If you provide company laptops to your workers, it’s only a matter of time before one goes missing. Whether it’s accidentally or maliciously parted from its owner, your priority is to make sure that any proprietary, confidential, or legally protected data does not fall into the wrong hands. Microsoft’s BitLocker drive encryption feature can help you to do that.
This guide will cover setting up a basic BitLocker deployment that will protect the data on your laptops in the event that one should fall into the wrong hands. This guide assumes that you have a small number of laptops to manage — fewer than 20 — and that you use on-premises Active Directory.
BitLocker Prerequisites, Planning and Requirements
BitLocker is included with Windows 10 Professional, Enterprise and Education editions, so the devices on which you are enabling BitLocker need to be running one of those. Windows 10 Home does not include it.
Also, to deploy BitLocker drive encryption in the most secure way, your laptops need to be equipped with a Trusted Platform Module (TPM) chip (version 1.2 or 2.0). The TPM does not encrypt the drive itself; it seals the key that unlocks the drive's encryption key, and releases it only when the measured boot components (firmware, boot manager, boot configuration) match what they were when BitLocker was turned on. If any of those change, the TPM withholds the key and the machine drops into recovery mode. Most enterprise-grade computers from the last 5 years or so include a TPM chip, though sometimes it will need to be enabled in the BIOS or UEFI configuration.
Finally, if you would like to have BitLocker recovery passwords automatically backed up to Active Directory, you'll need a domain whose schema includes the BitLocker recovery objects (any Windows Server 2008 or later schema does), and you'll need to enable the group policy setting that turns on the backup. Older documentation calls it:
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Turn on BitLocker backup to Active Directory Domain Services
On Windows 10 the per-drive setting is the one that matters: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered, with "Save BitLocker recovery information to AD DS for operating system drives" checked. Also check "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives", so that a laptop cannot be encrypted while it is off the network and its key has nowhere to go. Note that the policy only escrows keys for drives encrypted after it takes effect; a laptop that was encrypted earlier has to have its existing recovery password backed up explicitly.
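The following PowerShell script is an added example, not part of the original guide, that checks the prerequisites above on one laptop and escrows any recovery passwords that already exist on it to the computer's AD object. It uses only the BitLocker and TrustedPlatformModule modules that ship with Windows 10 and assumes an elevated prompt on a domain-joined machine that can reach a domain controller.

```powershell
# Added example (not from the original article): audit a laptop before the
# BitLocker rollout and push existing recovery passwords to AD DS.
# Assumes: Windows 10 Pro/Enterprise/Education, elevated PowerShell, domain-joined.
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module TrustedPlatformModule

# Edition check: BitLocker is absent on Home.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Pro|Enterprise|Education') {
    Write-Warning "BitLocker is not available on this edition: $($os.Caption)"
}

# TPM check: TpmReady means present, enabled, activated and owned.
$tpm = Get-Tpm
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Edition    = $os.Caption
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady
} | Format-List

if (-not $tpm.TpmPresent) {
    Write-Warning 'No TPM reported. Look for it in the BIOS/UEFI setup; it is often disabled by default.'
} elseif (-not $tpm.TpmReady) {
    Write-Warning 'TPM is present but not ready. Enable/activate it in firmware and reboot.'
}

# The AD backup policy only applies to drives encrypted after it takes effect.
# For drives that are already protected, escrow each recovery password now,
# and flag drives that have no recovery password at all.
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Write-Warning "$($vol.MountPoint) has no recovery password protector; add one before a user needs it."
        continue
    }
    foreach ($p in $rp) {
        # Same operation the GPO performs automatically; fails loudly if no DC is reachable.
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
        Write-Host "Escrowed recovery password $($p.KeyProtectorId) for $($vol.MountPoint) to AD DS."
    }
}
```

Run it once per laptop before you start; the warnings tell you which machines need a firmware visit or a recovery password added before they are safe to hand out.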
Also, consider the level of security that you would like BitLocker to provide. It can be configured to use several authentication methods which provide increasing levels of security:
TPM Only: The TPM automatically unlocks the boot volume as long as no modifications to the boot environment have been detected. The laptop boots unattended to the Windows logon screen.
TPM + PIN: In addition to the TPM check, the user must enter a PIN before Windows starts; the TPM will not release the key without it.
TPM + Startup Key: In addition to the TPM check, the user must insert a USB flash drive that contains the startup key in order to boot the computer.
The TPM Only option will prevent a hard drive from being removed and read in another machine, but because the key is released automatically, anyone holding the laptop can boot it to the logon screen, and any weakness in the running system (a lock-screen bug, a DMA-capable port, or a discrete TPM whose bus can be probed) then becomes an attack on your data. If you need higher levels of data protection, choose one of the multifactor options. Note that the setup wizard only offers a PIN or startup key when the group policy setting Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup allows or requires it.
Once you’re ready to enable BitLocker on a computer, log in as an administrator and open Control Panel > BitLocker Drive Encryption. The wizard will walk you through the steps for enabling BitLocker and backing up your recovery keys.
If the TPM is present but not yet initialized, the wizard will offer to prepare it, which requires a reboot. You can continue with the wizard afterward. If the wizard reports that no TPM is present at all, enable it in the BIOS/UEFI setup first.
Once the computer has passed the initial configuration checks, the wizard generates a 48-digit recovery password and asks you how to back it up. If you enabled the group policy setting to store recovery information in Active Directory, it is escrowed there automatically. It is still a good idea to keep a second copy on a USB flash drive (in a secure location) or on a properly secured network share; the one place it must never live is on the laptop itself, since that is exactly what the key is meant to protect.
Then, you’ll be asked whether to encrypt the entire drive, or only the used space. The used space only option is much faster, and is best for encrypting a brand-new hard drive, or one that was previously securely erased and reinstalled. If the computer has been in use for a while, it’s best to select entire drive. This will make sure that no traces of deleted files are left unencrypted in the free space of the drive.
Once the wizard completes, you'll need to reboot, after which BitLocker will begin encrypting the drive in the background; the laptop can be used normally while this runs.
And that's it. Should the laptop go missing, the data on the hard drive is protected from unauthorized access, provided the recovery password was not stored on or with the laptop and the authentication method you chose matches the threat you care about. Before handing a laptop to a user, open an elevated command prompt and run manage-bde -status to confirm that Protection Status is On and that the conversion has finished, and check the computer object in Active Directory Users and Computers (BitLocker Recovery tab) to confirm the recovery password actually arrived.
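Once you have done the wizard once or twice, the same steps are easier to repeat from PowerShell. The script below is an added example, not part of the original guide or Microsoft's own documentation, that performs the sequence described above on the OS drive: create the recovery password, escrow it to AD, then add the TPM or TPM + PIN protector and start encrypting with either full-drive or used-space-only conversion. It assumes an elevated PowerShell on a domain-joined Windows 10 Pro/Enterprise laptop with a ready TPM, and TPM + PIN additionally assumes the "Require additional authentication at startup" policy allows a startup PIN. The variables $MountPoint, $UseStartupPin and $UsedSpaceOnly are the script's own knobs.

```powershell
# Added example (not from the original article): scripted equivalent of the
# BitLocker wizard for the OS drive. Assumes elevated PowerShell, Windows 10
# Pro/Enterprise, domain-joined, TPM ready; TPM+PIN needs the startup-PIN policy.
#Requires -RunAsAdministrator
Import-Module BitLocker

$MountPoint    = 'C:'
$UseStartupPin = $true    # $false = TPM only (boots unattended to the logon screen)
$UsedSpaceOnly = $false   # $true only for a fresh or securely wiped drive

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is already $($vol.VolumeStatus); nothing to do."
}
if (-not (Get-Tpm).TpmReady) {
    throw 'TPM is not ready; enable it in firmware and reboot before encrypting.'
}

# 1. Create the 48-digit recovery password first, so it exists before the
#    drive is ever locked. The cmdlet returns the updated volume object.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# 2. Escrow it to the computer object in AD DS. Doing this explicitly (rather
#    than relying on the GPO alone) fails loudly if no domain controller is reachable.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

# 3. Add the TPM-based protector and start encryption.
$common = @{
    MountPoint       = $MountPoint
    EncryptionMethod = 'XtsAes256'     # Windows 10 1511+ mode for fixed drives
    UsedSpaceOnly    = $UsedSpaceOnly  # full conversion wipes deleted-file remnants too
    SkipHardwareTest = $true           # skip the wizard's extra reboot-and-test cycle
}
if ($UseStartupPin) {
    $pin = Read-Host -AsSecureString -Prompt 'Startup PIN (6 or more digits)'
    Enable-BitLocker @common -TpmAndPinProtector -Pin $pin
} else {
    Enable-BitLocker @common -TpmProtector
}

# 4. Report. EncryptionPercentage climbs in the background; hand the laptop out
#    only once ProtectionStatus is On and the recovery password is in AD.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Enable-BitLocker accepts one key protector per call, which is why the recovery password is added separately first; ordering it before the TPM protector means there is never a moment when the drive is protected but has no escrowed way back in. Set $UsedSpaceOnly to $true only for the fresh-drive case discussed above; for a laptop that has been in use, the full conversion is the right default even though it takes longer.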