Bitlocker Procedure

DESCRIPTION

Simple procedure to follow to enable bitlocker encryption on a Desktop computer.

Microsoft Bitlocker Procedure

Procedure Notes:

Check to see if Bitlocker functionality is supported in the current BIOS configuration.

Go to Start --> Control Panel --> Security Settings --> Enable Bitlocker

Select Turn On Bitlocker.

Note: If this is an initial configuration you will get the error at the bottom of the screen. You will need to 'Enable' the integrated TPM chip.

Enable Bitlocker and Proceed with Disk Encryption

Start --> Control Panel --> Security Settings --> Enable Bitlocker

You will be prompted for credentials in order to make this change. Enter your power user credentials.

The system will prompt you to save or print the Bitlocker Encryption Key. (See below for where to save the key.)

Recovery Key Maintenance

Rename the Key to include the Laptop name and Save the Key to the server.

Note: As we move this process forward we will be automating the above step via an Active Directory Group Policy procedure to eliminate the need for manually renaming, saving and copying the recovery key.

Make sure you select the Run Bitlocker System Check.

The system will check for compatibility and will reboot again to verify the encryption key as stored in the TPM chip and to 'actually' enable and make available the Bitlocker chip functionality.

Disk Encryption

Once the reboot is complete the computer will prompt for login as usual and will begin the formal encrypt process. We have selected consolidated logon and will not be requiring an additional PIN or third-party encryption option. This should simplify this process for us in the configuration phase and for the users moving forward.

The Disk Encrypt process will require approximately 2 hours to complete. Once complete you should be able to proceed with the installation of the core software components. It is also possible to install the core applications during the encryption process, but it could impact the estimated encryption completion time.

Bitlocker Decrypt Procedure

For the purposes of this procedure we will assume that this is a portable device that has been in use for some time.

Run Checkdisk

This process, technically, can be skipped. However, for systems wherein the data is of a sensitive or valuable nature that have been deployed for more than a year, it is highly recommended.

To ensure that the decrypt completes without error, best practices dictate that we complete a disk verification with the following flags: /r /f. Use both flags, as the flag /f doesn't check for bad sectors while /r does.

Manual steps to run Chkdsk at the command prompt

Click Start --> Search programs and Files --> type CMD.

At the Command prompt type --> Chkdsk /r /f

You should receive the warning that ChkDsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)

Type Y (for Yes, obviously ;P ) and then press ENTER to schedule the disk check, and then restart your computer to start the disk check. Depending upon the size and age of the drive this process could complete relatively quickly (within 10 minutes) or it could take hours.

This process will both locate bad sectors and recover readable information.

Decrypt Process

Start --> Settings --> Control Panel --> Turn Off Bitlocker

You will see the below graphic

Select Decrypt Drive
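
The enable and Recovery Key Maintenance steps above can also be scripted. The following is an added example, not part of the original procedure and not the Group Policy automation it mentions; it uses the built-in BitLocker and TPM PowerShell cmdlets and assumes the system drive is C: and that \\SERVER\BitlockerKeys is a placeholder for the key location on the server.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: C: is the system drive; $KeyShare is a
# placeholder for the server share that holds recovery keys.
$ErrorActionPreference = 'Stop'
$MountPoint = 'C:'
$KeyShare   = '\\SERVER\BitlockerKeys'   # placeholder, restrict access to admins

# 1. Pre-check: same condition as the error shown in the Control Panel
#    when the integrated TPM chip has not been enabled in the BIOS.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw 'TPM is not present or not ready. Enable the integrated TPM chip in BIOS setup first.'
}

# 2. Only proceed on a volume that is fully decrypted.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "Volume $MountPoint is '$($vol.VolumeStatus)'; not starting encryption."
}

# 3. Create the recovery password before encryption starts, so the key
#    is on the server before any data depends on it.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1

# 4. Recovery Key Maintenance: file name includes the computer name.
$keyFile = Join-Path $KeyShare ('{0}_BitlockerRecoveryKey.txt' -f $env:COMPUTERNAME)
@(
    "Computer:     $env:COMPUTERNAME"
    "Protector ID: $($recovery.KeyProtectorId)"
    "Recovery key: $($recovery.RecoveryPassword)"
) | Set-Content -Path $keyFile -Encoding ASCII
if (-not (Test-Path $keyFile)) { throw 'Recovery key was not saved; aborting.' }

# 5. TPM-only protector (no additional PIN, as chosen in this procedure).
#    -SkipHardwareTest is deliberately omitted, so the system check runs
#    and encryption begins after the reboot.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector

# 6. Run again after the reboot to follow encryption progress.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```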