BitLocker Drive Encryption in Windows 7 Frequently Asked Questions Microsoft Learn

BitLocker Drive Encryption is a data protection feature in Windows 7 that encrypts the operating system drive and other fixed/removable drives. It works by encrypting all files and checking boot components/configuration data using the TPM for integrity. BitLocker integrates easily into Windows 7 and can store recovery keys in Active Directory for remote management. It protects data from unauthorized access if devices are lost/stolen by encrypting drives and ensuring proper boot components are present to decrypt.


BitLocker Drive Encryption in Windows 7: Frequently Asked Questions

Article 09/12/2012

Applies To: Windows 7

BitLocker Drive Encryption is a data protection feature available in Windows 7 Enterprise, Windows 7 Ultimate, and in all editions of Windows Server 2008 R2. This topic includes frequently asked questions about BitLocker in Windows 7. For frequently asked questions about BitLocker in Windows Vista, see Windows BitLocker Drive Encryption Frequently Asked Questions.

Overview and requirements

• What is BitLocker? How does it work?
• Does BitLocker support multifactor authentication?
• What are the BitLocker hardware and software requirements?
• Why are two partitions required? Why does the system drive have to be so large?
• Which Trusted Platform Modules (TPMs) does BitLocker support?
• How can I tell whether my computer has a TPM version 1.2?
• Can I use BitLocker on an operating system drive without a TPM version 1.2?
• How do I obtain BIOS support for the TPM on my computer?
• What credentials are required to use BitLocker?

Upgrading

• What versions of Windows 7 include BitLocker? Can I use BitLocker on a Windows XP–based computer?
• Can I upgrade my Windows XP–based computer to Windows 7 with the necessary disk configuration for BitLocker?
• Can I upgrade my Windows Vista–based computer to Windows 7 with BitLocker enabled?
• What is the difference between disabling, suspending, and decrypting when I turn off BitLocker?
• Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?

Deployment and administration

• Can BitLocker deployment be automated in an enterprise environment?
• Can BitLocker encrypt more than just the operating system drive?
• Is there a noticeable performance impact when BitLocker is enabled on a Windows 7–based computer?
• Approximately how long will initial encryption take when BitLocker is turned on?
• What happens if the computer is turned off during encryption or decryption?
• Why does it appear that most of the free space in my drive is used when BitLocker is converting the drive?
• Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
• How can I prevent users on a network from storing data on an unencrypted drive?
• What system changes would cause the integrity check on my operating system drive to fail?
• What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
• Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
• Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
• Can I dual boot Windows 7 and Windows Vista with BitLocker-protected operating system drives?
• Why is "Turn BitLocker on" not available when I right-click a drive?
• What type of disk configurations are supported by BitLocker?
• What if my disk configuration is not listed?

Key management

• What is the difference between a TPM owner password, recovery password, recovery key, PIN, enhanced PIN, and startup key?
• How can the recovery password and recovery key be stored?
• Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
• If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
• Can the USB flash drive that is used as the startup key also be used to store the recovery key?
• Can I save the startup key on multiple USB flash drives?
• Can I save multiple (different) startup keys on the same USB flash drive?
• Can I generate multiple (different) startup keys for the same computer?
• Can I generate multiple PIN combinations?
• What encryption keys are used in BitLocker? How do they work together?
• Where are the encryption keys stored?
• Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
• How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
• How can I evaluate a TPM's dictionary attack mitigation mechanism?
• Can PIN length and complexity be managed with Group Policy?
• How are the PIN and TPM used to derive the volume master key?

BitLocker To Go

• What is BitLocker To Go?
• How can I authenticate or unlock my removable data drive?
• Can I use BitLocker To Go with computers running Windows XP or Windows Vista?
• What happens if I try to open a BitLocker-protected, NTFS-formatted removable drive by using a computer running Windows XP or Windows Vista?
• Is there a way to ensure the BitLocker To Go Reader is not installed on FAT-formatted drives?
• Can I save files to my BitLocker-protected removable drive when I am using Windows XP or Windows Vista?
• Can I download a copy of the BitLocker To Go Reader?
• Why am I unable to access my removable drive on computers running Windows XP or Windows Vista when using the BitLocker To Go Reader?

Active Directory Domain Services (AD DS)

Important

For detailed instructions about how to configure AD DS for BitLocker, see Backing Up BitLocker and TPM Recovery Information to AD DS.

• Does BitLocker require a schema extension to store recovery information in AD DS?
• What type of information is stored in AD DS?
• Does BitLocker encrypt recovery information as it is sent to AD DS?
• Is the BitLocker recovery information stored in plaintext in AD DS?
• What if BitLocker is enabled on a computer before the computer has joined the domain?
• Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
• If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
• What happens if the backup initially fails? Will BitLocker retry the backup?

Security

• What form of encryption does BitLocker use? Is it configurable?
• What is the Diffuser?
• What is best practice for using BitLocker on an operating system drive?
• What are the implications of using the sleep or hibernate power management options?
• What are the advantages of a TPM?
• Is Microsoft pursuing any security certification for BitLocker?

Other questions

• Can I use EFS with BitLocker?
• Can I run a kernel debugger with BitLocker?
• How does BitLocker handle memory dumps?
• Can BitLocker support smart cards for pre-boot authentication?
• Can I use a non-Microsoft TPM driver?
• Can I write applications directly to the TPM Base Services?
• How can I determine the manufacturer of my TPM?
• Can other tools that manage or modify the master boot record work with BitLocker?
• Will BitLocker work on computers that use UEFI-based system firmware?
• Why is the system check failing when I am encrypting my operating system drive?
• What can I do if the recovery key on my USB flash drive cannot be read?
• Why am I unable to save my recovery key to my USB flash drive?
• Why am I unable to automatically unlock my drive?
• Can I use BitLocker in Safe Mode?
• Why are some of my Windows Vista scripts not working with Windows 7?
• Where is Manage-bde.wsf?
• How do I "lock" a data drive?
• Can I use BitLocker with the Volume Shadow Copy Service?
• Does BitLocker support virtual hard disks (VHDs)?
• Can I use BitLocker within a virtual machine operating environment?

Overview and requirements

What is BitLocker? How does it work?


BitLocker Drive Encryption is a data protection feature available in Windows 7 Enterprise and
Windows 7 Ultimate for client computers and in Windows Server 2008 R2. BitLocker provides
enhanced protection against data theft or exposure on computers and removable drives that are
lost or stolen, and more secure data deletion when BitLocker-protected computers are
decommissioned as it is much more difficult to recover deleted data from an encrypted drive than
from a non-encrypted drive.

How BitLocker works with operating system drives

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by:

• Encrypting the entire Windows operating system drive on the hard disk. BitLocker encrypts
all user files and system files on the operating system drive, including the swap files and
hibernation files.

• Checking the integrity of early boot components and boot configuration data. On
computers that have a Trusted Platform Module (TPM) version 1.2, BitLocker uses the
enhanced security capabilities of the TPM to help ensure that your data is accessible only if
the computer's boot components appear unaltered and the encrypted disk is located in the
original computer.

BitLocker is integrated into Windows 7 and provides enterprises with enhanced data protection
that is easy to manage and configure. For example, BitLocker can use an existing Active Directory
Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys.

How BitLocker works with fixed and removable data drives

BitLocker can also be used to protect fixed and removable data drives. When used with data drives,
BitLocker encrypts the entire contents of the drive and can be configured by using Group Policy to
require that BitLocker be enabled on a drive before the computer can write data to the drive.
BitLocker can be configured with the following unlock methods for data drives:

• Automatic unlock. Fixed data drives can be set to automatically unlock on a computer where
the operating system drive is encrypted. Removable data drives can be set to automatically
unlock on a computer running Windows 7 after the password or smart card is initially used to
unlock the drive. However, removable data drives must always have either a password or
smart card unlock method in addition to the automatic unlock method.

• Password. When users attempt to open a drive, they are prompted to enter their password
before the drive will be unlocked. This method can be used with the BitLocker To Go Reader
on computers running Windows Vista or Windows XP, to open BitLocker-protected drives as
read-only.

• Smart card. When users attempt to open a drive, they are prompted to insert their smart card
before the drive will be unlocked.

A drive can support multiple unlock methods. For example, a removable data drive can be
configured to be automatically unlocked on your primary work computer but query you for a
password if used with another computer.

Does BitLocker support multifactor authentication?


Yes, BitLocker supports multifactor authentication for operating system drives. If you enable
BitLocker on a computer that has a TPM version 1.2, you can use additional forms of authentication
with the TPM protection. BitLocker offers the option to lock the normal boot process until the user
supplies a personal identification number (PIN) or inserts a USB device (such as a flash drive) that
contains a BitLocker startup key, or both the PIN and the USB device can be required. These
additional security measures provide multifactor authentication and help ensure that the computer
will not start or resume from hibernation until the correct authentication method is presented.

Note

Use of both the USB and PIN along with the TPM must be configured by using the Manage-bde command-line tool. This protection method cannot be specified by using the BitLocker setup wizard.

What are the BitLocker hardware and software requirements?


To use all BitLocker features, your computer must meet the hardware and software requirements
listed in the following table.

BitLocker hardware and software requirements for operating system drives

Hardware configuration: The computer must meet the minimum requirements for Windows 7. For more information about Windows 7 requirements, see the Windows 7 Web site (https://go.microsoft.com/fwlink/?LinkID=155370).

Operating system: Windows 7 Ultimate, Windows 7 Enterprise, or Windows Server 2008 R2.

Note: BitLocker is an optional feature of Windows Server 2008 R2. Use Server Manager to install BitLocker on a computer running Windows Server 2008 R2.

Hardware TPM: TPM version 1.2. A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.

BIOS configuration:
• A Trusted Computing Group (TCG)-compliant BIOS.
• The BIOS must be set to start first from the hard disk, and not the USB or CD drives.
• The BIOS must be able to read from a USB flash drive during startup.

File system: At least two NTFS disk partitions, one for the system drive and one for the operating system drive. The system drive partition must be at least 100 megabytes (MB) and set as the active partition.
BitLocker hardware and software requirements for data drives

File system: For a fixed or removable data drive to be BitLocker-protected, it must be formatted by using the exFAT, FAT16, FAT32, or NTFS file system.

Note: To use the BitLocker To Go Reader to read data on a removable data drive, the drive must be formatted by using the exFAT, FAT16, or FAT32 file system. If the drive is NTFS formatted, it can only be unlocked on a computer running Windows Server 2008 R2 or Windows 7; previous versions of the Windows operating system will not recognize the drive and will prompt you to format the drive.

Drive size: The drive must be at least 64 MB in size.

Why are two partitions required? Why does the system drive have to be so large?

Two partitions are required to run BitLocker because pre-startup authentication and system
integrity verification must occur on a separate partition from the encrypted operating system drive.
This configuration helps protect the operating system and the information in the encrypted drive.
In Windows Vista, the system drive must be 1.5 gigabytes (GB), but in Windows 7 this requirement
has been reduced to 100 MB for a default installation. The system drive may also be used to store
the Windows Recovery Environment (Windows RE) and other files that may be specific to setup or
upgrade programs. Computer manufacturers and enterprise customers can also store system tools
or other recovery tools on this drive, which will increase the required size of the system drive. For
example, using the system drive to store Windows RE along with the BitLocker startup file will
increase the size of the system drive to 300 MB. The system drive is hidden by default and is not
assigned a drive letter. The system drive is created automatically when Windows 7 is installed.

Which Trusted Platform Modules (TPMs) does BitLocker support?

BitLocker supports TPM version 1.2. BitLocker does not support previous versions of TPMs.
Version 1.2 TPMs provide increased standardization, security enhancement, and improved
functionality over previous versions. In addition, you must use a Microsoft-provided TPM driver. To
check the TPM driver provider, click Start, type devmgmt.msc in the Search programs and files
box, and then press ENTER to open Device Manager. Right-click the TPM, and click Properties.
Click the Driver tab, and verify that the Driver Provider field displays Microsoft.

Important

When using BitLocker with a TPM, it is recommended that BitLocker be turned on immediately
after the computer has been restarted. If the computer has resumed from sleep prior to
turning on BitLocker, the TPM may incorrectly measure the pre-boot components on the
computer. In this situation, when the user subsequently attempts to unlock the computer, the
TPM verification check will fail and the computer will enter BitLocker recovery mode and
prompt the user to provide recovery information before unlocking the drive.

How can I tell whether my computer has a TPM version 1.2?


Click Start, click Control Panel, click System and Security, click BitLocker Drive Encryption, and
then click Turn On BitLocker. If your computer does not have a TPM version 1.2 or the BIOS is not
compatible with the TPM, you will receive the following error message:

A compatible Trusted Platform Module (TPM) Security Device must be present on this computer,
but a TPM was not found. Please contact your system administrator to enable BitLocker.

If you receive this error message on a computer that has a TPM, check if either of the following
situations applies to your computer:

• Some computers have TPMs that do not appear in the Windows 7 TPM Microsoft
Management Console snap-in (tpm.msc) due to a BIOS setting that hides the TPM by default
and does not make the TPM available unless it is first enabled in the BIOS. If your TPM might
be hidden in the BIOS, consult the manufacturer's documentation for instructions to display
or enable the TPM.

• Some computers might have an earlier version of the TPM or an earlier version of the system
BIOS that is not compatible with BitLocker. Contact the computer manufacturer to verify that
the computer has a TPM version 1.2 or to get a BIOS update.
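The same check can be scripted instead of clicked through. The following PowerShell 2.0 function is an added example, not part of the Microsoft FAQ; it reads the Win32_Tpm WMI class and, as an assumption, locates the TPM driver by filtering Win32_PnPSignedDriver on the SecurityDevices device class to read the Driver Provider field the FAQ says must be Microsoft.

```powershell
# Added example (not from the Microsoft FAQ): report whether this computer
# exposes a TPM that BitLocker in Windows 7 can use. Uses the Win32_Tpm WMI
# class in root\CIMV2\Security\MicrosoftTpm. Run from an elevated prompt.
# Assumption: the TPM's driver is found under the SecurityDevices device class.

function Get-TpmReadiness {
    $result = New-Object PSObject -Property @{
        Present = $false; SpecVersion = $null; Enabled = $false
        Activated = $false; Owned = $false; DriverProvider = $null; Verdict = ''
    }

    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        # The FAQ's error case: no TPM, a TPM hidden by a BIOS setting, or a
        # BIOS that does not expose the TPM to Windows.
        $result.Verdict = 'No TPM visible to Windows: check the BIOS TPM setting ' +
                          'or ask the manufacturer about TPM 1.2 / BIOS support.'
        return $result
    }

    $result.Present = $true
    # SpecVersion is a string such as "1.2, 2, 3"; its first field is the TCG
    # specification version, which must be 1.2 for BitLocker in Windows 7.
    $result.SpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
    $result.Enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $result.Activated = [bool]$tpm.IsActivated().IsActivated
    $result.Owned     = [bool]$tpm.IsOwned().IsOwned

    # The FAQ requires the Microsoft-provided TPM driver (Driver Provider = Microsoft).
    $drv = Get-WmiObject -Class Win32_PnPSignedDriver -ErrorAction SilentlyContinue |
           Where-Object { $_.DeviceClass -eq 'SecurityDevices' } | Select-Object -First 1
    if ($drv) { $result.DriverProvider = $drv.DriverProviderName }

    if ($result.SpecVersion -ne '1.2') {
        $result.Verdict = "TPM reports specification $($result.SpecVersion); BitLocker needs 1.2."
    } elseif (-not ($result.Enabled -and $result.Activated)) {
        $result.Verdict = 'TPM 1.2 present but not enabled and activated; turn it on in the BIOS or tpm.msc.'
    } elseif ($result.DriverProvider -and $result.DriverProvider -ne 'Microsoft') {
        $result.Verdict = "TPM driver provider is '$($result.DriverProvider)', not Microsoft."
    } else {
        $result.Verdict = 'TPM 1.2 is usable by BitLocker.'
    }
    return $result
}

Get-TpmReadiness | Format-List Present, SpecVersion, Enabled, Activated, Owned, DriverProvider, Verdict
```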

Can I use BitLocker on an operating system drive without a TPM version 1.2?

Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2, if the BIOS
has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will
not unlock the protected drive until BitLocker's own volume master key is first released by either
the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer.
However, computers without TPMs will not be able to use the system integrity verification that
BitLocker can also provide.

To help determine whether a computer can read from a USB device during the boot process, use
the BitLocker system check as part of the BitLocker setup process. This system check performs tests
to confirm that the computer can properly read from the USB devices at the appropriate time and
that the computer meets other BitLocker requirements.

To enable BitLocker on a computer without a TPM, you must enable the Require additional
authentication at setup Group Policy setting, which is located in Computer
Configuration\Administrative Templates\Windows Components\BitLocker Drive
Encryption\Operating System Drives. You must select the Allow BitLocker without a compatible
TPM check box. After this setting is applied to the local computer, the non-TPM settings appear in
the BitLocker setup wizard.

How do I obtain BIOS support for the TPM on my computer?


Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS.
Ensure that the BIOS meets the following requirements:

1. It is compatible with Windows 7 and has passed the Windows 7 logo tests.

2. It is compliant with the TCG standards for a client computer.

3. It has a secure update mechanism to help prevent a malicious BIOS from being installed on
the computer.

What credentials are required to use BitLocker?


To turn on, turn off, or change configurations of BitLocker on operating system and fixed data
drives, membership in the local Administrators group is required. Standard users can turn on, turn
off, or change configurations of BitLocker on removable data drives. Disable the Control use of
BitLocker on removable drives policy setting (located in Computer Configuration\Administrative
Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives) to restrict
standard users from turning on or turning off BitLocker on removable data drives.

Upgrading

What versions of Windows 7 include BitLocker? Can I use BitLocker on a Windows XP–based computer?

BitLocker is available in Windows 7 Ultimate and Windows 7 Enterprise. However, you can unlock
encrypted removable drives on any version of Windows 7. BitLocker is not available in Windows XP,
but you can use the BitLocker To Go Reader to view content on BitLocker-protected removable
drives from a computer running Windows XP.

Can I upgrade my Windows XP–based computer to Windows 7 with the necessary disk configuration for BitLocker?

Upgrading from Windows XP to Windows 7 is not supported. For information about how to
migrate your files and folders to Windows 7, see Step-by-Step: Windows 7 Upgrade and
Migration (https://go.microsoft.com/fwlink/?LinkId=159582 ). After you install Windows 7
Ultimate or Windows 7 Enterprise, your computer disk configuration supports BitLocker by default.

Can I upgrade my Windows Vista–based computer to Windows 7 with BitLocker enabled?

Yes. To upgrade from Windows Vista to Windows 7 without decrypting the operating system drive,
open the BitLocker Drive Encryption Control Panel item in Windows Vista, click Turn Off BitLocker,
and then click Disable Protection. Disabling protection does not decrypt the drive; it disables
the authentication mechanisms used by BitLocker and uses a clear key on the drive to enable
access. Proceed with the upgrade process by using your Windows 7 DVD. After the upgrade has
completed, open Windows Explorer, right-click the drive, and then click Resume Protection. This
reapplies the BitLocker authentication methods and deletes the clear key.

What is the difference between disabling, suspending, and decrypting when I turn off BitLocker?

Decrypt completely removes BitLocker protection and fully decrypts the drive.

Disable and Suspend refer to the same process. Disable was used in Windows Vista, and Suspend
is used in Windows 7. The term was changed to more accurately describe the process. When
BitLocker is suspended, BitLocker keeps the data encrypted but encrypts the BitLocker volume
master key with a clear key. The clear key is a cryptographic key stored unencrypted and
unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for
changes or upgrades to the computer without the time and cost of decrypting and re-encrypting
the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal
the encryption key to the new values of the measured components that changed as a part of the
upgrade, and the clear key is erased. This option is only available for operating system drives.

Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?

Operating system upgrades from Windows Anytime Upgrade require that the operating system
drive be decrypted prior to installation. If you upgrade from Windows Vista to Windows 7 or install
other non-Microsoft updates, you might need to disable or suspend BitLocker so that a new
measurement of the system can be taken after the upgrade or update has been applied. Software
and operating system updates from Microsoft Update do not require drive decryption or that you
disable or suspend BitLocker.

Note

Disable is the term used in Windows Vista to refer to the process of temporarily suspending
BitLocker protection on a drive without decrypting the drive. In Windows 7, the term has been
changed to Suspend to more accurately reflect the process.

Please refer to the following table to determine whether you must disable or suspend BitLocker or
decrypt your drive before you perform an upgrade or update installation.

Type of update: Action

• Windows Anytime Upgrade: Decrypt
• Upgrade from Windows Vista to Windows 7: Disable
• Non-Microsoft software updates, such as computer manufacturer firmware updates, TPM firmware updates, and non-Microsoft application updates that modify boot components: Suspend

If you disabled or suspended BitLocker, you can resume BitLocker protection after you have
installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key
to the new values of the measured components that changed as a part of the upgrade or update. If
these types of upgrades or updates are applied without decrypting or disabling BitLocker, your
computer will enter recovery mode when restarting and will require a recovery key or password to
access the computer.

Deployment and administration

Can BitLocker deployment be automated in an enterprise environment?

Yes, you can automate the deployment and configuration of BitLocker with scripts that use the
Windows Management Instrumentation (WMI) providers for BitLocker and TPM administration.
How you choose to implement the scripts depends on your environment. You can also use the
BitLocker command-line tool, Manage-bde.exe, to locally or remotely configure BitLocker. For
additional information about writing scripts that use the BitLocker WMI providers, see the MSDN
topic BitLocker Drive Encryption Provider (https://go.microsoft.com/fwlink/?LinkId=80600 ).
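As an added example of scripting against the BitLocker WMI provider named above (this is not Microsoft's code), the following PowerShell 2.0 audit enumerates Win32_EncryptableVolume, resolves each key protector to its type, and flags the state described earlier under "Suspend": a fully encrypted volume whose protection is off, so the volume master key is sealed only by a clear key on the disk. The enumeration tables are the provider's documented values; -ComputerName is Get-WmiObject's own remote WMI support.

```powershell
# Added example (not from the Microsoft FAQ): audit BitLocker state on every
# encryptable volume through the Win32_EncryptableVolume WMI provider in
# root\CIMV2\Security\MicrosoftVolumeEncryption. Run from an elevated prompt;
# pass -ComputerName to audit another machine over WMI.

$ConversionStatus = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
                       3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$ProtectionStatus = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$VolumeType       = @{ 0 = 'OperatingSystem'; 1 = 'FixedData'; 2 = 'RemovableData' }
$EncryptionMethod = @{ 0 = 'None'; 1 = 'AES128+Diffuser'; 2 = 'AES256+Diffuser'; 3 = 'AES128'; 4 = 'AES256' }
$ProtectorType    = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
                       4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'
                       7 = 'PublicKey'; 8 = 'Passphrase' }

function Get-BitLockerVolumeAudit {
    param([string]$ComputerName = '.')

    $volumes = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume

    foreach ($v in $volumes) {
        $conv = $v.GetConversionStatus()     # out params: ConversionStatus, EncryptionPercentage
        $prot = $v.GetProtectionStatus()     # out param: ProtectionStatus
        $convName = $ConversionStatus[[int]$conv.ConversionStatus]
        $protName = $ProtectionStatus[[int]$prot.ProtectionStatus]

        # Resolve every key protector ID to its type (argument 0 = all types).
        $names = @()
        $ids = $v.GetKeyProtectors(0).VolumeKeyProtectorID
        if ($ids) {
            foreach ($id in $ids) {
                $names += $ProtectorType[[int]$v.GetKeyProtectorType($id).KeyProtectorType]
            }
        }

        # A clear key is in use exactly when the data is fully encrypted but
        # protection reports off. Encryption still in progress also reports
        # "Unprotected"; that is normal until conversion completes.
        $finding = 'OK'
        if ($conv.ConversionStatus -eq 0) {
            $finding = 'Not encrypted'
        } elseif ($conv.ConversionStatus -eq 1 -and $prot.ProtectionStatus -eq 0) {
            $finding = 'SUSPENDED: encrypted, but protection is off (clear key on disk)'
        } elseif ($conv.ConversionStatus -eq 1 -and $names -notcontains 'NumericalPassword') {
            $finding = 'Protected, but no recovery password protector exists to back up to AD DS'
        } elseif ($conv.ConversionStatus -ge 2) {
            $finding = "$convName ($($conv.EncryptionPercentage)% converted)"
        }

        New-Object PSObject -Property @{
            Drive            = $v.DriveLetter
            VolumeType       = $VolumeType[[int]$v.VolumeType]
            EncryptionMethod = $EncryptionMethod[[int]$v.GetEncryptionMethod().EncryptionMethod]
            Conversion       = $convName
            Protection       = $protName
            Protectors       = ($names -join ', ')
            Finding          = $finding
        }
    }
}

Get-BitLockerVolumeAudit | Format-Table Drive, VolumeType, EncryptionMethod, Conversion, Protection, Protectors, Finding -AutoSize
```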

Can BitLocker encrypt more than just the operating system drive?

Yes. In Windows 7, BitLocker can encrypt operating system drives, fixed data drives, and removable
data drives.

Is there a noticeable performance impact when BitLocker is enabled on a Windows 7–based computer?

Generally it imposes a single-digit percentage performance overhead.

Approximately how long will initial encryption take when BitLocker is turned on?

BitLocker encryption occurs in the background while you continue to work, and the system remains
usable, but encryption times vary depending on the type of drive that is being encrypted, the size
of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set
encryption to occur during times when you will not be using the drive.

What happens if the computer is turned off during encryption or decryption?

If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption
process will resume where it stopped the next time Windows starts. This is true even if the power is
suddenly unavailable.

Why does it appear that most of the free space in my drive is used when BitLocker is converting the drive?

BitLocker cannot ignore free space when the drive is being encrypted because unallocated disk
space commonly contains data remnants. However, it is not efficient to encrypt free space on a
drive. To solve this problem, BitLocker first creates a large placeholder file that takes most of the
available disk space and then writes cryptographic material to disk sectors that belong to the
placeholder file. During this process, BitLocker leaves 6 GB of available space for short-term system
needs. All other space, including the 6 GB of free space not occupied by the placeholder file, is
encrypted. When encryption of the drive is paused or completed, the placeholder file is deleted
and the amount of available free space reverts to normal. A placeholder file is used only on drives
formatted by using the NTFS or exFAT file system.

If you want to reclaim this free space before encryption of the drive has completed, you can use
the Manage-bde command-line tool to pause encryption. To do this, open an elevated command
prompt and type the following command, replacing driveletter with the letter of the drive you want
to pause encryption on:

manage-bde -pause driveletter:

When you are ready to start encrypting the drive again, type the following command:

manage-bde -resume driveletter:

Does BitLocker encrypt and decrypt the entire drive all at once
when reading and writing data?
No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The
encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from
system read operations. Blocks that are written to the drive are encrypted before the system writes
them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.

How can I prevent users on a network from storing data on an unencrypted drive?

In Windows 7, you can enable Group Policy settings to require that data drives be BitLocker-
protected before a BitLocker-protected computer can write data to them. The policy settings you
use for this are:

• Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Deny write access to fixed drives not protected by BitLocker

• Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker

When these policy settings are enabled, the BitLocker-protected operating system will mount any
data drives that are not protected by BitLocker as read-only.

If you are concerned that your users might inadvertently store data on an unencrypted drive while
using a computer that does not have BitLocker enabled, use access control lists (ACLs) and Group
Policy to configure access control for the drives or hide the drive letter.

For additional information about how to hide drive letters, see article 231289 in the Microsoft
Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=83219 ).

What system changes would cause the integrity check on my operating system drive to fail?

The following types of system changes can cause an integrity check failure and prevent the TPM
from releasing the BitLocker key to decrypt the protected operating system drive:

• Moving the BitLocker-protected drive into a new computer.

• Installing a new motherboard with a new TPM.

• Turning off, disabling, or clearing the TPM.

• Changing any boot configuration settings.

• Changing the BIOS, master boot record, boot sector, boot manager, option ROM, or other
early boot components or boot configuration data.

This functionality is by design; BitLocker treats unauthorized modification of any of the early boot
components as a potential attack and will place the system into recovery mode. Authorized
administrators can update boot components without entering recovery mode by disabling
BitLocker beforehand.

What causes BitLocker to start into recovery mode when attempting to start the operating system drive?

The following list provides examples of specific events that will cause BitLocker to enter recovery
mode when attempting to start the operating system drive:

• Changing any boot configuration data (BCD) boot entry data type settings with the exception
  of the following items:

  DESCRIPTION
  RAMDISKIMAGEOFFSET
  PASSCOUNT
  TESTMIX
  FAILURECOUNT
  TESTTOFAIL

Warning

When installing a language pack, an additional option in the language pack installation wizard
asks if the user wants to apply language settings to All users and system accounts. If this
option is selected, it will change the local computer BCD settings (if the user-only option is
selected, BCD settings are not changed). This change will result in a modification of a BCD
setting to the new locale value. If you are using a TPM with BitLocker, this is interpreted as a
boot attack on reboot and the computer will require that the user enter the recovery password
or recovery key to start the computer.
We recommend that you suspend BitLocker before changing locales or installing a language
pack, just as you would before making any major computer configuration change, such as
updating the BIOS.

• Changing the BIOS boot order to boot another drive in advance of the hard drive.

• Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting
or removing a CD or DVD.

• Failing to boot from a network drive before booting from the hard drive.

• Docking or undocking a portable computer. In some instances (depending on the computer
  manufacturer and the BIOS), the docking condition of the portable computer is part of the
system measurement and must be consistent to validate the system status and unlock
BitLocker. This means that if a portable computer is connected to its docking station when
BitLocker is turned on, then it might also need to be connected to the docking station when it
is unlocked. Conversely, if a portable computer is not connected to its docking station when
BitLocker is turned on, then it might need to be disconnected from the docking station when
it is unlocked.

• Changes to the NTFS partition table on the disk including creating, deleting, or resizing a
primary partition.

• Entering the personal identification number (PIN) incorrectly too many times so that the anti-
hammering logic of the TPM is activated. Anti-hammering logic is software or hardware
methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting
PIN entries until after a certain amount of time has passed.

• Turning off the BIOS support for reading the USB device in the pre-boot environment if you
are using USB-based keys instead of a TPM.

• Turning off, disabling, deactivating, or clearing the TPM.

• Upgrading critical early startup components, such as a BIOS upgrade, causing the BIOS
measurements to change.

• Forgetting the PIN when PIN authentication has been enabled.

• Updating option ROM firmware.

• Upgrading TPM firmware.

• Adding or removing hardware. For example, inserting a new card in the computer, including
  some PCMCIA wireless cards.

• Removing, inserting, or completely depleting the charge on a smart battery on a portable
  computer.

• Changes to the master boot record on the disk.

• Changes to the boot manager on the disk.

• Hiding the TPM from the operating system. Some BIOS settings can be used to prevent the
enumeration of the TPM to the operating system. When implemented, this option can make
the TPM hidden from the operating system. When the TPM is hidden, BIOS secure startup is
disabled, and the TPM does not respond to commands from any software.

• Using a different keyboard that does not correctly enter the PIN or whose keyboard map does
not match the keyboard map assumed by the pre-boot environment. This can prevent the
entry of enhanced PINs.

• Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For
example, including PCR[1] would result in most changes to BIOS settings, causing BitLocker
to enter recovery mode.

Note

Some computers have BIOS settings that skip measurements to certain PCRs, such as PCR[2].
Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the
PCR measurement will be different.

• Moving the BitLocker-protected drive into a new computer.

• Upgrading the motherboard to a new one with a new TPM.

• Losing the USB flash drive containing the startup key when startup key authentication has
been enabled.

• Failing the TPM self test.

• Having a BIOS or an option ROM component that is not compliant with the relevant Trusted
Computing Group standards for a client computer. For example, a non-compliant
implementation may record volatile data (such as time) in the TPM measurements, causing
different measurements on each startup and causing BitLocker to start in recovery mode.

• Changing the usage authorization for the storage root key of the TPM to a non-zero value.

Note

The BitLocker TPM initialization process sets the usage authorization value to zero, so another
user or process must explicitly have changed this value.

• Disabling the code integrity check or enabling test signing on Windows Boot Manager
  (Bootmgr).

• Pressing the F8 or F10 key during the boot process.

• Adding or removing add-in cards (such as video or network cards), or upgrading firmware on
add-in cards.

• Using a BIOS hot key during the boot process to change the boot order to something other
than the hard drive.
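Why each of the changes above ends in recovery mode, as an added example that is not part of this article or of BitLocker itself: a toy model of the TPM 1.2 measurement chain (SHA-1 PCR extend, then a composite digest over a validation profile). The component names, the sample measurements and the small three-PCR profile are constructed for illustration.

```python
"""Toy model of the TPM 1.2 measurement chain behind the recovery triggers listed above.
Added example, not BitLocker or Microsoft code: the component names, sample measurements
and the PCR profile are constructed for illustration."""
import hashlib
from typing import Dict, Iterable, List

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest and starts at all zeros on reset


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA1(PCR_old || SHA1(measurement)). Order of extends matters,
    and a PCR can never be rolled back, only extended further."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_boot(components: Dict[int, List[bytes]]) -> Dict[int, bytes]:
    """Replay one boot: every component is extended into its PCR in boot order."""
    pcrs: Dict[int, bytes] = {}
    for index, items in components.items():
        value = bytes(PCR_SIZE)
        for item in items:
            value = extend(value, item)
        pcrs[index] = value
    return pcrs


def composite(pcrs: Dict[int, bytes], profile: Iterable[int]) -> bytes:
    """Digest over the PCRs chosen by the validation profile. The VMK is sealed to this
    value, and the TPM releases it only when the same value is present at unseal time."""
    h = hashlib.sha1()
    for index in sorted(profile):
        h.update(pcrs.get(index, bytes(PCR_SIZE)))
    return h.digest()


def seal_digest(boot: Dict[int, List[bytes]], profile: Iterable[int]) -> bytes:
    """What gets recorded when BitLocker is turned on (or resumed) on this boot state."""
    return composite(measure_boot(boot), profile)


def would_unseal(sealed_to: bytes, boot: Dict[int, List[bytes]], profile: Iterable[int]) -> bool:
    """True if this boot reproduces the sealed digest; False is a trip into recovery mode."""
    return composite(measure_boot(boot), profile) == sealed_to


# Constructed boot, keyed by PCR index, using the TCG PC client roles
# (0 = BIOS code, 1 = BIOS settings, 2 = option ROMs, 4 = MBR and boot manager).
BASELINE: Dict[int, List[bytes]] = {
    0: [b"BIOS v1.00", b"BIOS boot block"],
    1: [b"BIOS settings: VT-x enabled"],
    2: [b"NIC option ROM 2.1", b"RAID option ROM 5.0"],
    4: [b"MBR sector", b"boot manager"],
}
# Constructed profile: a subset of BitLocker's default BIOS profile (PCRs 0, 2, 4, 5, 8, 9,
# 10, 11), which like the default leaves PCR[1] out.
DEFAULT_PROFILE = (0, 2, 4)
STRICT_PROFILE = (0, 1, 2, 4)  # "including PCR[1]", as discussed in the list above
SEALED_DIGEST = seal_digest(BASELINE, DEFAULT_PROFILE)


def with_change(pcr_index: int, items: List[bytes]) -> Dict[int, List[bytes]]:
    """Copy of BASELINE with one PCR's component list replaced (BIOS flash, new card, ...)."""
    boot = {k: list(v) for k, v in BASELINE.items()}
    boot[pcr_index] = items
    return boot


def volatile_bios_boot(clock: str) -> Dict[int, List[bytes]]:
    """Non-compliant firmware that measures the wall clock (the TCG compliance item above):
    no two boots measure alike, so BitLocker starts in recovery mode every time."""
    return with_change(0, [b"BIOS v1.00", b"BIOS boot block", clock.encode()])


if __name__ == "__main__":
    changed_setting = with_change(1, [b"BIOS settings: VT-x disabled"])
    cases = {
        "unchanged boot": (BASELINE, DEFAULT_PROFILE, SEALED_DIGEST),
        "BIOS upgrade": (with_change(0, [b"BIOS v1.01", b"BIOS boot block"]), DEFAULT_PROFILE, SEALED_DIGEST),
        "option ROM removed": (with_change(2, [b"NIC option ROM 2.1"]), DEFAULT_PROFILE, SEALED_DIGEST),
        "BIOS setting, PCR[1] excluded": (changed_setting, DEFAULT_PROFILE, SEALED_DIGEST),
        "BIOS setting, PCR[1] included": (changed_setting, STRICT_PROFILE, seal_digest(BASELINE, STRICT_PROFILE)),
    }
    for name, (boot, profile, sealed) in cases.items():
        print(f"{name:32} unseals: {would_unseal(sealed, boot, profile)}")
```

Suspending BitLocker before a planned change works because the suspended state re-records the digest on the next boot; the model shows the opposite case, where a digest recorded under one boot state is presented with another.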

Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the
hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the
TPM and operating system drive, so if you want to prepare a backup operating system or data
drive for use in case of disk failure, you need to make sure that they were matched with the correct
TPM. You can also configure different hard drives for different operating systems and then enable
BitLocker on each one with different authentication methods (such as one with TPM-only and one
with TPM+PIN) without any conflicts.

Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
Yes, if the drive is a data drive, you can unlock it from the BitLocker Drive Encryption Control Panel
item just as you would any other data drive by using a password or smart card. If the data drive
was configured for automatic unlock only, you will have to unlock it by using the recovery key. If it
is an operating system drive mounted on another computer running Windows 7, the encrypted
hard disk can be unlocked by a data recovery agent if one was configured or it can be unlocked by
using the recovery key.

Note

Mounting the hard disk on another computer running Windows 7 is a quick and
straightforward way to recover information from a damaged computer that has a BitLocker-
protected drive on the hard disk.

Can I dual boot Windows 7 and Windows Vista with BitLocker-protected operating system drives?
Yes. Use the following procedure to set up a dual-boot computer with BitLocker protection.

Warning

Configuring a computer for dual boot is not recommended if the computer is running Unified
Extensible Firmware Interface (UEFI) firmware.

To set up a dual boot computer with BitLocker protection

1. Install Windows Vista with the desired partition layout (such as a partition for Windows Vista,
a partition for Windows 7, and a data partition). We recommend that you create a 1.5-GB
partition that can be used by the BitLocker Drive Preparation Tool as the system partition or
set a 1.5-GB partition as active following the steps listed in Scenario 1 of the Windows
BitLocker Drive Encryption Step-by-Step Guide for Windows Vista.

2. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.

3. For the drive Windows Vista is installed on, click Turn On BitLocker, and follow the BitLocker
setup process. You may need to run the BitLocker Drive Preparation Tool prior to beginning
BitLocker setup.

4. After encryption has started, follow the same steps to begin the process of encrypting any
data drives that you want to access in both Windows 7 and Windows Vista.

5. After all of the drives you want to encrypt are fully encrypted, click Start, click Control Panel,
click Security, click BitLocker Drive Encryption, and then click Turn Off BitLocker on the drive
Windows Vista is installed on.

6. On the dialog box that appears, click Disable BitLocker.

7. Install Windows 7 on a separate partition.

8. After the installation is complete, click Start, click Control Panel, click System and Security,
and then click BitLocker Drive Encryption.

9. For the drive Windows 7 is installed on, click Turn On BitLocker, and follow the BitLocker
setup process.

10. After encryption is complete, click Start, click Control Panel, click System and Security, and
then click BitLocker Drive Encryption.

11. Click Manage BitLocker for the drive Windows Vista is installed on, and then click
Automatically unlock on this computer. Repeat this step for any additional data drives.

12. Restart the computer. From the boot options menu, choose Windows Vista.

13. Click Start, click Control Panel, click Security, and click BitLocker Drive Encryption.

14. For the drive Windows Vista is installed on, click Turn On BitLocker.

Completing this procedure will permit access to BitLocker-protected drives as follows:

• When running Windows 7, you will have access to any BitLocker-protected fixed data drives
and the drive Windows Vista is installed on.

• When running Windows Vista, you will have access to any BitLocker-protected fixed data
drives but will not be able to access the drive Windows 7 is installed on.

Why is "Turn BitLocker on" not available when I right-click a drive?
Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include
insufficient disk size, an incompatible file system, or the drive being designated as the system
partition. By default, the system drive (or system partition) of a computer running Windows 7 is
hidden from display in the Computer window. However, if a custom installation process did not
create it as a hidden drive when the operating system was installed, that drive might be displayed
but cannot be encrypted.

What type of disk configurations are supported by BitLocker?

In Windows Server 2008 R2, Windows Server 2008, and Windows 7, any number of internal, fixed
data drives can be protected with BitLocker. ATA and SATA-based, direct-attached storage devices
are also supported. The following table details which disk configurations are supported and not
supported by BitLocker.

Drive configuration: Network
  Supported: None
  Not supported: Network file system (NFS); Distributed File System (DFS)

Drive configuration: Optical media
  Supported: None
  Not supported: CD file system (CDFS); Live File System; Universal Disk Format (UDF)

Drive configuration: Software
  Supported: Basic volumes
  Not supported: Software-based RAID systems; bootable and non-bootable virtual hard disks
  (VHDs); dynamic volumes; RAM disks

Drive configuration: File system
  Supported: NTFS; FAT16; FAT32; exFAT
  Not supported: CD file system

Drive configuration: Drive connection
  Supported: USB; FireWire; SATA; SAS; ATA; IDE; SCSI
  Not supported: iSCSI; Fibre Channel; eSATA; Bluetooth

Drive configuration: Device type
  Supported: Solid state drives, such as USB flash drives; hardware-based RAID systems; hard
  disk drives
  Not supported: None

What if my disk configuration is not listed?

If your disk configuration is not listed in the previous question, it is a configuration that has not
been fully tested by Microsoft.

Key management

What is the difference between a TPM owner password, recovery password, recovery key, PIN, enhanced PIN, and startup key?
There are multiple keys that can be generated and used by BitLocker. Some keys are required and
some are optional protectors you can choose to use depending on the level of security you require.

TPM owner password

Prior to enabling BitLocker on a computer with a TPM version 1.2, you must initialize the TPM. The
initialization process generates a TPM owner password, which is a password set on the TPM. You
must be able to supply the TPM owner password to change the state of the TPM, such as when
enabling or disabling the TPM or resetting the TPM lockout.

Recovery password and recovery key

When you set up BitLocker, you must choose how access to BitLocker-protected drives can be
recovered in the event that the specified unlock method cannot be used (such as if the TPM cannot
validate the boot components, the personal identification number (PIN) is forgotten, or the
password is forgotten). In these situations, you must be able to supply either the recovery key or
the recovery password to unlock the encrypted data on the drive. In Windows 7, the term "recovery
key" is used generically to refer to both the recovery key file and the recovery password. When you
supply the recovery information, you can use either of the following formats:

• A recovery password consisting of 48 digits divided into eight groups. During recovery, you
need to type this password into the BitLocker recovery console by using the function keys on
your keyboard.

• A key file on a USB flash drive that is read directly by the BitLocker recovery console. During
recovery, you need to insert this USB device.

PIN and enhanced PIN

For a higher level of security with the TPM, you can configure BitLocker with a personal
identification number (PIN). The PIN is a user-created value that must be entered each time the
computer starts or resumes from hibernation. The PIN can consist of 4 to 20 digits as specified by
the Configure minimum PIN length for startup Group Policy setting and is stored internally as a
256-bit hash of the entered Unicode characters. This value is never displayed to the user. The PIN is
used to provide another factor of authentication in conjunction with TPM authentication.

For an even higher level of security with the TPM, you can configure BitLocker to use enhanced
PINs. Enhanced PINs are PINs that use the full keyboard character set in addition to the numeric set
to allow for more possible PIN combinations and are between 4 and 20 characters in length. To use
enhanced PINs, you must enable the Allow enhanced PINs for startup Group Policy setting before
adding the PIN to the drive. By enabling this policy, all PINs created can utilize full keyboard
characters.

Note

To use enhanced PINs, your computer's BIOS must support using the full keyboard in the pre-
boot environment. Users can run the optional system check during the BitLocker setup
process to ensure the PIN can be entered correctly in the pre-boot environment. You should
verify that the computers in your organization are compatible before making the use of
enhanced PINs an organizational requirement.

When setting a BitLocker PIN by using the BitLocker setup wizard, the Manage-bde command-line
tool, or through Windows Management Instrumentation (WMI) remote administration, you can use
the wide character set. However, system firmware, either BIOS or Unified Extensible Firmware
Interface (UEFI), may only support a standard EN-US keyboard and keymap during system startup.
Additionally, BIOS-based systems are limited to 7-bit ASCII input during PIN entry. Thus, the use of
either non-English characters or keys that differ in position from the EN-US keymap, such as
QWERTZ and AZERTY keyboards, may cause boot-time PIN entry to fail. If your computer is
affected by this limitation, it should be identified during the system check run by the BitLocker
setup wizard. If it is not identified during the system check and the PIN is not able to be entered,
you will need to supply the recovery key to unlock the drive.

We recommend that users set their keyboard layout to EN-US during enhanced PIN entry to avoid
PIN entry failure in the pre-boot environment. If you are unable to enter an enhanced PIN from
your keyboard even after setting the keyboard layout to EN-US, you must use a numeric-only PIN.

The following list identifies characters that are not currently supported by system firmware:

• Roman characters on keyboards with a non-EN-US keymap. For example, "Z" and "Y" on
German keyboards and "Q" and "A" on French keyboards.

• Characters that are not available in 7-bit ASCII. For example, characters with umlauts, grave
accents, and tildes.

• Symbols that are not available in 7-bit ASCII. For example, squared superscript, fractions,
copyright, trademark, and international currency symbols.

Startup key

Configuring a startup key is another method to enable a higher level of security with the TPM. The
startup key is a key stored on a USB flash drive, and the USB flash drive must be inserted every
time the computer starts. The startup key is used to provide another factor of authentication in
conjunction with TPM authentication. To use a USB flash drive as a startup key, the USB flash drive
must be formatted by using the NTFS, FAT, or FAT32 file system.

Important

You must have a startup key to use BitLocker on a non-TPM computer.

How can the recovery password and recovery key be stored?

The recovery password and recovery key for an operating system drive or a fixed data drive can be
saved to a folder, saved to one or more USB devices, or printed.

For removable data drives, the recovery password and recovery key can be saved to a folder or
printed. By default, you cannot store a recovery key for a removable drive on a removable drive.

A domain administrator can additionally configure Group Policy to automatically generate recovery
passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected
drive. For more information about how to store recovery information in AD DS, see Backing Up
BitLocker and TPM Recovery Information to AD DS.

Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication
mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM
authentication only and you want to add PIN authentication, use the following commands from an
elevated command prompt, replacing <4-20 digit numeric PIN> with the numeric PIN you want to
use:

manage-bde -protectors -delete %systemdrive% -type tpm

manage-bde -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>

For more information about using Manage-bde, see the Manage-bde.exe Parameter Reference.

If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required
authentication. When in recovery mode, the user needs the recovery password or recovery key to
unlock the encrypted drive. Therefore, we highly recommend that you store the recovery
information in AD DS or in another safe location.

Can the USB flash drive that is used as the startup key also be used to store the recovery key?
While this is technically possible, it is not a best practice to use one USB flash drive to store both
keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to
your recovery key. In addition, inserting this key would cause your computer to automatically boot
from the recovery key even if TPM-measured files have changed, which circumvents the TPM's
system integrity check.

Can I save the startup key on multiple USB flash drives?

Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-
protected drive and selecting Manage BitLocker will provide you the options to duplicate the
recovery keys as needed.

Can I save multiple (different) startup keys on the same USB flash drive?
Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.

Can I generate multiple (different) startup keys for the same computer?
You can generate different startup keys for the same computer through scripting. However, for
computers that have a TPM, creating different startup keys prevents BitLocker from using the
TPM's system integrity check.

Can I generate multiple PIN combinations?

In Windows 7, it is not possible to generate multiple PIN combinations.

What encryption keys are used in BitLocker? How do they work together?
Raw data is encrypted with the full volume encryption key, which is then encrypted with the
volume master key. The volume master key is in turn encrypted by one of several possible methods
depending on your authentication (that is, key protectors or TPM) and recovery scenarios. For a
complete description of how encryption keys work in BitLocker, see the BitLocker Drive Encryption
Technical Overview.

Where are the encryption keys stored?

The full volume encryption key is encrypted by the volume master key and stored in the encrypted
drive. The volume master key is encrypted by the appropriate key protector and stored in the
encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume
master key is also stored in the encrypted drive, along with the encrypted volume master key.

This storage process ensures that the volume master key is never stored unencrypted and is
protected unless you disable BitLocker. The keys are also saved to two additional locations on the
drive for redundancy. The keys can be read and processed by the boot manager.

For a complete description of how encryption keys work in BitLocker, see the BitLocker Drive
Encryption Technical Overview.

Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment
on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot
environment on all keyboards.

When using an enhanced PIN, users should run the optional system check during the BitLocker
setup process to ensure that the PIN can be entered correctly in the pre-boot environment. For
more information about enhanced PINs see What is the difference between a TPM owner
password, recovery password, recovery key, PIN, enhanced PIN, and startup key?

How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
It is possible that a personal identification number (PIN) can be discovered by an attacker
performing a brute force attack. A brute force attack occurs when an attacker uses an automated
tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected
computers, this type of attack, also known as a dictionary attack, requires that the attacker have
physical access to the computer.

The TPM has the built-in ability to detect and react to these types of attacks. Because different
manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's
manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.

After you have determined your TPM's manufacturer (see How can I determine the manufacturer of
my TPM?), contact the manufacturer to gather the TPM's vendor-specific information. Most
manufacturers use the PIN authentication failure count to exponentially increase lockout time to
the PIN interface. However, each manufacturer has different policies regarding when and how the
failure counter is decreased or reset.

How can I evaluate a TPM's dictionary attack mitigation mechanism?
The following questions can assist you when asking a TPM manufacturer about the design of a
dictionary attack mitigation mechanism:

• How many failed authorization attempts can occur before lockout?

• What is the algorithm for determining the duration of a lockout based on the number of
failed attempts and any other relevant parameters?

• What actions can cause the failure count and lockout duration to be decreased or reset?

Can PIN length and complexity be managed with Group Policy?
Yes. In Windows 7, you can configure the minimum personal identification number (PIN) length by
using the Configure minimum PIN length for startup Group Policy setting and allow the use of
alphanumeric PINs by enabling the Allow enhanced PINs for startup Group Policy setting.
However, you cannot require PIN complexity by Group Policy.

How are the PIN and TPM used to derive the volume master key?
BitLocker hashes the user-specified personal identification number (PIN) by using SHA-256, and
the first 160 bits of the hash are used as authorization data sent to the TPM to seal the volume
master key. The volume master key is now protected by both the TPM and the PIN. To unseal the
volume master key, you are required to enter the PIN each time the computer restarts or resumes
from hibernation.
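The PIN handling described here and in the enhanced-PIN section above, as an added example that is not Microsoft's code: the hash-and-truncate step that turns a PIN into TPM authorization data, and a static pre-check for the pre-boot keyboard limits (7-bit ASCII input, numeric-only unless enhanced PINs are allowed). Assumptions: "Unicode characters" means UTF-16LE, the encoding Windows uses for wide strings, and the minimum length is the policy default of 4.

```python
"""How a BitLocker PIN becomes TPM authorization data, plus a pre-check for the pre-boot
keyboard limits that apply to enhanced PINs.  Added example, not Microsoft code.
Assumptions: "Unicode characters" means UTF-16LE, and the minimum length is 4."""
import hashlib
from typing import List

MIN_PIN_LENGTH = 4   # "Configure minimum PIN length for startup" can raise this
MAX_PIN_LENGTH = 20
AUTHDATA_BYTES = 20  # TPM 1.2 authorization data is 160 bits


def pin_auth_data(pin: str) -> bytes:
    """SHA-256 over the PIN's UTF-16LE bytes, truncated to the first 160 bits.  This value,
    never the PIN itself, is what BitLocker presents to the TPM to seal and unseal the VMK;
    the TPM compares it and applies its own anti-hammering lockout on mismatches."""
    digest = hashlib.sha256(pin.encode("utf-16-le")).digest()
    return digest[:AUTHDATA_BYTES]


def check_pin(pin: str, enhanced: bool = False, min_length: int = MIN_PIN_LENGTH) -> List[str]:
    """Reasons a PIN cannot be set, or could not be typed at boot.  An empty list means it
    passes these static checks; the optional BitLocker system check still has the last word,
    because only it exercises the firmware's real keymap."""
    problems: List[str] = []
    if not min_length <= len(pin) <= MAX_PIN_LENGTH:
        problems.append(f"length {len(pin)} is outside {min_length}-{MAX_PIN_LENGTH}")
    if not enhanced and not all(ch in "0123456789" for ch in pin):
        # Without "Allow enhanced PINs for startup" only the digits 0-9 are accepted.
        problems.append("numeric-only PIN contains non-digit characters")
    for ch in pin:
        if ord(ch) > 0x7F:
            # BIOS pre-boot input is 7-bit ASCII: umlauts, accents, currency signs and
            # superscripts exist on the keyboard but cannot be entered at the prompt.
            problems.append(f"{ch!r} (U+{ord(ch):04X}) is not 7-bit ASCII and cannot be typed pre-boot")
        elif ord(ch) < 0x20:
            problems.append(f"control character U+{ord(ch):04X} is not enterable")
    return problems


def layout_sensitive(pin: str) -> List[str]:
    """Characters the FAQ names as sitting in different positions on QWERTZ (Z/Y) and AZERTY
    (Q/A) keyboards.  They can be typed, but only in their EN-US positions at the prompt, so
    a PIN containing them deserves the system check and a heads-up to the user."""
    moved = set("zyZYqaQA")
    return [ch for ch in pin if ch in moved]


if __name__ == "__main__":
    for candidate, enhanced in (("1234", False), ("abcd", False), ("Pa$s w0rd!", True),
                                ("Gr\u00fcn1234", True), ("Yield17", True)):
        print(f"{candidate!r:14} enhanced={enhanced!s:5} auth={pin_auth_data(candidate).hex()[:16]}...",
              check_pin(candidate, enhanced) or "ok", layout_sensitive(candidate) or "")
```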

BitLocker To Go

What is BitLocker To Go?

BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the
encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by
using the NTFS, FAT16, FAT32, or exFAT file systems.

How can I authenticate or unlock my removable data drive?

In Windows 7, you can unlock removable data drives by using a password or a smart card. After
you've started encryption, the drive can also be automatically unlocked on a specific computer for
a specific user account. System administrators can configure which options are available for users,
as well as password complexity and minimum length requirements.

Can I use BitLocker To Go with computers running Windows XP or Windows Vista?
Yes. By default, if the removable data drive is formatted by using the FAT file system and then
locked with BitLocker To Go on a computer running Windows 7, it can be unlocked on a computer
running Windows XP or Windows Vista. However, the files will be available with read-only access
on those operating systems, and no files can be added to the removable drive from those
computers. When you insert the removable drive into a computer running Windows XP or Windows
Vista, the only readable file on the drive is the BitLocker To Go Reader application, which is
automatically written to the drive when BitLocker protection is turned on for the drive in
Windows 7. By running the BitLocker To Go Reader, you can view the files on the BitLocker-
protected removable drive.

Note

The BitLocker To Go Reader is not supported on removable drives formatted with NTFS.

What happens if I try to open a BitLocker-protected, NTFS-formatted removable drive by using a computer running Windows XP or Windows Vista?
In most cases, Windows XP and Windows Vista will not be able to recognize a BitLocker-protected,
NTFS-formatted removable drive. In many situations, the user will be prompted to format the drive.
Because of this, it is recommended that removable drives be formatted by using the FAT, FAT32, or
exFAT file system when using BitLocker.

Is there a way to ensure the BitLocker To Go Reader is not installed on FAT-formatted drives?
Yes. Group Policy can prevent the application from being installed on the drives. The first option is
to disable the policy settings that allow computers running Windows Vista, Windows XP with
Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) to open BitLocker-protected data
drives. These policy settings are located in the Local Group Policy Editor in Windows 7 or the Group
Policy Management Console in Windows Server 2008 R2 in the following locations:

• Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive
  Encryption\Removable Data Drives\Allow access to BitLocker-protected removable data
  drives from earlier versions of Windows

• Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive
  Encryption\Fixed Data Drives\Allow access to BitLocker-protected fixed data drives from
  earlier versions of Windows

To allow computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2
to open BitLocker-protected data drives but prevent the BitLocker To Go Reader application
from being installed on the drive, enable these policy settings and select the Do not install
BitLocker To Go Reader on FAT formatted removable drives and Do not install BitLocker To
Go Reader on FAT formatted fixed drives check boxes on the respective policy settings.

Note

Before deleting the BitLocker To Go Reader from a drive, BitLocker checks that the
identification field of the drive is either blank or matches the identification field for your
organization.

Can I save files to my BitLocker-protected removable drive when I am using Windows XP or Windows Vista?
No. The BitLocker To Go Reader provides read-only access to BitLocker-protected removable drives.

Can I download a copy of the BitLocker To Go Reader?

Yes. To download the BitLocker To Go Reader, see https://go.microsoft.com/fwlink/?LinkID=151425.

Why am I unable to access my removable drive on computers running Windows XP or Windows Vista when using the BitLocker To Go Reader?
The most common reason for this situation is that the drive is not formatted by using the FAT,
FAT32, or exFAT file systems. To check for this, insert the drive in a computer running Windows 7,
right-click the drive, and then click Properties to see the file format of the drive. Another reason
could be that the system administrator has disabled access to removable drives from previous
versions of Windows by using the BitLocker Group Policy settings. To check for this, attempt to
access the drive from a computer running Windows XP or Windows Vista that is not joined to the
domain.

Important

You should ensure that BitLocker has finished the encryption process on your drive before
attempting to view the drive by using the BitLocker To Go Reader.

Active Directory Domain Services (AD DS)

Important

For detailed instructions about how to configure AD DS for BitLocker, see Backing Up
BitLocker and TPM Recovery Information to AD DS.

Does BitLocker require a schema extension to store recovery information in AD DS?
This depends on the operating system and AD DS implementation.

Windows Server 2003 with Service Pack 1 (SP1)

In Windows Server 2003 with SP1, the schema must be extended to support storing BitLocker and
TPM recovery and password information.

Windows Server 2008 and Windows Server 2008 R2

In Windows Server 2008 and Windows Server 2008 R2, the schema already includes the required
attributes.

What type of information is stored in AD DS?

Three primary pieces of information are stored in AD DS. The following table details this
information.

Stored information: Hash of the TPM owner password
  Description: The password hash can be stored only if the TPM is owned and the ownership was
  taken by using components of Windows 7, such as the BitLocker Setup Wizard or the TPM
  snap-in.

Stored information: BitLocker recovery password
  Description: The recovery password allows you to unlock and access the drive in the event of a
  recovery incident. Domain administrators can view the BitLocker recovery password by using
  the BitLocker Recovery Password Viewer. For more information about this tool, see BitLocker
  Recovery Password Viewer for Active Directory.

Stored information: BitLocker key package
  Description: The key package helps to repair damage to the hard disk that would otherwise
  prevent standard recovery. Using the key package for recovery requires the BitLocker Repair
  Tool, Repair-bde. For more information about this command-line tool, see Repair-bde.exe
  Parameter Reference (https://go.microsoft.com/fwlink/?LinkId=162622).

Does BitLocker encrypt recovery information as it is sent to AD DS?
Yes, the transmission of recovery information from a Windows 7–based client computer to AD DS is
protected by using the Kerberos authentication protocol. Specifically, the connection uses the
authentication flags ADS_SECURE_AUTHENTICATION, ADS_USE_SEALING, and ADS_USE_SIGNING.

For more information about Active Directory authentication flags, see


ADS_AUTHENTICATION_ENUM Enumeration (https://go.microsoft.com/fwlink/?LinkId=79643 ).

Note

After recovery information is transmitted, AD DS does not store the BitLocker and TPM
recovery information in an encrypted format. However, access control permissions are set so
that only domain administrators or appropriate delegates can read the stored information
when the server is online. Enterprises concerned about offline attacks on branch office servers
should consider enabling BitLocker on those servers. We also recommend configuring your
domain controllers to support encryption sealing and that any recovery retrieval application
used in your organization use sealing as well.

For more information about developing applications that exchange encrypted data over a
network, see the following articles on MSDN:

• Binding with Encryption (https://go.microsoft.com/fwlink/?LinkId=151844)

• Using ldap_init (https://go.microsoft.com/fwlink/?LinkId=151845)

For more information about configuring servers to support encryption sealing, see the following
articles:

• Using SASL (https://go.microsoft.com/fwlink/?LinkId=151846)

• Using SSL/TLS (https://go.microsoft.com/fwlink/?LinkId=151847)

• How to enable LDAP signing in Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=151848)

Is the BitLocker recovery information stored in plaintext in AD DS?

Yes, the recovery information is stored unencrypted in AD DS, but the entries have access control
lists (ACLs) that limit access to only domain administrators.

If an attacker gains full access to AD DS, all computers in the domain, including BitLocker-protected
computers, can be compromised. For more information about securing access to AD DS, see
Securing Active Directory Administrative Groups and Accounts (https://go.microsoft.com/fwlink/?LinkId=83266).

What if BitLocker is enabled on a computer before the computer has joined the domain?

If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the
recovery information will not be automatically backed up to AD DS when the computer joins the
domain or when Group Policy is subsequently applied. However, in Windows 7 you can use the
Choose how BitLocker-protected operating system drives can be recovered, Choose how
BitLocker-protected fixed drives can be recovered and Choose how BitLocker-protected
removable drives can be recovered Group Policy settings to require that the computer be
connected to a domain before BitLocker can be enabled to help ensure that recovery information
for BitLocker-protected drives in your organization is backed up to AD DS.

The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to
write a script to back up or synchronize an online client's existing recovery information; however,
BitLocker does not automatically manage this process. The Manage-bde command-line tool can
also be used to manually back up recovery information to AD DS. For example, to back up all of
the recovery information for the C: drive to AD DS, you would use the following command from an
elevated command prompt: manage-bde -protectors -adbackup C:.
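The WMI route described above, as an added example that is not part of the Microsoft FAQ: a PowerShell script (run from an elevated prompt on a domain-joined Windows 7 client) that enumerates each BitLocker volume through the Win32_EncryptableVolume class, finds its recovery password (numerical password) protectors, and asks BitLocker to back each one up to AD DS. The only thing the script assumes is that the client can reach a domain controller; everything else is the documented WMI interface.

```powershell
# Added example (not from the Microsoft FAQ): back up every recovery password
# key protector on each BitLocker volume to AD DS through Win32_EncryptableVolume.
# Run from an elevated PowerShell prompt on a domain-joined Windows 7 client.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    # Key protector type 3 = numerical password (the 48-digit recovery password).
    # This is the protector type whose information AD DS backup stores.
    $kp = $vol.GetKeyProtectors(3)
    if ($kp.ReturnValue -ne 0 -or -not $kp.VolumeKeyProtectorID) {
        Write-Output ("{0}: no recovery password protector found, skipping" -f $vol.DriveLetter)
        continue
    }

    foreach ($id in @($kp.VolumeKeyProtectorID)) {
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        if ($r.ReturnValue -eq 0) {
            Write-Output ("{0}: backed up protector {1} to AD DS" -f $vol.DriveLetter, $id)
        } else {
            # A non-zero return is an HRESULT. Typical causes: computer not domain joined,
            # no domain controller reachable, or policy does not permit the backup.
            # BitLocker does not retry on its own, so schedule this script to run again.
            Write-Output ("{0}: backup of protector {1} failed, HRESULT 0x{2:X8}" -f `
                $vol.DriveLetter, $id, $r.ReturnValue)
        }
    }
}
```

Because BitLocker never retries a failed backup by itself, a script like this is what you run (for example, as a scheduled task or logon script) after connectivity to a domain controller is restored.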

Important

Joining a computer to the domain should be the first step for new computers within an
organization. After computers are joined to a domain, storing the BitLocker recovery key to
AD DS is automatic (when enabled in Group Policy).

Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?

Yes, an event log entry that indicates the success or failure of an Active Directory backup is
recorded on the client computer. However, even if an event log entry says "Success," the
information could have been subsequently removed from AD DS, or BitLocker could have been
reconfigured in such a way that the Active Directory information can no longer unlock the drive
(such as by removing the recovery password key protector). In addition, it is also possible that the
log entry could be spoofed.

Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with
domain administrator credentials by using the BitLocker password viewer tool.

If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?

No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you
might see multiple passwords for each drive. To identify the latest password, check the date on the
object.
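The two points above (an event log "Success" is not proof of a backup, and old recovery objects are never deleted) lead to the same verification task. The following PowerShell script is an added example, not part of the Microsoft FAQ: it reads the recovery password protector IDs on a client through WMI, lists the msFVE-RecoveryInformation objects stored under that computer's AD DS account, reports any protector that has no matching object, and shows the newest object for each volume by its whenCreated time. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on the machine running it, that the caller has read access to the recovery objects (domain administrator or a delegate), and that the target client is reachable for remote WMI; the $ComputerName parameter is the script's own.

```powershell
# Added example (not from the Microsoft FAQ): compare a client's local recovery password
# protectors with the msFVE-RecoveryInformation objects under its AD DS computer account.
# Requires the ActiveDirectory module (RSAT) and read rights on the recovery objects.
param([string]$ComputerName = $env:COMPUTERNAME)   # assumed parameter

Import-Module ActiveDirectory

# Recovery objects are children of the computer object, one per recovery password.
$computer  = Get-ADComputer -Identity $ComputerName
$adEntries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
    -Properties 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

# msFVE-RecoveryGuid is a 16-byte octet string; convert it to the braced GUID form
# that Win32_EncryptableVolume uses for VolumeKeyProtectorID so the two can be compared.
$adIds = @{}
foreach ($e in $adEntries) {
    $g = New-Object System.Guid (,[byte[]]$e.'msFVE-RecoveryGuid')
    $adIds[$g.ToString('B').ToUpper()] = $e.whenCreated
}

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$volumes = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    $kp = $vol.GetKeyProtectors(3)   # 3 = numerical password (recovery password) protector
    if ($kp.ReturnValue -ne 0) { continue }
    foreach ($id in @($kp.VolumeKeyProtectorID)) {
        if ($adIds.ContainsKey($id.ToUpper())) {
            Write-Output ("{0} protector {1}: in AD DS, created {2}" -f $vol.DriveLetter, $id, $adIds[$id.ToUpper()])
        } else {
            # This, not the client's event log, is the authoritative answer.
            Write-Output ("{0} protector {1}: MISSING from AD DS" -f $vol.DriveLetter, $id)
        }
    }
}

# Old objects are never removed, so report the newest object per volume.
$adEntries | ForEach-Object {
    $vg = New-Object System.Guid (,[byte[]]$_.'msFVE-VolumeGuid')
    New-Object PSObject -Property @{ Volume = $vg.ToString('B'); Created = $_.whenCreated; Name = $_.Name }
} | Group-Object Volume | ForEach-Object {
    $newest = $_.Group | Sort-Object Created -Descending | Select-Object -First 1
    Write-Output ("Volume {0}: newest recovery object is {1}" -f $_.Name, $newest.Name)
}
```

A protector reported as MISSING means the drive cannot be recovered from AD DS even though the client may have logged a successful backup; rerun the backup for that volume (for example with manage-bde -protectors -adbackup) and check again.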

What happens if the backup initially fails? Will BitLocker retry the backup?

If the backup initially fails, such as when a domain controller is unreachable at the time when the
BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to
AD DS.

When an administrator selects the Require BitLocker backup to AD DS check box of the Store
BitLocker recovery information in Active Directory Domain Service (Windows 2008 and
Windows Vista) policy setting, or the equivalent Do not enable BitLocker until recovery
information is stored in AD DS for (operating system | fixed data | removable data) drives check
box in any of the Choose how BitLocker-protected operating system drives can be recovered,
Choose how BitLocker-protected fixed data drives can be recovered, Choose how BitLocker-
protected removable data drives can be recovered policy settings, this prevents users from
enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker
recovery information to AD DS succeeds. With these settings configured, if the backup fails,
BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-
protected drives in the organization.

When an administrator clears these check boxes, the administrator is allowing a drive to be
BitLocker-protected without having the recovery information successfully backed up to AD DS;
however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can
create a script for the backup, as described earlier in What if BitLocker is enabled on a computer
before the computer has joined the domain? to capture the information after connectivity is
restored.

Security

What form of encryption does BitLocker use? Is it configurable?

BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable
key lengths of 128 or 256 bits, as well as an optional Diffuser. The default encryption setting is
AES-128 with Diffuser, but the options are configurable by using Group Policy. For additional
information about the BitLocker encryption method, see AES-CBC + Elephant diffuser in the
Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=80598).

What is the Diffuser?

The Diffuser is an algorithm that is designed to mitigate a possible class of attacks that involve
changing encrypted information to introduce a security vulnerability into the system. With the
Diffuser, small changes to the encrypted cipher text of a sector affect the entire sector when the
data is decrypted. This behavior makes targeted attacks much more difficult to perform. For
additional information about the BitLocker encryption method, see AES-CBC + Elephant diffuser
in the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=80598).

What is best practice for using BitLocker on an operating system drive?

The recommended practice for BitLocker configuration on an operating system drive is to
implement BitLocker on a computer with a TPM version 1.2 and a Trusted Computing Group (TCG)-
compliant BIOS implementation, plus a PIN. By requiring a PIN that was set by the user in addition
to the TPM validation, a malicious user that has physical access to the computer cannot simply
start the computer.
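Both the encryption-method question above and this best-practice answer are things an administrator can audit rather than take on trust. The following PowerShell script is an added example, not part of the Microsoft FAQ: run elevated on a Windows 7 client, it reports each BitLocker volume's encryption method (AES-128 or AES-256, with or without Diffuser) and the key protector types present, and it warns when the operating system drive has no protector that adds a PIN to TPM validation. The numeric codes are the ones returned by Win32_EncryptableVolume's GetEncryptionMethod and GetKeyProtectorType methods; the baseline it checks against (TPM+PIN on the OS drive) is the recommendation from the answer above.

```powershell
# Added example (not from the Microsoft FAQ): audit BitLocker encryption method and
# key protector types per volume, and flag an OS drive that relies on the TPM alone.
# Run from an elevated PowerShell prompt on the client.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Codes returned by Win32_EncryptableVolume.GetEncryptionMethod on Windows 7.
$methodNames = @{ 0 = 'None'; 1 = 'AES-128 with Diffuser'; 2 = 'AES-256 with Diffuser'
                  3 = 'AES-128'; 4 = 'AES-256' }
# Codes returned by Win32_EncryptableVolume.GetKeyProtectorType.
$protectorNames = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'
                     4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key'
                     7 = 'Public key'; 8 = 'Passphrase' }

$osDrive = $env:SystemDrive   # "C:" on a default installation

foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
    # WMI returns uint32; cast to int so the hashtable lookup matches the int keys above.
    $m = $vol.GetEncryptionMethod()
    $methodName = $methodNames[[int]$m.EncryptionMethod]
    if (-not $methodName) { $methodName = "code $($m.EncryptionMethod)" }

    $types = @()
    $kp = $vol.GetKeyProtectors(0)    # 0 = every protector type
    if ($kp.ReturnValue -eq 0 -and $kp.VolumeKeyProtectorID) {
        foreach ($id in @($kp.VolumeKeyProtectorID)) {
            $t = $vol.GetKeyProtectorType($id)
            $name = $protectorNames[[int]$t.KeyProtectorType]
            if (-not $name) { $name = "type $($t.KeyProtectorType)" }
            $types += $name
        }
    }

    Write-Output ("{0}  method: {1}  protectors: {2}" -f $vol.DriveLetter, $methodName, ($types -join ', '))

    if ($vol.DriveLetter -eq $osDrive) {
        # Types 4 and 6 require a user-entered PIN in addition to TPM validation.
        $hasPin = ($types -contains 'TPM+PIN') -or ($types -contains 'TPM+PIN+startup key')
        if (-not $hasPin) {
            Write-Output ("  WARNING: OS drive {0} has no TPM+PIN protector; physical access alone can start it" -f $osDrive)
        }
    }
}
```

Where the method reported is weaker than your organization's baseline, change it through the Group Policy setting mentioned above before encrypting new drives; the setting applies to drives encrypted after it takes effect, so already encrypted drives show the method they were encrypted with.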

What are the implications of using the sleep or hibernate power management options?

BitLocker on operating system drives in its basic configuration (with a TPM but without advanced
authentication) provides additional security for the hibernate mode. However, BitLocker provides
greater security when it is configured to use an advanced authentication mode (TPM+PIN,
TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because
returning from hibernation requires BitLocker authentication. As a best practice, we recommend
that sleep mode be disabled and that you use TPM+PIN for the authentication method.

What are the advantages of a TPM?

Most operating systems use a shared memory space and rely on the operating system to manage
physical memory. A TPM is a hardware component that uses its own internal firmware and logic
circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking
the TPM requires physical access to the computer. Additionally, the tools and skills necessary to
attack hardware are often more expensive, and usually are not as available as the ones used to
attack software. And because each TPM is unique to the computer that contains it, attacking
multiple TPM computers would be difficult and time-consuming.

Note

Configuring BitLocker with an additional factor of authentication provides even more
protection against TPM hardware attacks.

Is Microsoft pursuing any security certification for BitLocker?

All of the versions of BitLocker that have been included with the operating system have obtained
the Federal Information Processing Standard (FIPS) 140-2 certification, and have been Common
Criteria certified EAL4+.

Other questions

Can I use EFS with BitLocker?

Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive.
BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can
provide additional user-based file level encryption for security separation between multiple users
of the same computer. You can also use EFS in Windows 7 to encrypt files on other drives that are
not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system
drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS
on other drives is also indirectly protected by BitLocker.

Can I run a kernel debugger with BitLocker?

Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the
debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing
the computer to start properly. If you need to turn debugging on or off when using BitLocker, be
sure to suspend BitLocker first to avoid putting your computer into recovery mode.

How does BitLocker handle memory dumps?

Windows 7 has a modified storage driver stack to ensure that memory dumps are encrypted when
BitLocker is enabled.

Can BitLocker support smart cards for pre-boot authentication?

BitLocker does not support smart cards for pre-boot authentication. There is no single industry
standard for smart card support in the BIOS, and most computers either do not implement BIOS
support for smart cards, or only support specific smart cards and readers. This lack of
standardization makes supporting them very difficult.

Can I use a non-Microsoft TPM driver?

Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using
them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause
BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used
with BitLocker.

Can I write applications directly to the TPM Base Services?

The TPM Base Services (TBS) supplies a very low-level application programming interface (API) that
provides an interface for intermediate software, such as Trusted Computing Group Software Stack
(TSS) implementations designed to communicate directly with a TPM. Software vendors that want
to use TPM functionality within their applications should use a TSS or other application-level API
and not use the TPM Base Services directly. Some TSS vendors have versions of their software layer
that have been written to use the TBS.

How can I determine the manufacturer of my TPM?

To determine your TPM manufacturer, use the following procedure.

To determine the TPM manufacturer

1. Click Start, type tpm.msc in the Search programs and files box, and press ENTER.

2. The TPM manufacturer is listed in the details pane, under TPM Manufacturer Information.

Note

The Manufacturer Name field in the TPM Manufacturer Information listing is information
provided by the TPM and is often an abbreviation (such as ATML for Atmel, BRCM for
Broadcom, or IFX for Infineon).
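The same information is available without the console, which is useful when checking many computers. The following PowerShell script is an added example, not part of the Microsoft FAQ: it reads the Win32_Tpm WMI class, decodes the ManufacturerId value into the four-character vendor code that tpm.msc displays (the code is packed into the 32-bit value most significant byte first and padded with NUL bytes), and reports whether the TPM is enabled, activated and owned, the three states BitLocker's TPM-based configurations depend on. It assumes the script is run elevated on the client with the Microsoft TPM driver loaded.

```powershell
# Added example (not from the Microsoft FAQ): read TPM manufacturer and state
# through the Win32_Tpm WMI class. Run from an elevated PowerShell prompt.

$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    # Matches the symptoms described above: no TPM, TPM disabled in the BIOS,
    # or a non-Microsoft TPM driver that Windows does not recognise.
    Write-Output 'No TPM reported by Windows.'
    return
}

# ManufacturerId holds the vendor code as big-endian ASCII, e.g. 0x49465800 = "IFX".
$bytes = [BitConverter]::GetBytes([uint32]$tpm.ManufacturerId)   # little-endian on x86/x64
[Array]::Reverse($bytes)                                          # most significant byte first
$vendorCode = ([System.Text.Encoding]::ASCII.GetString($bytes)).Trim([char]0)

# Each state method returns an object carrying a boolean property of the same name.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned

Write-Output ("Manufacturer code       : {0} (ManufacturerId 0x{1:X8})" -f $vendorCode, $tpm.ManufacturerId)
Write-Output ("Manufacturer version    : {0}" -f $tpm.ManufacturerVersion)
Write-Output ("TPM specification       : {0}" -f $tpm.SpecVersion)
Write-Output ("Enabled/Activated/Owned : {0}/{1}/{2}" -f $enabled, $activated, $owned)

# BitLocker's TPM-based protectors need all three states to be true.
if (-not ($enabled -and $activated -and $owned)) {
    Write-Output 'TPM is not ready for BitLocker; initialize it with tpm.msc or the BitLocker Setup Wizard.'
}
```

The decoded code is the same abbreviation the Manufacturer Name field shows in tpm.msc, so the output can be matched against the examples in the note above.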

Can other tools that manage or modify the master boot record work with BitLocker?

We do not recommend modifying the master boot record on computers whose operating system
drives are BitLocker-protected for a number of security, reliability, and product support reasons.
Changes to the master boot record (MBR) could change the security environment and prevent the
computer from starting normally, as well as complicate any efforts to recover from a corrupted
MBR. Changes made to the MBR by anything other than Windows 7 might force the computer into
recovery mode or prevent it from booting entirely.

Will BitLocker work on computers that use UEFI-based system firmware?

Yes. Starting with Windows Vista with SP1, BitLocker can be used with computers that use Unified
Extensible Firmware Interface (UEFI)-based system firmware.

Why is the system check failing when I am encrypting my operating system drive?

The system check is designed to ensure your computer's BIOS is compatible with BitLocker and
that the TPM is working correctly. The system check can fail for several reasons:

• The computer's BIOS cannot read USB flash drives.

• The computer's BIOS or boot menu does not have reading USB flash drives enabled.

• There are multiple USB flash drives inserted into the computer.

• The PIN was not entered correctly.

• The computer's BIOS only supports using the function keys (F1–F10) to enter numerals in the
pre-boot environment.

• The startup key was removed before the computer finished rebooting.

• The TPM has malfunctioned and fails to unseal the keys.

What can I do if the recovery key on my USB flash drive cannot be read?

Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS
and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the
use of USB drives in the BIOS and boot settings and then try to read the recovery key from the USB
flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on
another computer so that there is an operating system to attempt to read the recovery key from
the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply
a recovery password or use the recovery information that was backed up to AD DS. Also, if you are
using the recovery key in the pre-boot environment, ensure that the drive is formatted by using
the NTFS, FAT16, or FAT32 file system.

Why am I unable to save my recovery key to my USB flash drive?

The Save to USB option is not shown by default for removable drives. If the option is unavailable, it
means that a system administrator has disallowed the use of recovery keys.

Why am I unable to automatically unlock my drive?

Automatic unlocking for fixed data drives requires that the operating system drive also be
protected by BitLocker. If you are using a computer that does not have a BitLocker-protected
operating system drive, the drive cannot be automatically unlocked. For removable data drives, you
can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking Manage
BitLocker. You will still be able to use the password or smart card credentials you supplied when
you turned on BitLocker to unlock the removable drive on other computers.

Can I use BitLocker in Safe Mode?

Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be
unlocked and decrypted by using the BitLocker Drive Encryption Control Panel item. Right-clicking
to access BitLocker options from Windows Explorer is not available in Safe Mode.

Why are some of my Windows Vista scripts not working with Windows 7?

In Windows 7, all interfaces of BitLocker consistently enforce Group Policy settings. This means that
if something is disallowed by a policy setting, it will be disallowed in the graphical user interface,
the Manage-bde command-line tool, and the Windows Management Instrumentation (WMI)
provider. Most likely, your scripts are attempting to call a function that is prohibited by your policy
settings.

Where is Manage-bde.wsf?

In Windows 7, Manage-bde is an executable file instead of a script file. Scripts should be updated
to call Manage-bde.exe instead and then tested to make sure that they operate as desired before
being used in a widespread deployment.

How do I "lock" a data drive?

Both fixed and removable data drives can be locked by using the Manage-bde command-line tool
and the -lock command.

Note

Ensure all data is saved to the drive before locking it. Once locked, the drive will become
inaccessible.

The syntax of this command is:

manage-bde <driveletter> -lock

Outside of using this command, data drives will be locked on shutdown and restart of the
operating system. A removable data drive will also be locked automatically when the drive is
removed from the computer.

Can I use BitLocker with the Volume Shadow Copy Service?

Yes. However, shadow copies made prior to enabling BitLocker should not be used because they
can cause the drive to be inaccessible. Only shadow copies made after BitLocker has been enabled
should be used.

Does BitLocker support virtual hard disks (VHDs)?

BitLocker does not support the encryption of VHDs, but does permit storage of VHDs on a
BitLocker-protected drive.

Can I use BitLocker within a virtual machine operating environment?

BitLocker is not supported for use within a virtual machine. Do not run BitLocker Drive Encryption
within a virtual machine. You can use BitLocker in the virtual machine management operating
system to protect volumes that contain configuration files, virtual hard disks, and snapshots.
