BitLocker – General FAQ
BitLocker prevents unauthorized access to data on lost or stolen devices by encrypting the entire OS volume on the hard disk. When used in conjunction with TPM versions 1.2 and above, BitLocker can validate system files and boot activity.
1. How can I configure BitLocker for Windows devices?
To configure BitLocker encryption,
- On your Hexnode UEM portal, navigate to Policies > Windows > Security > BitLocker.
- Configure the policy based on your requirements, associate it with the target entities, and save the policy.
2. How can I check whether my device is TPM compatible?
Not all devices have a compatible TPM. So, check whether the devices are TPM compatible before configuring the policy.
If the device runs Windows 10 v1803 or later, or Windows 11, go to Windows Defender Security Center > Device Security > Security processor details; the device’s TPM status is shown there. If the device runs a Windows 10 version below v1803, open the Run dialog, type tpm.msc, and check the TPM state under Status.
3. Why do you need TPM for BitLocker?
A Trusted Platform Module (TPM) is a chip on the motherboard of the Windows machine. It generates and stores the BitLocker encryption keys. Therefore, the user only has to sign in with their username and password; the TPM automatically unlocks the drive at boot using the stored keys.
4. Can BitLocker be used on a device without TPM?
Yes, BitLocker encryption can be enabled on devices without a TPM. However, this may require an additional authentication step: you will have to plug in a USB flash drive containing the startup key every time the device boots so that the drive can be decrypted. This works only if the BIOS or UEFI firmware can read from the USB drive in the pre-boot environment.
5. What are the hardware and software requirements for using BitLocker?
BitLocker is supported on:
- Windows 10 Pro (v1809+), Enterprise, and Education editions.
- Windows 11 Pro, Enterprise and Education editions.
To validate the system integrity of a device, it must have TPM 1.2 or later. For systems that do not have a TPM, a startup key stored on a USB flash drive is required, and the user will be prompted to plug in this USB key every time the system boots.
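The TPM check from Q2 and the edition and TPM 1.2 requirements from Q5 can also be verified from a script instead of the Settings UI. The following PowerShell is an added example and is not part of the original FAQ or of Hexnode's product. It assumes an elevated Windows PowerShell session with the built-in TrustedPlatformModule module; the edition pattern (Pro, Enterprise, Education) and the build threshold (17763 is Windows 10 v1809, so any later Windows 10 or Windows 11 build passes) are assumptions made for this example.

```powershell
# Added example: report whether this device meets the BitLocker requirements in Q2 and Q5.
# Assumes an elevated session (Win32_Tpm is not readable by standard users, in which case
# the TPM will be reported as absent).

function Test-BitLockerReadiness {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $editionOk = $os.Caption -match 'Pro|Enterprise|Education'   # assumed edition heuristic
    $buildOk = $build -ge 17763                                  # Windows 10 v1809 or later, or Windows 11

    # Win32_Tpm exposes the TPM specification version as a string such as "2.0, 0, 1.59" or "1.2, 2, 3".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmPresent = $null -ne $tpm
    $specVersion = if ($tpmPresent) { [version]($tpm.SpecVersion.Split(',')[0].Trim()) } else { $null }
    $tpmOk = $tpmPresent -and ($specVersion -ge [version]'1.2')

    # Get-Tpm reports whether the TPM is enabled, activated and ready for use by BitLocker.
    $tpmState = if ($tpmPresent) { Get-Tpm } else { $null }

    [pscustomobject]@{
        Edition          = $os.Caption
        Build            = $build
        EditionSupported = $editionOk -and $buildOk
        TpmPresent       = $tpmPresent
        TpmSpecVersion   = $specVersion
        TpmReady         = if ($tpmState) { $tpmState.TpmReady } else { $false }
        TpmMeets12       = $tpmOk
        NeedsStartupKey  = -not $tpmOk   # no usable TPM: a USB startup key is required at every boot (Q4)
    }
}

Test-BitLockerReadiness | Format-List
```

Run it before assigning the Hexnode BitLocker policy: a device that reports NeedsStartupKey = True will not complete a TPM-based configuration and must be handled with the startup-key option from Q4.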
6. Can BitLocker encrypt drives other than the OS drive?
Yes, BitLocker is a built-in full-disk encryption tool for Windows 10/11 devices that can encrypt operating system drives, fixed data drives, and removable drives, including the swap and hibernation files, for data protection and access control. In addition, BitLocker checks the integrity of the early boot components and the boot configuration data.
7. Should I leave my desktop unused while BitLocker is encrypting the drive?
No, you can keep using the device; BitLocker works in the background without disturbing foreground tasks. For very large drives, however, you may prefer to start encryption while the device is idle. Encrypting a drive completely can take anywhere from several minutes to several hours, depending on the type, size and speed of the drive.
8. I accidentally shut down the device while I was decrypting the BitLocker encrypted drive. Will I lose my data?
No, you will not lose any data. Decryption resumes from where it left off when the device starts again. The same applies to encryption.
9. Do I have to wait for BitLocker to decrypt the entire encrypted volume to read or write my existing data?
No, BitLocker does not decrypt the entire volume for read or write operations. It decrypts only the specific sectors the system requests when reading. Likewise, any new data written to the drive is encrypted before it reaches the device’s physical disk.
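Q6 through Q9 describe which volumes BitLocker covers and how a conversion runs in the background and survives a restart. The PowerShell below is an added example, not code from the original FAQ or from Hexnode; it inventories every BitLocker volume on the device and then polls one volume until its encryption or decryption job finishes. It assumes the built-in BitLocker module (Windows 10/11) and an elevated session; the mount point and the poll interval are assumptions.

```powershell
# Added example: inventory BitLocker volumes (Q6) and follow a running conversion (Q7-Q9).
# Assumes the built-in BitLocker PowerShell module and an elevated session.

function Get-BitLockerInventory {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType            # OperatingSystem or Data
            VolumeStatus     = $_.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus = $_.ProtectionStatus      # On / Off (Off while suspended or unencrypted)
            Percent          = $_.EncryptionPercentage
            Method           = $_.EncryptionMethod
            Protectors       = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

function Wait-BitLockerConversion {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [int]$PollSeconds = 30   # assumed interval
    )
    while ($true) {
        $v = Get-BitLockerVolume -MountPoint $MountPoint
        $state = [string]$v.VolumeStatus
        Write-Host ("{0}: {1} ({2}% encrypted)" -f $MountPoint, $state, $v.EncryptionPercentage)
        # Running jobs report EncryptionInProgress / DecryptionInProgress. Anything else
        # (FullyEncrypted, FullyDecrypted, or a paused state) means no conversion is running.
        # A job interrupted by a shutdown shows up again as InProgress after the next boot (Q8).
        if ($state -notlike '*InProgress') { return $v }
        Start-Sleep -Seconds $PollSeconds
    }
}

Get-BitLockerInventory | Format-Table -AutoSize
Wait-BitLockerConversion -MountPoint 'C:' -PollSeconds 30
```

The device stays usable while the loop runs, which is the point of Q7: the script only observes progress, it does not hold the volume. Because reads and writes are handled per sector (Q9), the Percent column rising is the only visible effect of the conversion.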
10. What can cause BitLocker to block the release of the key that decrypts the OS drive?
Several factors can cause the integrity check to fail, so that the decryption key is not released. The BitLocker-protected drive may have been moved to another computer, a new motherboard with a new TPM may have been installed, or the TPM may have been cleared or disabled. It can also be caused by a change in the device’s boot configuration settings, or by a change in the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
11. Can BitLocker be used to encrypt Windows virtual machines?
Yes, BitLocker can be used to encrypt non-bootable partitions of the virtual hard disk. However, BitLocker is not supported on the bootable partition.
12. Are two partitions necessary on the OS system drive for BitLocker encryption? If so, why?
Yes, the device requires two partitions for BitLocker encryption. One partition of the encrypted OS drive is used for pre-startup authentication, and the other is used to check the device’s system integrity.
13. Can BitLocker stop a user from copying data on an unencrypted drive to a BitLocker-protected drive?
BitLocker Group Policy settings govern whether a user can write data to an unencrypted data drive on a BitLocker-protected system. To enable the setting, open the Run dialog, type “gpedit.msc”, and go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives. Once enabled, the system mounts unencrypted fixed data drives as read-only.
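The policy path above is set in the Group Policy editor; the PowerShell below is an added example, not code from the original FAQ or from Hexnode, that audits the resulting setting and lists the fixed data volumes it would mount read-only. The registry location and value name it reads (HKLM\SOFTWARE\Policies\Microsoft\FVE, FDVDenyWriteAccess = 1) are taken from Microsoft's documented BitLocker policy keys and are stated here as an assumption; the script also assumes the built-in BitLocker and Storage modules and an elevated session.

```powershell
# Added example: audit the "Fixed Data Drives" write-access policy from Q13.
# The registry key/value name is assumed from Microsoft's documented BitLocker policy keys.

function Get-UnencryptedFixedDrivePolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $value = (Get-ItemProperty -Path $key -Name 'FDVDenyWriteAccess' -ErrorAction SilentlyContinue).FDVDenyWriteAccess
    $enforced = ($value -eq 1)

    # The policy covers fixed drives only; removable drives have a separate setting.
    # Map BitLocker mount points to fixed drive letters via the Storage module.
    $fixedLetters = Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
        ForEach-Object { [string]$_.DriveLetter }

    # Fixed data volumes with protection Off are the ones the policy affects: they stay
    # readable but cannot be written to until BitLocker is turned on for them.
    $unprotected = Get-BitLockerVolume |
        Where-Object {
            $_.VolumeType -eq 'Data' -and
            $_.ProtectionStatus -eq 'Off' -and
            ($_.MountPoint.TrimEnd(':') -in $fixedLetters)
        } |
        Select-Object MountPoint, VolumeStatus, CapacityGB

    [pscustomobject]@{
        PolicyConfigured        = ($null -ne $value)
        DenyWriteToUnencrypted  = $enforced
        UnprotectedFixedVolumes = $unprotected
        Action                  = if ($enforced -and $unprotected) {
            'These volumes are read-only until encrypted; run Enable-BitLocker on each to restore write access.'
        } elseif (-not $enforced) {
            'Policy not enforced: users can write plaintext data to unencrypted fixed drives.'
        } else {
            'Compliant: policy enforced and all fixed data volumes are protected.'
        }
    }
}

Get-UnencryptedFixedDrivePolicy | Format-List
```

A helpdesk ticket about a data drive that "suddenly became read-only" is usually this policy taking effect on a drive that was never encrypted; the UnprotectedFixedVolumes list is the quickest way to confirm that before troubleshooting the disk itself.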