Solved Enabling Bitlocker questions

cheaterslick · Apr 21, 2023

Hi,

My company is requiring me to enable bitlocker on my personal laptop. I really don't want to do it but I won't be able to access their company's resources if I don't. I'm wondering what the best way to approach this would be. And yes, I know how to turn bitlocker on.

Some things to consider:

I don't have a MS account attached to the OS.
I do have a MS account for Office 2021, though.
I don't want it to automatically encrypt any external drives that I attach to it. (HDDs, SSDs, thumb drives)
Best key storing practices.
What to do in case something triggers it to come on.

Any help would be most appreciated.

Thank you

echo2446 · Apr 21, 2023

If you don't have a Microsoft (MS) account linked to your operating system, you probably can't store the Bitlocker key in your account. But you can save it to a file.
Bitlocker isn't automatically enabled on all drives (not sure about group policy though), you have to enable it on each drive individually.
You can store the keys in a password manager, but I prefer encrypting the key with a password in the password manager. That way, even if the password manager is breached, they still can't access the key unless they have the file too.
If you're worried things might not go smoothly, you can keep the unencrypted key file on a USB drive for a while. When you feel comfortable, you can delete it (and keep the encrypted file).

Enabling Bitlocker for me on an individual computer is very painless. I do keep copies of the keys in multiple places, like my MS account, an encrypted 7z file, and an offline password manager. If you have a BIOS update that's not part of Windows Update, you may need to suspend Bitlocker protection. Even though my Dell BIOS update software says it would turn off Bitlocker during installation, I prefer to turn it off manually just to be sure.

I hope this helps. Good luck!

glasskuter · Apr 21, 2023

I totally agree with @echo2446 about storing the key in multiple places if one does not use a MS account. If it were me I'd go as far as keeping record of it offsite in my safety deposit box. Something else you can do that seems more feasible is, before you bitlock your drives, set up a second user account with administrative privileges on the laptop using the same account you registered MS Ofc with. Login to that account and set up bitlocker. Verify that the key is stored in MS servers by logging into the MS account online. Then you can delete that user account from the laptop afterwards.

cereberus · Apr 21, 2023

I had similar, but I refused to do it on host OS. I cloned the Host OS to a virtual hard disk and made it native boot.

I then bitlocked the C drive in the vhdx drive. I stored the Bitlocker Recovery Key on Onedrive (and on a different drive).

I boot into the clone as needed.

An alternative is to create a virtual machine.

cheaterslick · Apr 22, 2023

cheaterslick said:
I don't want it to automatically encrypt any external drives that I attach to it. (HDDs, SSDs, thumb drives)
What to do in case something triggers it to come on.

Any help would be most appreciated.

Thank you

Thanks for all the key storage information, but what about my concerns up above? Does bit locker automatically encrypt any external drives attached to it?

And in case something is triggered, what to do then? Isn't there both an encryption key and a recovery key needed?

glasskuter · Apr 22, 2023

cheaterslick said:
Does bit locker automatically encrypt any external drives attached to it

You are running Pro. It will encrypt only the drives you choose to encrypt. How to enable BitLocker on Windows 11 - Pureinfotech

cheaterslick · Apr 22, 2023

Would anything in Group Policy change this to auto encrypting?

glasskuter · Apr 22, 2023

There are a ton of BL settings in group policy. Go down to section in this article marked

BitLocker group policy settings details

In that section click on the following link

Control use of BitLocker on removable drives

Configure BitLocker

Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).

learn.microsoft.com

cheaterslick · Apr 22, 2023

glasskuter said:
There are a ton of BL settings in group policy. Go down to section in this article marked

BitLocker group policy settings details
In that section click on the following link

Control use of BitLocker on removable drives

Configure BitLocker

Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).

learn.microsoft.com

Thanks, but that all looks very complicated. Where to begin.

Control use of BitLocker on removable drives

Even under that subtopic, there's a lot of options. I wonder what the default is set to.

glasskuter · Apr 22, 2023

I don't use BL and under "control use of bitlocker on removable drives" mine is set to disabled. I'll be honest and say I really do not remember if I set that policy or if it is default. See what I have highlighted in screenshot.

cheaterslick · Apr 22, 2023

Well that screenshot at least tells me where it's located at. What settings I should use is another matter. Too many choices.

Mooly · Apr 22, 2023

I think you are probably worrying more than you need to tbh.

Each drive (or partition) you encrypt has the option to back up your key for that location. Pop a flash drive into the laptop and use that as the destination to save the keys. You can't save back to your PC, it won't let you. It has to be elsewhere. Its easy. Then print each key off and write on the back somewhere which drive (or partition) each key refers to.

File the printed keys safely away somewhere. Job done.

Will it encrypt external drives? Not by default, only if you specifically select the option to do so which you will see in control panel on the same screen I have posted here. You use 'Bitlocker to Go' option which will be available for each external drive it sees and you choose a simple normal style of password. That drive can now be used in any Bitlocker compatible PC by entering the password when it asks. Dead easy.

cheaterslick · Apr 22, 2023

Mooly said:
I think you are probably worrying more than you need to tbh.

Probably, but it looks like you told me what I needed to know.

Thanks

Solved Enabling Bitlocker questions

Well-known member

My Computers

Well-known member

My Computer

aka Mama Glass

My Computers

Well-known member

My Computer

Well-known member

My Computers

aka Mama Glass

My Computers

Well-known member

My Computers

aka Mama Glass

BitLocker group policy settings details​

Control use of BitLocker on removable drives​

My Computers

Well-known member

BitLocker group policy settings details​

Control use of BitLocker on removable drives​

Control use of BitLocker on removable drives​

My Computers

aka Mama Glass

Attachments

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Similar threads

BitLocker group policy settings details

Control use of BitLocker on removable drives

BitLocker group policy settings details

Control use of BitLocker on removable drives

Control use of BitLocker on removable drives