Windows BitLocker Drive Encryption protects data at rest by encrypting all data stored on the Windows operating system volume. For the purposes of this article, a volume consists of one or more partitions on one or more hard disks; BitLocker works with simple volumes, where one volume is one partition. A volume usually has a drive letter assigned, such as C:.
BitLocker uses the Trusted Platform Module (TPM) to protect the Windows operating system and user data and to detect whether a computer has been tampered with, even if it is left unattended, lost, or stolen. BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption key is stored on a USB flash drive. This flash drive must be plugged in at startup to unlock the data stored on the volume.
The data is protected by encrypting the entire Windows operating system volume. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to seal the encryption keys that protect the data, so the keys cannot be accessed until the TPM has verified the state of the computer. Encrypting the entire volume protects all of the data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the keys needed to decrypt the data remain sealed by the TPM, an attacker cannot read the data simply by removing the hard disk and installing it in another computer.

During the startup process, the TPM releases the key that unlocks the encrypted volume only after the measurements of the boot components (recorded in the TPM's platform configuration registers) match the values recorded when BitLocker was enabled. This verifies the integrity of the Windows startup process; if the TPM detects that the boot components have changed, the key is not released and the volume can only be unlocked with a recovery key or recovery password.

By default, the BitLocker setup wizard is configured to work seamlessly with the TPM. An administrator can use Group Policy or a script to enable additional features and options. For enhanced security, combine the TPM with either a PIN entered by the user or a startup key stored on a USB flash drive; a TPM alone unlocks the volume for anyone who can boot the machine to the logon screen. On computers without a compatible TPM, BitLocker can still encrypt the volume, but without the added protection of sealing the keys to the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive.
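The protector choices described above, as an added example that is not part of the original article: a PowerShell script for Windows 7 that queries TPM state through WMI (the Get-Tpm cmdlet does not exist on Windows 7), configures TPM+PIN where a TPM is available and a USB startup key otherwise, always adds a recovery password, and then turns BitLocker on with manage-bde. The drive letters are placeholders; run it from an elevated prompt.

```powershell
# Added example (not from the original article): pick a BitLocker protector for the
# OS volume and enable encryption with manage-bde, which ships with Windows 7.
$OsVolume = 'C:'
$UsbDrive = 'E:\'   # assumption: removable drive that will hold the startup key

# Query TPM state through WMI. Each Win32_Tpm method returns an object whose
# boolean property carries the same name as the method.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
$tpmReady = ($null -ne $tpm) -and $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated

if ($tpmReady -and -not $tpm.IsOwned().IsOwned) {
    # TPM initialization (taking ownership) is the step that fails with 0x80070005
    # when the computer account cannot write msTPM-OwnerInformation in AD DS.
    Write-Warning 'TPM is present but not yet initialized; initialize it (tpm.msc) before continuing.'
    return
}

if ($tpmReady) {
    # TPM + PIN: the volume key stays sealed to the TPM's boot measurements and a
    # PIN is also required at boot, so a stolen machine cannot be booted to the
    # logon screen. manage-bde prompts for the PIN interactively.
    manage-bde -protectors -add $OsVolume -TPMAndPIN
} else {
    # No usable TPM: the GPO "Require additional authentication at startup" with
    # "Allow BitLocker without a compatible TPM" must be enabled first. The key is
    # written to the USB drive, which must be inserted at every boot.
    manage-bde -protectors -add $OsVolume -StartupKey $UsbDrive
}

# Always add a recovery password so the volume can be unlocked if the TPM
# measurements change (firmware update, boot order change) or the USB key is lost.
manage-bde -protectors -add $OsVolume -RecoveryPassword

# Start encryption, then confirm which protectors are in place and the status.
manage-bde -on $OsVolume
manage-bde -protectors -get $OsVolume
manage-bde -status $OsVolume
```

Store the recovery password out of band (or back it up to AD DS with the policy described in the linked guide) before rebooting; a change to any measured boot component will otherwise leave the volume locked.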
When trying to turn on BitLocker on a Windows 7 computer, an "Access Denied" error may be encountered while initializing the TPM.
The same failure appears when the TPM is initialized from the TPM Management Console (tpm.msc): error 0x80070005 (E_ACCESSDENIED).
This happens when Group Policy requires TPM owner information to be backed up to Active Directory Domain Services but the computer account does not have permission to write the msTPM-OwnerInformation attribute on its own computer object, so TPM initialization aborts rather than proceed without the backup. Follow the instructions below to grant that permission to SELF for the computer objects in the OU:
1. Open Active Directory Users and Computers.
2. Select the OU that contains the computers on which BitLocker will be turned on.
3. Right-click the OU and click Delegate Control.
4. Click Next, then Add.
5. Type SELF as the Object Name.
6. Select Create a custom task to delegate.
7. Under Only the following objects in the folder, select Computer objects.
8. Select all three checkboxes under Show these permissions (General, Property-specific, and Creation/deletion of specific child objects).
9. Scroll through the permissions and select Write msTPM-OwnerInformation.
10. Click Finish.
After completing these steps, wait for the change to replicate and refresh Group Policy on the client (gpupdate /force); the TPM can then be initialized successfully. Once it has been, the computer object's msTPM-OwnerInformation attribute should be populated, which confirms that the backup to AD DS worked.
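The same delegation as a PowerShell script, added here as an example and not part of the original article: it adds a single ACE to the OU granting NT AUTHORITY\SELF (S-1-5-10) WriteProperty on msTPM-OwnerInformation, inherited only by computer objects, which is what the Delegation of Control Wizard steps above produce. It requires the ActiveDirectory RSAT module and rights to modify the OU's security descriptor. The OU distinguished name and the sample computer name are placeholders; the schema GUIDs are looked up at run time rather than hard-coded.

```powershell
# Added example (not from the original article): grant SELF write access to
# msTPM-OwnerInformation on all computer objects under an OU, then verify it.
Import-Module ActiveDirectory

$OuDN = 'OU=BitLockerComputers,DC=corp,DC=example'   # assumption: replace with your OU

# Resolve the schemaIDGUIDs of the attribute and of the computer class from the
# schema partition; both must exist (Windows Server 2008 schema or the TPM/BitLocker
# schema extension on older forests).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=msTPM-OwnerInformation))' -Properties schemaIDGUID
$cls  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=computer))' -Properties schemaIDGUID
if (-not $attr) { throw 'msTPM-OwnerInformation is not in the schema; extend the schema before delegating.' }
$attrGuid          = [guid]$attr.schemaIDGUID
$computerClassGuid = [guid]$cls.schemaIDGUID

# NT AUTHORITY\SELF: each computer gets write access to the attribute on its own object only.
$selfSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'

$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $selfSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,                                                               # objectType: the attribute
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid                                                       # inheritedObjectType: computer objects only
)

$aclPath = "AD:\$OuDN"
$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# Verification 1: the ACE is present on the OU.
$present = (Get-Acl -Path $aclPath).Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.ObjectType -eq $attrGuid -and
    $_.InheritedObjectType -eq $computerClassGuid -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
}
if (-not $present) { throw "ACE for SELF on msTPM-OwnerInformation not found on $OuDN" }
Write-Host "SELF may now write msTPM-OwnerInformation on computer objects under $OuDN"

# Verification 2 (run after a client has initialized its TPM): the attribute is populated.
$ComputerName = 'PC01'   # assumption: a computer in the OU that has initialized its TPM
$c = Get-ADComputer -Identity $ComputerName -Properties msTPM-OwnerInformation
if ($c.'msTPM-OwnerInformation') {
    Write-Host "$ComputerName has TPM owner information backed up to AD DS"
} else {
    Write-Warning "$ComputerName has no msTPM-OwnerInformation yet; refresh Group Policy and retry TPM initialization"
}
```

Deliberately scope the ACE to the single attribute with inheritance limited to computer objects: granting SELF broader write rights on computer objects would let any domain-joined machine alter its own attributes beyond what TPM backup needs.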
Windows BitLocker™ Drive Encryption Step by Step Guide (https://go.microsoft.com/fwlink/?LinkId=53779)
Backing Up BitLocker and TPM Recovery Information to AD DS (https://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx)