Bitlocker - some notes

BitLocker, the native Windows encryption product, should probably be used by everyone who has the option (some older/Home editions of Windows don't have it). It should certainly be used in the workplace, and as part of preparing for the upcoming GDPR regulations.

It can be enabled from within Windows on a single-user basis: Settings -> Manage BitLocker.
Or it can be managed from Active Directory / Group Policy, or from Azure Intune / device management, which has a nice interface for managing it. Both the AD and Azure routes have options for storing the recovery keys in the management console so that if a user loses their PIN/password/USB key you can still recover the PC.

Modern PCs often come with a security chip called a TPM. This chip will (among other things) hold the keys needed to encrypt/decrypt your hard drive. Some PCs don't have a TPM.

There are essentially 3 ways you can use BitLocker:
PIN + TPM: the best and most secure option
TPM only: the user doesn't need to type in a PIN/password. Still worth doing, but less secure (see below)
Without TPM: tricky but can be done by following some MS technotes (
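The first option (TPM + PIN) set up from PowerShell, as an added example that is not part of the original notes. It assumes an elevated PowerShell session on a domain-joined PC with a ready TPM, and uses the built-in BitLocker and TrustedPlatformModule cmdlets; the mount point "C:" and the prompted PIN are placeholders. It also adds a 48-digit recovery password and escrows it to AD so the PC can still be recovered if the PIN is lost.

```powershell
# Added example (not from the original notes): enable BitLocker on the OS drive
# with TPM + PIN, add a recovery password, and back it up to Active Directory.
#Requires -RunAsAdministrator

$MountPoint = "C:"   # assumed OS volume

# TPM-only and TPM+PIN both need a present, initialised TPM (see tpm.msc).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; cannot use a TPM key protector."
}

# Prompt for the startup PIN as a SecureString rather than hard-coding it.
$pin = Read-Host -Prompt "Enter startup PIN" -AsSecureString

# 1. Add a recovery password protector first, so recovery is possible from the
#    moment encryption starts (some policies require this before enabling).
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

# 2. Enable BitLocker with the TPM+PIN protector. -UsedSpaceOnly speeds up the
#    initial pass on new machines; -SkipHardwareTest avoids the reboot test.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest

# 3. Escrow the recovery password to AD DS (needs domain join and the Group
#    Policy that allows/requires backup of recovery information to AD DS).
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
} else {
    Write-Warning "Not domain joined; store the recovery password somewhere safe:"
    $rp.RecoveryPassword
}

# Show the resulting state (same information as manage-bde -status).
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector
```

The recovery password is added before the TPM+PIN protector because the point of escrowing it is that it exists from the first boot after encryption; if the PC is not domain joined the script prints it instead so it can be filed in whatever console (Intune, MBAM, GravityZone) is being used.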

BitLocker with TPM only will only protect you from "attacks" on the hard drive itself. If your whole laptop gets stolen the thief can:
-Boot up your Windows installation
-Try to enter the password
-Try DHCP attacks to force Windows to give up the hash of the currently logged-on user (this only works if, say, the person using the PC hibernated it instead of shutting it down; otherwise it won't work at all)

What he cannot do with TPM-only BitLocker (or it's harder anyway):
-Boot from a USB / CD-ROM to access the files on the hard drive directly (on the same machine, bypassing the need for a password; this assumes you don't block USB boot in the BIOS/UEFI), or plug the hard drive into another computer
-Access the drive without the decryption key

Before switching on BitLocker you should be aware of a few things:

Some PCs come partially pre-encrypted (without the keys being made available to the user). I think the keys are linked to an MS email address/account used during the Windows setup. This is part of Microsoft's minimum device configuration baseline policy.

To find out the status of a PC, in PowerShell (or a command prompt) as admin:
manage-bde -status c:

To switch it off:
manage-bde -off c:
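A PowerShell equivalent of the status check, as an added example that is not part of the original notes. It uses the built-in Get-BitLockerVolume cmdlet to report the same information as manage-bde -status for every volume, and flags the two states the notes warn about: a drive that is already encrypted but has protection Off (the factory pre-encrypted / clear-key state, where the user does not hold a protector), and an OS drive protected by TPM only with no PIN. The function name Get-BitLockerAudit is assumed.

```powershell
# Added example (not from the original notes): audit BitLocker state on all
# volumes and flag risky configurations. Run in an elevated PowerShell.
#Requires -RunAsAdministrator

function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types present, e.g. Tpm, TpmPin, RecoveryPassword, ExternalKey
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $finding = switch ($true) {
            # Encrypted (fully or in progress) but protection Off: data is encrypted
            # with a clear key, so the encryption is not protecting anything yet.
            { $vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.ProtectionStatus -eq 'Off' } {
                'ENCRYPTED BUT UNPROTECTED (clear key / suspended): add protectors or decrypt'; break }
            { $vol.VolumeStatus -eq 'FullyDecrypted' } { 'NOT ENCRYPTED'; break }
            # TPM present without TpmPin means TPM-only (the weaker option in the notes).
            { $types -contains 'Tpm' -and $types -notcontains 'TpmPin' } { 'TPM-only: consider TPM+PIN'; break }
            # No recovery password means nothing to escrow in AD/Intune/MBAM.
            { $types -notcontains 'RecoveryPassword' } { 'No recovery password protector'; break }
            default { 'OK' }
        }

        [PSCustomObject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            VolumeStatus = $vol.VolumeStatus
            Protection   = $vol.ProtectionStatus
            Percent      = $vol.EncryptionPercentage
            Protectors   = ($types -join ',')
            Finding      = $finding
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
```

A volume reported as FullyEncrypted with Protection Off is the case to look for on new PCs: it is the state described above where the drive was encrypted at the factory and the keys are not under your control, and the fix is either to decrypt (manage-bde -off) and re-enable BitLocker with your own protectors, or to add protectors and resume protection.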

The PIN/password used to start an encrypted PC is usually set up by the user once Bitdefender is enabled.

If you get the following error:
Bitlocker could not be enabled
The Bitlocker encryption key cannot be obtained. Verify that the Trusted Platform Module (TPM) is enabled and ownership has been taken. If this computer does not have a TPM, verify that the USB drive is inserted and available.
C: was not encrypted.

Check in tpm.msc; it should say "The TPM is ready for use". Note it doesn't say we have ownership, so we need to initialise the TPM and take ownership.

You may "clear the TPM to remove ownership and reset the TPM to factory defaults". Only do this if the drive is definitely not encrypted.
Or disable the TPM to do a TPM-less encryption.

Other management options:
For smaller offices Bitdefender GravityZone can be used to manage BitLocker.
-Create a policy with encryption enabled.
-Apply it to PCs.
-Type in the PIN on each PC.
To recover without the PIN:
-Click on PC name -> Protection -> Encryption -> Recovery (the recovery key ID is what you need; type in your password and it should show the info once the PC has finished initial encryption).
-May be worth keeping a copy of the key in case the PC is deleted from the Bitdefender console by accident.
-Type the key in at the recovery boot screen (press Esc from the PIN screen).

Another management tool:
MBAM - Microsoft BitLocker Administration and Monitoring