Protect Data With Windows 7 BitLocker
Content
More Work Smart Content: http://aka.ms/worksmart
LBI─Intended for internal use only.
Work Smart: Protect Data with Windows 7 BitLocker
Get Started
Page 1 of 8
About Windows 7 BitLocker
Microsoft BitLocker Drive Encryption technology uses the strongest publicly
available encryption to protect your computer’s data, and prevents others
from accessing your disk drives without authorization.
BitLocker To Go prevents unauthorized data access to your portable
storage devices, including Universal Serial Bus (USB) flash drives.
Topics in this guide include:
• Prepare to Enable BitLocker
• Back Up and Transfer Files
• Turn BitLocker On
• Turn BitLocker On for a Secondary Fixed Data Drive
• Suspend or Resume BitLocker Protection
• Back Up or Print a Recovery Key
• Encrypt a Portable Drive with BitLocker To Go
• Manage BitLocker To Go
• Decrypt a Portable Drive
Prepare to Enable BitLocker
All new systems that Microsoft IT provides are ready for BitLocker
enablement. However, before you enable BitLocker, you need to join your
computer to a corporate domain (if it isn’t already joined) and connect to the
corporate network.
For information on joining your computer to a corporate domain, see the
Joining a Windows 7 System to a Domain Work Smart Guide:
https://microsoft.sharepoint.com/teams/Worksmart/Shared%20Documents/Joi
ning%20Your%20Computer%20to%20a%20Domain.pdf.
Back Up and Transfer Files
Microsoft IT provides several solutions for backing up your data. Before
enabling BitLocker on your computer, review the different backup options on
ITWeb.
Turn BitLocker On
When you turn on BitLocker, BitLocker then turns on your computer’s Trusted
Platform Module (TPM) chip, which is a microchip that enables your computer
to utilize advanced security features.
1 Connect to the corporate network.
2 Click Start, and then click Control Panel.
3 Click System and Security, and then click BitLocker Drive
Encryption.
4 Ensure your computer’s TPM is turned on. To do this, look for a TPM
Administration link in the lower-left corner of the window under
See also.
More Work Smart Content: http://aka.ms/worksmart
LBI─Intended for internal use only.
Work Smart: Protect Data with Windows 7 BitLocker
Get Started
Page 2 of 8
If you do not see this link, the TPM is not on. To turn it on, go to the
following ITWeb page:
http://itweb/v7/Pages/BitLocker_HowtoEnableTPMonaMicrosoft-
ITSupportedSystem.aspx.
5 Click Turn On BitLocker.
6 In the Set BitLocker startup preferences screen, click Require a
PIN at every startup.
7 In the Enter a startup PIN page, in the PIN field, type a minimum 6-
digit PIN. The longer the PIN, the more secure your computer will be.
8 In the Confirm PIN field, retype the number.
9 Click Set PIN.
10 In the How do you want to store your recovery key? screen, click
Save the recovery key to a file, and then browse to a secure
location (e.g., a hardened file share, secure removable drive, or
OneDrive for Business) that is not on your computer.
More Work Smart Content: http://aka.ms/worksmart
LBI─Intended for internal use only.
Work Smart: Protect Data with Windows 7 BitLocker
Get Started
Page 3 of 8
11 After saving the recovery key, click Next.
12 In the Are you ready to encrypt this drive screen? page, click
Continue.
13 Save and close any open files.
14 Click Restart now.
BitLocker restarts your computer and begins the encryption process.
Notes
• BitLocker will encrypt your hard drive in approximately one to three
hours, depending on its size. You can continue to use your computer
during the encryption process.
• After BitLocker is enabled, each time that you attempt to log on to
your computer, you will need to enter your BitLocker PIN before
Windows starts. If you have any issues accessing your computer,
contact the Microsoft IT Helpdesk.
Turn BitLocker On for a Secondary Fixed
Data Drive
1 Connect to the corporate network.
2 Click Start, and then click Control Panel.
3 In the Control Panel, click System and Security, and then click
BitLocker Drive Encryption.
4 Under BitLocker Drive Encryption – Hard Disk Drives, click Turn
On BitLocker next to the secondary drive.
5 In the Choose how you want to unlock this drive screen, select a
form of protection for the fixed data drive. At a minimum, you must
select the Automatically unlock this drive on this computer
option. Requiring a password or smart card is optional.
6 In the How do you want to store your recovery key? screen, tap or
click Save the recovery key to a file, and then browse to a secure
location (e.g, a hardened file share, secure removable drive, or
OneDrive for Business) that is not on your computer.
More Work Smart Content: http://aka.ms/worksmart
LBI─Intended for internal use only.
Work Smart: Protect Data with Windows 7 BitLocker
Get Started
Page 4 of 8
7 After saving the recovery key, click Next.
8 In the Are you ready to encrypt this drive? screen, click Start
Encrypting. Encryption will run in the background until complete.
Suspend or Resume BitLocker Protection
You may need to suspend BitLocker. For example, you might need to do a
hardware upgrade or basic input/output system (BIOS) updates. When you
suspend BitLocker, Windows disables protection on your system. You won’t
need to enter your PIN to start your computer, but your data will be
unprotected.
You can perform all updates and system changes by suspending BitLocker
protection. You typically do not need to turn BitLocker off (decrypt your
drive) for any reason.
To suspend BitLocker:
1 Click Start, click Control Panel, click System and Security, and then
click BitLocker Drive Encryption.
2 Click Suspend Protection.
Resume BitLocker Protection
1 Click Start, click Control Panel, click System and Security, and
then click BitLocker Drive Encryption.
2 Click Resume Protection.
Decrypt Your Drive
1 Click Start, click Control Panel, click System and Security, and
then click BitLocker Drive Encryption.
2 Click Turn Off BitLocker.
BitLocker will decrypt your hard drive in approximately 1–3 hours, depending
on the size of the hard drive. You can continue to use your computer during
the decryption process.
More Work Smart Content: http://aka.ms/worksmart
LBI─Intended for internal use only.
Work Smart: Protect Data with Windows 7 BitLocker
Get Started
Page 5 of 8
Back Up or Print a Recovery Key
After encrypting your hard drive, you may want to back up or print your
recovery key again.
1 Click Start, click Control Panel, click System and Security, and then
click BitLocker Drive Encryption.
2 Click Manage BitLocker.
3 Click Save or print recovery key again, and then follow the
on-screen instructions.
Encrypt a Portable Drive with
BitLocker To Go
When you encrypt a portable drive with BitLocker To Go, you can set it to
unlock by using a password or your smart card.
1 Connect to the corporate network.
2 Decide whether you want to use password protection or smart card
protection. To learn more, go to the About BitLocker To Go ITWeb
page:
https://microsoft.sharepoint.com/sites/itweb/Information/Pages/Bitloc
ker/BitLocker_WhatisBitLockertoGo.aspx#encytypes.
3 Insert the portable drive (USB drive, SC card, SD/MMC card, etc.) into
the appropriate slot.
4 Click Start, click Control Panel, click System and Security, and then
click BitLocker Drive Encryption.
5 Click Turn On BitLocker next to the portable storage device that you
want to encrypt.
6 In the Choose how you want to unlock this drive dialog box, select
one of the following options.
• If you want to use a password to unlock the drive, select the Use
a password to unlock the drive check box, enter your password
twice, and then click Next.
More Work Smart Content: http://aka.ms/worksmart
LBI─Intended for internal use only.
Work Smart: Protect Data with Windows 7 BitLocker
Get Started
Page 6 of 8
Important
Create a password with 8–12 characters. Microsoft IT suggests
that you use an easy-to-remember passphrase and change
certain letters to caps or obvious special characters. Entering a
password is a one-time event. You will not need to change or
reset it unless you want to.
• If you want to use a smart card to unlock the drive instead, select
the Use my smart card to unlock the drive check box, insert
your smart card, and then click Next.
7 In the BitLocker Drive Encryption dialog box, do one of the
following:
• Click Print the recovery key, and then choose where to print it.
–Or–
• Click Save the recovery key to a file, and then browse to a
secure location (e.g, a hardened file share, secure removable
drive, or OneDrive for Business) that is not on your computer.
8 In the Are you ready to encrypt this drive? screen, click Start
Encrypting.
BitLocker To Go can encrypt your drive in minutes or hours,
depending on your drive’s size, your connection speed, and the
technology you use, such as External Serial Advanced Technology
(eSATA), FireWire, USB, or USB 2.0. You can continue to use your
computer during the encryption process.
9 Click Close.
10 When the encryption is complete, remove the device. If you chose
smart card encryption, remove your smart card. Wait a few seconds
and then reinsert the device and/or smart card.
11 Do one of the following:
If you chose password protection:
i. Enter your password.
ii. If you want to have the device automatically unlocked
when you use it with your computer, select the
Automatically unlock on this computer from now on
check box. To use auto-unlock, BitLocker must be
enabled.
iii. Click Unlock.
More Work Smart Content: http://aka.ms/worksmart
LBI─Intended for internal use only.
Work Smart: Protect Data with Windows 7 BitLocker
Get Started
Page 7 of 8
• If you chose smart card protection, click Unlock, enter your PIN,
and then click OK.
Notes
• Each time you attempt to use the drive, you will need to enter the
password or smart card unless you set up BitLocker To Go to unlock
the drive automatically. If you have any issues accessing your drive,
contact the Microsoft IT Helpdesk.
• If you want to change the password for a portable drive or change
the auto-unlock feature, click Start, click Control Panel, click System
and Security, and then click BitLocker Drive Encryption. In the
BitLocker Drive Encryption dialog box, click Manage BitLocker
next to the portable drive information.
• All recovery keys are stored in Active Directory and can be obtained
via the self-help process in http://BDEVault. You can also print the
recovery key again. For more information, see the next section.
Manage BitLocker To Go
After you encrypt a portable drive, you may want to change a password,
remove a password, add a smart card to unlock the drive, save or print a
recovery key again, or turn the automatic unlock feature on or off.
To make any of these changes:
1 Click Start, click Control Panel, click System and Security, and then
click BitLocker Drive Encryption.
2 Click Manage BitLocker.
3 Select one of the options in the dialog box.
More Work Smart Content: http://aka.ms/worksmart
LBI─Intended for internal use only.
Work Smart: Protect Data with Windows 7 BitLocker
Get Started
Page 8 of 8
Decrypt a Portable Drive
1 Click Start, click Control Panel, click System and Security, and then
click BitLocker Drive Encryption.
2 Click Turn Off BitLocker.
3 Click Decrypt Drive.
For More Information
Windows BitLocker Drive Encryption Information on ITWeb
http://bitlocker
General Use Security Standard
https://egrc/
Information Classification and Handling Standard
https://egrc/
IT Global Helpdesk
http://fasthelp
Work Smart
http://aka.ms/worksmart
