After my experience with TrueCrypt and reinstalling Windows (Link), I was wondering how Microsoft's own encryption works. I'm running Windows 7 Ultimate, and in this edition (and in Enterprise) BitLocker is available. The next steps show how to encrypt the boot/system partition.

I started BitLocker Drive Encryption.
On the left bottom there is a link for TPM Administration. 

Because my laptop has a TPM chip, I want to use it. The TPM holds the key material that protects the encryption.

Choose: Initialize TPM.
Click: Restart.
The BIOS of the computer will ask for permission to change the TPM; grant it. After logging in to Windows, the following screen will pop up.

Choose: Manually create the password.

Give a TPM Owner Password. 

Click on: Save the Password.
Save it on a USB stick.

When ready, click on: Initialize.

When ready, Close. 

Now we can use the TPM chip with BitLocker.

Start BitLocker again. 

Click on: Turn On BitLocker.

Click: Save the recovery key to a USB flash drive. 

When ready, click Next.

Select: Run BitLocker system check. Just to be sure everything is working.

When you are ready to encrypt, click on: Start Encrypting.

And then, we wait…

Now the hard disk/partition is encrypted, but no password is asked for when booting the PC. This is because the key material is stored in the TPM chip. Windows is the owner of this chip, so only this Windows installation can unlock the partition/hard disk. That's why Windows 7 comes with a 100MB hidden boot partition: this unencrypted partition is needed to boot the encrypted system. The following steps show how to enable a PIN or password for booting Windows, just to have that hands-on feeling of safety.

First open: GPEDIT.MSC
Navigate to: Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption –> Operating System Drives.

Open: Require additional authentication at startup.

Select: Enabled 

Deselect: Allow BitLocker without a compatible TPM

Configure TPM startup PIN: Require startup PIN with TPM

Click on: OK

!!Tip!! If you want to use characters other than digits in your PIN, enable the policy: Allow enhanced PINs for startup.

Open an elevated command prompt.
Type: manage-bde.exe -protectors -add C: -TPMAndPIN

Enter the PIN twice.


Every time Windows boots, it will ask for the PIN.
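To check that the steps above actually took effect (TPM initialized, policy applied, TPM+PIN protector present, drive fully protected), here is a verification script. It is an added example, not part of the original post, and it assumes the OS volume is C:, that you run it from an elevated PowerShell prompt on Windows 7, and that manage-bde.exe prints English output (the string matching below breaks on a localized Windows). The FVE registry value names are the ones the "Require additional authentication at startup" and "Allow enhanced PINs for startup" policies write; confirm them in the policy editor on your own system.

```powershell
# Added example (not from the original post): verify the BitLocker TPM+PIN setup on Windows 7.
# Assumptions: OS volume is C:, elevated PowerShell, English manage-bde.exe output.

$OsDrive = 'C:'

# 1. TPM state through the Win32_Tpm WMI class (Windows 7 has no BitLocker PowerShell module).
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM found; a TPM+PIN protector cannot be used on this machine.' }
$tpmState = [ordered]@{
    Enabled   = $tpm.IsEnabled().IsEnabled
    Activated = $tpm.IsActivated().IsActivated
    Owned     = $tpm.IsOwned().IsOwned        # True after "Initialize TPM" completed
}
$tpmState

# 2. Policy values written by the GPEDIT.MSC steps above. They live under the FVE policy key;
#    if the key is missing, the policy is still "Not Configured".
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$policy = [ordered]@{
    AdvancedStartup = $fve.UseAdvancedStartup   # 1 = "Require additional authentication at startup" Enabled
    TpmOnly         = $fve.UseTPM               # 0 = do not allow, 1 = require, 2 = allow
    TpmPin          = $fve.UseTPMPIN            # 1 = "Require startup PIN with TPM"
    NoTpmAllowed    = $fve.EnableBDEWithNoTPM   # 0 = "Allow BitLocker without a compatible TPM" deselected
    EnhancedPin     = $fve.UseEnhancedPin       # 1 = "Allow enhanced PINs for startup" Enabled
}
$policy

# 3. Key protectors on the OS drive, parsed from manage-bde output.
$protectorText = & manage-bde.exe -protectors -get $OsDrive 2>&1 | Out-String
$hasTpmPin   = $protectorText -match 'TPM And PIN'
$hasRecovery = $protectorText -match 'Numerical Password'   # the recovery key saved to USB

# 4. Encryption and protection state of the drive.
$statusText     = & manage-bde.exe -status $OsDrive 2>&1 | Out-String
$protectionOn   = $statusText -match 'Protection Status:\s+Protection On'
$fullyEncrypted = $statusText -match 'Percentage Encrypted:\s+100'

# Summary: every field should be True once the procedure above has completed.
[pscustomobject]@{
    TpmOwned            = [bool]$tpmState.Owned
    PinRequiredByPolicy = ($fve.UseTPMPIN -eq 1)
    TpmPinProtector     = $hasTpmPin
    RecoveryPassword    = $hasRecovery
    ProtectionOn        = $protectionOn
    FullyEncrypted      = $fullyEncrypted
}
```

If TpmPinProtector is False while PinRequiredByPolicy is True, the policy is set but the manage-bde step was not run yet: the drive would still boot without a PIN, because policy only governs which protectors may be added, not which ones exist.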

Edit 10/05/2011: Encrypting the next partition.

In the following steps I'm showing how to encrypt the next partitions (e.g. D:).

Start Windows Explorer and right click on the partition.

Select: Turn on BitLocker.

Since the system partition is also encrypted, it’s possible to select: Automatically unlock the drive on this computer.

If you want a password, select: Use a password to unlock the drive.

Save the recovery key to the same USB flash drive as above.

Store the USB key in a safe place.

Click: Next.

Click: Start Encrypting.
The partition is now encrypted. It will automatically unlock when Windows boots.
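The same data-drive steps can be done without the Explorer wizard, which is useful when more than one partition has to be encrypted. The script below is an added example, not from the original post. It assumes the data volume is D:, the USB stick for the recovery key is mounted as F:\, the OS drive C: is already protected (auto-unlock stores its key on the OS volume, so that is a hard requirement), and that manage-bde.exe prints English output. The -UsePassword switch corresponds to "Use a password to unlock the drive"; without it the drive relies on auto-unlock plus the recovery key.

```powershell
# Added example (not from the original post): encrypt a data drive with manage-bde.exe on Windows 7.
# Assumptions: data drive D:, recovery key USB at F:\, OS drive C: already protected, elevated prompt,
# English manage-bde.exe output.
param(
    [string]$DataDrive   = 'D:',
    [string]$RecoveryUsb = 'F:\',
    [string]$OsDrive     = 'C:',
    [switch]$UsePassword                 # add a password protector (manage-bde prompts for it)
)

function Get-BdeStatusText([string]$Drive) {
    (& manage-bde.exe -status $Drive 2>&1 | Out-String)
}

# Auto-unlock keys live on the OS volume, so refuse to continue if C: is not protected yet.
if ((Get-BdeStatusText $OsDrive) -notmatch 'Protection Status:\s+Protection On') {
    throw "$OsDrive is not protected by BitLocker; encrypt the OS drive first."
}
if (-not (Test-Path $RecoveryUsb)) {
    throw "Recovery key location $RecoveryUsb is not available; plug in the USB stick."
}

# Turn on BitLocker: a 48-digit recovery password (printed once, later retrievable with
# -protectors -get) plus a recovery key file (.BEK) written to the USB stick.
$onArgs = @('-on', $DataDrive, '-RecoveryPassword', '-RecoveryKey', $RecoveryUsb)
if ($UsePassword) { $onArgs += '-Password' }
& manage-bde.exe @onArgs
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Equivalent of "Automatically unlock the drive on this computer".
& manage-bde.exe -autounlock -enable $DataDrive
if ($LASTEXITCODE -ne 0) { throw "enabling auto-unlock failed with exit code $LASTEXITCODE" }

# Encryption runs in the background; poll until it reaches 100%.
do {
    Start-Sleep -Seconds 30
    $status = Get-BdeStatusText $DataDrive
    $pct = if ($status -match 'Percentage Encrypted:\s+([\d.]+)') { $matches[1] } else { '?' }
    Write-Host "$DataDrive encrypted: $pct%"
} until ($status -match 'Percentage Encrypted:\s+100')

# Final check: protection on, and the external key file really landed on the USB stick
# (.BEK files are written as hidden system files, hence -Force).
$bek = Get-ChildItem -Path $RecoveryUsb -Filter '*.BEK' -Force -ErrorAction SilentlyContinue
[pscustomobject]@{
    ProtectionOn    = ($status -match 'Protection Status:\s+Protection On')
    AutoUnlock      = ((& manage-bde.exe -protectors -get $DataDrive 2>&1 | Out-String) -match 'External Key')
    RecoveryKeyFile = ($bek | Select-Object -First 1 -ExpandProperty Name)
}
```

Keep the USB stick offline after the run, as the post says: anyone holding the .BEK file or the numerical password can unlock the drive without the PIN or password.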

