[Windows 10 Pro] How to enable / disable the BitLocker Drive Encryption in conjunction with the TPM function
[Windows 10 Pro] [Windows 8.1 Pro] How to enable / disable the BitLocker Drive Encryption in conjunction with the TPM function
Products
Windows 10 Pro
- TPM security chip equipped models only is the target.
Table of contents
Description
Prior confirmation
How to enable BitLocker Drive Encryption
How to disable the BitLocker Drive Encryption
Input method of recovery key
For information about how to unlock the startup drive
For BitLocker Drive Encryption in a domain environment
Description
If you enable the BitLocker drive encryption, data of the entire drive is encrypted, only those who have the correct encryption key can decrypt.
The ability to encrypt the entire drive, helps to protect critical data such as passwords.
For example, remove the hard disk from the PC, you will not be able to access to the data to be connected to another PC. PC with TPM security chip is mounted, it is possible to store an encryption key that can decrypt into the TPM security chip, and prevents the leakage of the encryption key, you can increase security.
[APA]
- ·
Please refer to the contents of the associated Q & A of the following in advance.
▼ Related Q & A:
[VAIO_PC] Notes If you are using the TPM function
- In our company, we do not conduct the operation guarantee about the BitLocker Drive Encryption.
If necessary, please do a backup of the data in advance. - Model corresponding to the InstantGo, you can also use the devices for encryption.
▼ Related Q & A:
[VAIO_PC] for encryption of device
- How to enable BitLocker Drive Encryption
Make the settings for BitLocker in the following procedure.
- Access the Control Panel screen.
- While the Control Panel screen is displayed, and then select System and Security.
- While the [System and Security] screen is displayed, you will select the [BitLocker Drive Encryption].
- While the [BitLocker Drive Encryption] screen is displayed, the [operating system drive] column, and then select the Enable BitLocker].
【Reference information】
If you have disabled the TPM function in the BIOS setup menu, because it is displayed [BitLocker Drive Encryption Setup screen, please do the following operations.
- In [BitLocker Drive Encryption Setup screen [Next] and select the button.
- Click to enable the TPM security hardware] Since the screen is displayed, and then select Restart button.
- While the confirmation screen is displayed at startup, select [Execute], and then press the [Enter] key.
- When you select the [Reject], TPM function will remain inactive.
- Windows will start and then display the desktop screen after startup.
- While the [BitLocker Drive Encryption Setup screen is displayed, select the Next button.
- Please specify a backup method for the recovery key.] Since the screen is displayed, select one of the following, and then select a backup method of recovery key.
※ Here you select Save to File as an example.
- Will be stored in the Microsoft account
you need to sign in with your Microsoft account. - To save to a file
it will save the recovery key (password) in a text file in any location. - To print a recovery key
you will print the recovery key
- While the Save to BitLocker recovery key] screen appears, select any location, and then select the Save button.
- Here as an example, USB flash memory and save it to.
- Please specify a backup method for the recovery key. Before returning, make sure that it is displayed as “recovery key has been saved.”, And then select the [Next] button.
- While the [range of selection to encrypt the drive] screen appears, select one of the following, and then select the [Next] button.
- Encrypt only the used space
only area where data is stored is/can be encrypted.
Historical data that has been recycled or deleted will not be encrypted. - To encrypt the entire drive
all of the data and the free space is encrypted.
- Encrypt only the used space
- If you are applying the Windows 10 November update to your Windows 10 machine, while the “Selecting the encryption mode to use” screen is displayed, in helping you select any of the settings, and then select [Next].
- While the [whether this drive is now ready to be encrypted?] dialog box is displayed, you can put a check in the Run BitLocker system check, and then select the [Continue] button.
- When the “You need to restart your computer” message is displayed, you can select the [restart now] button.
【Reference information】
If the above message screen does not appear, a notification in the bottom right corner “Encryption will begin after a restart of the computer” displays a message screen When you select a balloon.
- Windows will restart and display the desktop screen.
- Notification “is running the encryption” from the region balloon appears, it will wait for a while because the encryption is started.
- Time it takes to encrypt depends on the capacity, such as CPU and hard disk, but is a standard 1GB per about 1 minute.
- When the encryption is complete, the “Encryption of C: has been completed” Because the message is displayed, click the close button.
This completes the operation above.
- How to disable the BitLocker Drive Encryption
※ The following, as an example, is the procedure for unencrypting/ disabling encryption of the operating system drive (C drive).
- It will display the Control Panel screen.
- Since the Control Panel screen is displayed, and then select System and Security.
- While the [System and Security] screen is displayed, select the [BitLocker Drive Encryption].
- Since the [BitLocker Drive Encryption] screen is displayed, you can select to disable the BitLocker] of [operating system drive.
- [BitLocker Disable because the screen is displayed, you will select the button [to disable the BitLocker].
- From the notification area, the message “Windows is unencrypting the drive”, the removal of encryption will start.
- [C: decryption was completed. ] Since the screen is displayed, choose the [Close] button.
This completes the operation above.
- Input method of recovery key
And if you replace the parts in the repair, if the configuration changes unexpected related to the problem and security on the hardware has been made, you will see the following recovery mode screen when Windows starts. If this screen appears, please enter the recovery key in the following procedure.
- It is described in the recovery key that you backed up, string at the beginning of the is displayed on the recovery mode screen “ID”, to see if the same or a string of “key ID”.
- If the “ID” is the same, enter the recovery key, and then select [Continue].
- The lock is released and, when displayed as “is the correct recovery key”, please select [Restart].
This completes the operation above.
Windows will start as usual.
【Reference information】
- You can not enter the recovery key from the touch panel or the on-screen keyboard. Please always enter the recovery key from the physical keyboard.
- If the side of the recovery mode screen after unlock is displayed, enter the recovery key, after the Windows starts-up, please disable the encryption of the device.
If you want to encrypt the device in the future again, you can enable encryption at a later time.
Because a new recovery key is generated at this time, please be sure to backup.
In addition, by executing a reset of the lockout of TPM, but you can also unlock the TPM, in this case in advance TPM management, you must have set a password for the TPM owner.
For TPM management, the control panel it is possible to select the [TPM Management “BitLocker Drive Encryption”, or “encryption devices” screen of the lower left, you can view the configuration screen.
For additional configuration details, please refer to the following Web page. TPM management
- For information about how to unlock the startup drive
In the normal setting, but startup drive of the lock is released automatically, Please operate in the following procedure To ensure you do not connect the PIN input or USB flash drive drive of the lock is not released.
- Press [Windows] key and the [R] key at the same time.
- While the “Run” dialog box is displayed, type [gpedit.msc], and select [OK].
- Since the “Local Group Policy Editor” screen is displayed, from left, [Computer Configuration – Administrative Templates] – [Windows Components] – [BitLocker Drive Encryption] – After selecting the operating system of the drive], Select [Request additional authentication at startup] from the list on the right.
- While the “Require additional authentication at startup” screen is displayed, select the [OK] after selecting the [Enable] check box.
【Reference information】
- In the basic configuration, only numbers can be used for the PIN, if you want to use a string for a PIN, while on the “Local Group Policy Editor” screen, you may enable the setting of the “Allow the startup of the extended PIN”.
- For VJZ13A * series, the basic settings “to enter the PIN” can not be used.
If you want to use to “enter the PIN” is, in the “Local Group Policy Editor” screen, please enable the setting of “slate to be able to use the pre-boot keyboard input is required BitLocker authentication in”.
- It will open the Control Panel.
▼ Related Q & A:
[Windows 10] “Settings” and how to display the “Control Panel” screen
- Select the System and Security.
- While the “System and Security” screen is displayed, select the [BitLocker Drive Encryption].
- While the “BitLocker Drive Encryption” screen is displayed, select [Change how to unlock the drive at startup].
- While the “Choose how to unlock the drive on startup” screen is displayed, select one of the following, you can set according to what is displayed on the screen.
- To enter the PIN
and enter the string you set in any at startup. - Insert a USB flash drive
so that you can not start that it is not pointing to a USB flash drive that is set for the drive release. - To unlock the drive automatically in BitLocker
you want to automatically unlock the drive.
- To enter the PIN
This completes the operation above.
- For BitLocker Drive Encryption in a domain environment
In a domain environment, you might have to use the BitLocker Drive Encryption is restricted.
If you want to use BitLocker Drive Encryption in a domain environment, the advance in the system administrator, please check for propriety of the use of a domain environment.
For VJZ13A * series, you can not use the BitLocker Drive Encryption as it is in a domain environment.
If you want to use BitLocker Drive Encryption in a domain environment, please enable BitLocker Drive Encryption after changing the settings of the Local Group Policy by the following procedure.
- Press [Windows] key and the [R] key at the same time.
- While the “Run” screen is displayed, type [gpedit.msc] without brackets into the command field, then click [OK].
- While the “Local Group Policy Editor” screen is displayed, from left, [Computer Configuration – Administrative Templates] – [Windows Components] – [BitLocker Drive Encryption] – After selecting the operating system of the drive], you can select to be able to use the required BitLocker authentication is pre-boot keyboard input in the slate] from the list on the right.
- “Because slate is to be able to use the pre-boot keyboard input is required BitLocker authentication in” screen is displayed, after the check box of [Enable], and then select the [OK].
This completes the operation above. Refer to how to enable BitLocker Drive Encryption, please enable BitLocker Drive Encryption.