In it, press Computer Configuration=> WindowsComponent=> BitLocker Drive Encryption=> Operating System Drivers. To use the BitLocker Drive Encryption tools in the Control Panel instead of using the manage-bde command, just click the “Turn off BitLocker” option next to the drive you want to decrypt. Schedule a Task to Enable Bitlocker via PowerShell. BitLocker will scan your computer to make sure that it meets the BitLocker system requirements. BitLocker scans your computer to verify that it meets the system requirements. I don’t know of anything in Active Directory which gives me a definitive answer as to the state of protection of a given machine. Head to Control Panel > System and Security > BitLocker Drive Encryption and click “Turn on BitLocker” to enable it for a drive. Type gpedit. In order to ease the manageability effort required by BitLocker, we want to leverage a traditional System Management platform, such as System Center Configuration Manager, as well as the IDaaS (Identity as a service) feature offered by Azure Active Directory and the automation capabilities provided by Azure Automation, so as to allow the end. How to check Group Policy. Reboot your computer for the policy changes made above to take effect. As for how to do that, please refer to the following steps: Step 1: Press "Windows + R" keys and type "gpedit. Also, you do not need to wait for FullyEncrypted state before calling Enable-BitLockerAutoUnlock. I have even configured the recovery key to be stored against the machine name in ADUC. 2 In the left-hand navigation bar, expand (by clicking on the arrow to each item’s left, if necessary), in turn:. If you're an advanced user, you can turn off BitLocker by using Command Prompt. These settings are pretty safe and have no adverse effects if applied to all machines. In the search bar on the taskbar, type bitlocker. Download and install Hasleo BitLocker Anywhere. 
Using BitLocker without a TPM requires a Group Policy change, which is possible by a non-administrator if you’re using a stand-alone PC not joined to a domain and are willing to edit local. If you're using a newer Macbook Pro (i'm using the 2018 model) then it's pretty easy actually. Unlock the drive. Advanced Group Policy BitLocker Administration Management (AGPM) and Monitoring (MBAM) Enhances governance and control over Makes BitLocker easier and more cost-effective Group Policy through robust change to manage by simplifying deployment and management, versioning, and role- provisioning, improving compliance, and based administration. HKLM\Software\Policies\Microsoft\FVE Group Policy Settings for BitLocker Drive Encryption. BitLocker GPOs are computer scope, meaning the computer has to restart for them to fully take effect. "…BitLocker is reliant on a technology called TPM…or Trusted Platform Module, and basically what that does,…it stores the encryption key someplace. Open the Windows “Run” dialog box (the easiest shortcut is Windows Key + “R”), enter “gpedit. However in the case that Bitlocker is disabled this is how you enable Bitlocker, save the Bitlocker Key Protector to ADD (also known as the recovery key) and recover the key in the case you need it. To do it, open the GPO management console (gpmc. The TPM is a hardware component…. Create a new GPO and navigate to Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks. msc” into the Run dialog, and press Enter. Hardware encryption in the drive may be buggy. and use the wizard. BitLocker Password or Pin - Prevent Users from Changing This tutorial will show you how to allow or prevent standard users from being able to change the BitLocker PIN or password of an unlocked encrypted OS drive, fixed data drive, or removable data drive in Windows 8. Intro: Bitlocker on Windows supports hardware-drive-encryption called eDrive. Configure Pre-boot Recovery Message and URL. 
Turn on TPM backup to Active Directory Domain Services: Enabled; Configuration for testing environment. To use BitLocker First, head to search bar here type BitLocker. msc” into the Run dialog, and press Enter. Open an elevated Command Prompt window with administrator rights. To go into how the backend is setup refer to the link provided. It is rather simple to disable BitLocker service and this operation can also help to turn off BitLocker. Hi Alan, I'm trying to get the Windows 7 BitLocker GPO options in a Windows Server 2003 domain but am only seeing the Vista option. Go to Group policy management, In the console tree under Computer Configuration\Policies\Administrative Templates\Windows Components, click BitLocker Drive Encryption ; Click on “”Choose default folder for recovery password” and enable it. If someone leaves a USB plugged in, they will be presented with Bitlocker recovery. Like Group Policy in Active Directory, Local Policy allows a user to make system-wide or account-specific changes to settings on a local PC. The DRA certificate’s thumbprint is distributed to all BitLocker-protected devices using GPO settings to ensure that only the administrator with a matching DRA certificate and private key can recover the information. I don't have the very top one about forced password complexity, but that is coming from another GPO so is still in the mix. At the left side in Group Policy Editor you can find a option as Computer Configuration. Enter a password and save a recovery. Once you’re there, click on Require additional authentication at startup. Next, configure Group Policy to backup the TPM owner information; open Computer Configuration, open Administrative Templates, open System, and then open Trusted Platform Module Services; Double-click Turn on TPM backup to Active Directory, check Enabled, and click OK. Click the Search icon in the taskbar and type “group policy“. For details of DE supported environments, see KB-79422. 
NOTE: You can ensure if the BitLocker encryption is removed by checking if the Bitlocker lock icon is removed in the particular drive and by accessing the particular drive. BitLocker Registry Keys I wrote a UI that enables me to easily manage all of my BitLocker encrypted drives. Step 2: Turn off BitLocker. BitLocker won't apply the new encryption method to drives that are already encrypted. msc” into the Run dialog, and press Enter. A big part of this is to encrypt the disks of their devices using BitLocker. Click Yes to continue and pause BitLocker on the player. The MSFT Windows 10 RS3 – BitLocker GPO contains a setting to Disable new DMA devices, that broke some computer. Turn on BitLocker Drive Encryption Feature on Windows 10. Overzealous TPM protection. msc), right-click on OU Workstations and create a new policy (Create a GPO in this domain and Link it here. To Enable and configure BitLocker Feature First Open Control Panel > System And Security > Here you will see the option BitLocker Drive Encryption Click on it. 2 In the left-hand navigation bar, expand (by clicking on the arrow to each item’s left, if necessary), in turn:. Microsoft recommends using the TPM with a BitLocker PIN or startup key loaded on a USB to uplift security. To configure BitLocker, a group policy must be created. Click on BitLocker Drive Encryption. From Control Panel, open BitLocker Drive Encryption. In order to turn off the Bitlocker protection, you must have the Bitlocker password or the bitlocker recovery key in order to unlock the drive first and then to decrypt the drive. 0 module or software-based Intel Platform Trust Technology), enabling BitLocker on your computer can be as easy as opening the Control Panel and launching. This article does not discuss the utilization of a USB as a TPM replacement and does not discuss Group Policy changes for advanced features. Local Computer Policy > >Bitlocker Drive Encryption > Operating Systems Drives. Encryption operations. 
BitLocker is an encryption feature available in Windows 10 Professional and Enterprise editions. To enable Bitlocker for a drive, click Turn on Bitlocker. Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. After inserting the drive, open File Explorer, right-click the drive's entry, and click Turn On BitLocker. This policy setting is applied when you turn on BitLocker. so strange. From the results Ive found so far it seems that controlling Bitlockers configuration via GPO is going to be the easiest. Each BitLocker recovery object has unique name and contains a globally unique identifier for the recovery password and optionally a package containing the key. This requires administrator rights. Mention that this is stored in (Active Directory® Domain Services (AD DS) because of the Group Policy settings that were enabled as part of the demonstration. With the GPO settings at the customer, BitLocker To Go detects when a removable disk is plugged in to the machine, and prompts the user to either encrypt the drive or mount it read-only. In this post, I’ll walk you through the steps to enable BitLocker encryption on Windows 10 without TPM. BitLocker scans your computer to verify that it meets the system requirements. BitLocker is pretty transparent once it’s set up. I did some testing on a new GPO with those extra fixed and removeable options enabled. For more information about data recovery agents, see the Microsoft article, BitLocker Group Policy settings. Bitlocker , and select Edit. or you can simply Right click on the encrypted Drive and select Manage BitLocker. To configure BitLocker, a group policy must be created. To do it, open the GPO management console (gpmc. Excluding the quotation marks, enter the command "manage-bde -protectors -add c: -TPMAndPIN". 
At the bare minimum, you need: "Choose drive encryption method and cipher strength" "Store BitLocker recovery information in Active Directory Domain Services". Go to Settings > Update & Security > Device. These settings must be applied prior to enabling BitLocker. Let's start with some facts around BitLocker to understand the technology more precisely. BitLocker is a tool in Windows that can be used to encrypt fixed drives, but also operating systems as well to protect your core data from outside intrusion. The setting Computer/Administrative Templates/Windows Components/BitLocker Drive Encryption/Disable new DMA devices when this computer is locked , should be. Turn on BitLocker Without TPM on Windows 10. If you want two protectors, then you should use Add-BitLockerKeyProtector before of after Enable-BitLocker. Launch the Virtualbox application on your computer, and start creating a new virtual machine. If, on the other hand, the hardware does not have TPM support a warning message is displayed stating. It is an interface to report the results of security-related self-tests. Select Enter a password. Choosing things such as 128-bit vs 256-bit and XTS vs CBC for Windows 10. Next we had to configure Bitlocker and this was done via GPO. Script 3: Takes ownership of TPM, Turns on bitlocker, removes autologin. Thus, no (official) Group Policy setting exists that would allow admins to prevent users from encrypting fixed drives with BitLocker. Create a GPO with these settings and put it in an OU containing the target PCs. Select Enter a password. On the Windows computer that you wish to enable BitLocker, open "This PC" and simply right click the drive that you wish to encrypt and click Turn on BitLocker. In simple terms, BitLocker is a lock which secures (encrypts) your data in the drives and is only accessible to people who have its keys, i. BitLocker System Requirements. 
The so-called software encryption refers to the use of BitLocker built-in algorithm to encrypt the hard disk, that is, directly ignore the hardware encryption that comes with the SSD. Open the BitLocker control panel, and Click Enable BitLocker for your system Drive At the next window select the only available option (require a startup key at every startup): then at the next window select the mounted USB drive (it should be the only option) and click Save. BitLocker Group Policy Settings("Enable use of BitLocker authentication requiring preboot keyboard input on sl. The cursor will not. By default, BitLocker uses AES 128 bit encryption, but you are able to change it to 256 bit encryption in Group Policy. Double-click the setting Control Panel Setup: Enable Advanced Startup Options. This happened to me once, and I had to fiddle around half the day to get BitLocker to working again. Like Group Policy in Active Directory, Local Policy allows a user to make system-wide or account-specific changes to settings on a local PC. exe to enable Bitlocker on the systems, which in turn will use the. – Default encryption algorithm: AES-128bit + Diffuser. How to Manage BitLocker with Group Policy. In order for BitLocker to be enabled on workstations a few steps must be taken to ensure proper deployment. A perfect example is BitLocker full disk encryption. Windows Components\BitLocker Drive Encryption\Operating System Drives. To turn on BitLocker encryption for a removable drive, you must be running a business edition of Windows 10. Run BitLocker from within Control Panel, and turn it on. Here Click Turn on BitLocker Bellow to Operating System Drive. Once this is done, you're ready to configure BitLocker in the OS. Click OK to close the dialog and then close the Local Group Policy Editor window as well. Use TPM chip : this is a dedicated chip that needs to be fixed or additionally installed on the motherboard to store all the keys & other information needed in the encryption and. 
Enter administrative credentials if. Hello, Thank you for posting in this thread. the recovery key or the right encryption key. Prevent users from specifying recovery options when they turn on BitLocker on a drive. How can I turn off the default Bitlocker encryption on the Surface Pro 4 (or 3) and allow it to get its settings from GPO and encrypt to 256 AES? Please be as detailed as you care to. Welcome back Stephane van Gulick for the final part of his two-part series. I don’t know of anything in Active Directory which gives me a definitive answer as to the state of protection of a given machine. The BitLocker GUI in the Windows 7 Control Panel supports TPM + PIN and TPM + USB StartupKey but not TPM + PIN + USB StartupKey. This policy setting allows you to manage the checking of hardware compatibility before enabling BitLocker protection on drives of a computer. Set your group policy to automatically backup the recovery key to active directory, and to not encrypt the computer if the recovery key isn't stored in AD. You can buy a TPM header from Amazon at a low cost. Select Enter a password. You can only add one protector per call. The E5450 task sequence appears to be going through fine now after making a couple of minor changes. Be sure you read PowerShell and BitLocker: Part 1 first. I have even configured the recovery key to be stored against the machine name in ADUC. Edit the Group policy by right click on the object and select ‘Edit’. You’ll first be asked how you want to unlock your drive when your PC boots up. For more, see the Explain tab for the policy "Turn on BitLocker backup to Active Directory Domain Services" within gpedit. Step 5: Click Turn off Bitlocker in the window. Modify Local Group Policy to not require TPM for Bitlocker. Now in the left pane of Group Policy Management, right-click your AD domain and select “Create a GPO in this domain, and Link it here…” from the. 
Next we had to configure Bitlocker and this was done via GPO. Turn on BitLocker To Go to Encrypt Files; Connect your removable storage device to your computer. BitLocker is an encryption feature available in Windows 10 Professional and Enterprise editions. ; Open Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Office – Force Add-ins activation by GPO Posted on April 3, 2017 by Alexandre VIOT When you install plugins / Add-in for Microsoft Office, this add-in could be automatically disabled by Office depends on the ressouces needed, time to load, etc. How to Turn off BitLocker Encryption in Windows 10 Home & Pro BitLocker is a security feature inbuilt in Windows which protects your data from thefts. How to Enable Bitlocker for Windows 7 Ultimate & Enterprise. msc" into the Run box. Access Bitlocker recovery information; Overview. Now in that type gpedit. At the left side in Group Policy Editor you can find a option as Computer Configuration. Then right-click your system drive where Windows 10 is installed, then click Turn on BitLocker. To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local Administrators group is required. exe /name Microsoft. I did download GPEdit Enabler for Windows 10 Home Edition but it does not work. Turn off BitLocker (manage-bde -off C:) ---- However, the decryption took hours. Enable and enforce the Bit-Locker startup PIN. Configure Pre-boot Recovery Message and URL. To reset PRAM, turn off your mac. Click OK to close the dialog and then close the Local Group Policy Editor window as well. It will also show the end user experience prompting the user to configure Bitlocker and set a PIN. This will open the Local group policy editor. 
Use the Windows key + X keyboard shortcut to open the Power User menu and select. Providing GPO access to Bitlocker for encryption (No TPM) Hold Start Menu key + R button from the keyboard to launch the Run box. The script can be changed from multiple items to a single computer by using the code between the if statement. Instructions: Start by enabling BitLocker from Control Panel. In Control Panel, select System and Security, and then under BitLocker Drive Encryption, select Manage BitLocker. Tpm device not detected. We know how to set GPOs etc. Use Action: Update. Leave Allow = Read. How to Enable Bitlocker Encryption. Click on the Start Menu. Note: For more information on configuring Windows Vista Group Policy Objects (GPO) on the domain please see the following article series from windowsecurity. In order to store Bitlocker recovery information into AD: Open up Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption and then click on Turn on Bitlocker backup to Active Directory and then enable it. Using the same GPO for windows 7 machines and its working completely fine and also Bitlcoker_to_go is working fine with both OS's. see the bitlocker manipulation using powershell link below # if bitlocker is disabled, then. BitlockerGPO2. BitLocker Group Policy settings are found in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\ • Turn on BitLocker backup to Active Directory Domain Services • Control Panel Setup: Configure recovery folder • Control Panel Setup: Configure recovery options • Control Panel Setup: Enable. 
After we enable BitLocker and choose the mode, we will be asked to do a system check, which can take a while. Note: If you are on Server 2008 R2, make sure you select Require TPM backup. Improvements to BitLocker. How to Enable Bitlocker for Windows 7 Ultimate & Enterprise. So keep the REG file. Type gpedit. First of all a little background on HSTI. Causes of BitLocker Recovery Mode. Create a GPO with these settings and put it in an OU containing the target PCs. The Group Policy setting Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives must be enabled and the option Do not enable BitLocker until recovery information is stored in AD DS for operating system drives should be selected. Now go back and turn on the bitlocker on the system drive. Enter, then reenter your password (at least eight characters or more is recommended). You can also add a virtual TPM chip to your virtual machine. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption. Turn on BitLocker Drive Encryption in Windows 10 Click Start > File Explorer > This PC. Open Computer from the Desktop, right-click on your local drive and select Turn on BitLocker. How to manage Bitlocker on a Azure AD Joined Windows 10 Device managed by Intune. Enable and enforce the Bit-Locker startup PIN. Enter administrative credentials if prompted. Unlock the drive. If you don't have a chip that supports TPM, then you can still use BitLocker, but you'll have to store the encryption key on a USB stick. One can turn on Bitlocker without TPM but has to modify the registry in order to allow this, as this isn't what Microsoft originally planned as the drive won't be bound to the computer any longer. With the GPO settings at the customer, BitLocker To Go detects when a removable disk is plugged in to the machine, and prompts the user to either encrypt the drive or mount it read-only. 
Group policies (GPO) allows you to configure BitLocker so that backups of BitLocker keys and recovery keys are stored in computer object in the Active Directory. Introduction. Turn on BitLocker Drive Encryption Feature on Windows 10. Open the start menu and type "gpedit. Group Policy Conflict When Trying To Turn On Bitlocker After It Has Been Previously Turned Off. Domain level Group Policy changes and network managed BitLocker setups are Best. This guide is intended for a sophisticated audience. One can turn on Bitlocker without TPM but has to modify the registry in order to allow this, as this isn't what Microsoft originally planned as the drive won't be bound to the computer any longer. If this step is skipped you may receive the following error: "The group policy settings for bitlocker are in conflict and cannot be applied. Click OK and close the policy editor. Access Bitlocker recovery information; Overview. In this post, I'll walk you through the steps to enable BitLocker encryption on Windows 10 without TPM. 2019-10-01: with the 2019 September update KB4516045 BitLocker uses software instead of hardware encryption by default. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. In order to store Bitlocker recovery information into AD: Open up Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption and then click on Turn on Bitlocker backup to Active Directory and then enable it. Click Next. BitLocker GPOs are computer scope, meaning the computer has to restart for them to fully take effect. You're now ready to modify the necessary Group Policy settings for both BitLocker and the TPM chip (if your computer supports this feature). Up until now that's been a manual experience but with the steps below, it's semi-automated. 
I had to piece together bits from a few sources online to accomplish this, so I will bring together in this one post all of the steps I ended up using. The problems comes when I try to encrypt the data drive and I get the dreaded "Group Policy settings for Bitlocker are in conflict and cannot be applied. More information about setting up AD DS backup for BitLocker is available on Microsoft TechNet. Many organizations do not consider Bitlocker for servers as they are not in general as portable as desktop operating systems such as Windows 7, 8 or 10 especially when it comes to laptops. Here Click Turn on BitLocker Bellow to Operating System Drive. From your forest ,domain—>Group policy Objects ,create New ,give it name ‘MBAM 2. Open the start menu and type "gpedit. We can use PowerShell to enable Bitlocker on domain joined Windows 10 machines. Secure boot is annoying. This is done by enabling the "Allow enhanced PINs for startup" setting in the Local Group Policy Editor (gpedit. For details of DE supported environments, see KB-79422. Create a GPO with these settings and put it in an OU containing the target PCs. Launch Hasleo BitLocker Anywhere, right-click the drive letter you want to encrypt, then click "Turn On BitLocker". Open Computer from the Desktop, right-click on your local drive and select Turn on BitLocker. BitLocker Password or Pin - Prevent Users from Changing This tutorial will show you how to allow or prevent standard users from being able to change the BitLocker PIN or password of an unlocked encrypted OS drive, fixed data drive, or removable data drive in Windows 8. If you're using a newer Macbook Pro (i'm using the 2018 model) then it's pretty easy actually. Head to Control Panel > System and Security > BitLocker Drive Encryption and click “Turn on BitLocker” to enable it for a drive. Reboot your computer for the policy changes made above to take effect. 
Microsoft BitLocker encryption is available for Windows 10 along with the ability to encrypt removable media and to authenticate with a password-only option. My C drive is not compatible with BitLocker,…so I should receive an error…when I click on Turn on BitLocker,…and in fact it does say,…"Your device does not use a Trusted Platform Module. How to Configure GPO to Automatically Save BitLocker Recovery Key to AD. Now, when you turn on BitLocker on a domain computer, the keys will be stored in Active Directory. Open the Group Policy Editor by using the "Run…" executable, typing in "gpedit. To turn on BitLocker encryption for a removable drive, you must be running a business edition of Windows 10. Obviously we want to be able to use all the characters. Because it's designed by a large, for-profit company, and because the U. In my case the BitLocker recovery key was available after this simple steps. This was previously set when we started deploying Windows 10 1507 to turn off the default Microsoft Hero Wallpaper at the login prompt. BitLocker is a tool in Windows that can be used to encrypt fixed drives, but also operating systems as well to protect your core data from outside intrusion. WinMagic can manage your BitLocker deployment, leverage your existing investment and layer additional security functionality to fully realize the benefits of FDE on all platforms. This guide will demonstrate how to enable the BitLocker startup PIN for pre-boot authentication on Windows 10 with Microsoft Intune. How to Turn off BitLocker Encryption in Windows 10 Home & Pro BitLocker is a security feature inbuilt in Windows which protects your data from thefts. Options for encrypting removable flash drives using BitLocker-To-Go can also be found in this window. Read through this article to know how to remove BitLocker encryption from USB drive. 
It doesn't automatically start encryption, you'll need to do that manually, with a script, at deployment, or with a tool. ) Once that Group Policy setting is made, you can go to Control Panel to turn on Bitlocker on the system drive. If you want two protectors, then you should use Add-BitLockerKeyProtector before of after Enable-BitLocker. Turn it on for the C: disk: Windows will now generate a recovery key. If someone leaves a USB plugged in, they will be presented with Bitlocker recovery. Open Group policy Editor (GPMC) and navigate to: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption b. After doing that, BitLocker should be permanently disabled on for the selected drive. This feature can be enabled or disabled based on your preferences by tweaking the Local group policy Editor. The Group Policy setting Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives must be enabled and the option Do not enable BitLocker until recovery information is stored in AD DS for operating system drives should be selected. Verify that BitLocker is turned on. 2) Launch the File Explorer, right-click the drive of the operating system that you want to encrypt, and then click Enable bitlocker. To turn on BitLocker encryption for a removable drive, you must be running a business edition of Windows 10. Turn on BitLocker Drive Encryption in Windows 10 Click Start > File Explorer > This PC. Activate the TPM in the BIOS Setup utility, or allow the BitLocker wizard to do so. Set BitLocker PIN. In the Reference section below the table, it says: In Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. Next we had to configure Bitlocker and this was done via GPO. 
Early concepts of encryption were born in the forges of war and is most epitomized by the Navajo code talkers of World War II, where codes in the Navajo language helped the allied forces stop the threat of Nazi Germany. In the Intune portal in https://portal. Click OK and close the policy editor. Microsoft BitLocker encryption is available for Windows 10 along with the ability to encrypt removable media and to authenticate with a password-only option. msc and all works successfully. From here, select System and Security and click on Bitlocker Drive Encryption. Note: If you are on Server 2008 R2, make sure you select Require TPM backup. msc and press Enter. BitLocker originated as a part of Microsoft's Next-Generation Secure Computing Base architecture in 2004 as a feature tentatively codenamed "Cornerstone" and was designed to protect information on devices, particularly if a device was lost or stolen; another feature, titled "Code Integrity Rooting", was designed to validate the integrity of Microsoft Windows boot and system files. In the Reference section below the table, it says: In Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. I don’t know of anything in Active Directory which gives me a definitive answer as to the state of protection of a given machine. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the left pane. BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. Bitlocker Accidentally Turn Off Computer Nov 16, 2009. 
This requires a Group Policy settings change. This can easily be done during OS installation for all new computers but it might be troublesome to enable bitlocker on existing devices. The policy to allow BitLocker drive encryption without TPM is only needed for boot drives. Having separate sections within the GPO for each drive type gives you the flexibility to meet the security needs of your organization. Choose how you want to unlock your drive during startup: Insert a USB flash drive or Enter a password. 2) Launch the File Explorer, right-click the drive of the operating system that you want to encrypt, and then click Enable bitlocker. Click on Suspend protection for the operating system drive. You will then be presented with the same screen as in Step 6. Step 1: Click Computer and go to open Control Panel. Bitlocker keeps things simple (largely to boost adoption), and doesn’t bog itself down with power-user features that, depending on who you are, you need or want to see to take the tool seriously. All you need is to right click on the USB drive in ‘My Computer’ and select the ‘Turn On BitLocker’ command from the menu. government approached Microsoft about adding a "back door" to its encryption scheme, BitLocker hasn't enjoyed the greatest reputation. Policy: Description: Store BitLocker Recovery Information In Active Directory Domain Services (Windows Server 2008 And Windows Vista) Enabling this policy silently backs up BitLocker recovery information to AD DS. Turn on TPM backup to Active Directory Domain Services: Enabled; Configuration for testing environment. Press Windows Key and R together to open the run menu, type control, and press enter key. 5Tb when I accidentally turned off the computer. Hello r/Sysadmin!. BitLocker is a partition-level encryption solution that comes with Windows 10. Next, click Turn on BitLocker > select the option using which you would want to unlock the drive. Click on "BitLocker Drive Encryption". 
Windows 8 doesn't disappoint as it brings us the most advanced version of BitLocker yet. This guide will demonstrate how to enable the BitLocker startup PIN for pre-boot authentication on Windows 10 with Microsoft Intune. In this post, I'll walk you through the steps to enable BitLocker encryption on Windows 10 without TPM. Select Enabled radio button and check the box for "Allow BitLocker without a compatible TPM". Create a new Group Policy and navigate to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. BitLocker Group Policy Settings ("Enable use of BitLocker authentication requiring preboot keyboard input on sl. Step 1: Go to Control Panel on your computer. Open the TPM Management (tpmadmin. Turn on BitLocker. Now that you have that taken care of, there are a couple of ways to enable BitLocker. If you want to remove BitLocker encryption from a USB drive, there are two steps: unlock the BitLocker-protected USB drive, then turn off BitLocker. Navigate to the "Require additional authentication at startup" setting beneath the. Then right-click your system drive where Windows 10 is installed, then click Turn on BitLocker. The Group Policy setting Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives must be enabled and the option Do not enable BitLocker until recovery information is stored in AD DS for operating system drives should be selected. I'd really recommend you to read these two guides and then you'll be up and running with BitLocker in like less than 15 minutes:. BitLocker will scan your computer to make sure that it meets the. Notice a padlock symbol next to your C: drive and options to suspend protection, back up recovery key, remove password and Turn off BitLocker encryption. Complete the following steps to turn on BitLocker.
It not only lets you set up your resources to comply with all regulations; it is also nondisruptive so your systems' compatibility, stability and performance remain fully intact. Where in the Sophos Central portal do I turn it on? Open Control Panel and navigate to System and Security and BitLocker Drive Encryption. Decrypt directly with password: open “Control Panel” and choose “BitLocker Drive Encryption” to decrypt the drive by clicking on “Turn Off BitLocker”. If you would like to restore the default Group Policy setting to have BitLocker use a TPM instead of a USB flash drive, then do METHOD ONE (step 5) or METHOD TWO (step 2) in the PREPARATION section at the top of the tutorial. To configure BitLocker drive encryption complete the following actions: Turn on the TPM in the BIOS Setup utility. Show students the recovery information on the tab. A streamlined way of managing BitLocker in your environment would be to consider a multi-discipline approach. Open Windows 10 Group Policy Editor. BitLocker relies on a so-called TPM module (Trusted Platform Module) for encrypting Windows 10 system disks. Open Assets and Compliance tab. Edit the Group Policy. In order to turn on TPM recovery information backup into AD: Enable BitLocker in GPO and have users click 'OK' to turn it on via the MBAM agent. For Windows Desktop 8, 8. Using BitLocker without a TPM requires a Group Policy change, which is possible by a non-administrator if you’re using a stand-alone PC not joined to a domain and are willing to edit local. Deploy BitLocker without a Trusted Platform Module. Such a system will require a BitLocker password at startup.
Prevent users from specifying recovery options when they turn on BitLocker on a drive. Step 1: Enter Desktop in the Start menu on Windows 8 computer. To use the BitLocker Drive Encryption tools in the Control Panel instead of using the manage-bde command, just click the "Turn off BitLocker" option next to the drive you want to decrypt. Default is Off. As with BitLocker, BitLocker To Go allows us to encrypt a USB flash drive and restrict access with BitLocker password or BitLocker recovery key. To change the BitLocker encryption method and cipher strength in Windows 10, open the Local Group Policy editor app. Providing GPO access to BitLocker for encryption (No TPM): Hold Start Menu key + R button from the keyboard to launch the Run box. With this configuration the recovery password will be. The policy setting described here allows you to manage the Active Directory Domain Service (AD DS) backup of BitLocker Drive Encryption recovery information. I have configured it to boot with a PIN but it won’t enable due to no pre-boot keyboard being available. The vulnerability affects SSDs that support hardware encryption; it relies on local access to the SSD and reverse engineering of its firmware to access the data. In the Windows Group Policy Editor, select Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. Method 3: Disable BitLocker Service to Turn Off BitLocker. To turn on BitLocker: Go to the Start screen and type Control Panel; Click the icon and the Control Panel will appear; From the View by: (top right) dropdown menu, select Small icons; Click on BitLocker Drive Encryption; BitLocker Drive Encryption will open; Select Turn on BitLocker; BitLocker will initialize and check for system requirements.
Keep in mind that only members of the local Administrators group can enable BitLocker. For the procedure, refer to the following: Dell; Lenovo; Toshiba; HP; All others through Microsoft; Turn on the TPM: Open the TPM Management (tpm. In the search bar on the taskbar, type bitlocker. Intro: BitLocker on Windows supports hardware-drive-encryption called eDrive. However in the case that BitLocker is disabled this is how you enable BitLocker, save the BitLocker Key Protector to ADD (also known as the recovery key) and recover the key in the case you need it. This will open the Local group policy editor. msc): Enable BitLocker Drive Encryption. You'll be prompted to confirm that you want to turn off BitLocker, and then the process will begin. It is used to access and recover the encrypted data on a damaged drive encrypted with BitLocker. First of all a little background on HSTI. On the ribbon, click on Turn On. Here, click Turn on BitLocker below Operating System Drive. A TPM is required to turn on BitLocker. And finally, many devices such as those in the Microsoft Surface line turn on BitLocker by default and use the default algorithms. We use Dell's CCTK (Dell Command Configure) to programmatically Enable and Activate the TPM during the task sequence before enabling BitLocker. In File Explorer, in the navigation pane, expand This PC. Click Next. Select Save to a file, then insert a USB flash drive to save the Recovery Key. In Control Panel, select System and Security, and then under BitLocker Drive Encryption, select Manage BitLocker. This means that the encryption happens at the SSD drive with no penalty in performance and without using CPU to do the encryption calculations.
Schedule a Task to Enable BitLocker via PowerShell. Or you can simply right-click on the encrypted drive and select Manage BitLocker. This is our GPO with all the MBAM 2. Now that the policy has been set to allow us to enable and use BitLocker without TPM we can proceed. While you can't use BitLocker on Windows 10 Home, there are several options to enable the BitLocker drive encryption feature. How to Configure GPO to Automatically Save BitLocker Recovery Key to AD. If this step is skipped you may receive the following error: "The group policy settings for bitlocker are in conflict and cannot be applied. That’ll open the Local Group Policy Editor. BitLocker is pretty transparent once it’s set up. Installing BitLocker. Activate the TPM in the BIOS Setup utility, or allow the BitLocker wizard to do so. This requires a USB flash drive on. Introduced with Windows Vista, BitLocker has become more advanced in each subsequent version of Windows. It is an interface to report the results of security-related self-tests. Select Turn On BitLocker. Click Turn off BitLocker to decrypt the drive. The first thing it asked me for was to insert a removable USB flash drive to save a startup key to. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. Create a new task (Enable BitLocker). Verify BitLocker Encryption Method; Switch to BitLocker Software Encryption via BitLocker Group Policy settings; Turn off BitLocker on existing drive; Reference.
HSTI is a Hardware Security Testability Interface. 0 module or software-based Intel Platform Trust Technology), enabling BitLocker on your computer can be as easy as opening the Control Panel and launching. In order to get the BitLocker and Policy data, you need to extend the SCCM Hardware Inventory. On the BitLocker Drive Encryption Setup page, click Next. Steps: Open the group policy editor (gpedit. Windows Components\BitLocker Drive Encryption\Operating System Drives. Converting those to use 256-bit requires first decrypting the volumes and then re-encrypting, which creates temporary security exposure as well as user impact. A big part of this is to encrypt the disks of their devices using BitLocker. Once the script is ready, it is time to use Group Policy to create a Scheduled Task on our computers to run the script. This article describes 3 easy ways to enable/disable the automatic unlock BitLocker protection in Windows 10/8. Remotely enable TPM on Dell Computers: I already have the BitLocker GPO configured, so if the TPM is enabled when users in that OU log in it will turn BitLocker on and start drive encryption. BitLocker will scan your computer to make sure that it meets the BitLocker system requirements. Note: If you didn't follow the steps in "To Unlock Operating System Drive at Startup with Configured TPM Settings" or "To Unlock Operating System Drive at Startup with Password or USB flash drive" and you have a TPM chip then you will see the window in step 8. Windows 10 Device Encryption Support Elevation Required To View. Step 2: Choose BitLocker Drive Encryption to Manage BitLocker.
Once that Group Policy setting is made, you can go to Control Panel to turn on BitLocker on the system drive. Many organizations do not consider BitLocker for servers, as they are in general not as portable as desktop operating systems such as Windows 7, 8 or 10, especially when it comes to laptops. Turn on BitLocker Without TPM on Windows 10. How to Turn ON BitLocker (Windows 10), June 6, 2020 May 30, 2020 by WhatisMyLocalIP: Using the Windows search box, find and run Manage BitLocker. Click "Turn ON BitLocker". In this example we will save the recovery key to a cloud domain account: click Save to your Cloud domain account > Next. Note: For personal use, you may choose to save it on. Select Turn on BitLocker and then follow the instructions. Once you’re there, click on Require additional authentication at startup. BitLocker did not revert to using BitLocker software encryption due to group policy configuration. I have a plan for enabling TPM and know what encryption I'm looking to enforce, however I'm finding that my GPO isn't initializing the BitLocker encryption on my clients. Use Action: Update. " software encryption and then. If you are using a modern motherboard, including lower-cost ones, then your motherboard would definitely have TPM header support. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption. How to turn on BitLocker on Windows 10 devices: This document provides step-by-step instructions for Microsoft Intune end users (and IT administrators who want information about the experience of their end users) on how to turn on BitLocker on their Windows 10 devices, when IT admins have configured an Intune policy that requi.
If your computer meets the system requirements, the setup wizard continues with the BitLocker Startup Preferences. However, both the VMK (encrypted with TPM SRK + PCR measurement values) and FVEK (encrypted with VMK) are stored on the BitLocker-protected volume itself (yes, the keys to unlock the volume remain in the protected volume itself). Actually, Surface comes with BitLocker encryption enabled by default. This setting is per drive type - OS, Fixed, and Removable. How to Enable BitLocker in Windows 10 without TPM chip. For the sake of this article, a volume consists of one or more partitions on one or more hard disks. Click Next. There are a few ways to do this, but they still leave BitLocker unlocked, so it would be better to hibernate if you are concerned with that. BitLocker scans your computer to verify that it meets the system requirements. BitLocker GPOs are computer scope, meaning the computer has to restart for them to fully take effect. In the pop-up window, navigate to the following path: Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Fixed Data Drives. You should set BitLocker Encryption to software in Group Policy right now! Original Post: I’m updating our TS for Windows 10 (1511) and wanted to take advantage of the new encryption. msc), right-click on OU Workstations and create a new policy (Create a GPO in this domain and Link it here. To Disable Standard Users from Changing BitLocker PINs or Passwords: Select the radio button for Enabled, and click OK. Click the Search icon in the taskbar and type "group policy".
It's pretty simple in its use and only mildly frustrating as you're waiting for the device's first encryption (it can take quite a while on a 1TB portable drive). 2 In the left-hand navigation bar, expand (by clicking on the arrow to each item’s left, if necessary), in turn: You can unlock that device on a device running any edition, including Windows 10 Home. BitLocker PCR Validation GPO settings. msc" and clicking the "OK" button. This is how you delete/remove the TPM Protector. This is a complete report that also displays BitLocker GPO settings. Open Computer from the Desktop, right-click on your local drive and select Turn on BitLocker. The BitLocker control panel, accessible from the Security item in the Windows Vista Control Panel, displays BitLocker status and provides the functionality to enable or disable BitLocker. Click Next. Here is how that is done. At the bare minimum, you need: "Choose drive encryption method and cipher strength" and "Store BitLocker recovery information in Active Directory Domain Services". PCR Settings. Right-click on the removable drive and select Turn on BitLocker… You should then see a Starting BitLocker screen. These settings are pretty safe and have no adverse effects if applied to all machines. But there is still the ability in 'Manage BitLocker' to turn off BitLocker To Go completely. If you have multiple ID's t. Hi, I have been testing BitLocker on my Surface Pro and ran into a small problem.
In order to store BitLocker recovery information into AD: Open up Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption and then click on Turn on BitLocker backup to Active Directory and then enable it. Use the Command Prompt to Create a PIN. - Group Policy Name [Select the recovery method for the BitLocker-protected operating system drive]. You will need to make a GPO for this to work and that's where it got tricky for me. BitLocker is Microsoft's proprietary disk encryption software for Windows 10. Right-click your C drive in the Computer folder, click Turn on BitLocker. Before you proceed please make sure you have read all the notes and cautions: NOTES: BitLocker encryption is a Microsoft product and there are widely available instructions on the internet on how to encrypt your computer using it. Or if you start encryption before the group policy has been pushed to your machine. You’ll first be asked how you want to unlock your drive when your PC boots up. Setting up an MBAM server with all its associated requirements (such as an additional SQL server) would increase your complexity as well as requiring you to write scripts to perform automated deployments. Select ‘Turn BitLocker on’ to begin the setup wizard.
You can then click Group Policy Management to launch it. Active Directory and BitLocker - Part 3: Group Policy settings as of Windows 10 1607 it is no longer possible to enable the GPO option "Turn on TPM backup to. Turn off BitLocker in Windows 10. First and foremost, you need to check whether BitLocker uses hardware or software encryption on your system. Close Group Policy Editor and continue to the next step. In this way, your drive is no longer in BitLocker. From the results I’ve found so far it seems that controlling BitLocker’s configuration via GPO is going to be the easiest. Turn on BitLocker Drive Encryption in Windows 10: Click Start > File Explorer > This PC. Decrypting a volume. Create a GPO with these settings and put it in an OU containing the target PCs. Click Manage BitLocker. Reboot your computer for the policy changes made above to take effect. On the properties page, select the Enabled setting to turn the policy on and then check the box under Options labeled Allow BitLocker without a Compatible TPM. Select Enter a password. BitLocker is a feature that's built into most Windows 10 Pro, Education, and Enterprise editions. If you don't need to encrypt your hard drive any longer, you can turn off BitLocker by following the steps below. To do this, launch an elevated Command Prompt window (type cmd. A list of search results appears. exe /name Microsoft. (see screenshot below) If you did step 1 above to set a default encryption method and cipher strength, then you will not have this setting available since BitLocker will use what you set in step 1 instead.
Under Operating System Drives the following options are found and can be configured as needed. Enter a number between four and seven digits. In the Action pane, click Turn TPM On to display the Turn on the TPM Security Hardware page. We turned on the group policy to require the BitLocker key be stored in AD. I did download GPEdit Enabler for Windows 10 Home Edition but it does not work. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption on the left. Solution 2: Disable BitLocker with Command Prompt. Personally, I know how to set GPOs etc. to mandate the use of BitLocker, but I also know how easy it is for a user to turn it off. So I've learned the hard way that BitLocker doesn't automatically back up the security keys to Active Directory if you join the domain AFTER you've encrypted your machine. The BitLocker feature of Windows is supposed to offer a degree of peace of mind that files are going to be secure -- but one expert points out that a simple key combo is all it takes to bypass the. msc" into the Run dialog box, and press Enter. All businesses want to protect their data to make sure it is safe from unauthorized users. BitLocker Recovery Mode can occur for many reasons, including: Authentication errors: Confirm that the Group Policy settings have propagated to the computer. When the Windows Recovery Environment is not enabled and this policy is not enabled you cannot turn on BitLocker on a device that uses the Windows touch keyboard. Possibly the most profound security enhancement that has become the norm for organizations in recent years is encryption.
To enable BitLocker on the drive, simply click "Turn on BitLocker," which can be found on the right-hand side of the window shown in Figure 4. Also, you do not need to wait for FullyEncrypted state before calling Enable-BitLockerAutoUnlock. FVE_E_EDRIVE_BAND_IN_USE - 0x803100B0 - (176) The drive cannot be managed by BitLocker because the drive's hardware encryption feature is already in use. Note that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. Once you've enabled BitLocker, follow these steps to set up a pre-boot PIN: Open the Local Group Policy Editor and browse to: Next, we will configure Group Policy to 'Turn on TPM backup to Active Directory Domain Services'. (All DCs enable BitLocker Drive Encryption (no, you don't need to use it on the DC, you just need it installed).) The keys get stored in AD when it's encrypted (using the GPO options I set). Then in AD you can do a search by the recovery ID and it finds what machine it was and the key. To enable and configure the BitLocker feature, first open Control Panel > System And Security. Here you will see the option BitLocker Drive Encryption; click on it. This will open the BitLocker Drive Encryption Window. The BitLocker Drive Encryption window appears. msc) snap-in. Client Management Group Policy definitions.
By using PowerShell for this task we can deploy it to multiple machines at once and in the meantime store the recovery password in the Active Directory. I then created a GPO for my settings and encrypted the OS drive and the data partition on a test laptop. Note all of the extra Vista related policy settings that are accessible when managing the SBS Vista Group Policy Object from a Windows Vista machine. You can only add one protector per call. Way 1: Remove BitLocker Encryption through Control Panel. This guide is intended for a sophisticated audience. Create a new GPO and navigate to Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks. I am looking into deploying BitLocker company-wide here in the next few months. Option 2: Enable or disable suspend BitLocker in Command Prompt; Option 3: Enable or disable suspend BitLocker in PowerShell; How to suspend or Resume BitLocker Protection in BitLocker Manager. Delete the existing FIPS-compliant recovery password. When installing the MBAM Client you need to do a couple of things. To enable BitLocker To Go in Windows Explorer or the Control Panel, do the following: 1.