more…

Turn On BitLocker for Operating System Drive in Windows 11

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned OS drives and computers.

New files are automatically encrypted when you save them to a drive encrypted by BitLocker. However, if you copy these files to another drive or a different PC not encrypted by BitLocker, the files are automatically decrypted.

BitLocker checks the PC during startup for any conditions that could represent a security risk (for example, a change to the BIOS software that starts the operating system when you turn on your PC, or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and you’ll need a special BitLocker recovery key to unlock it.

You can choose to unlock BitLocker at startup for the operating system drive with a PIN, with a USB flash drive, or automatically with TPM.

This tutorial will show you how to turn on BitLocker Drive Encryption for an operating system drive in Windows 11.

Read more…

How to Enable or Disable Use of BitLocker on Removable Data Drives in Windows

You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would.

New files are automatically encrypted when you add them to a drive that uses BitLocker. However, if you copy these files to another drive or a different PC, they’re automatically decrypted.

BitLocker can encrypt the drive Windows is installed on (the operating system drive) as well as fixed data drives (such as internal hard drives). You can also use BitLocker To Go to help protect all files stored on a removable data drive (such as an external hard drive or USB flash drive).

If you like, you can configure the Control use of BitLocker on removable drives group policy setting that controls the use of BitLocker on removable data drives. When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose “Allow users to apply BitLocker protection on removable data drives” to permit the user to run the BitLocker setup wizard on a removable data drive. Choose “Allow users to suspend and decrypt BitLocker on removable data drives” to permit the user to remove BitLocker Drive encryption from the drive or suspend the encryption while maintenance is performed. If you do not configure this policy setting, users can use BitLocker on removable disk drives. If you disable this policy setting, users cannot use BitLocker on removable disk drives.

This tutorial will show you how to enable or disable the ability to configure and use BitLocker on removable data drives for all users in Windows 7, Windows 8, and Windows 10.

Read more…

How to Check if Device Encryption is Supported in Windows 10

Device encryption helps protect your data, and it’s available on a wide range of Windows devices. If you turn on device encryption, the data on your device can only be accessed by people who’ve been authorized. If device encryption isn’t available on your device, you may be able to turn on standard BitLocker encryption instead.

Device encryption is available on supported devices (ex: tablet or 2-in-1 laptop) running any Windows 10 edition. If you want to use standard BitLocker encryption instead, it is only available on supported devices running Windows 10 Pro, Enterprise, or Education. Some devices have both types of encryption. BitLocker is not available on Windows 10 Home edition.

This tutorial will show you how to check if device encryption is supported by your Windows 10 PC.

Read more…

How to Turn On or Off Device Encryption in Windows 10

Device encryption helps protect your data, and it’s available on a wide range of Windows devices. If you turn on device encryption, the data on your device can only be accessed by people who’ve been authorized. If device encryption isn’t available on your device, you may be able to turn on standard BitLocker encryption instead.

Device encryption is available on supported devices (ex: tablet or 2-in-1 laptop) running any Windows 10 edition. If you want to use standard BitLocker encryption instead, it is only available on supported devices running Windows 10 Pro, Enterprise, or Education. Some devices have both types of encryption. BitLocker is not available on Windows 10 Home edition.

This tutorial will show you how to turn on or off device encryption in Windows 10.

Read more…

How to Create BitLocker Encrypted Container File with a VHD or VHDX File in Windows

You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would.

New files are automatically encrypted when you add them to a drive that uses BitLocker. However, if you copy these files to another drive or a different PC, they’re automatically decrypted.

BitLocker can encrypt the drive Windows is installed on (the operating system drive) as well as fixed data drives (such as internal hard drives). You can also use BitLocker To Go to help protect all files stored on a removable data drive (such as an external hard drive or USB flash drive).

You can also use BitLocker to encrypt a VHD or VHDX (virtual hard disk) file mounted as a drive. You can copy and move this VHD or VHDX file to any Windows computer as a portable encrypted container file. When you mount the VHD or VHDX file on a computer and try to open the encrypted drive for it, you will be prompted for your BitLocker password before it will open.

You can save files into this BitLocker drive for VHD or VHDX file when unlocked like any other drive, and lock or unmount the drive when you like to secure it.

This tutorial will show you how to create a portable BitLocker encrypted container file using a mounted VHD or VHDX file in Windows 7, Windows 8, and Windows 10.

Read more…

How to Find BitLocker Recovery Key in Windows 10

You can use BitLocker to encrypt the operating system drive (the drive Windows is installed on), a fixed data drive (internal hard drive), or a removable data drive (external hard drive or USB flash drive).

If you lost or don’t know your BitLocker key (ex: password, PIN, USB) but you have your BitLocker recovery key for an encrypted OS, fixed, or removable drive, you can use that recovery key to unlock your drive. The BitLocker recovery key is a 48-digit number stored in your computer.

You have the following options to select from when you back up your BitLocker recovery key:

  • Save to your Microsoft account
  • Save to a USB flash drive
  • Save to a file
  • Print the recovery key

This tutorial will show you how to find your BitLocker recovery key for a drive in Windows 10.

Read more…

Allow or Deny Write Access to Fixed Data Drives not Protected by BitLocker in Windows

You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would.

If you like, you can set a policy that configures whether BitLocker protection is required for a computer to be able to write data to fixed data drives. All fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

This tutorial will show you how to allow or deny write access to fixed data drives not protected by BitLocker for all users in Windows 7, Windows 8, and Windows 10.

Read more…

How to Use BitLocker Repair Tool to Recover Encrypted Drive in Windows

You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information, so that you can no longer unlock the OS drive, fixed drive, or removable drive normally. This kind of problem may be caused by a hard disk failure or by Windows exiting unexpectedly.

The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid BitLocker password, recovery key, or startup key (.BEK file) is used to decrypt the data.

This tutorial will show you how to use the BitLocker Repair Tool (repair-bde) to recover the contents of a damaged drive encrypted by BitLocker in Windows 7, Windows 8, and Windows 10.

Read more…

How to Copy Startup Key of OS Drive Encrypted by BitLocker in Windows

If you turn on BitLocker for an OS drive and choose to unlock the OS drive at startup with a USB flash drive, a startup key (encryption key) for this OS drive is saved to the USB flash drive.

If the USB flash drive with the startup key saved on it is not connected at startup, the user is prompted to insert the USB flash drive that holds the startup key and reboot the computer.

It is recommended to save a copy of the startup key to another USB flash drive to have as a backup.

You can save a copy of the PC’s startup key on multiple USB flash drives.

You can save BitLocker startup keys for different computers on the same USB flash drive.

This tutorial will show you how to save a copy of the BitLocker startup key for an OS drive in Windows 7, Windows 8, and Windows 10.

Read more…