How to Use BitLocker in Windows 8

Years ago, Bill Gates made a commitment to continually improve the security of Microsoft Windows. Over the years, and even today, Microsoft has stayed true to their founder's promise. A perfect example is BitLocker full disk encryption. Introduced with Windows Vista, BitLocker has become more advanced in each subsequent version of Windows. Windows 8 doesn't disappoint as it brings us the most advanced version of BitLocker yet.

Improvements to BitLocker

Let me mention a few improvements to BitLocker in Windows 8. The first is BitLocker Pre-Provisioning, which allows IT administrators to enable BitLocker for a drive before Windows 8 is even installed on the PC. The importance of this feature is that it drastically reduces the time a user has to wait before getting to work. Previous versions of Windows required a user to wait until the OS was installed, BitLocker was enabled, and the entire drive was encrypted before they could start using the PC. It's now possible for the drive to be encrypted before installation with a randomly generated Clear Protector, as Microsoft calls it, so that after the install the user simply finalizes encryption by setting a proper key protector.

Options for encryption

Next on the list of improvements to mention is the ability to encrypt only used space. This represents a huge change as far as productivity is concerned. Consider this example for a moment:

In Windows 7, if you had a 2TB drive with 1GB used and turned on BitLocker, you'd watch as all 2TB were encrypted. The same scenario in Windows 8 could take only 1/2000 of the time. This gem of a change is the secret behind Pre-Provisioning taking mere seconds in some scenarios.

With Windows 8, non-admin users now have the capability to change the BitLocker encryption PIN on their PC. The significance here is that administrators can now set a common initial PIN on a Windows image and then allow users to change the PIN to something unique. Of course, this is a pro/con scenario. Sure it eases deployment concerns for the IT department, but users are always the weakest link in the security chain. Allowing them to change the BitLocker PIN is sure to result in short, insecure PINs.

The solution here is to consider your environment and requirements. If the risk isn't worth the reward, use the Disallow standard users from changing the PIN or password setting in Group Policy. You'll find it in the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives GPO container.

Fig 1 - Disallow User PIN Change GP

Getting started

Turning on BitLocker in Windows 8 is simple and straightforward. Begin by opening the Charms Bar, clicking the Search Charm, entering BitLocker in the search box, and then clicking Settings. Click BitLocker Drive Encryption in the results list and you'll be whisked to the BitLocker Drive Encryption Control Panel applet.

The BitLocker Drive Encryption Control Panel applet shows the PC's hard drives, including removable storage such as USB keys and the like. Like I said, it's as simple as clicking Turn on BitLocker next to the drive letter you want encrypted. BitLocker will do a quick system check, and if all goes well it will ask how you wish to unlock the drive. If you wish to use a password, select that option; you'll then be asked to enter and confirm the password and click Next.

The next step is critically important. BitLocker needs to know where to back up the Recovery Key. The Recovery Key is the only way to decrypt your drive if the password is misplaced. Without the password or the recovery key, the drive might as well be a Frisbee.

Because of this, I strongly suggest saving the recovery key to your Microsoft Account, a USB drive, or a network share.


Fig 2 - BitLocker Choose Recovery Key Location

It's possible to back up the recovery key to Active Directory if you're working in a domain environment. The recovery information is stored in the computer object, but that is a topic for another article.

Now that the Recovery Key is backed up (you did back it up, right?), select how to encrypt the drive. The choices are used disk space only or the entire drive. I suggest used disk space only, as it's a much faster option and one of the benefits of BitLocker in Windows 8.

Are you ready to encrypt this drive? Click Continue and let BitLocker get to work. You'll be prompted to restart and once the computer comes back up to the Desktop, the drive will start encrypting. There's really no more to it than that!
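As an added example that is not from the article, here is the same getting-started procedure driven from an elevated PowerShell prompt with the BitLocker cmdlets that ship with Windows 8 (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector, Enable-BitLocker, Get-Tpm). The drive letter, the backup path and the choice of AES-128 are assumptions. The script deliberately creates and backs up the recovery key before any encryption starts, which is the step the article stresses.

```powershell
# Added example (not the article's own steps): turn on BitLocker for the OS drive
# from an elevated PowerShell session on Windows 8, mirroring the wizard.
# Assumptions: the BitLocker and TrustedPlatformModule modules are present
# (they ship with Windows 8), and $BackupPath is a USB key or network share you control.
$MountPoint = 'C:'
$BackupPath = 'E:\BitLockerRecovery'   # placeholder: removable drive or network share

# 1. Quick system check, roughly what the wizard does before offering unlock options.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') { throw "BitLocker is already on for $MountPoint" }
$tpm = Get-Tpm

# 2. Add a recovery password protector FIRST and back it up before encryption begins.
$null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1

New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
$file = Join-Path $BackupPath ("BitLocker Recovery Key {0}.txt" -f $recovery.KeyProtectorId.Trim('{}'))
"Identifier: $($recovery.KeyProtectorId)`nRecovery Key: $($recovery.RecoveryPassword)" |
    Set-Content -Path $file
Write-Host "Recovery key written to $file - verify it before continuing."

# Domain-joined PCs can also escrow the same protector in the computer object in AD DS.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId
}

# 3. Choose the unlock method: TPM when one is ready, otherwise a password.
#    The password path needs the "Allow BitLocker without a compatible TPM" policy.
#    -UsedSpaceOnly is the Windows 8 "encrypt used disk space only" option.
if ($tpm.TpmReady) {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes128 -UsedSpaceOnly -TpmProtector
} else {
    $pw = Read-Host -AsSecureString -Prompt 'Unlock password for the drive'
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes128 -UsedSpaceOnly `
        -PasswordProtector -Password $pw
}

# 4. Show the protectors and status; encryption of the OS drive starts after the restart.
Get-BitLockerVolume -MountPoint $MountPoint |
    Format-List MountPoint, VolumeStatus, EncryptionPercentage, KeyProtector
Restart-Computer -Confirm
```

Run it from an Administrator PowerShell window. Restart-Computer -Confirm prompts before rebooting, so you have a chance to check that the recovery key file (and the AD backup, if any) actually exists before the drive goes into its encrypting state.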

What could go wrong?

Before I go letting you believe it's always sunshine and roses, I should mention that you can occasionally run into a roadblock or two. Don't worry; they don't happen often and are usually not too hard to resolve.

One of the most common situations to pop up is an error when you try to turn on BitLocker: "This device can't use a Trusted Platform Module." This typically means you're using an older computer or operating in a virtualized environment. If this happens to you, simply click Cancel, run GPEdit.msc to edit Group Policy, navigate to the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives container, and double-click the Require additional authentication at startup policy.

The next step will probably jump out at you; check the box next to Allow BitLocker without a compatible TPM, then click OK.

Fig 3 - Allow BitLocker without TPM Group Policy Setting

Exit GPEdit.msc and either wait patiently until the next automatic Group Policy update, or be impatient like me and run GPUpdate from a Command Prompt. Either way, once Group Policy updates you can start the BitLocker Drive Encryption wizard without worrying about that pesky error getting in your way again.
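The following PowerShell is added here and is not part of the article. It reads the registry values behind the two Group Policy settings discussed on this page (Disallow standard users from changing the PIN or password, and Require additional authentication at startup with its Allow BitLocker without a compatible TPM checkbox) and, on a machine with no usable TPM, applies the TPM-less workaround without opening GPEdit. Assumptions: the value names are the ones the BitLocker policy template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE, the PC is not under a domain GPO that would overwrite them at the next refresh, and $DisallowPinChange is a placeholder switch you set for your own environment.

```powershell
# Added example (not from the article): audit and, if needed, set the two BitLocker
# policies discussed above directly in the policy registry key that GPEdit writes to.
# Assumption: no domain GPO conflicts with these values (a domain policy wins on refresh).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$DisallowPinChange = $true   # placeholder: $true keeps standard users from changing the PIN

function Get-BitLockerPolicyValue {
    param([string]$Name)
    # $null means the policy is "Not Configured"
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Report the current state of both settings before touching anything.
$report = [ordered]@{
    'Disallow standard users from changing the PIN or password' = Get-BitLockerPolicyValue 'DisallowStandardUserPINReset'
    'Require additional authentication at startup (enabled)'    = Get-BitLockerPolicyValue 'UseAdvancedStartup'
    'Allow BitLocker without a compatible TPM'                   = Get-BitLockerPolicyValue 'EnableBDEWithNoTPM'
}
$report

if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Write-Warning 'Domain-joined PC: make these changes in the domain GPO instead, or they will be overwritten.'
}

New-Item -Path $PolicyKey -Force | Out-Null

# Lock the PIN/password for standard users when the environment calls for it.
if ($DisallowPinChange) {
    Set-ItemProperty -Path $PolicyKey -Name DisallowStandardUserPINReset -Value 1 -Type DWord
}

# The "This device can't use a Trusted Platform Module" fix, only on PCs that need it.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    Write-Warning 'No usable TPM: enabling "Allow BitLocker without a compatible TPM".'
    # Enable the "Require additional authentication at startup" policy ...
    Set-ItemProperty -Path $PolicyKey -Name UseAdvancedStartup -Value 1 -Type DWord
    # ... with the "Allow BitLocker without a compatible TPM" box ticked ...
    Set-ItemProperty -Path $PolicyKey -Name EnableBDEWithNoTPM -Value 1 -Type DWord
    # ... and the four "Configure TPM ..." drop-downs left at their default of Allow (2).
    foreach ($n in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $PolicyKey -Name $n -Value 2 -Type DWord
    }
}

# Re-read the values so the result of the change is visible.
Get-ItemProperty -Path $PolicyKey |
    Select-Object DisallowStandardUserPINReset, UseAdvancedStartup, EnableBDEWithNoTPM
```

Writing the values directly takes effect immediately for the BitLocker wizard, so no GPUpdate is needed in that case; if you make the same change through GPEdit.msc or a domain GPO instead, run GPUpdate as the article describes, and expect a domain GPO to overwrite any conflicting local values at the next refresh.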

Windows 8 BitLocker brings its "A" game by making drive encryption easy for any user. If you're not using BitLocker already, ask yourself one question: Why not?



John O'Neill Sr.

John O'Neill Sr. has been in the IT industry for 20+ years and has enjoyed the opportunity to work as a consultant, architect, executive, speaker, and author. He's been involved in multi-national networking, messaging, and communications projects as well as finding solutions for small mom-and-pop shops, allowing them to use technology to increase business opportunity and decrease operational complexity.


John has authored material for both Thomson-Reuters' Aspatore Books and Exec Blueprints publications. He regularly contributes technology articles to the online community in addition to developing exciting training courses for Pluralsight. As a recognized technology expert, John often speaks at IT events around the nation. When he’s not presenting at a conference, John can often be found leading informative webinars. He is proud to be NEOSA’s CIO of the Year Award recipient in 2012.