Setup your BitLocker Drives and Virtual Drives

It's once again time to setup a good old fashioned workstation with all the physical and virtual drives encrypted.

If you've read teh "VHD Bitlocker Encrypted Hard Drives" article then you most likely know you can double your luck and triple your skills by mounting VHD on Physical Bitlocker encrypted drives.

The only thing I want to point out to you is the method of unlocking your drives.

I have a system that seems to work for me but depending on what you are protecting might not work for you.

I use a simple USB stick to unlock my system. The USB stick is the key or TPM.
You must never leave the USB key drive in the computer after it has booted and never leave the computer and USB key in the same area when you are not in the room.

Most of the people I know leave the USB key on their car key ring. I keep mine on my ID badge while others keep the USB key in their pockets.

Setting up your drives:

I use BitLocker but you can use any drive encryption you would like.

I use 4 hard drives internally.
Each drive is encrypted with a simple password.

My main drive C:\ boots and decodes with a USB.

I then unlock My Documents with a pasword and that will unlock the other drives.

Let's get going:

  1. From the Run / Search line type "gpedit.msc" (without the quotes) 
  2. This opens your Local Group Policy Editor.
  3. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require Additional Authentication at Startup 
    Bit Locker -GPEdit .msc -Require -additional -authentication -at -startup
  4. Place a check in the box next to "Allow BitLocker without a compatible TPM.
  5. Allow TPM
  6. Allow startup PIN with TPM
  7. Allow startup key with TPM
  8. Allow startup key and PIN with TPM

Now, Reboot your system and follow the simple instructions. 
I'll come back and review all the additional settinss in this section of the global local policy. I know a few of you have questions and I need to use this time with a new system to do some testing. 

That's right after I do a full image backup so I can recover my system if things go south. 

And if you are wondering, I do backup to a BitLocker enabled drive that is using a simple password that is only accessible within a Win 7 Ult or Enterprise or 2008 or Vista Business OS. 





Bitlocker is really a good thing for more than just protection from unwanted disclosure. It will keep those little hands off things they don't need to see. I often share my workstations and laptops which is why I have VHD encrypted drives that I mount when needed and dismount when not needed. This article is the basic setup prior to running the Bitlocker enabled virtual drives.