BitLocker FAQ
On this page:
- Do I need to encrypt my computer using BitLocker?
- How does BitLocker protect my data?
- Where is my recovery key escrowed?
- Is my computer protected when it is in sleep mode or when the screen saver is active?
- If I change my Kerberos password, will my BitLocker password also change?
- Can I share my password with Desktop Support?
- My computer is prompting me for the Windows BitLocker Recovery Key. Where do find my Windows BitLocker Recovery Key?
- See Also
Do I need to encrypt my computer using BitLocker?
Currently, laptops and other portable storage devices (i.e. portable hard drives, USB memory sticks) that contain personal information requiring notification (PIRN) are required to be encrypted.
If you want to use BitLocker, check in first with your system administrator. Local IT policy may require additional safeguards to ensure that - should you leave MIT, be unavailable, or forget your password - someone from your business area can still access the important business files on the encrypted computer.
How does BitLocker protect my data?
How BitLocker works with operating systems
Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by:
- Encrypting the entire Windows operating system drive on the hard disk. BitLocker encrypts all user files and system files on the operating system drive, including the swap files and hibernation files.
- Checking the integrity of early boot components and boot configuration data. On computers that have a Trusted Platform Module (TPM) version 1.2, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer's boot components appear unaltered and the encrypted disk is located in the original computer.
BitLocker is integrated into Windows 7 and provides enhanced data protection that is easy to manage and configure. For example, BitLocker can use an existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys.
BitLocker offers no protection for malware (computer virus) infections. Users must maintain their operating system and practice good computing hygiene (applying patches, security updates, creating strong passwords, and staying away from dubious links and web sites).
BitLocker also does not encrypt email or attachments. Users must look to other tools for protecting data in transit.
Where is my recovery key escrowed?
Computers in the WIN domain
The recovery key is stored centrally in AD as well as the MBAM database (if the MBAM client is installed). The key can be recovered by using the MBAM BitLocker self-service portal or by calling the helpdesk.
Please Note: If the BitLocker encryption was enabled prior to joining the computer to the WIN domain, then the recovery key will not be automatically escrowed to AD and must be manually uploaded.
Computers NOT in the WIN domain
The recovery key is stored locally, either in a text file, saved directly to a USB flash drive, a printed file, or Microsoft account (cloud). It is highly recommended to store the recovery key to a secure location such as LastPass.
Is my computer protected when it is in sleep mode or when the screen saver is active?
Yes. BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method.
If I change my Kerberos password, will my BitLocker password also change?
No, the two are not connected. Although you may have originally used your Kerberos password as your BitLocker password, if you change your Kerberos password later on, this does not also change your BitLocker password.
Can I share my password with Desktop Support?
You should not need to, and doing so may violate state laws that require you to protect personal information that is on your computer.
My computer is prompting me for the Windows BitLocker Recovery Key. Where do find my Windows BitLocker Recovery Key?
If your computer is (which scenario do I have?):
- Unmanaged, not on the WIN domain - You likely saved the key to a text file and/or copied the key to LassPass, or perhaps stored the key in a Microsoft account (cloud).
- Managed, on the WIN domain - The key is stored in AD and MBAM (if the MBAM client is installed). Please use MBAM self-service to retrieve the recovery key or contact the helpesk.