Solved Enabling Bitlocker questions


cheaterslick

Hi,

My company is requiring me to enable bitlocker on my personal laptop. I really don't want to do it but I won't be able to access their company's resources if I don't. I'm wondering what the best way to approach this would be. And yes, I know how to turn bitlocker on.

Some things to consider:

I don't have a MS account attached to the OS.
I do have a MS account for Office 2021, though.
I don't want it to automatically encrypt any external drives that I attach to it. (HDDs, SSDs, thumb drives)
Best key storing practices.
What to do in case something triggers it to come on.

Any help would be most appreciated.

Thank you
 

  1. If you don't have a Microsoft (MS) account linked to your operating system, you probably can't store the Bitlocker key in your account. But you can save it to a file.
  2. Bitlocker isn't automatically enabled on all drives (not sure about group policy though); you have to enable it on each drive individually.
  3. You can store the keys in a password manager, but I prefer encrypting the key with a password in the password manager. That way, even if the password manager is breached, they still can't access the key unless they have the file too.
  4. If you're worried things might not go smoothly, you can keep the unencrypted key file on a USB drive for a while. When you feel comfortable, you can delete it (and keep the encrypted file).

Enabling Bitlocker for me on an individual computer is very painless. I do keep copies of the keys in multiple places, like my MS account, an encrypted 7z file, and an offline password manager. If you have a BIOS update that's not part of Windows Update, you may need to suspend Bitlocker protection. Even though my Dell BIOS update software says it would turn off Bitlocker during installation, I prefer to turn it off manually just to be sure.

I hope this helps. Good luck!
 

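Added example, not part of any post in this thread: an elevated PowerShell script for the key-backup and BIOS-update advice above. It lists the protectors on a volume, writes each recovery password to a file on another drive, and optionally suspends protection for one reboot. The parameter names and the `E:\bitlocker-keys` path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Parameter names and the E:\ backup path are assumptions.
param(
    [string]$MountPoint = 'C:',
    [string]$BackupDir  = 'E:\bitlocker-keys',   # assumed: a folder on a USB drive
    [switch]$SuspendForFirmwareUpdate
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Current state of the volume and the protectors that can unlock it.
$vol | Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# The numerical recovery password is what the recovery screen asks for.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "No recovery password protector on $MountPoint."
}

# A backup stored on the volume it unlocks is useless once that volume is locked.
if ((Split-Path -Path $BackupDir -Qualifier) -ieq $MountPoint) {
    throw "Choose a backup location that is not on $MountPoint."
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($p in $recovery) {
    # Keep the protector ID with the password so the right key can be matched later.
    $id   = $p.KeyProtectorId.Trim('{}')
    $file = Join-Path $BackupDir "$env:COMPUTERNAME-$id.txt"
    @(
        "Computer:          $env:COMPUTERNAME"
        "Volume:            $MountPoint"
        "Protector ID:      $id"
        "Recovery password: $($p.RecoveryPassword)"
    ) | Set-Content -Path $file -Encoding ASCII
    Write-Host "Saved $file"
}

if ($SuspendForFirmwareUpdate) {
    # RebootCount 1: protection resumes by itself after the next restart.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
}
```
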
I totally agree with @echo2446 about storing the key in multiple places if one does not use a MS account. If it were me I'd go as far as keeping a record of it offsite in my safety deposit box. Something else you can do that seems more feasible is, before you bitlock your drives, set up a second user account with administrative privileges on the laptop using the same account you registered MS Ofc with. Log in to that account and set up bitlocker. Verify that the key is stored in MS servers by logging into the MS account online. Then you can delete that user account from the laptop afterwards.
 

I had similar, but I refused to do it on host OS. I cloned the Host OS to a virtual hard disk and made it native boot.

I then bitlocked the C drive in the vhdx drive. I stored the Bitlocker Recovery Key on Onedrive (and on a different drive).

I boot into the clone as needed.

An alternative is to create a virtual machine.
 

Thanks for all the key storage information, but what about my concerns up above? Does bit locker automatically encrypt any external drives attached to it?

And in case something is triggered, what to do then? Isn't there both an encryption key and a recovery key needed?
 

Would anything in Group Policy change this to auto encrypting?
 

There are a ton of BL settings in group policy. Go down to the section in this article marked "BitLocker group policy settings details". In that section, click on the following link: "Control use of BitLocker on removable drives".

 

Thanks, but that all looks very complicated. Where to begin.

Control use of BitLocker on removable drives

Even under that subtopic, there's a lot of options. I wonder what the default is set to.
 

I don't use BL and under "control use of bitlocker on removable drives" mine is set to disabled. I'll be honest and say I really do not remember if I set that policy or if it is default. See what I have highlighted in screenshot.
 

Attachment: Screenshot 2023-04-22 004415.png

Well that screenshot at least tells me where it's located at. What settings I should use is another matter. Too many choices.
 

I think you are probably worrying more than you need to tbh.

Each drive (or partition) you encrypt has the option to back up your key for that location. Pop a flash drive into the laptop and use that as the destination to save the keys. You can't save back to your PC, it won't let you. It has to be elsewhere. It's easy. Then print each key off and write on the back somewhere which drive (or partition) each key refers to.

File the printed keys safely away somewhere. Job done.

Will it encrypt external drives? Not by default, only if you specifically select the option to do so which you will see in control panel on the same screen I have posted here. You use 'Bitlocker to Go' option which will be available for each external drive it sees and you choose a simple normal style of password. That drive can now be used in any Bitlocker compatible PC by entering the password when it asks. Dead easy.

Screenshot 2023-04-22 093625.png
 

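Added example (not from any post here) for the question of whether policy could change how external drives are handled: an elevated PowerShell check that reports two removable-drive policies and the BitLocker state of attached USB volumes. The registry value names are assumptions to confirm against the BitLocker group policy reference; the script only reads.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Registry value names are assumptions to
# verify against the BitLocker group policy reference; this script only reads.
$checks = @(
    @{ Policy = 'Control use of BitLocker on removable drives'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
       Name   = 'RDVConfigureBDE' },
    @{ Policy = 'Deny write access to removable drives not protected by BitLocker'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
       Name   = 'RDVDenyWriteAccess' }
)

$report = foreach ($c in $checks) {
    $key   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $state = if ($null -eq $key) { 'Not configured' } else { "Configured ($($key.($c.Name)))" }
    [pscustomobject]@{ Policy = $c.Policy; Value = $c.Name; State = $state }
}
$report | Format-Table -AutoSize -Wrap

# USB-attached volumes. Bus type is used because external hard disks often
# report as "Fixed" rather than "Removable".
$usb = Get-Disk | Where-Object BusType -eq 'USB' | Get-Partition |
       Where-Object { $_.DriveLetter -match '[A-Za-z]' }

$drives = foreach ($part in $usb) {
    $bl = Get-BitLockerVolume -MountPoint "$($part.DriveLetter):" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Drive      = "$($part.DriveLetter):"
        Status     = $bl.VolumeStatus       # FullyDecrypted = BitLocker has not touched it
        Protection = $bl.ProtectionStatus
        Protectors = ($bl.KeyProtector.KeyProtectorType -join ', ')
    }
}
$drives | Format-Table -AutoSize
```

If the second policy is configured, unencrypted removable drives mount read-only until BitLocker To Go is turned on for them; nothing is encrypted without that step.
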
I think you are probably worrying more than you need to tbh.

Probably, but it looks like you told me what I needed to know.

Thanks
 
