Hey all. I'd like to do this now. So where am I supposed to download BitLocker? So all of you guys are in agreement BitLocker is the preferred program for what I want here?
I'm using Windows 10 Pro on my laptop. Someone said if you have Windows 10 Pro, you get Windows BitLocker for free, but if you have another version, you have to pay for it?
So again this is what I want. I want my laptop to be locked where if someone has access to my laptop, they cannot just view everything on it and of course download viruses/files to hack my computer. Because if someone has access to my laptop and then just turns it on, not only can they see what programs I have... but they basically could just download a virus/malware or anything like that and basically my entire computer will be compromised, right? Basically it would be like you downloading malware on your computer itself, but that person could download a specific virus/malware and basically they could do what they want etc.?
As for my documents, I secure many of them with AxCrypt. I think it's a great program. So unless I'm signed into AxCrypt, you can't access certain documents I locked.
But of course if someone has access to my computer and just turns it on, that means my documents even with AxCrypt isn't going to mean much, right?
-
Also, is this process hard or not, as I'm not that tech savvy?
-
BitLocker only comes on certain versions of Windows (such as Pro); you can’t buy BitLocker separately if you don’t have the right Windows version. If you can’t use BitLocker, I’d use VeraCrypt as an alternate (and it’s what I personally use). I don’t know anything about AxCrypt, so I can’t comment on that.
And you basically have it right. If someone gets a hold of your computer and can’t log in, they won’t be able to see anything on your hard drive if you do full-disk encryption (not even what software you have installed can be viewed). If you don’t do full-disk encryption and instead only encrypt certain files/folders, then someone can still see the other contents of your hard drive; they just won’t be able to access whatever files/folders you’ve encrypted. -
Hi there, got a question. I know a place near me where a guy is very smart with computers and fixes PCs etc. I had gone to him before for other issues. If I had him install BitLocker or VeraCrypt on it, do you know how long it would take for someone to do this? And also how much he should charge for a service like this?
-
Don’t know (how long it takes depends on several factors) and don’t know (I’m not in the business of pricing out computer services, and I just do this on my own anyway).
-
The local drive is encrypted, as well as its cloud storage.
The boot image is verified.
The browser and apps are sandboxed.
Choose a strong password and even two-factor authentication such as a YubiKey.
It's security made easy.
(Of course nothing is perfect. It probably could be compromised by man-in-the-middle attacks and DNS spoofs.) -
I did get a Chromebook. But that's for web browsing and streaming, so no big deal. There is a password to my Chromebook and even if somehow someone gets in, it's no big deal as I don't put any important information in.
For my Dell XPS 15 9550, you guys suggest BitLocker still for what I want to do, right? Basically I have a Dell XPS 15 9550 laptop where I don't want any issue if someone were to get access to my laptop; well, as long as they don't get into my documents and put in a virus etc. I'm fine. I use Windows 10 on it. Thus imagine a hacker knows you have important information on your computer and somehow had access to your laptop physically, let's say. Well, if they turn on your computer with no issue, I know they could install some virus/trojan so next time you turn on the laptop and type in passwords, well, everything is going to show up on their computer etc. I heard this is with keystrokes etc. Thus if you download a program that has a virus/trojan, the same thing can happen when you enter accounts and passwords etc. and that person has it. But for me, I would be more careful going to sites online on the computer. But if someone had access to my laptop somehow or stole it and got access to it easily, then that would be bad.
The thing is, could I try downloading BitLocker and try to do this on an old Windows 7 desktop before I try this on my Windows 10 Dell XPS laptop? Is this process pretty complicated for someone not that tech savvy? I read that you need to encrypt the hard drive. So how many passwords do you need? So you just can't use BitLocker and put down a password and that is all when you log in? It needs to be a couple of them? Someone said if you just use the Windows password, they could just take out the hard drive and go through your hard drive easily. -
As mentioned sometime ago, encrypting your hard drive (or files) helps against the sort of attack you describe at the end of your post (someone getting physical access to your machine and pulling the drive). It won’t help you avoid malware though.
-
Keep the OS (and whatever's not personal) non-bitlocked on one partition (or hd\ssd), do bitlocking on another partition (or another hd\ssd) and save all sensitive content there.
Basic security (theft etc), enable BIOS + hd (ssd) password in BIOS.
Keep backups (for example cloud, or USB hd with BitLocker) of anything important. -
I'm looking through YouTube on this and it seems that VeraCrypt is probably better than BitLocker? Would you recommend that instead?
-
VeraCrypt may be fine, never used it so no opinion.
Personally am trusting and using BitLocker, it just works, year after year (and no risk of surprises like what happened with TrueCrypt). -
Hi there. But I read the issue with BitLocker is that it's closed source. But is that a big deal?
-
VeraCrypt is a good choice to consider.
Closed-source isn’t that bad in itself, but in the context of security it does make it harder for independent security auditors to verify that it’s completely secure, whereas people have done that with VeraCrypt. -
Hi there, I'm thinking about doing it now. I want to do this with my Windows 10 laptop. However, I also have an old Windows 7 desktop computer as well. The thing I'm thinking is maybe test VeraCrypt on my XPS 8100 desktop with Windows 10 first? So to make sure I have it right because I try it on my main computer, the Dell XPS 15 9550 laptop?
Are there any specific videos that are linked here where I can watch someone do this step by step, whether it's instructions or video?
Can someone post a specific video of someone doing VeraCrypt correctly so I could follow step by step? I'm checking YouTube now for videos and there are several, and on each one there is always someone mentioning there is an issue with a step... which is not what I want to encounter.
Last edited by a moderator: Apr 3, 2019 -
https://www.veracrypt.fr/en/Documentation.html
The documentation on VeraCrypt's website is pretty well-detailed and should help you just fine. -
Okay thanks, I will take a look. Have you used it for Windows 7 and 10 though? I will try it on Windows 7 first... then if no issue I will do Windows 10, which is my main laptop that I want to encrypt.
Also for the flash drive, typically how many GB would I need? I assume it's around how many GB your computer used up? For example, if it shows 413GB available out of 465GB available on your Windows 7 desktop, well, you're going to need at least 52GB on it?
Would there be any issues using a 1TB external hard drive (7200rpm) and making a backup there when using Windows 7 for it? Then doing it on the Dell XPS 15 for Windows 10? -
Starlight5 Yes, I'm a cat. What else is there to say, really?
* BitLocker software encryption;
* Windows 10 user password or fingerprint authentication (fingerprint authentication disabled after 3x failed attempts, standard setting AFAIK);
* BIOS admin password;
* boot order locked in BIOS, internal SSD being the only device allowed to boot;
* webcam disabled in BIOS;
* microphone controlled by hotkey with status light indication;
* silicone port covers on all ports except power (against liquids);
* disable USB ports access in BIOS when taking the laptop out in the wild;
* Kensington lock in bars, cafes etc. and even when sitting on a bench in the park for a reasonably long time (only helps against see & grab thieves, but hey, better than nothing).
Additional notes:
* I use bloody long passwords for important stuff, and easy to remember shorter passwords for things I don't care much about;
* I back up the most important stuff to multiple devices, including off-site.
Last edited: Apr 3, 2019 -
Hi there, thanks for the response. Well, that is certainly very secure. But for someone like me with what I described I want, is the encryption basically all I need? You mention webcam and microphone but that does not concern me or anything, right?
When you say Kensington lock in bars and cafes, you mean you lock it to the table or something? I'm confused what is meant by this. -
Starlight5 Yes, I'm a cat. What else is there to say, really?
@Drew1 based on your other threads, I believe you could really use most of those measures. You definitely seem to need to address potential USB issues, again based on your other threads - but via OS settings, not BIOS like me. Consider this method. Webcam and microphone probably do not concern you, but since I was listing system settings, included those as well.
As for the Kensington lock - yes, I wrap the cable around a table or something. Be aware that key-based Kensington locks can be opened with pen tip or cardboard tube, and those with code lock - with a fork, either in less than a minute. -
Hi there. When you say potential USB issues, you mean even if you use BitLocker or VeraCrypt, and they can't turn on your computer because they don't have the password, they can put something on your USB drive somehow and do malware/keylogger to it?
Wow, the Kensington lock thing... I never thought about that. I'm curious, but do you get strange looks from others? I don't think I've ever seen that. -
Starlight5 Yes, I'm a cat. What else is there to say, really?
@Drew1 if you're in a public place someone can insert a malicious USB thumb drive into the laptop you're using before you stop them. That's a very unlikely possibility, but it exists. Or somebody may trick you into plugging in a malicious USB device via social engineering - on a protected machine it will request driver installation, revealing itself, instead of doing the nasty things straight away, so you can confirm it is what it's supposed to be.
I never noticed strange looks from others when using Kensington devices. But then again, I only use those sometimes, when it's really easy for someone passing by to grab the laptop and run away.
Last edited: Apr 3, 2019 -
Hi there, that makes sense with someone sticking a malicious USB thumb drive in your laptop. So if someone does that, how long does it take? And when they do this, they still have to click on your keyboard and move your mouse to open the file, right? Or could they do something malicious just by putting the USB in your USB port and taking it out?
Well, if the laptop is encrypted and not turned on, someone cannot stick a malicious USB thumb drive into it and put a virus in it, right, as long as the computer is not turned on? That would not be possible, right? -
Be aware that such a lock is more of a symbolic gesture than a real security feature. It only really stops opportunistic thieves that don’t have any tools like a bolt cutter on hand with them. If you want to make sure your laptop is secured while in public, you simply just don’t leave your laptop alone, period. Going to the bathroom or something? Pack up your laptop and bring it with you; don’t leave it on a table, expecting a thin bit of steel wire to protect it.
-
Hey all. Do you recommend I use VeraCrypt or BitLocker? Most seem to go with BitLocker. Which one is easier to install, or are both the same? Does one take longer than the other? I'm not that tech savvy so I would need step-by-step instructions, whether it's a video or a guide. Are there any on this site for Windows 10? I checked out a few articles on BitLocker on Google, but in the comments I read, some people said this caused their hard drive to fail or they were omitting a few things.
I would like to encrypt my Dell XPS 15 9550 laptop, which is Windows 10 Pro, so I know it comes with BitLocker.
But I really am hesitant about testing it on my laptop first and want to try it on another computer to make sure it works... then I do it on my Windows 10 laptop. My issue is I only have a desktop that is Windows 7 Home Premium only. So that means I can't install BitLocker on it, right, since I have to buy it? I have no purpose for the Dell Windows 7 desktop at the moment. So I was thinking about installing VeraCrypt on it to see if it works... then assuming everything is fine, do the same thing on the Windows 10 laptop. Would you suggest this or just go and install BitLocker on my main laptop?
I was looking at certain guides and a few things I'm a bit confused about is they ask you to back everything up. By that, you mean like backing up files to an external hard drive? Like copying and pasting any important files and documents that are important? So could you back up the programs/icons on your desktop as well or not? Because what confuses me with backing up is, say you have a few programs you downloaded online. Let's say it's programs that you could download yourself online, like YouTube downloader, to make it simple. How do you back this up? Also when people say back up everything important, this is done manually, right, such as just copying and pasting whatever files or programs you have to an external hard drive? It's not possible to copy the entire hard drive from your laptop to an external hard drive, right... where say it's on your hard drive and then you install it on the new computer, then all the icons on the screen are exactly the same as your old laptop and everything else?
I read it's very important that when you do this, no power outage happens, right? So for example, if you are doing this on a laptop and a power outage happens, as long as you still have power on your battery it's fine? And if you have a power bank, that's better?
Can someone take a guess on how long it would take for me if my hard drive shows 232GB SSD hard drive and I have about 42GB free? Thus I'm using about 190GB?
I've been putting this off for a long time because I'm concerned something will go wrong and because when doing things like this, there is always a part where I'm stuck and don't know what to press etc. Does anyone have any advice on this?
I want to do it as soon as possible... been putting this off for years already.
Starlight and 6730b, can you help me with this process on my thread? I will be doing it soon, but if I'm stuck on any part, can I post what issue I'm currently having and then wait for either of you or anyone else who has used BitLocker to help me with this? Is there ever an issue where you are not sure what to press during the process and then wait an hour or more before clicking on it because I don't want to click on the wrong thing?
Thus I would be installing BitLocker on my Dell XPS 15 Windows 10 Pro laptop... while I will be on my Windows 7 or Chromebook on this forum to post questions in case I run into anything?
The thing I'm really concerned about is if it asks me a question where I'm not sure what to click on or it does something where I'm not sure it's happening... then I don't know what to press and make a mistake. Then I would post on this thread and wait until someone here could answer the question and then I press whatever button I have to to continue with the process? I'm really worried/scared of trying this as I'm worried something would go wrong in this process.
My main concern is to encrypt my laptop where if anyone has access to it physically, they cannot turn it on and install malware or a trojan or anything like that. But most importantly not do it when I'm not aware of it and then I'm back on the computer.
About those physical locks on the computer itself, I don't need any of that. Also I'm well aware that it doesn't protect you from malware that you install yourself etc.
I'm not even sure what the best guide for this is, as I've seen several online but some don't seem to be correct because other people said you made a mistake with your instructions.
Thanks.
I have a 16GB USB stick that still has some space. I have a 1TB external hard drive that has probably like 900GB of space. Which of these should I use to back up my data? I assume my data would be external hard drive? Also, I read through the guide that you back up the key in case you forget your password; do you back it up to a USB stick? I'm confused what the key is when they say back it up. Is it a file or is it the password? I would make sure I put a password I remember and write it down on paper as well.
I found this guide on tenforums. Is step 1 all I have to do here? But there is no mention of backing up the information on your computer? So they assume you are already doing that?
https://www.tenforums.com/tutorials/37198-turn-off-bitlocker-fixed-data-drives-windows-10-a.html
I see there is another guide here below, but this is not what I want to do now, right?
https://www.tenforums.com/tutorials...cker-operating-system-drive-windows-10-a.html
Sorry, I'm just overwhelmed with all this.
Last edited by a moderator: Apr 5, 2019 -
Starlight5 Yes, I'm a cat. What else is there to say, really?
@Drew1 I only used BitLocker, didn't try VeraCrypt. I believe BitLocker is much easier since it is embedded in the OS. How much time it will take depends on how much space is occupied on your drives; if you have a 256GB SSD it shouldn't take much, but I sadly can't give you the exact figure, probably a couple of hours or so. Don't bother with testing on Windows 7, BitLocker just works. I would recommend BitLocker software encryption over hardware, though - while there is a very slight battery life hit & SSD performance hit, it is more reliable. To make sure BitLocker software encryption is used, set hardware encryption for fixed drives & operating system drives to disabled in Group Policy -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption.
Make sure to save the recovery key somewhere very safe and secure (and make multiple copies of it), because if e.g. you update the BIOS without suspending BitLocker before doing it, Windows will ask for it to unlock the drive on the next boot. Or if you remove the SSD from your laptop and try to access it elsewhere.
As for backup - it's up to you, really. I personally have Syncthing automatically copying the most important stuff (by copying that stuff to a synced folder) over multiple devices, and manually some other stuff to NAS (used to manually copy it to external HDDs before). I'm sure it can be all automated but I didn't look into that. Syncthing may be confusing at first but once you understand the logic behind it, setting it up becomes very easy, maybe give it a try if you have some other computer device? By the way, you probably can make Syncthing sync literally everything except system files to some other machine, though that's probably overkill and will probably be quite taxing.
Normally you don't need to back up data before enabling BitLocker, but I guess better safe than sorry especially since you're doing it for the first time, and less than 200GB doesn't take long to copy even to a sluggish HDD - so make a backup first, and then just turn on BitLocker. Set up some authentication for all user accounts on the PC, at least a password for each, before encrypting - as far as I remember it won't let you encrypt without it, though I may be mistaken.
Good luck, and feel free to ask any additional questions! It's totally OK to ask a lot of questions, this is what the forums are for. (=
Last edited: Apr 5, 2019 -
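The points in the post above (software rather than hardware encryption, a saved recovery key, suspending before a BIOS update) can be checked from PowerShell. This is an added example, not part of the original thread: the function name `Get-BitLockerAudit` and the sample volume objects are constructed for illustration, while `Get-BitLockerVolume` and `Suspend-BitLocker` are the built-in BitLocker cmdlets.

```powershell
# Added example, not from the thread. Get-BitLockerAudit is a hypothetical helper name.
function Get-BitLockerAudit {
    [CmdletBinding()]
    param(
        # A volume object from Get-BitLockerVolume, or a look-alike sample object
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Volume
    )
    process {
        $status   = "$($Volume.VolumeStatus)"
        $method   = "$($Volume.EncryptionMethod)"
        # Protector types attached to the volume (Tpm, RecoveryPassword, Password, ...)
        $types    = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $findings = @()

        if ($status -eq 'FullyDecrypted') {
            $findings += 'Volume is not encrypted'
        }
        else {
            if ($status -ne 'FullyEncrypted') {
                $findings += "Encryption not finished ($($Volume.EncryptionPercentage)%)"
            }
            # BitLocker reports this method when it delegates to the drive's own encryption
            if ($method -eq 'HardwareEncryption') {
                $findings += 'Drive hardware encryption in use, not BitLocker software encryption'
            }
            # Without a recovery password there is no fallback after a BIOS update or drive move
            if ($types -notcontains 'RecoveryPassword') {
                $findings += 'No recovery password protector on this volume'
            }
            if ("$($Volume.ProtectionStatus)" -ne 'On') {
                $findings += 'Protection is off or suspended'
            }
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Method     = $method
            Protectors = ($types -join ', ')
            Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Constructed sample objects shaped like Get-BitLockerVolume output (no real keys included)
$sampleVolumes = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'XtsAes128'
        EncryptionPercentage = 100; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'HardwareEncryption'
        EncryptionPercentage = 100; ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' })
    },
    [pscustomobject]@{
        MountPoint = 'E:'; VolumeStatus = 'EncryptionInProgress'; EncryptionMethod = 'Aes128'
        EncryptionPercentage = 37; ProtectionStatus = 'Off'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Password' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    }
)

$sampleVolumes | Get-BitLockerAudit | Format-List

# On a real machine, from an elevated PowerShell prompt:
#   Get-BitLockerVolume | Get-BitLockerAudit | Format-List
# Before flashing a BIOS update, suspend protection for one reboot so the
# recovery key is not demanded at the next start:
#   Suspend-BitLocker -MountPoint 'C:' -RebootCount 1
```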
Starlight5, thanks for the very long response.
When you say set hardware encryption for fixed drives and operating system drives to disabled in group policy, admin templates - windows components - BitLocker driver encryption, do I do that now before I do this process, during the install process or after the install process?
So in that option of where to save the recovery key, a few articles I read mention saving it to a Microsoft account. But is a USB flash drive better? I don't have a Microsoft account, but in an article, it said it's safer because online? Could you save it multiple ways? Or you only save it one way, then after encryption is done, you can always save the key by another method so you have 2 or 3? Would you say saving it to a USB stick and external hard drive is good? Could you save it to your Google account, thus Google Drive?
Well, all the backing up I ever did on my computer, it's basically me manually copying and pasting the files, documents and say video/music into the external hard drive. But say I have to reinstall Windows 10 on the laptop or use a brand new computer. Sure, I connect the external to it and I can copy all my files, documents and video/music to it and it's there in my documents. But all the programs on my desktop, like the desktop icons and everything else, won't be there, right? Is there a way to back up my Windows 10 computer where if something happens to it, then if I reinstall Windows 10 or get a new Windows 10 computer, then after installation, I can put the external hard drive in it and then it suddenly looks exactly the same with desktop icons as my old Windows 10 computer? Thus even when I click the start menu, I see programs that wouldn't be there? Is there a way to do this or not?
I read online about restoring an image disk and using AOMEI or Macrium. Is that it? If so, does it do that? Because if so and it does, wouldn't this be better since, well, you are basically restoring your new computer to the same thing as it looked previously?
Sorry for asking all these questions. I just want to make sure of all this before I attempt the BitLocker installation. I've been wanting to do this a long time, but I'm just very paranoid something goes wrong or I'm stuck where I go... oh man, what do I click on now... then I have to post it on the forum and wait for a reply while the screen stays on that question. I want to install BitLocker by tonight. Also it's true when you install BitLocker, it does a restart itself, right? So the process after you go through it, about how long till it restarts your computer? Because I read they restart, then it asks you for your password... then it's actually encrypting itself while you are using the computer? Then you wait and check the C drive to see how much percent is complete? Because I had thought you had to encrypt, then wait the entire process and then it says you are done... then you restart it... then enter your password and you are good. So that last part is not how it goes, right? Because I find that a bit strange if true? When it's encrypting or starting the process, it makes you restart the laptop and makes you enter a password? Or you could let it encrypt till it's done... then you restart the computer and enter the password?
Thanks. -
Starlight5 Yes, I'm a cat. What else is there to say, really?
You don't need to restart to enter the password. For operating system drives, the BitLocker password is disabled by default. You can enable it in group policy for operating system drives if you want; I never bothered, just used the BitLocker key when I forgot to suspend BitLocker before flashing a new BIOS image or stuff like that, and it asked for the key before being able to boot. You do need a password for your Windows account, and probably fingerprints for faster (and often more secure, with cameras everywhere and people snooping around) authentication instead of typing a password every time (and Windows will ask you to set up a PIN - to simplify, it's just another password with less privilege, you can disable that in group policy if you don't want it, or set it the same as the main password; it makes sense when you use an MS account, then the password is for the whole account but the PIN is tied to a particular machine, so if somebody knows your PIN he/she can access that particular computer but not your whole account, and the password is still required for some actions even if the PIN is known). Setting an account password, PIN and fingerprint (and Windows Hello facial recognition if you have an IR camera) is unrelated to BitLocker and doesn't require a restart either - but encryption of the system drive is sorta pointless without them, since anyone will be able to access the data anyway.
Last edited: Apr 5, 2019 -
Starlight, thanks for that info.
Okay, so I guess I will just back up my data the manual way by copying and pasting it into the external hard drive and USB stick then, since you say you never tried that method of copying it where it looks exactly the same.
Okay, so I checked the guide on another forum and asked this on tenforums. Can you tell me if this is the link where it shows the steps and it's the correct way of doing it? Thus follow step 1 only? What confuses me is step 1-5. Why are they asking me to check the TPM settings? I need to do all those steps? I did check my computer and I do have TPM in my device manager.
https://www.tenforums.com/tutorials...cker-operating-system-drive-windows-10-a.html
There is also another link on how to do this on tenforums:
https://www.tenforums.com/tutorials/37198-turn-off-bitlocker-fixed-data-drives-windows-10-a.html
But the 2nd link is if you want to try this with an external hard drive or small USB flash drive, correct?
I do have a 64GB USB stick that I never used. Should I test this out on this first before doing my Windows 10 laptop? But the process is a bit different at the beginning but still the same, right?
I'm thinking do this on my Windows 10 laptop first with BitLocker. Then do the flash drives later on? Because, well, if someone accessed my laptop while I don't know and put something on it, then I wouldn't know. But they can easily do the same by taking my external hard drive or USB stick and plugging it into a laptop or tablet or anything, putting malware/keylogger on it and returning the external hard drive or USB stick as is, and I wouldn't have a clue, right?
When you say set hardware encryption for fixed drives and operating system drives to disabled in group policy, admin templates - windows components - BitLocker driver encryption, do I do that now before I do this process, during the install process or after the install process?
I went to windows components. I do not see BitLocker driver encryption as a folder here...
Last edited by a moderator: Apr 6, 2019 -
Starlight5 Yes, I'm a cat. What else is there to say, really?
@Drew1 what TPM version does it report in device manager? Is it 2.0 or something else?
Those links just create confusion. You check group policy manager, disable hardware encryption for operating system drives and fixed drives just to be on the safe side (though you can skip it and stick with hardware encryption if you want). Then you right click on your system drive and choose turn on BitLocker. Select the newer BitLocker encryption method if BitLocker asks whether to choose new or old.
Then go on to do this to the flash drive and external drive. Each external drive will ask for a password; you can use the same password if you want, just make sure it's strong. When you enter that password to unlock the encrypted drives, tick the box to remember it so that you don't have to enter it every time on that laptop.
Last edited: Apr 5, 2019 -
Hi there, made a mistake. It's there. I clicked on user config, admin templates. In the tenforums link, they say it's 128 bit but you recommend 256, right?
The TPM version I have is 1.2 when I check device manager.
Okay, so do not follow that guide on tenforums? Yes, it looks really confusing. And I'm not sure if it's that link or the other one. Someone on that forum said one is for your Windows computer, the other is for an external hard drive or USB?
Starlight, will you be on this forum throughout the rest of the day? If so, I'm going to do this right now since you are here in case I have an issue.
I'm now on this now page
-
Starlight5 Yes, I'm a cat. What else is there to say, really?
I didn't touch any of those settings, because my SSDs and all other drives encrypt themselves with BitLocker software encryption by default.
I personally use TPM 2.0 built into the CPU instead of the discrete TPM 1.2 I also have. These settings could be available in BIOS, or it could be unavailable at all. Anyway, you can switch TPM later, although it will clear fingerprint data so you'll need to reset that, and you will need to enter the BitLocker recovery key right after boot.
I'll be receiving guests soon so my availability will be very limited for a while. I'll be checking the forum from time to time if possible. -
Okay, so 128 bit is default so I'm fine.
Okay thanks. I think I might do this a bit later then. I just don't want the issue of not knowing what to do or press in case I press something wrong and have to wait a long time for a response from someone here. Are you from the US by the way? I'm in the US now, east coast time.
In the picture I posted, I would be clicking on that one highlighted, right, and go from there? I won't do it now since you say your time is limited.
And one last question before I do this later on. But I have no password set for Windows 10. I'm not sure if my admin settings are right? I basically named the Windows my name and that's all. But is there anything like run as admin or anything like that I need to make sure of in my settings first before I do this? For example, some programs that I open from my desktop, it does have that message user account control, do you want to allow this app from an unknown pub to make changes to your device?
Or does all that not matter? -
Starlight5 Yes, I'm a cat. What else is there to say, really?
@Drew1 I am not in the US but who cares. ^^ Just skip the setting that you highlighted, in my opinion - leave it at default. BitLocker may ask you to set up your account authentication properly. Or it may not ask, honestly I don't remember, I always set up the accounts before initiating the encryption.
When you run as admin under your admin account it doesn't ask for authentication. Authentication is only requested when you log in in this scenario. If that's the way you like things, just set a password and fingerprint for that admin account, and make sure other accounts require a password, or just delete them (if there are any). Basically all this stuff doesn't matter for BitLocker. -
Hi there, okay. So after this, the first step would be turn on BitLocker, right?
https://www.tenforums.com/tutorials...cker-operating-system-drive-windows-10-a.html
The mod who created the tutorial on the other forum tells me to follow these steps and start from step 5. Is that what i want to do here?
In the picture I posted, well, it's a picture that was posted by the mod on the other site, you don't want me to do this?
C) In the right pane of Operating System Drives in Local Group Policy Editor, double click/tap on the Require additional authentication at startup policy to edit it. (see screenshot above)
D) Select Enabled at the top, check the Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) box under Options, and go to step 6 below. (see screenshot below)
Starlight, so if I want to set up the accounts like you before the encryption, what do I do? I basically want to do exactly what you did.
Hey Starlight5, can you tell me the first few steps I should be doing? Such as step 1, step 2 to like step 5 so I can get a head start? I'm just overwhelmed now because at first I seemed to have to follow step 5 in that guide but now you say I could skip it.
I know there is that step where you are supposed to go to your C drive and click on turn on BitLocker. But is that the 2nd step here or 1st? Can you list me the first few steps that you know for sure and remember what to do? Then I will either go through it on my own and if there is any part I'm stuck on, I will just wait for a response from you while leaving my computer on... on that screen?
Thank you. -
Starlight5 Yes, I'm a cat. What else is there to say, really?
@Drew1 to make it simple - leave the group policy alone, don't make any changes there, just turn on the bitlocker.
-
Okay I will do that right now. What is the next step? I am going to be on the forum all day. Going to also have email notification on the moment you or anyone post this thread so I will be replying back within 5 minutes after each post.
starlight5, I don't mind doing the group policy thing. But i just want to know exactly what to press. Because maybe not doing that 1 step might cause an issue? Or is that only to change it from 128 to 256 bit which isn't that big of an issue. I just don't want an issue later on when it doesn't load or something and it was because i omitted a step.
Ok by accident i clicked on bitlocker without doing the thing you mentioned of
Those links just create confusion. You check group policy manager, disable hardware encryption for operating system drives and fixed drives just to be on the safe side (though you can skip it and stick with hardware encryption if you want). Then you right click on your system drive and choose turn on bitlocker. Select newer bitlocker encryption method if bitlocker asks whether to choose new or old.
Then go on to do this to flash drive and external drive. Each external drive will ask for a password, you can use the same password if you want just make sure it's strong. When you enter that password to unlock the encrypted drives tick a box to remember it so that you don't have to enter it every time on that laptop.
Because you said it sounds confusing and to skip it. But can i still do that now? I didn't know right click turn on bitlocker would turn it on... thought there would be another page to confirm it.
What it shows now is
how do you want to backup your recovery key
save to microsoft account
save to a file
print the recovery key
Do I save to a file? If so, is this to my computer or an external hard drive? Can i use my 64gb flash drive for this or use the 1tb external hard drive?
Do i have option to cancel here or if i do this, im screwed because im going on with the process without saving the recovery key? I cannot go back to the previous message?
Now im stuck not knowing what to do. Typing this on my other laptop now. Would appreciate if someone could reply to this. Im making sure im not touching the laptop and its staying on that screen of how do you want to backup your recovery key.
I was watching this video and notice how this person tries to turn on bitlocker but message is this device cant use a TPM. Your admin must allow bitlocker without a compatible tpm in the required additional authentication at startup. Then i see he goes to group policy etc and then goes to clicking on required additional authentication at startup and changed it to enabled. So did i have to do this or not?
Can i go back now and do that before turning on bitlocker or is it too late because im on the next page now? I cant seem to click on the back button, only thing i can click on is cancel but im worried cancel means i cant go back and i cannot backup recovery key?
As i watch the video after he clicks next after turning on bitlocker, he gets completely different screen than me. It checks bitlocker is checking to see if pc fit requirement and then shows
Bitlocker drive encryption setup
When you turn on bitlocker, your computer performs following steps
prepare your drive for bitlocker
encrypt your drive
Can someone tell me why my next page was that recover key page? I am freaking out right now because if something happens like a power outage happens now, am i screwed? Please if someone can reply back to this soon.
---------------------------------------------------------------------------------------------------------------------------------
And is the reason why my options of where to backup your recovery key doesn't show a usb drive because i did not have one connected at the moment? I just connected one right now.
Do i click cancel? Do i close the box? It seems like i could X the box but not sure what happens then?
Because if I have a power outage now or computer turns off, am I screwed?
Okay I looked through the tutorial again. It seems like since i already checked i had tpm 1.2 yesterday, well i can go directly to step 6 right? Okay so it seems to skip a lot of steps because i already have tpm 1.2? So it seems like in step 11, it has that message where you want to save your backup key.
--------------------------------------------------------------------------------------------------------------------------------
But i don't have the option to save to a usb drive because my usb drive was not connected to my computer at this time? So how do i do that now on this page? Could i click to save to a file and it gives me option to choose the usb flash drive i just put in right now? Or could i save it to a file and then just save it to my documents in my computer? Then immediately copy that document to the usb flash drive?
With my luck with computers, I can just imagine my computer shutting off for no reason and then im screwed because im not sure how to save this recovery key.
What confuses me then is where is the option to type your password in it? I do not see this option doing it the way i already started?
So basically the way i started it out, i can only unlock my computer with the TPM and no password? Or can i go back? Can someone please tell me what to do here?
This was my fear of doing this ever since i posted it. Thats why i was always paranoid of doing this because if i make a wrong click or omitted a step, then I don't know if i could go back or what to do and just leave my laptop as it is until i know what to do. If anyone has any advice, please post anything here. -
Starlight5 Yes, I'm a cat. What else is there to say, really?
@Drew1 you're encrypting system drive, unless you deliberately change settings there won't be an option to set Bitlocker password. Save to a file means save to a usb drive (it won't allow you to save the file on the disk you're encrypting). You can insert USB drive any time. If you don't want to use usb flash drive for saving the key, then just choose print and select XPS document writer, it will print to a file and you can save it on your pc. If you want me to reply faster, tag me like this @Starlight5 and I'll see a notification.
-
starlight how do i tag you? I clicked on your profile and clicked follow... is that good?
okay so the page that im on now.. click save to a file, then save to a usb file right? I dont have printer connected to my laptop at the moment.
@Starlight5
Wait so if i continue on with this, everytime i turn on my computer, it wont ask me for my password? But this is what i want right? I wanted to turn it on and ask me for password.
So you could turn it on with password or tpm which would be the usb stick, thus you have 2 options? But i cannot choose the password option now?
But i prefer password since well the usb stick could be corrupted, lost etc right.
@Starlight5
Do i want to encrypt system drive or do i want to do something else here? Is there a way to know if i didn't make any deliberate changes to any settings. I did not click on anything with the group policy as in double click anything etc. I just viewed it thats all. But i saw in that video youtube link i posted, that person did something where he didn't want to choose tpm and choose password and was able to type in a password to log into their computer.
But I don't have this option or i still do?
So basically from the beginning this is what i did.
1. I checked i had tpm 1.2 yesterday under device manager. So i did not bother to check this again since i know i have this.
2. I went to c drive, right click and turn on bitlocker
3. The screen that is showing
How do you want to backup your recovery key
save to mic account
save to a file
print the recovery key
I could click cancel or X the box out it seems. I do not want to do this right?
Im confused because where do i type in my password because that is how i want to log into windows 10 computer everytime. Do you log into your computer with a password? Because if its TPM, i need to insert that usb stick every time?
@Starlight5
I ask this on the other forum and the guy on the other forum said if i continue on with this, i would be choosing tpm to turn on my computer each time as opposed to password. If i wanted to do password, i have to go back to step 4. Im confused whats going on here as you say its fine but the other person say its fine how it looks but you will be turning on your computer with a tpm as opposed to password... which is obviously what i DO NOT want.
So what am i suppose to do now since im on the page
How do you want to backup your recovery key?
Do i save it to a file?
Do i click cancel and go back? Do I X this box?
Right now my bitlocker is already turned on? So i have to make sure i save this key to my usb drive? But if i do this, won't it then start encrypting process which i do not want because it would be doing it with the tpm and not the password?
How do i start over to encrypt it again when im at the current page im at now?
@Starlight5
I went to my pc and clicked on local disk. Then right click and see it shows Turn on Bitlocker. So that means i have not turned it on yet correct? So does this mean i could just close the page that is showing up now and start over? If so do i X it or click cancel?
If i cancel, that means i can start this entire process over since i did not start any process yet?
I opened my c drive and then right clicked it to check to see if bitlocker was on or off and it seems to be off as it says turn bitlocker on while the other screen is still in the middle of the screen which ask me
How do you want to backup your recovery key screen is showing?
Its the screen that says
How do you want to back up your recovery key?
X Your recovery key couldn't be saved to this location. Choose a different location.
A Recovery key can be used to access your files and folders if you're having problems unlocking your pc. Its good idea to have more than one and keep each in safe place other than your cd.
Save to your microsoft account
Save to a file
Print the recovery key
Right now my options are click one of those which is what i dont want to do right? Or click cancel? Or click the x on the top right to close this? So close the window with the x? After i do this, go check c drive and right click it to see if it has that same wording turn bitlocker on? Which would confirm its not on?
A person on the other forum says it doesn't seem i enabled bitlocker yet?
Okay so i cancelled the bitlocker process according to the other person.
So apparently what i did, i was trying to encrypt it with tpm thus my usb drive and not password?
So i have to use either step 4 TPM with pin or step 5 which is no TPM and password or usb flash drive right?
Which is preferred here? I read TPM with pin also allows you to use password but the other one has no TPM.
I want to type password to log in when i first turn on computer. So do i go with step 5 here as opposed to step 4?
https://www.tenforums.com/tutorials...cker-operating-system-drive-windows-10-a.html -
Starlight5 Yes, I'm a cat. What else is there to say, really?
You'll have to choose between following that confusing guide, and following my advice. You can't do both.
Last edited: Apr 6, 2019 -
@Starlight5
Im confused here. That enabling windows password thing you posted... isn't that useless? Many ppl said its useless because all someone has to do is take out the hard drive from the laptop and then put it on another and view everything on it?
That person who responded back to me seems to be the person that posted that guide. He said what i was doing earlier, when i turn on my laptop, it would ask me for the usb flash drive as opposed to the password when first turning on computer. So that made sense.
He said there are 3 ways to do it. One is the one i posted. 2nd is TPM with pin. 3rd is no TPM and just password.
So how will i log into my computer then if i do it the method i was currently doing before i cancel it? With a windows 10 password i set up completely unrelated to bitlocker? I thought the password i want is in bitlocker... not windows 10... since ppl said that password is useless?
Here is what confuses me. If you want me to put a password for windows 10, then the purpose of me doing the bitlocker is to prevent them from getting to my windows 10 screen asking for my windows 10 password? So you are saying if i do it this way, that means i have to remember a 6-20 digit pin for my computer? Then once i type that in when i start up my laptop, then i have to type in my windows password? So essentially i have to remember 2 things before i log in?
Or do i need my usb flash drive to connect to it to start up, then it does... then i have to put my windows password?
So basically you want me to enable 2 forms of security or something? If so, i just want to start up my computer by powering it on...then enter my password and thats it. From looking at images online, it seems when you put a password to log in, it shows bitlocker... not windows 10 screen. So im really confused now. Or if it just do it the way i was doing, my only method to log into the computer was stick the usb stick in it or enter that password recovery key manually? -
Starlight5 Yes, I'm a cat. What else is there to say, really?
-
@Starlight5
Yes i know windows password is useless on its own. Bitlocker is useless on its own? I did not know the 2nd part. So most ppl that have bitlocker, they put a windows password as well? I never heard of this.
You say encrypt the drive with bitlocker to avoid that. Okay that makes sense. But had i did the method i was doing earlier before i cancelled it... what did i need to log into to my computer? I know i need my windows 10 password had i put one in. But that is for the 2nd part of it. But how do i log in with bitlocker? I had to always have that usb flash drive with me at all times or something? If not, i needed the paper printout of the recovery key? So i couldn't type in a password for bitlocker first, then type in password for windows 10? Example i take my laptop outside with me. But then i left my usb flash drive with the recovery key thats inside it and i left the printout of the backup key printed at the apartment, now i can't log into my computer when outside because i don't have the usb stick or printout copy of the recovery key? -
Starlight5 Yes, I'm a cat. What else is there to say, really?
@Drew1 most people set Bitlocker to auto-unlock on boot as far as I know. You have TPM for that, it will just unlock your encryption for your OS. It is more convenient. You can use biometrics to unlock Windows, but you can't use them to unlock Bitlocker. Using passwords all the time, there are chances someone will see you typing it, or a camera records you typing your password well enough for someone to reproduce it. While it is possible to produce a fake fingerprint, it takes more time and effort than just snooping around, and chances are it won't work within 3 tries given by Windows to unlock the computer with fingerprint, then requests password/pin.
This is all opinion-based of course. Some people are strongly in favor of passwords over biometrics. It depends on one's threat attack model. -
@Starlight5
I have no idea what you mean by set bitlocker to auto unlock on boot. How do you do this? You say TPM but wouldnt that require my usb flash drive everytime?
I have no idea what biometrics is.
Im not that concerned with password and someone watching what im typing or camera recording it. That is interesting to point out but i never thought about that. Because i always would be careful typing it if i was out public with it.
I do not need any fingerprint or anything like this. What you describe is very advanced and something i do not need.
But had i gone with that method i was doing earlier with TPM, how would i have logged into windows each time? Everytime i would have needed either that usb flash drive or the recover key paper with me? Thus had i went outside with my laptop and left both things at home, i cannot log into my laptop? The other issue is this. Let say i lost my usb drive or it got corrupted. Or let say someone did something with my usb drive. Now isn't it compromised?
What i wanted was very simple. I want everytime i log into my windows computer, it ask me for password... i type it in and im in the computer... nothing more. So that is not the option i was doing earlier right? -
Starlight5 Yes, I'm a cat. What else is there to say, really?
If you set password for both Bitlocker and Windows, you will have to type Bitlocker password when you boot, and Windows password when you log in. If you like to type passwords a lot, go for it.
If you set password for Windows only, and enable Bitlocker automatic unlock without any passwords, usb drives and all, you will have to type a password only when you log in. It is the most straightforward and easy way, and most easy to setup. That is the way I described in all my posts in this thread.
I'm sorry but I can't help if you completely ignore what I write, and follow a guide that severely complicates things instead.
Last edited: Apr 6, 2019 -
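The setups discussed in this thread (TPM-only automatic unlock, TPM with PIN, password or USB startup key without a TPM, plus the recovery key) differ only in which key protectors sit on the OS volume. The following is an added example, not part of the original thread, that lists them with the built-in BitLocker PowerShell module; the function name `Get-BootUnlockSummary` is made up for illustration, and it has to be run from an elevated PowerShell prompt.

```powershell
# Added example: summarize how a BitLocker OS volume unlocks at boot.
# Get-BootUnlockSummary is a hypothetical helper name, not a built-in cmdlet.
# Needs the BitLocker module (Windows 10 Pro and up) and an elevated prompt.
function Get-BootUnlockSummary {
    param(
        [string]$MountPoint = $env:SystemDrive   # normally "C:"
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # What each boot-time protector means for the person at the keyboard.
    $bootPrompt = @{
        'Tpm'              = 'TPM unlocks automatically; only the Windows sign-in is asked'
        'TpmPin'           = 'BitLocker PIN at boot, then Windows sign-in'
        'TpmStartupKey'    = 'USB startup key must be plugged in at boot, then Windows sign-in'
        'TpmPinStartupKey' = 'BitLocker PIN and USB startup key at boot, then Windows sign-in'
        'Password'         = 'BitLocker password at boot (no TPM involved), then Windows sign-in'
        'ExternalKey'      = 'Key file on a USB drive (startup or recovery key) can unlock the drive'
    }

    $atBoot = foreach ($t in $types) {
        if ($bootPrompt.ContainsKey($t)) { "${t}: $($bootPrompt[$t])" }
    }

    $notes = @()
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $notes += 'Drive is not encrypted: BitLocker has not been turned on for it.'
    }
    elseif ($vol.ProtectionStatus -eq 'Off') {
        $notes += 'Protection is off or suspended: the drive is not protected right now.'
    }
    if ($types -notcontains 'RecoveryPassword') {
        $notes += 'No 48-digit recovery password protector; add one and keep it away from this PC.'
    }
    if ($vol.EncryptionMethod -eq 'HardwareEncryption') {
        $notes += 'The drive''s own hardware encryption is in use instead of BitLocker software encryption.'
    }

    # The recovery password itself is deliberately not printed.
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = $types -join ', '
        AtBoot           = $atBoot
        Notes            = $notes
    }
}

Get-BootUnlockSummary | Format-List
```

A volume that lists only `Tpm` and `RecoveryPassword` is the automatic-unlock setup: nothing is asked at boot, and the recovery password is needed only if the TPM refuses to release the key.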
@Starlight5
I do not have my laptop on sleep or hibernate. The other thing is this. If i use my laptop and say im not there at the moment, im not going to leave it unattended unless im inside my apartment. I will be turning off the laptop. So if that is the case, the windows 10 password is not necessary right? I understand what you mean if it sleeps or hibernates. So if it does that and someone access your laptop, they need the windows 10 password to log in. That makes sense.
Wait so what happens if the laptop sleeps or hibernates. Then someone sticks a usb flash drive to put malware/virus into it? That would still work though right for them?
Well im asking about the procedure i was doing earlier. Had i continued with that, that was not a password option correct? It didnt give me option to put password later on? So had i did it the way earlier... whenever i turned on my laptop, how would i get in? Was it by flash drive only or having the recover key sheet? So that meant if im outside with my computer and forgot to have the usb flash drive, i cant access the laptop.. is that correct?
If so, i would not want that. Also what would happen if someone did something to my usb stick then and compromise it? The password seems the most simple for bitlocker dont it?
If you set password for Windows only, and enable Bitlocker automatic unlock without any passwords, usb drives and all, you will have a reasonably secure machine that is easy to use and easy to setup.
Can you explain what you mean with enable bitlocker automatic unlock without any passwords, usb drives and all?
That is what i still do not understand here.
So can you tell me how you start up your computer? I know the 2nd part is you type in your windows 10 password. But what about the first part? Do you put a usb flash drive in or some other method? Because i know you are not typing in a password for bitlocker based on what you said earlier. -
Starlight5 Yes, I'm a cat. What else is there to say, really?
@Drew1 I edited my post. I hope it is easy to understand now.
-
@Starlight5
If you set password for Windows only, and enable Bitlocker automatic unlock without any passwords, usb drives and all, you will have to type a password only when you log in. It is the most straightforward and easy way, and most easy to setup. That is the way I described in all my posts in this thread.
So here... you mean when i turn on my laptop, i only have to enter my windows 10 password and thats all? And there is nothing left to do?
What confuses me here is the enable bitlocker automatic unlock.
So i do not need any usb stick connected to it or anything?
Because that is what confused me throughout the entire thing that made no sense to me.
@Starlight5
If you set password for both Bitlocker and Windows, you will have to type Bitlocker password when you boot, and Windows password when you log in. If you like to type passwords a lot, go for it.
The only difference between this method and your method is basically just one more password to type in the beginning? -
Starlight5 Yes, I'm a cat. What else is there to say, really?
BitLocker questions
Discussion in 'Windows OS and Software' started by Drew1, Feb 16, 2018.