BitLocker - Turn On or Off for OS Drive in Windows 8

How to Turn On or Off BitLocker for Windows 8 OS Drive with or without TPM


BitLocker Drive Encryption provides protection for operating system drives, fixed data drives, and removable data drives that are lost or stolen. BitLocker does this by encrypting the contents of drives and requiring users to authenticate their credentials to be able to access the information. Encrypting the entire Windows 8 operating system drive on the hard disk encrypts all user files and system files on the OS drive, including the swap (page) files and hibernation files.

This tutorial will show you how to turn on or off BitLocker to encrypt or decrypt the operating system drive in Windows 8 and 8.1 with or without a TPM.

You must be signed in as an administrator to be able to do the steps in this tutorial.


  • For computers that boot natively with UEFI firmware, BitLocker requires at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
  • For computers with legacy BIOS firmware, BitLocker requires at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
  • The system drive partition must be at least 350 MB and set as the active partition. If you do not have a system partition, then BitLocker will check for one and, if able, create one automatically (see step 11 in OPTION ONE below).
  • To be able to automatically unlock fixed data drives, the drive that Windows 8 is installed on must also be encrypted by BitLocker.
  • Any files saved to an encrypted drive will automatically be encrypted as well.
  • Files remain encrypted only while they are stored on the encrypted drive. Files will be decrypted if they are copied on another drive, partition, or PC.
  • Users who use BitLocker to protect the content of their personal files can also use File History as it seamlessly supports BitLocker on both source and destination drives.
  • If you create a system image or backup of an unlocked encrypted drive, the files in the saved image or backup will be decrypted.
  • If you share files with other people, such as through a network, the files are encrypted as long as they're stored on the same encrypted drive, and they can be accessed by authorized people or people you've given permission to.
  • You will be able to unlock the encrypted Windows 8 OS drive at boot using either a password or a connected USB flash drive containing the startup key.
  • If you select to use a USB flash drive to unlock the Windows 8 OS drive at boot, then you will need to make sure that your BIOS or UEFI is set to allow reading from a USB drive at boot. Most are by default.
  • When using BitLocker with a TPM, it is recommended that BitLocker be turned on immediately after the computer has been restarted. If the computer has resumed from sleep prior to turning on BitLocker, the TPM may incorrectly measure the pre-boot components on the computer. In this situation, when the user subsequently attempts to unlock the computer, the TPM verification check will fail and the computer will enter BitLocker recovery mode and prompt the user to provide recovery information before unlocking the drive.

For more information, see: BitLocker Frequently Asked Questions (FAQ)

BitLocker Drive Encryption is only available in the Windows 8/8.1 Pro and Windows 8/8.1 Enterprise editions.





OPTION ONE

To Turn On BitLocker for Windows 8 OS Drive with or without a TPM



1. If you have not already, you will first need to do step 2, 3, 4, or 5 below for what you want to do.


2. Use REG File to Allow BitLocker to Encrypt OS Drive without a TPM

NOTE: This does the same thing as step 4 below, but automatically with a .reg file.

A) Click/tap on the Download button below to download the file below.

Enable_BitLocker_OS_Drive_No_TPM.reg


B) Save the .reg file to your desktop.

C) Double click/tap on the .reg file to merge it.

D) If prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve merging.

E) Restart the PC to apply, and go to step 6 below to continue.



3. Use REG File to Require Additional Authentication at Startup with a TPM

NOTE: This does the same thing as step 5 below, but automatically with a .reg file. For example, to require USB at startup.

A) Click/tap on the Download button below to download the file below.

Enable_Additional_Authentication_BitLocker_OS_Drive_with_TPM.reg


B) Save the .reg file to your desktop.

C) Double click/tap on the .reg file to merge it.

D) If prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve merging.

E) Restart the PC to apply, and go to step 6 below to continue.



4. Use Group Policy to Allow BitLocker to Encrypt OS Drive without a TPM

NOTE: This does the same thing as step 2 above.

A) Press the :winkey: + R keys to open the Run dialog, type gpedit.msc, and press Enter.

B) If prompted by UAC, click/tap on Yes.

C) In the left pane of Group Policy, click/tap on to expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and Operating System Drives. (see screenshot below)

gpedit-1.jpg


D) In the right pane of Operating System Drives, double click/tap on Require additional authentication at startup to edit it. (see screenshot above)

E) Select (dot) Enabled, check the Allow BitLocker without a compatible TPM box, and click/tap on OK. (see screenshot below)
NOTE: Not Configured is the default setting.

gpedit-2.jpg


F) Close Group Policy, and go to step 6 below to continue.



5. Use Group Policy to Require Additional Authentication at Startup with a TPM

NOTE: This does the same thing as step 3 above, but allows you to have more options.

A) Press the :winkey: + R keys to open the Run dialog, type gpedit.msc, and press Enter.

B) If prompted by UAC, click/tap on Yes.

C) In the left pane of Group Policy, click/tap on to expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and Operating System Drives. (see screenshot below step 4C)

D) In the right pane of Operating System Drives, double click/tap on Require additional authentication at startup to edit it. (see screenshot above)

E) Select (dot) Enabled, uncheck the Allow BitLocker without a compatible TPM box, and click/tap on OK. (see screenshot below)
NOTE: Not Configured is the default setting.

TPM_Group_Policy.png


F) Close Group Policy, and go to step 6 below to continue.


6. If you have not already, choose to use either an AES 128-bit or 256-bit encryption method.
NOTE: Windows 8 uses AES 128-bit encryption by default.


7. Do step 8, 9, or 10 for how you would like to start to turn on BitLocker for the OS drive.


8. Open the Control Panel (icons view), and click/tap on the BitLocker Drive Encryption icon. Under Operating system drive, click/tap on the arrow to expand the Windows 8 drive you want to encrypt, click/tap on the Turn on BitLocker link, and go to step 11 below. (see screenshot below)

Turn_On_Bitlocker_OS-1.jpg


9. In File Explorer, open Computer/This PC, right click or press and hold on the Windows 8 drive you want to encrypt, click/tap on Turn on BitLocker, and go to step 11 below. (see screenshot below step 10)

10. In File Explorer, open Computer/This PC, select (highlight) the Windows 8 drive you want to encrypt, click/tap on the Manage (Drive Tools) tab, click/tap on the BitLocker icon in the ribbon, click/tap on Turn on BitLocker, and go to step 11 below. (see screenshot below)

Turn_On_Bitlocker_OS-2.jpg


11. If you did not have the required 350 MB system drive partition, then BitLocker will now create one if able. Click/tap on Next, and Restart now when prompted. (see screenshots below)
NOTE: You will not get this step if you already have at least a 350 MB system drive partition.

Turn_On_Bitlocker_OS-3A.jpg

Turn_On_Bitlocker_OS-3B.jpg


12. Do step 13, 14, or 15 below for what you would like to use to unlock the Windows 8 drive with at startup. (see screenshots below)

NOTE: This will not be available with a TPM unless you did step 3 or 5 above.

Turn_On_Bitlocker_OS-4.jpg

TPM.png



13. To "Insert a USB flash drive" at Boot to Unlock the OS Drive

NOTE: This will not be available with a TPM unless you did step 3 or 5 above.

A) Connect a USB flash drive, and click/tap on the Insert a USB flash drive option. (see screenshot below step 12)

B) Select the USB flash drive you want to save the startup key on, click/tap on Save, and go to step 16 below. (see screenshot below)

Turn_On_Bitlocker_OS-5.jpg




14. To "Enter a password" at Boot to Unlock the OS Drive

NOTE: This will not be available with a TPM.

A) Click/tap on the Enter a password option. (see screenshot below step 12)

B) Enter and reenter a password at least 8 characters long, click/tap on Next, and go to step 16 below. (see screenshot below)

Turn_On_Bitlocker_OS-6.jpg




15. To Let BitLocker Automatically Unlock OS Drive

NOTE: This will only be available with a TPM.

A) Click/tap on the Let BitLocker automatically unlock my drive option, and go to step 16 below. (see screenshot below step 12)



16. Select how you want to back up your BitLocker recovery key, and click/tap on Next when finished. (see screenshot below)

NOTE: The Save to USB flash drive option will not be available if you are encrypting with a TPM. If you like, you could use the Save to a file option and select a USB flash drive to save the file to.

If you forget the password (step 14) or lose the USB flash drive (step 13), then you can still use this recovery key (a string of 48 random numbers) to get back into the OS drive at boot.

It's essential that you store a copy of your recovery key in a safe place. If you lose it, you might permanently lose access to your files on the encrypted OS drive.


TIP: The Save to your Microsoft account option is only available on non-domain-joined PCs.

If you saved the BitLocker recovery key to your Microsoft account, you will be able to log in to your Microsoft account online at Microsoft's site below from any PC to view all of your saved recovery keys at any time.

http://windows.microsoft.com/recoverykey





Turn_On_Bitlocker_OS-7.jpg


17. Select (dot) to encrypt entire drive, and click/tap on Next. (see screenshot below)

Turn_On_Bitlocker_OS-8.jpg


18. Check the Run BitLocker system check box, and click/tap on Continue. (see screenshot below)
NOTE: Running the system check is one more recommended way to make sure that BitLocker works smoothly for you, but it can take longer, and it requires your PC to restart. If you decide to run the system check, make sure you've saved your work before restarting. When your PC restarts, it will prompt you to unlock your operating system drive with the method you just chose in step 12 above.

Turn_On_Bitlocker_OS-9.jpg


19. You will now notice the BitLocker icon in the taskbar notification area. Click/tap on it, and on Restart now. (see screenshots below)

Turn_On_Bitlocker_OS-10.jpg

NOTE: If you selected to enter a password in step 14 above, then you will be prompted to enter the password at boot when the computer restarts.

password.jpg







20. If the BitLocker system check from step 18 above failed, then you will see the screen below. Click/tap on Close. You are now finished, since BitLocker was unable to encrypt the Windows 8 OS drive.

Turn_On_Bitlocker_OS-11B.jpg


21. If the BitLocker system check was successful from step 18 above, then after a short moment you will notice the BitLocker icon in the taskbar notification area. You can click/tap on it to see the encryption progress. (see screenshot below)
NOTE: This may take a long time to finish, but you will still be able to use your PC during the encryption process. Just do not turn off the PC until it has finished encrypting.

Turn_On_Bitlocker_OS-11A.jpg


22. When encryption of the Windows 8 OS drive has finally finished, click/tap on Close. (see screenshot below)

Turn_On_Bitlocker_OS-12.jpg


23. Whenever you start the Windows 8 PC, you may be required to either enter a password or connect the USB flash drive depending on what you selected in step 12 above.

password.jpg


Unlocked.png
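The whole of OPTION ONE can also be scripted. The PowerShell below is an added example, not part of the tutorial or its .reg files; it assumes an elevated PowerShell on Windows 8/8.1 Pro or Enterprise, that C: is the OS drive, and that E: is a USB drive for the recovery key backup. The registry values it writes are the ones the "Require additional authentication at startup" policy stores under HKLM\SOFTWARE\Policies\Microsoft\FVE, so it covers both the no-TPM case (steps 2/4) and the TPM case (steps 3/5).

```powershell
# Added example, not from the tutorial. Assumed: elevated PowerShell on Windows 8/8.1
# Pro/Enterprise, C: is the OS drive, E: is a USB stick for the recovery key backup.
$OsDrive   = 'C:'
$KeyBackup = 'E:\BitLocker Recovery Key.txt'
$Cipher    = 'Aes256'        # step 6: Aes128 is the Windows 8 default

# Steps 2-5: the "Require additional authentication at startup" policy is stored as
# DWORD values under this key; the .reg files and gpedit.msc write the same values.
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $Fve)) { New-Item -Path $Fve -Force | Out-Null }

$tpmPresent = [bool](Get-Tpm).TpmPresent        # TrustedPlatformModule module (Windows 8+)
$policy = [ordered]@{
    UseAdvancedStartup = 1                       # policy state: Enabled
    EnableBDEWithNoTPM = [int](-not $tpmPresent) # 1 = "Allow BitLocker without a compatible TPM"
    UseTPM             = 2                       # 2 = Allow, 1 = Require, 0 = Do not allow
    UseTPMPIN          = 2
    UseTPMKey          = 2                       # startup key on a USB drive (step 13)
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $Fve -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}

# Step 16 first: create the 48-digit recovery password before the startup protector,
# so a way back in exists from the moment the drive can be locked.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

# Steps 12-15 and 17: choose the startup protector. Omitting -UsedSpaceOnly encrypts the
# entire drive (step 17); omitting -SkipHardwareTest keeps the system check of step 18.
if ($tpmPresent) {
    Enable-BitLocker -MountPoint $OsDrive -TpmProtector -EncryptionMethod $Cipher | Out-Null
} else {
    $pw = Read-Host -AsSecureString 'Startup password (at least 8 characters)'
    Enable-BitLocker -MountPoint $OsDrive -PasswordProtector -Password $pw -EncryptionMethod $Cipher | Out-Null
}

# Save the recovery password in the same layout as the file the wizard writes. The
# Identifier is the protector GUID; its first 8 characters are the Key ID shown on the
# pre-boot recovery screen, which is how a stored key is matched to a drive.
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
@"
BitLocker Drive Encryption recovery key

Identifier:   $($rp.KeyProtectorId)
Recovery Key: $($rp.RecoveryPassword)
"@ | Set-Content -Path $KeyBackup

# Steps 19-23: encryption begins after the restart and system check; afterwards
# Get-BitLockerVolume -MountPoint C: reports EncryptionPercentage and VolumeStatus.
Get-BitLockerVolume -MountPoint $OsDrive | Format-List MountPoint, VolumeStatus, EncryptionMethod, KeyProtector
Restart-Computer -Confirm
```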









OPTION TWO

To Turn Off BitLocker for Windows 8 OS Drive



1. If you have not already, you will first need to turn off auto-unlock for any encrypted fixed data drives. If you do not, then all fixed data drives that have auto-unlock turned on will also be decrypted at step 8 below.
NOTE: This does not apply to removable data drives.

2. Do step 3, 4, or 5 for how you would like to start.

3. Open the Control Panel (icons view), click/tap on the BitLocker Drive Encryption icon, and go to step 6 below.

4. In File Explorer, open Computer/This PC, right click or press and hold on the encrypted Windows 8 drive you want to decrypt, click/tap on Manage BitLocker, and go to step 6 below. (see screenshot below step 5)

5. In File Explorer, open Computer/This PC, select (highlight) the encrypted Windows 8 drive you want to decrypt, click/tap on Manage (Drive Tools) tab, click/tap on BitLocker icon in the ribbon, click/tap Manage BitLocker, and go to step 6 below. (see screenshot below)

Turn_Off_Bitlocker_OS-1.jpg

6. Under Operating system drive, click/tap on the arrow to expand the Windows 8 OS drive you want to decrypt, and click/tap on the Turn off BitLocker link. (see screenshot below)

Turn_Off_Bitlocker_OS-2.jpg

7. If prompted by UAC, click/tap on Yes.

8. Click/tap on Turn off BitLocker or Decrypt all drives, depending on whether you turned off auto-unlock for all fixed data drives in step 1 above. (see screenshots below)
NOTE: This may take a long time to finish, but you will still be able to use your PC during the decryption process. Just do not turn off the PC until it has finished decrypting.

Turn_Off_Bitlocker_OS-3.jpg

9. You will now notice the BitLocker icon in the taskbar notification area. You can click/tap on it to see the decryption progress. (see screenshot below)

Turn_Off_Bitlocker_OS-4.jpg

10. When decryption of the drive has finally finished, click/tap on Close. (see screenshot below)

Turn_Off_Bitlocker_OS-5.jpg


11. If you like, you could also do step 12 or 13 below to return to the default setting, which requires a TPM for BitLocker to encrypt an OS drive (undoing step 2 and 4 in OPTION ONE) and does not require additional authentication with a TPM (undoing step 3 and 5 in OPTION ONE).

12. To Use a Reg File to Undo Step 2, 3, 4, or 5 in OPTION ONE


A) Click/tap on the Download button below to download the file below.

Disable_BitLocker_OS_Drive_No_TPM.reg




B) Save the .reg file to your desktop.

C) Double click/tap on the .reg file to merge it.

D) If prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve merging.

E) Restart the PC to apply.

13. Use Group Policy to Undo Step 2, 3, 4, or 5 in OPTION ONE


A) Press the :winkey: + R keys to open the Run dialog, type gpedit.msc, and press Enter.

B) If prompted by UAC, click/tap on Yes.

C) In the left pane of Group Policy, click/tap on to expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and Operating System Drives. (see screenshot below step 4C in Option One)

D) In the right pane of Operating System Drives, double click/tap on Require additional authentication at startup to edit it. (see screenshot below step 4C in Option One)

E) Select (dot) Not Configured, and click/tap on OK. (see screenshot below step 4E in Option One)
NOTE: This is the default setting.

F) Close Group Policy.
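OPTION TWO scripted, as an added PowerShell example that is not part of the tutorial. It assumes an elevated PowerShell and that C: is the OS drive; it turns off auto-unlock on data drives first so they are not decrypted along with the OS drive, then removes the same policy values that steps 12 and 13 reset to Not Configured.

```powershell
# Added example, not from the tutorial. Assumed: elevated PowerShell, C: is the OS drive.
$OsDrive = 'C:'

# Step 1: a data drive set to auto-unlock is unlocked by a key kept on the OS drive, so
# decrypting the OS drive while auto-unlock is on would decrypt those drives as well.
# Turn auto-unlock off first; the data drives then stay encrypted under their own protectors.
$autoUnlocked = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' -and $_.AutoUnlockEnabled }
foreach ($v in $autoUnlocked) {
    Disable-BitLockerAutoUnlock -MountPoint $v.MountPoint | Out-Null
    Write-Host "Auto-unlock turned off for $($v.MountPoint); it remains encrypted."
}

# Steps 2-8: remove the OS drive's key protectors and start decrypting it.
Disable-BitLocker -MountPoint $OsDrive | Out-Null

# Steps 9-10: decryption runs in the background; poll until the drive is fully decrypted.
do {
    Start-Sleep -Seconds 30
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    Write-Host ("{0}: {1}% encrypted, {2}" -f $vol.MountPoint, $vol.EncryptionPercentage, $vol.VolumeStatus)
} while ($vol.VolumeStatus -ne 'FullyDecrypted')

# Steps 11-13: return "Require additional authentication at startup" to Not Configured.
# Setting a policy to Not Configured deletes its values, so deleting them here is the same thing.
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
foreach ($name in 'UseAdvancedStartup','EnableBDEWithNoTPM','UseTPM','UseTPMPIN','UseTPMKey','UseTPMKeyPIN') {
    Remove-ItemProperty -Path $Fve -Name $name -ErrorAction SilentlyContinue
}
```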


That's it,
Shawn


 

Bitlocker install apparently stalls on reboot

I have read this article which is very detailed and specific. I followed it to a "T". My machine has no TPM. The OS is WIN8.1pro without all the recent updates. I used the registry download. I have prior to this attempt used one supplied by our IT department very similar and manually made the entries. Everything follows exactly as described up until the point of reboot to finish the install. I have repeated the process about 8X now.

Once the laptop comes back up and the password or USB thumb drive key is satisfied, the screen goes rather blank and displays "Preparing automatic Repair". The first time I got this I left it in that state for about 13 hours without change, drive light notification, or visual progress of any type. The only way to get out of it is to power off.

Is this something that is working and needs to continue for a couple of days, or is something else going wrong?
 
Hello TheTechGuy, and welcome to Eight Forums. :)

I'd say something else is wrong. Do you dual boot with another OS?

If you get past the "Preparing automatic Repair" screen, what happens when you click on the "Restart to Windows" type option?
 
Thanks for the quick reply. There is only the original WIN8 that was updated to 8.1 then Pro just a week ago. So no dual boot.
Once the laptop starts to boot, I do get a blue box on the screen asking for my password for what seems to primarily be looking to fix the Bitlocker install.
I have never gotten past that black screen "preparing automatic repair". After waiting over 13 hrs. and never noticing a drive light come on or any other progress screen I just gave up and powered off so I could continue using the laptop. When I do power off and finish the reboot I, of course, get the window telling me the C: drive was never encrypted.
 
Thanks, Brink! Of course, that is not what I wanted to hear, but was afraid it would end up that way. The machine has always been well maintained and updated regularly. Possibly something to do with ASUS. I have no other issues that plague its performance or normal use. Perhaps that is worth a call to ASUS.
In any case, thanks for the feedback. I may just get a tablet for business use and use a different compliant security.
 
I'm new to this forum so I apologize if I am not posting in the right section, but I was able to get my BitLocker on, but just curious about the following message, particularly the part where it says "...value displayed on your PC."

Where on my PC do I find this identifier?

BitLocker Drive Encryption recovery key

To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.
Identifier:
*********************************************
If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.
Recovery Key:
*********************************************
If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive.
Try another recovery key, or refer to BitLocker recovery keys: Frequently asked questions - Microsoft Windows Help for additional assistance.



Thanks!!!
 
More Questions

Ok, again I'm sorry if I am not using the right terminology or explaining anything right. This is what I have done so far.

I was able to encrypt both my Local Disk (C) and Removable Disk (E).
I strongly believe my computer is running TPM because I was able to clear the old password and save the new TPM file on my USB (E).
I believe the USB was successful because every time I plug it into the computer, it asks me for my password.

However, if you look at the attached image, what do I do to add the following options:

Turn On BitLocker
Change Password/PIN

I guess the reason I am asking is because what if someone gets access to my computer login information? I thought to encrypt my drive so they can't access anything without a password. Is that even how BitLocker works?
 
Recent Update from ASUS

Sounds like it may be time to reinstall Windows. :(

Brink,
Just a quick update regarding my specific problem for your archives. What I found out from ASUS tech support adds fuel to the Microsoft fire. Apparently since my laptop came with WIN8.0 and then I updated it shortly thereafter personally with 8.1 and then about a year later updated to Pro, this was the whole issue. According to ASUS, if it didn't get updated thru the store, Microsoft has a glitch in the OS that requires the ESP file to be updated. Apparently, if it was done with ASUS, for example, they are aware of the need and obviously what to do. As an end user doing the upgrade, this doesn't change the ESP file and causes the problem. Worse, there is no work-around! So it is either send it to ASUS for several weeks, or try something else. The fix... I am changing the OS to WIN7PRO which will fix the dilemma and wait a few years until Microsoft can get their act together. I hear win8.2 is soon to be released and WIN9 about a year away. I hope this helps those plagued with Bitlocker problems having the same progressive exercise.
 
How odd.
 
I just installed a Windows 8.1 Enterprise image on my new Toshiba e45-b4200 laptop. I am looking to turn on Bitlocker protection without TPM. Logged in as local "administrator," I performed steps 4 and 6, and proceeded to step 10. The Bitlocker configuration page showed one Operating System volume with 637 GB free. I clicked on the widget to enable Bitlocker to encrypt it. The program did not create a new system partition as per step 10, and brought me to the screen in step 11. I selected the password option. After entering a password, the process failed displaying the message "access is denied."

Please advise.

Thanks,
EdG
 
Hey Guys,
This is showing up as an active thread to my previous posts, now closed. As I search the member logged into this last post, it has the SAME member number as I do. My issue was resolved a couple of weeks ago and the post to the fix was made but not shown here. The last comment from Brink is above, "How Odd." This is certainly not me. My handle is TheTechGuy.... what's the deal here?
 
I think you may have gotten confused about your new post notification and EdG's and my new posts above. ??

If you like, you can click on Tutorial Tools in the menu bar at the top, and click on Unsubscribe from this Tutorial to not get any more notices when someone posts in the tutorial. :)
 
Access is Denied Message

Disabled Secure Boot and tried again--behavior did not change.

I just joined the company and am waiting for my domain access. I am using my own laptop (welcome to the world of BYOD). I blew away the original Win 8 install, and installed an image that was provided by the client. For now, I am logging into the local machine as "administrator."

Screenshot of Data Management configuration attached.

Thanks,
EdG

Disk Management.png
 
EdG,

Ah, I see why now. The disk already has the maximum 4 primary partitions on it. The other partitions other than C: are the factory recovery partitions.

This would be why you are getting this error since BitLocker is unable to create a new partition, or use the existing first recovery partition.

It really is a shame how these OEMs set up a disk like that.
 
Sorry for the delay, but my problem was resolved and I just now have gotten a chance to update the thread.

Once I received my domain credentials and logged in, a job kicked off automatically and I was prompted to allow Bitlocker to run and encrypt my hard disk, which it did. So I assume the domain admins were able to build something into the image that I loaded to prevent manually installing Bitlocker.

Thanks,
EdG
 
That's great news EdG. Thank you for posting back with your results. :)
 
350 MB System Reserve

Although it is mentioned everywhere that the system partition should be at least 350 MB, mine is only 100 MB, yet there was no prompt to expand the drive to 350 MB and the process straight away skipped to step 12. Was there any change to the 350 MB min requirement?
 