About Protecting Data with Windows 8

BitLocker
Microsoft BitLocker Drive Encryption technology uses the strongest
publicly available encryption to protect your computers data, and
prevents others from accessing your disk drives without
authorization.
BitLocker To Go prevents unauthorized access to your portable
storage drives, including Universal Serial Bus (USB) flash drives, also
known as thumb drives.
When you install Windows 8, you can use the Setup program to
enable BitLocker. If you didnt enable BitLocker when you installed
Windows 8, you can use this guide to walk you through the process.
You can also use this guide to learn how to suspend BitLocker or
encrypt portable drives with BitLocker To Go.
Topics in this guide include:

Preparing to Turn BitLocker On

Backing Up Files

Turning BitLocker On

Suspending BitLocker Protection

Encrypting a Portable Drive with BitLocker To Go

Managing BitLocker To Go

Customization note: This document contains guidance and/or

step-by-step installation instructions that can be reused,
customized, or deleted entirely if they do not apply to your
organizations environment or installation scenarios. The text
marked in red indicates either customization guidance or
organization-specific variables. All of the red text in this document
should either be deleted or replaced prior to distribution.

Preparing to Turn BitLocker On

All new systems that <<organization name>> provides are ready
for BitLocker Drive Encryption. However, before you turn BitLocker
on, connect to the corporate network and join your computer to a
corporate domain (if it isnt already joined). When your computer is
joined to the corporate domain, you can store your recovery
information in << local storage URL>>. You can use this recovery
information in the event of a random failure or operating-system or
BIOS change.

Backing Up Files
<<Organization name>> IT provides several solutions for backing
up your data. Before enabling BitLocker on your computer, see the
Backing Up Your Data Work Smart Guide: << insert URL or file
location >>.

Turning BitLocker On
After you join your computer to the corporate network and connect
to the corporate domain, you can turn BitLocker on. BitLocker then
turns on your computers Trusted Platform Module (TPM) chip, which
is a microchip that enables your computer to utilize advanced
security features.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION
IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.

Page 1 of 8

Initially, when you start BitLocker, you can create a personal

identification number (PIN) that you can use each time you start your
computer. This additional protection is optional, but IT requires it if
you want to use DirectAccess for remote access.

In the Choose how to unlock your drive at startup

screen, tap or click Enter a PIN (recommended). A PIN is
required if you want to use DirectAccess as a remote access
solution.

Note

If the Trusted Platform Module (TPM) chip on your computer

hasnt been turned on, you may see additional screens that
walk you through the process of turning on the TPM chip.

In the Enter a PIN screen, enter a PIN, re-enter it to confirm

it, and then tap or click Set PIN.

In the How do you want to back up your recovery key?

screen, tap or click Save to a file.

Note If youre using a Slate PC, you are not required to create a
PIN.

Turn BitLocker On
1

In the Start screen, type Control Panel, and then tap

or click the Control Panel app on the left side of the
screen (or press ENTER) to open it.

In the Control Panel, tap or click System and Security, and

then tap or click BitLocker Drive Encryption.

In the BitLocker Drive Encryption dialog box, tap or click

Turn on BitLocker.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION
IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.

Page 2 of 8

In the Save BitLocker recovery key as dialog box, enter

<<network storage path or URL>> in the path box. After
selecting the correct folder or storage location, tap or click
Save, and then tap or click Next in the How do you want
to back up your recovery key? dialog box.

In the Choose how much of your drive to encrypt

screen, pick one of the options, and then tap or click Next.

The BitLocker Drive Encryption dialog box shows that

BitLocker is turned on (the command changes to Turn off
BitLocker).

Note
IT recommends that you choose the Encrypt used disk
space only option for fast encryption. There is no risk of
data loss.

In the Are you ready to encrypt this drive? screen, tap

or click Continue.

10

When youre prompted to restart your computer, tap or click

Restart now.

11

After your computer restarts, enter your BitLocker PIN, and

then press ENTER.

12

Slide the Windows 8 Lock screen up, and then log on using
your network password.

13

Open the Control Panel, tap or click System and Security,

and then tap or click BitLocker Drive Encryption.

Notes

You can continue to use your computer during the encryption

process.

After BitLocker is enabled, each time that you attempt to log

on to your computer, you will need to enter your BitLocker
PIN before Windows starts. If you have any issues accessing
your computer, contact << helpdesk contact or technical
support URL>>.

If youre using a Slate PC, you are not required to create a

PIN.

Suspending BitLocker Protection

On occasion, you may need to suspend BitLocker. For example, you
might need to do a hardware upgrade or basic input/output system
(BIOS) updates. When you suspend BitLocker, Windows disables
protection on your system. You wont need to enter your PIN to start
your computer, but your data will be unprotected.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION
IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.

Page 3 of 8

You can perform all updates and system changes by suspending

BitLocker protection. You typically do not need to turn BitLocker off
for any reason other than to decrypt your drive.

Suspend BitLocker
1
2

Open the Control Panel, and then tap or click System and
Security.
Tap or click BitLocker Drive Encryption, and then tap or
click Suspend protection. When prompted to confirm, tap or
click Yes.

Decrypt Your Drive

1

Open the Control Panel, and then tap or click System and
Security.

Tap or click BitLocker Drive Encryption, and then tap or

click Turn off BitLocker.

Note
After one reboot, BitLocker is automatically turned on again.

Resume BitLocker
1

Open the Control Panel, and then tap or click System and
Security.

Tap or click BitLocker Drive Encryption, and then tap or

click Resume protection.

You can continue to use your computer during the decryption

process.

Encrypting a Portable Drive with

BitLocker To Go
When you encrypt a portable drive with BitLocker To Go, you can set
it to unlock by using a password or your smart card.
Password encryption requires that you enter an 8-character
password during the setup process. IT recommends a xx-character
password to minimize the risk of someone reading or modifying
data on a lost or stolen device. This password does not expire. You

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION
IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.

Page 4 of 8

will not need to reset or change the password unless you want to.
You can also use the auto-unlock feature to avoid having to enter a
password each time you use the portable drive. For more
information, see Managing BitLocker To Go later in this guide.

Smart card encryption is more secure and requires additional steps.

To use smart card encryption, you encrypt the device using your
smart card and a PIN. You can only share this information with
someone who has a smart card reader, and you must insert your
smart card and enter your PIN to unlock the portable drive.
To turn on BitLocker To Go:

Connect to the corporate network.

Open the Control Panel, tap or click System and Security,

and then tap or click BitLocker Drive Encryption.

If you havent already done so, insert the portable drive

(USB drive, SC card, SD/MMC card, etc.) into the
appropriate slot. The portable drive will appear in the
BitLocker Drive Encryption dialog box in the Removable
data drives section.

Tap or click Turn on BitLocker.

In the Choose how you want to unlock this drive screen,

select one of the following options.

If you want to use a password to unlock the drive,

select the Use a password to unlock the drive
check box, enter your password twice, and then tap
or click Next.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION
IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.

Page 5 of 8

If you want to use a smart card to unlock the drive

instead, select the Use my smart card to unlock
the drive check box, insert your smart card, and
then tap or click Next.

In the Save BitLocker recovery key as dialog box, enter

<<network storage path or URL>> in the path box.

Tip
BitLocker suggests a filename to use. You can edit this
filename to distinguish it from any other recovery keys that
you may acquire for additional portable drives.

In the How do you want to store your recovery key

screen, Windows shows that your recovery key has been
saved. Tap or click Next.

In the Choose how much of your drive to encrypt

screen, tap or click one of the options, and then tap or click
Next.

Note
IT recommends choosing the Encrypt used disk space
only option for fast encryption. There is no risk of data loss.

In the How do you want to back up your recovery key?

screen, tap or click Save to a file.

10

In the Are you ready to encrypt this drive? screen, tap

or click Start encrypting.
An encryption progress dialog box will appear, followed
eventually by a completion notice. If you remove the
portable drive and then reinsert it, you will be prompted for a
password if you chose password protection. If you chose
smart card protection, you will need to insert your smart
card in your smart card reader and enter your smart card
PIN.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION
IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.

Page 6 of 8

Notes

The time required to encrypt a portable drive with BitLocker

To Go varies depending on the drive size, your connection
speed, and the technology you use, such as External Serial
Advanced Technology (eSATA), FireWire, USB, or USB 2.0. You
can continue to use your computer during the encryption
process.

Each time you attempt to use the drive, you will need to
enter the password or smart card unless you set up BitLocker
To Go to unlock the drive automatically. If you have any
issues accessing your drive, contact << helpdesk contact or
technical support URL>>.

If you want to change the password for a portable drive or

change the auto-unlock feature, see the Managing
BitLocker To Go section of this guide.

All recovery keys are stored in Active Directory and can be

obtained via the self-help process in << insert URL or file
location >>.

To do any of these tasks:

Open the Control Panel, tap or click System and Security,

and then tap or click BitLocker Drive Encryption.

In the BitLocker Drive Encryption dialog box, select the

appropriate BitLocker option.

Managing BitLocker To Go
After you encrypt a portable drive, you may want to back up or print
a recovery key, change a password, remove a password, add a
smart card to unlock the drive, enable or disable the auto-unlock
feature, or turn BitLocker off.

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION
IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.

Page 7 of 8

Note
To print this Work Smart Guide, press CTRL+P.

For More Information

Windows 8
http://windows.microsoft.com/en-US/windows-8/get-started

Microsoft User Experience Virtualization (UE-V)

http://www.microsoft.com/en-us/windows/enterprise/productsand-technologies/virtualization/UE-V.aspxl

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION
IN THIS DOCUMENT. 2012 Microsoft Corporation. All rights reserved.

Page 8 of 8