
Microsoft Bitlocker Procedure

Procedure Notes:

Check to see if Bitlocker functionality is supported in the current
BIOS configuration.

Go to
Start --> Control Panel --> Security Settings --> Enable Bitlocker

Select Turn On Bitlocker.

Note:
If this is an initial configuration you will get the error at the bottom of the
screen. You will need to 'Enable' the integrated TPM chip.

Enable Bitlocker and Proceed with Disk Encryption

Start --> Control Panel --> Security Settings --> Enable Bitlocker

You will be prompted for credentials in order to make this change. Enter
your power user credentials.

The system will prompt you to save or print the Bitlocker Encryption Key
(see below for where to save the key).

Recovery Key Maintenance

Rename the Key to include the Laptop name and Save the Key to the
server.

Note: As we move this process forward we will be automating the above
step via an Active Directory Group Policy procedure to eliminate the need
for manually renaming, saving and copying the recovery key.
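
The manual step above (rename the key to include the laptop name and save it to the server) can be scripted. The following PowerShell is an added example, not part of the original procedure; it assumes the BitLocker and TPM PowerShell cmdlets (Windows 8 / Server 2012 and later), that Bitlocker has already been turned on, and a placeholder share \\SERVER\BitLockerKeys.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = $env:SystemDrive,
    [string]$KeyShare   = '\\SERVER\BitLockerKeys'   # placeholder UNC path (assumption)
)

# The procedure's first check: the TPM must be present and enabled in the BIOS.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "TPM is not present or not ready; enable the integrated TPM chip in the BIOS first."
}

$volume = Get-BitLockerVolume -MountPoint $MountPoint

# The recovery key offered by the wizard is the RecoveryPassword key protector.
$recovery = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    throw "No recovery password protector on $MountPoint; turn on Bitlocker first."
}

# The file name includes the laptop name, as the procedure requires.
$fileName = '{0}_{1}_BitLockerRecoveryKey.txt' -f $env:COMPUTERNAME, $MountPoint.TrimEnd(':')
$target   = Join-Path -Path $KeyShare -ChildPath $fileName

$lines = foreach ($p in $recovery) {
    "Computer: $env:COMPUTERNAME"
    "Volume: $MountPoint"
    "Protector ID: $($p.KeyProtectorId)"
    "Recovery password: $($p.RecoveryPassword)"
    ''
}
Set-Content -Path $target -Value $lines -Encoding UTF8

# Report the disk state so the technician can confirm encryption progress.
[pscustomobject]@{
    SavedTo              = $target
    VolumeStatus         = $volume.VolumeStatus
    ProtectionStatus     = $volume.ProtectionStatus
    EncryptionPercentage = $volume.EncryptionPercentage
}
```

Run it from an elevated PowerShell prompt. The share should be readable only by the administrators who handle recovery, since the file contains the recovery password in clear text.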

Make sure you select the Run Bitlocker System Check.

The system will check for compatibility and will reboot again to verify the
encryption key as stored in the TPM chip and to 'actually' enable and
make available the Bitlocker chip functionality.

Disk Encryption

Once the reboot is complete the computer will prompt for login as usual
and will begin the formal encryption process. We have selected consolidated
logon and will not be requiring an additional PIN or third-party encryption
option. This should simplify this process for us in the configuration phase
and for the users moving forward.

The Disk Encrypt process will require approximately 2 hours to complete.


Once complete you should be able to proceed with the installation of the
core software components. It is also possible to install the core
applications during the encryption process but it could impact the
estimated encryption completion time.

Bitlocker Decrypt Procedure

For the purposes of this procedure we will assume that this is a portable
device that has been in use for some time.

Run Checkdisk

This process, technically, can be skipped. However, for systems wherein the data is of a
sensitive or valuable nature that have been deployed for more than a year, it is highly
recommended.

To ensure that the decrypt completes without error, best practices dictate that we complete a
disk verification with the following flags: /r /f. Use both flags as the flag /f doesn't check for
bad sectors while /r does.

Manual steps to run Chkdsk at the command prompt

Click Start --> Search programs and Files --> type CMD.

At the Command prompt type --> Chkdsk /r /f

You should receive the warning that ChkDsk cannot run because the volume is in use by
another process. Would you like to schedule this volume to be checked the next time the
system restarts? (Y/N)

Type Y (for Yes, obviously ;P ) and then press ENTER to schedule the disk check, and then
restart your computer to start the disk check. Depending upon the size and age of the drive
this process could complete relatively quickly (within 10 minutes) or it could take hours.

This process will both locate bad sectors, and recover readable information.

Decrypt Process

Start --> Settings --> Control Panel --> Turn Off Bitlocker

You will see the below graphic

Select Decrypt Drive
