BitLocker

Applies To: Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This topic for the IT professional provides a high-level overview of BitLocker, and it provides links to additional content that will help you learn more about working with BitLocker Drive Encryption.

Overview

BitLocker helps prevent unauthorized access to data on lost or stolen computers by combining the following major data-protection procedures:

  • Encrypts the entire Windows operating system volume and any associated data volumes

  • Verifies the integrity of early boot components and boot configuration data

The most secure implementation of BitLocker leverages the enhanced security capabilities of a supported Trusted Platform Module (TPM). The TPM is a hardware component that is installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer running Windows has not been tampered with while the system was offline.

On computers that do not have a supported TPM, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation. Additionally, this implementation does not provide the prestartup system integrity verification that is offered by BitLocker when it is working with a TPM.

BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device (such as a flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.

If you enable BitLocker on a computer that has TPM version 1.2 or 2.0, you can use additional forms of authentication with the TPM protection. BitLocker offers the option to lock the normal boot process until the user supplies a password (a personal identification number (PIN), a passphrase, or a full password) or inserts a USB device (such as a flash drive) that contains a BitLocker startup key. Both the password and the USB device can also be required together. These additional security measures provide multifactor authentication and help ensure that the computer will not start or resume from hibernation until the correct authentication method is presented.
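The protector combinations described above (TPM only, TPM + PIN, TPM + startup key, startup key without a TPM) are visible as key protector types on each volume. The script below is an added example, not part of the TechNet article or any Microsoft sample: it audits which protectors every volume carries and optionally moves the operating system drive to TPM + PIN. It assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Windows Server 2012 and later) and an elevated session; the function names Get-BitLockerAudit and Enable-OsDriveTpmPin are the example's own.

```powershell
# Added example (not from the TechNet article): audit BitLocker key protectors
# per volume, then optionally switch the OS drive to TPM + PIN.
# Assumes the BitLocker and TrustedPlatformModule modules (Windows 8 /
# Windows Server 2012 and later) and an elevated session.

# KeyProtectorType values as reported by Get-BitLockerVolume, mapped to the
# authentication factors the overview describes.
$factorMap = @{
    'Tpm'              = 'TPM only (boot integrity check, no user factor)'
    'TpmPin'           = 'TPM + PIN'
    'TpmStartupKey'    = 'TPM + USB startup key'
    'TpmPinStartupKey' = 'TPM + PIN + USB startup key'
    'ExternalKey'      = 'USB startup key without TPM (no integrity check)'
    'Password'         = 'Password'
    'RecoveryPassword' = '48-digit recovery password'
    'RecoveryKey'      = 'Recovery key file'
}

# Protector types that add a user-held factor at startup beyond the TPM alone.
$prebootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey', 'Password'

function Get-BitLockerAudit {
    # One object per volume: encryption state, protection state, protector
    # types, and whether a recovery protector exists (needed if TPM measurements change).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            TpmReady         = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
            Protectors       = ($types | ForEach-Object {
                                   if ($factorMap.ContainsKey($_)) { $factorMap[$_] } else { $_ }
                               }) -join '; '
            PrebootFactor    = [bool]($types | Where-Object { $_ -in $prebootTypes })
            HasRecovery      = [bool]($types | Where-Object { $_ -in 'RecoveryPassword', 'RecoveryKey' })
        }
    }
}

function Enable-OsDriveTpmPin {
    # Move the OS volume to TPM + PIN. The Group Policy setting "Require additional
    # authentication at startup" must allow a TPM PIN, or the cmdlets reject it.
    param(
        [Parameter(Mandatory = $true)][securestring]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Not yet encrypted: Enable-BitLocker adds the protector, runs the hardware
        # test on the next restart, and then starts encrypting used space.
        Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly | Out-Null
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    } else {
        # Already encrypted (for example TPM only). Keep a recovery password first so a
        # firmware update or TPM change cannot lock the drive for good, drop the TPM-only
        # protector (a volume holds one TPM-based protector), then add TPM + PIN.
        if ($vol.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        }
        $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' } | ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    }
    Get-BitLockerAudit | Where-Object { $_.MountPoint -eq $MountPoint }
}

# Usage (the first line is read-only; the second changes the machine):
#   Get-BitLockerAudit | Format-Table -AutoSize
#   Enable-OsDriveTpmPin -Pin (Read-Host -Prompt 'Startup PIN' -AsSecureString)
```

Run the audit first and look at the PrebootFactor and HasRecovery columns: a volume with only a Tpm protector gets the offline integrity check the overview describes but no user-held factor, and a volume with no recovery protector has nothing to fall back on if the TPM measurements change. Escrow the recovery password (for example in Active Directory) before removing the TPM-only protector.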

In Windows Vista, BitLocker could only encrypt operating system drives. Capabilities introduced in Windows Vista SP1 and Windows Server 2008 added support for encrypting fixed data drives. With support introduced in Windows Server 2012 and Windows 8, BitLocker can encrypt operating system drives, fixed data drives, and removable data drives.

Resources

Content about BitLocker is located in various Microsoft TechNet libraries. The following table lists important BitLocker resources and their locations.

Resource: BitLocker Frequently Asked Questions (FAQ)
Description: Questions and answers that explain requirements, upgrading systems, deployment, key management, and administration.
Library location: Windows Server 2012 R2 and Windows Server 2012

Resource: BitLocker Overview
Description: Under this navigation page are resources to help you understand the impact of new features, explain how to deploy BitLocker (including on servers), plus topics about issues such as recovery and network unlock.
Library location: Windows Server 2012 R2 and Windows Server 2012

Resource: Prepare your organization for BitLocker: Planning and Policies
Description: Topics within this collection help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems in Windows 8.1 and Windows 8.
Library location: Windows 8.1 and Windows 8

Resource: Protect BitLocker from Pre-Boot Attacks
Description: Helps you understand the circumstances under which the use of preboot authentication is recommended for devices running Windows 8.1, Windows 8, or Windows 7, and when it can be safely omitted from a device's configuration.
Library location: Windows 8.1 and Windows 8

Resource: BitLocker Drive Encryption
Description: Navigation page for resources relevant to Windows Server 2008 R2, Windows Server 2008, Windows 7, and Windows Vista.
Library location: Windows 7

Resource: BitLocker Drive Encryption Technical Overview
Description: Foundational content that provides basic concepts and processes as introduced in Windows Server 2008 and Windows Vista.
Library location: Windows Server 2008

Resource: BitLocker Drive Encryption Step-by-Step Guide for Windows 7
Description: Foundational content that provides the instructions you need to set up Windows BitLocker for Windows 7 in a test lab environment.
Library location: Windows 7

Resource: BitLocker Drive Encryption Design Guide for Windows 7
Description: Describes the various aspects of planning for deploying BitLocker on computers running Windows Server 2008 R2, Windows 7 Enterprise, or Windows 7 Ultimate in an organization.
Library location: Windows 7

Resource: BitLocker Drive Encryption Deployment Guide for Windows 7
Description: Describes the various aspects of deploying BitLocker on computers running Windows 7 Enterprise or Windows 7 Ultimate in an organization. This guide is intended for use by a deployment specialist or deployment team.
Library location: Windows 7

See also