An Overview of BitLocker Technology Applications

May 11


An Overview of Uses for BitLocker Technology


Windows has a security feature called BitLocker that provides volume encryption to protect data from theft or exposure on lost, stolen, or incorrectly retired devices. Below, you'll find the main applications of BitLocker encryption, how to enable and disable it, and how BitLocker technology works. The purpose of BitLocker is to protect hard drives and computers from hackers and other individuals who might attempt to access your data. A few of the principal advantages are:

  • Your entire drive is encrypted and bound to the TPM module, which offers it a high level of safety.

  • BitLocker can automatically save recovery keys to Active Directory.


Principal Applications of BitLocker Technology: It's a Useful Tool 


Software attack tools, or moving the hard drive to another device, can be used to gain unauthorized access to data on a lost or stolen device. BitLocker technology helps lower the risk of unauthorized data access by enhancing file and system protection, and it renders data inaccessible when BitLocker-protected devices are recycled or retired.


BitLocker with a TPM


  • BitLocker technology offers the maximum level of security when paired with a Trusted Platform Module (TPM), a widely used piece of hardware installed on Windows PCs. The TPM works with BitLocker to ensure a device hasn't been tampered with while the system is offline.   

 

  • BitLocker can lock the normal startup process until the user supplies a PIN or inserts a removable device containing a startup key. These protectors ensure that the device cannot start or resume from hibernation unless the correct PIN or startup key is provided, and they also add multi-factor authentication.


  • On computers lacking a TPM, BitLocker can still be used to encrypt the operating system drive. In this case, the user needs to do one of the following:

    • Use a startup key, a file stored on a removable drive, to start the device or resume it from hibernation.

    • Set and use a password. Because this option has no password-lockout logic, it is susceptible to brute-force attacks. The password option is therefore disabled and blocked by default.


With either option, the preboot system integrity verification that BitLocker with a TPM provides is not available.
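As an added example (not code from the original article), the following PowerShell function moves the operating system drive from a TPM-only protector to TPM + PIN or TPM + startup key, the multi-factor preboot protectors described above. It assumes an elevated session, the BitLocker PowerShell module that ships with Windows, an existing recovery password protector, and that the "Require additional authentication at startup" policy permits PIN or startup-key protectors; the removable drive letter E: is an assumption.

```powershell
# Added example, not part of the original article.
# Switch the OS drive's preboot protector from TPM-only to TPM+PIN or TPM+startup key.
# Assumptions: elevated session, BitLocker module, policy allows the chosen protector.

function Set-OsDrivePrebootProtector {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TpmAndPin', 'TpmAndStartupKey')]
        [string]$Mode,

        # Removable drive that will hold the .BEK startup key (assumed drive letter)
        [string]$StartupKeyPath = 'E:\'
    )

    $os  = $env:SystemDrive
    $vol = Get-BitLockerVolume -MountPoint $os

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        throw "BitLocker is not enabled on $os; enable it before changing protectors."
    }

    # Never remove the only way back in: insist on a recovery password protector first.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        throw "No recovery password protector on $os. Add one (and back it up) before continuing."
    }

    switch ($Mode) {
        'TpmAndPin' {
            # PIN is read as a SecureString so it never sits in plain text in the session history
            $pin = Read-Host -Prompt 'Enter the new preboot PIN' -AsSecureString
            Add-BitLockerKeyProtector -MountPoint $os -TpmAndPinProtector -Pin $pin | Out-Null
        }
        'TpmAndStartupKey' {
            if (-not (Test-Path $StartupKeyPath)) {
                throw "Removable drive $StartupKeyPath is not available."
            }
            Add-BitLockerKeyProtector -MountPoint $os -TpmAndStartupKeyProtector `
                -StartupKeyPath $StartupKeyPath | Out-Null
        }
    }

    # Only one TPM-based protector can be active; if a TPM-only protector still remains,
    # remove it so that the PIN / startup key is genuinely required at boot.
    $tpmOnly = (Get-BitLockerVolume -MountPoint $os).KeyProtector |
               Where-Object KeyProtectorType -eq 'Tpm'
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # Return the resulting protector list so the change can be verified
    (Get-BitLockerVolume -MountPoint $os).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# Usage (assumed): Set-OsDrivePrebootProtector -Mode TpmAndPin
```

The function refuses to proceed without a recovery password protector, because removing the TPM-only protector on a drive that has no other way to unlock it would lock the user out if the new PIN or startup key is lost.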


[Figure: BitLocker preboot screen prompting for a startup key]

[Figure: BitLocker preboot screen prompting for a PIN]

[Figure: BitLocker preboot screen prompting for a password]


System requirements


The following are BitLocker prerequisites: 


BitLocker technology uses the system integrity check that a TPM offers, which requires TPM 1.2 or later on the device. If the device does not have a TPM, then in order to use BitLocker you must save a startup key on a removable drive.


A device with a TPM must also have UEFI or BIOS firmware that complies with the Trusted Computing Group (TCG) specifications. To enable preboot startup, the BIOS or UEFI firmware must implement the TCG-specified Static Root of Trust for Measurement in order to create a chain of trust. TCG-compliant firmware is not required for a machine without a TPM.


The system BIOS or UEFI firmware must support the USB mass storage device class (for TPM and non-TPM devices) and allow reading files from a USB drive in the preboot environment.


Note


TPM 2.0 is not supported in Legacy or Compatibility Support Module (CSM) BIOS modes. Devices with TPM 2.0 require the BIOS mode to be set to native UEFI only; the Legacy and CSM options must be disabled. For additional security, enable Secure Boot.


An operating system that was installed while the hardware was in Legacy mode will not boot after the BIOS mode is changed to UEFI. Use the mbr2gpt.exe tool to prepare the OS and the disk for UEFI before changing the BIOS mode.


The hard drive must be partitioned into at least two partitions:


  • The boot drive, also referred to as the operating system drive, holds the operating system and its support files. It must be formatted with the NTFS file system.


  • The system drive contains the files required to load, decrypt, and boot the operating system. BitLocker is not enabled on this drive. For BitLocker technology to work, the system drive:

    • must not be encrypted;

    • must be formatted with the FAT32 file system on devices with UEFI-based firmware, or with the NTFS file system on PCs with BIOS firmware;

    • should be approximately 350 MB in size. Once BitLocker is turned on, it takes roughly 250 MB of that space.


Important


When BitLocker is set up on a new device, Windows creates the required partitions.



If the drive was formatted as a single, contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create this volume. For more information on using the tool, see Bdehdcfg in the Command-Line Reference.


Note


Before the optional BitLocker component is installed on a server, the Enhanced Storage feature must be installed. This feature supports hardware-encrypted drives.
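The following PowerShell function is an added example (not from the original article) that checks the prerequisites listed above on the local machine: TPM presence and specification version, native UEFI versus Legacy firmware mode, Secure Boot, the file system of the OS volume, and the size, file system and encryption state of the system partition. It assumes an elevated session and the TrustedPlatformModule, SecureBoot, Storage and BitLocker modules that ship with Windows; the pass/fail thresholds are taken from the requirements text above.

```powershell
# Added example, not part of the original article.
# Reports the TPM, firmware and partition prerequisites for BitLocker on this machine.
# Assumptions: elevated session; built-in Windows modules listed in the lead-in.

function Test-BitLockerPrerequisites {
    $r = [ordered]@{}

    # --- TPM: must be present, ready, and version 1.2 or later ---
    $tpm    = Get-Tpm -ErrorAction SilentlyContinue
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r['TpmPresent']     = [bool]($tpm -and $tpm.TpmPresent)
    $r['TpmReady']       = [bool]($tpm -and $tpm.TpmReady)
    # SpecVersion looks like "2.0, 0, 1.59"; the first field is the TPM spec version
    $specVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { '0' }
    $r['TpmSpecVersion'] = $specVersion
    $r['TpmVersionOk']   = [version]$specVersion -ge [version]'1.2'

    # --- Firmware: TPM 2.0 requires native UEFI; Secure Boot is recommended ---
    $r['FirmwareType'] = $env:firmware_type              # "UEFI" or "Legacy"
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }  # throws on Legacy BIOS
    $r['SecureBoot']  = $secureBoot
    $r['FirmwareOk']  = ($r['FirmwareType'] -eq 'UEFI') -or ([version]$specVersion -lt [version]'2.0')

    # --- OS volume must be NTFS ---
    $osLetter = $env:SystemDrive.TrimEnd(':')
    $osVol = Get-Volume -DriveLetter $osLetter
    $r['OsVolumeFileSystem'] = $osVol.FileSystem
    $r['OsVolumeOk'] = ($osVol.FileSystem -eq 'NTFS')

    # --- System partition: unencrypted, FAT32 (UEFI) or NTFS (BIOS), about 350 MB ---
    $sysPart = Get-Partition | Where-Object IsSystem | Select-Object -First 1
    if ($sysPart) {
        $sysVol   = $sysPart | Get-Volume
        $sizeMB   = [math]::Round($sysPart.Size / 1MB)
        $wantedFs = if ($r['FirmwareType'] -eq 'UEFI') { 'FAT32' } else { 'NTFS' }
        $r['SystemPartitionSizeMB']    = $sizeMB
        $r['SystemPartitionFileSystem'] = $sysVol.FileSystem
        $r['SystemPartitionOk'] = ($sizeMB -ge 350) -and ($sysVol.FileSystem -eq $wantedFs)
        # The system partition must never be a BitLocker volume
        $blv = Get-BitLockerVolume -ErrorAction SilentlyContinue |
               Where-Object { $sysVol.DriveLetter -and $_.MountPoint -eq "$($sysVol.DriveLetter):" }
        $r['SystemPartitionUnencrypted'] = -not ($blv -and $blv.VolumeStatus -ne 'FullyDecrypted')
    } else {
        $r['SystemPartitionOk'] = $false   # no separate system partition; BdeHdCfg.exe is needed
    }

    # --- Legacy-mode disks: mbr2gpt can validate convertibility without changing anything ---
    if ($r['FirmwareType'] -eq 'Legacy') {
        & mbr2gpt.exe /validate /allowFullOS | Out-Null
        $r['Mbr2GptValidateOk'] = ($LASTEXITCODE -eq 0)
    }

    [pscustomobject]$r
}

# Usage (assumed): Test-BitLockerPrerequisites | Format-List
```

Every check that ends in "Ok" is a straight restatement of a requirement from this section, so a False value points at the exact prerequisite to fix; the mbr2gpt validation runs only in Legacy mode and only in read-only validate mode, so the function changes nothing on the disk.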


Windows edition and license requirements


The following table lists the Windows editions that support BitLocker enablement:


Windows editions:

  • Pro: Yes

  • Business: Yes

  • Pro Education/SE: Yes

  • Education: Yes


The following licenses grant BitLocker enablement rights:

  • Pro / Pro Education / SE: Yes

  • Windows Enterprise E3: Yes

  • Windows Enterprise E5: Yes

  • Windows Education A3: Yes

  • Windows Education A5: Yes


To find out more about licensing Windows, see the Windows licensing summary.


Note: Two types of licensing are required: one for BitLocker permissions, and another for BitLocker Recovery management. For further information, see the how-to guide: Install BLR BitLocker Recovery Software.

 

Device encryption


On certain devices, Windows can enable BitLocker encryption automatically through a feature called device encryption. Device encryption is available on all editions of Windows, but the device must meet the HSTI or Modern Standby security requirements, and it must not have DMA ports that are accessible from outside the device.


Important Note: Device encryption does not protect USB or external disks; it only safeguards the OS drive and fixed drives.


Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. Once Windows is installed and the out-of-box setup is complete, the device is ready for first use. To prepare for device encryption, the OS drive and fixed data drives are encrypted with a clear key; this is similar to the standard BitLocker suspended state. In this state, Windows Explorer displays a warning icon next to the drive. The yellow warning icon disappears after the TPM protector is created and the recovery key is backed up.


On devices joined to Microsoft Entra or Active Directory, the clear key is removed once the recovery key has been successfully backed up to Microsoft Entra ID or Active Directory Domain Services (AD DS). The following policy setting must be enabled for the recovery key to be backed up: Decide how to recover BitLocker-protected operating system files.


On devices joined to Microsoft Entra, the recovery password is generated automatically when a user signs in with their Microsoft Entra ID. After that, the recovery key is backed up to Microsoft Entra ID, the TPM protector is created, and the clear key is removed.


On devices joined to AD DS, the recovery password is generated automatically as soon as the device joins the domain. The recovery key is then backed up to AD DS, the TPM protector is created, and the clear key is removed.


If the device isn't joined to Microsoft Entra or an Active Directory domain, a Microsoft account with administrator privileges on the device is required. When an administrator signs in with a Microsoft account, a TPM protector is created, the recovery key is backed up to the administrator's online Microsoft account, and the clear key is removed. If the device later requires the recovery key, the user is directed to use an alternate device and retrieve the key by signing in to a recovery key access URL with their Microsoft account credentials.


If a device uses only local accounts, its data is not protected even though encryption is in place.


Important


Device encryption uses XTS-AES 128-bit encryption by default. If you configure a policy setting to use a different encryption method, you can use the Enrollment Status Page to prevent the device from starting encryption with the default method. BitLocker begins encrypting only at the end of OOBE, that is, once the device configuration phase of the Enrollment Status Page has completed. This gives the device enough time to receive the BitLocker policy settings before encryption starts.


A protected device must be decrypted before a different encryption method or cipher strength can be used; once the device is decrypted, the BitLocker settings can be changed and the new method or strength applied.
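As an added example (not code from the original article), the two PowerShell functions below inspect the state described above on the OS volume (volume and protection status, the cipher in use, whether a TPM protector exists, and whether the drive is still in the clear-key state that shows the warning icon) and back up the recovery password to AD DS or Microsoft Entra ID. They assume an elevated session, the BitLocker PowerShell module, and that the device is joined to the chosen directory with the recovery policy above enabled.

```powershell
# Added example, not part of the original article.
# Inspect the OS volume's BitLocker state and back up its recovery password.
# Assumptions: elevated session, BitLocker module, device joined to AD DS or Microsoft Entra.

function Get-OsVolumeBitLockerState {
    $vol        = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = @($vol.KeyProtector)

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus       # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        ProtectionStatus    = $vol.ProtectionStatus   # On / Off
        EncryptionMethod    = $vol.EncryptionMethod   # XtsAes128 is the device-encryption default
        HasTpmProtector     = [bool]($protectors | Where-Object KeyProtectorType -eq 'Tpm')
        RecoveryPasswordIds = @($protectors |
                                Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                                ForEach-Object KeyProtectorId)
        # Encrypted data with protection Off is the clear-key (suspended) state:
        # the drive is encrypted but anyone can read it, and Explorer shows the warning icon.
        ClearKeyState       = ($vol.VolumeStatus -ne 'FullyDecrypted') -and
                              ($vol.ProtectionStatus -eq 'Off')
    }
}

function Backup-OsVolumeRecoveryPassword {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ADDS', 'EntraID')]
        [string]$Target
    )

    $os  = $env:SystemDrive
    $vol = Get-BitLockerVolume -MountPoint $os
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Create a recovery password protector first if the volume has none
    if ($rp.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($p in $rp) {
        switch ($Target) {
            'ADDS'    { Backup-BitLockerKeyProtector      -MountPoint $os -KeyProtectorId $p.KeyProtectorId }
            'EntraID' { BackupToAAD-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $p.KeyProtectorId }
        }
    }

    # Return the IDs that were escrowed so the result can be cross-checked in the directory
    $rp | Select-Object KeyProtectorType, KeyProtectorId
}

# Usage (assumed):
#   Get-OsVolumeBitLockerState
#   Backup-OsVolumeRecoveryPassword -Target EntraID
```

The ClearKeyState flag is the condition worth alerting on in a fleet: an encrypted volume whose protection is Off offers no confidentiality, and it should clear automatically once the TPM protector is created and the recovery key is escrowed as described above. The backup step escrows only the recovery password protector, never the TPM protector, which cannot be exported.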


If a device does not initially qualify for device encryption but later changes make it eligible (for example, turning on Secure Boot), device encryption is activated as soon as the device is detected as eligible.


You can check whether a device meets the device encryption requirements with the System Information tool (msinfo32.exe). The following requirements must be satisfied before System Information displays a line that reads:


Hardware encryption is not the same as BitLocker. 


On devices that meet the requirements, BitLocker is enabled automatically through device encryption, and the recovery key is then saved to the user's Microsoft account, AD DS, or Microsoft Entra ID.


Device encryption adds a device encryption setting to the Settings app. You can enable or disable device encryption with this setting.


The Settings app does not show device encryption as enabled until encryption has finished.

The on/off control for device encryption in Settings uses BitLocker technology.


Note: Once device encryption has been turned off on a device, it will not turn itself back on again later. It must be turned on manually in Settings.


Disable device encryption


Device encryption should remain enabled on every device that supports it. However, you can disable the default device encryption behavior by changing the registry setting below:



