At IU, how do I enable BitLocker on a Windows Vista Enterprise or Ultimate computer that has a TPM chip?
On this page:
- Hardware and software requirements
- Requirements for escrow of recovery information to the domain
Hardware and software requirements
- A computer that meets the minimum requirements for Windows
- A TPM microchip, version 1.2
- A Trusted Computing Group (TCG)-compliant BIOS
- A BIOS setting to start up first from the hard drive, not the USB or CD drives
- Administrative credentials on the computer on which BitLocker is being configured
- The ability to print from the computer on which BitLocker is being configured
- A USB thumb drive (optional but recommended)
Requirements for escrow of recovery information to the domain
- Windows Vista must be configured according to the steps in At IU, how can I escrow BitLocker recovery information in Active Directory?
- The computer must be attached to a network and be able to communicate with Indiana University's Active Directory.
Note: Before running the BitLocker Drive Preparation Tool, be sure to back up any critical data or files, as data loss is always possible when repartitioning your hard drive.
To create a BitLocker partition and turn on BitLocker Drive Encryption, follow these steps:
- Download the BitLocker Drive Preparation Tool from the "Security"
area on IUware.
- Install the BitLocker Drive Preparation Tool, and then start it from the Start menu: click
All Programs, then
System Tools, then
BitLocker, and finally
BitLocker Drive Preparation Tool.
- Accept the software licensing terms.
- On the "Preparing Drive for BitLocker" screen, confirm that you want to continue.
Note: Do this only if you are sure you have backed up critical data.
- Once the drive preparation is complete, exit the tool.
- When prompted to restart, restart the computer. After the restart, open
Control Panel, then
Security, and finally
BitLocker Drive Encryption.
This control panel may open automatically after the restart.
- On the BitLocker Drive Encryption page, click
Turn On BitLocker on the operating system volume.
- If your TPM is not initialized, you will see the Initialize TPM
Security Hardware Wizard. Follow the directions to initialize the TPM.
UITS strongly recommends that you print the TPM owner
password and save it on removable media.
For more information on initializing the TPM, see the Microsoft TechNet article Windows Trusted Platform Module Management Step-by-Step Guide.
- On the "Save the recovery password" page, you will see the following options:
- Save the password on a USB drive: Saves the password to a USB flash drive
- Save the password in a folder: Saves the password to a network drive or other location
- Print the password: Prints the password
UITS recommends the following:
- UITS strongly recommends that you print the password and save it on a USB drive. Saving the password to a USB drive will allow you to run the BitLocker system check on the next screen.
- Do not store the USB drive that contains the recovery password with your laptop.
- For each option, make your selection and follow the steps in the
wizard to set the location for saving or printing the recovery password.
- When you have finished saving the recovery password, continue to the next page.
- Assuming you chose to save the password on a USB drive, on the
"Encrypt the selected disk volume" page, confirm that the
Run BitLocker System Check checkbox is selected, and continue.
- Confirm that you want to restart the computer by clicking
Restart Now. The computer will restart and BitLocker will verify that the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem.
- If it is ready for encryption, the "Encryption in Progress" status
bar is displayed. You can monitor the ongoing completion status of the
disk volume encryption by hovering your mouse cursor over the
BitLocker Drive Encryption icon in the toolbar at the bottom of your screen.
By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to this volume. The next time you log in, you will see no change. If the TPM ever changes or cannot be accessed, if there are changes to key system files, or if someone tries to start the computer from a disk to circumvent the operating system, the computer will switch to recovery mode until the recovery password is supplied.
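The wizard above gives you no single place to confirm what it actually produced. The following script is an added example, not part of this UITS document or of Microsoft's guide; it reads the TPM and volume state through the Win32_Tpm and Win32_EncryptableVolume WMI classes that ship with BitLocker on Vista Enterprise/Ultimate, and reports whether the TPM is initialized, whether the operating system volume is protected and fully encrypted, and whether both a TPM protector and a numerical recovery password protector exist. It assumes Windows PowerShell has been installed on the Vista computer (it is not included by default), that the script is run from an elevated prompt, and that the operating system volume is C:.

```powershell
# Added example (not from the IU KB article): verify the result of the
# "Turn On BitLocker" wizard via WMI. Assumes Windows PowerShell is installed,
# the session is elevated, and the operating system volume is C:.

$ErrorActionPreference = 'Stop'

# --- TPM state: the Initialize TPM wizard should leave all three true ---
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM found: it may be disabled in the BIOS or not present.' }

$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
"TPM spec {0}: enabled={1} activated={2} owned={3}" -f $tpm.SpecVersion, $enabled, $activated, $owned
if (-not ($enabled -and $activated -and $owned)) {
    Write-Warning 'TPM is not fully initialized; BitLocker cannot seal the volume key to it.'
}

# --- Operating system volume (assumed to be C:) ---
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if (-not $vol) { throw 'No Win32_EncryptableVolume instance for C:; is BitLocker available on this edition?' }

# ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
$protection = $vol.GetProtectionStatus().ProtectionStatus
# ConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
#                   2 = encryption in progress, 3 = decryption in progress
$conv = $vol.GetConversionStatus()
"C: protectionStatus={0} conversionStatus={1} encrypted={2}%" -f `
    $protection, $conv.ConversionStatus, $conv.EncryptionPercentage

# Key protector types: 1 = TPM, 3 = numerical (48-digit recovery) password
$tpmProtectors      = @($vol.GetKeyProtectors(1).VolumeKeyProtectorID)
$recoveryProtectors = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)

if ($tpmProtectors.Count -eq 0) {
    Write-Warning 'No TPM key protector: the volume is not bound to this platform''s TPM.'
}
if ($recoveryProtectors.Count -eq 0) {
    Write-Warning 'No recovery password protector: if the TPM fails or boot files change, the data is unrecoverable.'
}

# Re-read each recovery password so it can be checked against the printed or USB copy.
# This only works in an elevated session on the unlocked machine; it is not a substitute
# for keeping the copy off the laptop, as the article recommends.
foreach ($id in $recoveryProtectors) {
    $pw = $vol.GetKeyProtectorNumericalPassword($id).NumericalPassword
    "Recovery protector {0}: {1}" -f $id, $pw
}
```

A sound result is a TPM that is enabled, activated and owned, protectionStatus 1 with conversionStatus 1 (or 2 while encryption is still running in the background), exactly one TPM protector and at least one numerical password protector. Run it again after any BIOS update or hardware change: if the TPM protector has silently gone missing, the next boot will land in recovery mode.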
Information in this document comes from the Microsoft TechNet article Windows BitLocker Drive Encryption Step-by-Step Guide, which contains much more detailed information about using Windows BitLocker in Windows Vista.
Last modified on August 27, 2012.