Windows 8 and BitLocker

Posted on July 15, 2013


I thought it was time to revisit Windows 8 this summer.  No, I’m not going to talk about the recent Windows 8.1 release.  The return of the traditional start menu has certainly garnered enough coverage lately as it is.  What we wanted to do was talk about some great features that you may not be aware of.

A fantastic feature introduced in Windows 7 was BitLocker.  BitLocker locks down the data on portable machines such as laptops and tablets so that someone who gets hold of the device cannot read it.  Most laptop users incorrectly presume that their user authentication credentials will protect their data from being accessed in the event that their laptop is lost or stolen.  After all, if someone can’t log on with their user credentials, or those of the local administrator account, they can’t access the data, correct?  WRONG!

Obviously someone with technical skills could remove the drive from the laptop and connect it to another computer.  Another scenario would be that someone uses an installation DVD to install a second copy of an operating system, perhaps another copy of Windows 7 or Windows 8, creating a dual operating system environment.  After logging on to the newly installed operating system with the administrative account, that user would have full access to the local volumes.  Using the administrative privileges, they could take ownership of all of the files on that computer and grant themselves full permissions.

This is where BitLocker comes in.  BitLocker encrypts at the volume level, including the system volume, on your computer.  This is unlike EFS, the Encrypting File System, which has been around since Windows 2000 and encrypts at the file level.  BitLocker encrypts your designated volumes with a key created by the current operating system, so it cannot be circumvented by another OS.  BitLocker ensures that if your laptop or tablet is lost, stolen or compromised, your data is protected.  So why are your users not running this great feature on Windows 7?  Well, probably because it was only available on the Enterprise and Ultimate editions and, let’s face it, most of us just run the Pro edition.  Fortunately, Microsoft has made this great feature a part of the Pro edition of Windows 8.

Enabling BitLocker is really simple.  You can enable BitLocker on the volume of your choice with a few simple clicks of the mouse, unless you get this error:


The Trusted Platform Module (TPM) is a tamper-resistant chip embedded in the motherboard of most modern enterprise-class PCs.  If your computer has a TPM-compliant chip, you may have to enable it in the BIOS.  A TPM is required in order to implement all of the features of BitLocker, but it’s not a deal breaker if you don’t have one.  Enabling BitLocker in a non-TPM environment does require a little more work, however.  Here is a great link with step-by-step instructions on how to do it.

The idea behind BitLocker is that when a BitLocker-enabled volume is first accessed, the user must present a PIN (password), a smart card, or a USB drive holding a copy of the encryption key in order to access it.  Note that the PIN or password is not tied to the Microsoft user account.  A backup recovery key can be saved to a USB drive in case the password is forgotten.  The primary limitation of a non-TPM computer is how BitLocker encrypts the system volume.  If the system volume is encrypted, the computer is unable to boot until the user responds to the BitLocker access prompt.  On a TPM-compliant machine, the user can type in a password so that the machine can boot.  On a non-TPM machine, the only option is to insert a USB drive with a copy of the encryption key.  Unfortunately, if you lose that USB drive, you guessed it: you cannot boot the machine and you will have to reinstall the operating system.  Likewise, if you forget your password and then lose your recovery key, it’s over.  There is no other recovery option available, and no back door.  You’ll have to format the disk to use it again.

Another great way to utilize BitLocker is to encrypt USB drives that carry corporate data.  Referred to as “BitLocker to Go,” it offers a secure way to distribute sensitive data via a USB stick.  For users who may need access to the data from an XP machine or an edition of Windows that doesn’t offer BitLocker, there is a BitLocker to Go Reader which allows them to read the contents of the portable drive.  Here is a short video on how to encrypt your data on a USB drive.
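The two setups described above (the system volume on a TPM versus non-TPM machine, and BitLocker to Go on a USB stick) can also be scripted. The following is an added example, not code from the original post: it assumes the BitLocker and TrustedPlatformModule PowerShell modules that shipped with Windows 8.1 / Server 2012 R2 (Windows 8 RTM only has the manage-bde.exe tool), an elevated prompt, and the drive letters F: (startup/recovery key USB) and E: (removable drive to encrypt), which are placeholders.

```powershell
# Added example, not from the original post. Picks the BitLocker protector the
# hardware allows (TPM+PIN, or a USB startup key when there is no TPM), keeps a
# recovery password off the encrypted disk, and encrypts a removable drive
# ("BitLocker To Go") with a password. Drive letters are assumptions.
#Requires -RunAsAdministrator

function Enable-OsVolumeBitLocker {
    param([string]$MountPoint = 'C:', [string]$UsbRoot = 'F:\')
    # Both branches need the "Require additional authentication at startup"
    # Group Policy setting (with "Allow BitLocker without a compatible TPM"
    # for the non-TPM case); that is the extra work the post mentions.
    $tpm = Get-Tpm
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        # TPM machine: the user types a PIN at boot.
        $pin = Read-Host -AsSecureString 'Enter a BitLocker startup PIN'
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
            -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest
    } else {
        # No TPM: the only pre-boot option is a startup key on a USB drive.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
            -StartupKeyProtector -StartupKeyPath $UsbRoot -UsedSpaceOnly -SkipHardwareTest
    }
    # A recovery password is the only way back in if the PIN or USB key is
    # lost, so add one and store it somewhere other than the encrypted volume.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { "$($_.KeyProtectorId) $($_.RecoveryPassword)" } |
        Set-Content -Path (Join-Path $UsbRoot 'BitLocker-Recovery.txt')
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

function Enable-BitLockerToGo {
    param([string]$MountPoint = 'E:')
    $pw = Read-Host -AsSecureString 'Password for the removable drive'
    # Keep the stick FAT-formatted if XP users will open it with the To Go Reader.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes128 `
        -PasswordProtector -Password $pw -UsedSpaceOnly
    # Add a recovery password for the stick too and show it so it can be filed away.
    (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}
```

Run `Enable-OsVolumeBitLocker` once with the USB drive inserted, and `Enable-BitLockerToGo` for each stick that will carry corporate data; the recovery passwords it writes or prints must be stored away from the drives they unlock.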

BitLocker is also available on Server 2012, although it seems a bit of overkill for a machine already located in a secure environment.  All in all, BitLocker is a fantastic security feature that has been out for years, but may just now be a viable option worth contemplating with Windows 8.  Next month we will conclude our revisiting of Windows 8 by discussing a short laundry list of features that you may not be aware of.

Posted in: The PC User