One of the problems with coming up with the whole Microsoft account idea is that people’s accounts are going to get hacked from time to time. There is a gray area between Microsoft not wanting to force people to create passwords so strong that they can’t remember them and creating a password that should be strong enough for most people not to get hacked. That gray area is resulting in lots of people still getting their Microsoft accounts hacked all around the world every day.
Microsoft has things in place to help you gain control of your account again should someone hack it, so it’s not lost forever, but that hasn’t stopped the hackers from viewing your stuff. Microsoft just conveniently leaves that part out on the page that runs through all of the ways you can get your accounts back after they have been compromised.
The worst thing that can happen is someone steals your laptop and manages to hack your Microsoft account password. There isn’t much in place to stop that thief from just keeping your computer and using it for as long as the police don’t knock on their door. If that situation does happen to you, you can alert the police of the theft and make sure that you are using a tracking program like Find My Device in Windows 10. You should also try logging in to your Microsoft account as soon as possible on another device and change your password to something else.
Protecting your Microsoft accounts with a strong password is important if you travel a lot because if someone does steal your laptop, then they can browse freely and use it, regardless of whether BitLocker is working on the computer or not. You won’t notice BitLocker working on your computer if you have set it up because it doesn’t make people sign in with any additional passwords until something unusual happens—like Microsoft detecting someone trying to use your hard drive from another computer. Apart from that, BitLocker isn’t able to do anything to stop a thief from using your computer if they have gained access to your Microsoft account because it can’t tell who is using the computer.
Microsoft owns the BitLocker program so there are some suggestions out there that it isn’t going to be a suitable solution for everybody. The terrorists among our subscribers, for example, might still run into trouble with the FBI because something like the FBI can work with larger companies like Microsoft to still claim your data—you might remember the case involving Apple and the FBI and a criminal’s encrypted iPhone in 2015. But for all of those just looking to hide stuff from family, friends, roommates, etc., the BitLocker encryption should work just fine.
As someone who has spent quite a bit of his time studying Microsoft security, I don’t typically recommend people use full drive encryption. The reason is that if something goes wrong with your operating system and your recovery disk or drive, and all of your data is encrypted, then you lose that data. Without the key to decrypt the data, you can’t get that data back again.
So if you have some data that is very important to you—such as your SSN or tax information—that you don’t want anyone else seeing, I would recommend moving those files to a single folder and then finding out how to encrypt just that file or folder instead of the entirety of your drive.
If you are going to use encryption for the full drive, then you should also research how to back up that drive that is now encrypted with BitLocker to avoid what I mentioned above. When you choose to back up, you don’t want to be backing it up on the same drive, because that won’t avoid anything. You’ll need to back it up to something like an external hard drive and then encrypt that external hard drive with BitLocker To Go, for instance. Again, you’ll be faced with that same problem if something were to go wrong with that external drive, but if you back it up to enough places then at least one of them should continue to work for you if all else fails.
Other than not being available for Windows 10 Home, BitLocker works pretty intelligently and is set up to cause users next to no fuss. When BitLocker is working for a drive, any new file that is added to the drive gets automatically encrypted with BitLocker. That file then remains encrypted for as long as it stays on that drive.
How to Turn On/Off BitLocker Encryption in Windows 10 Pro
Note: The BitLocker tool is only available for the Professional and Enterprise editions of Windows 10. If you need to upgrade from Windows 10 Home to Windows 10 Pro, you can do so for $99, and then the BitLocker encryption is available for your computer. Additionally, if you happen to own a MS Surface laptop, you can upgrade from Windows 10 Home to Windows 10 Pro for free up until the end of December this year.
If BitLocker is already on and you want to turn it off:
After studying Windows 10 encryption for the day, I’ve concluded that the whole thing is a bit of a mess—but still a usable mess. If you have a computer that supports BitLocker, it will already be turned on. You can check if BitLocker is on by opening up File Explorer and checking out your C: drive. If you can see a padlock there, then BitLocker is working. (Don’t be alarmed about the fact that it is displaying an opened padlock; that is just the symbol for BitLocker, and it represents BitLocker working.)
To get BitLocker turned off, right-click on the C: drive under the Devices and drives heading and then click on the “Manage BitLocker” link from the menu.
It directs you through to the BitLocker Drive Encryption area available in the Control Panel. It’s here where there is a link for you to “Turn off BitLocker.” As soon as you click and confirm, it is done. You can confirm that it is turned off by opening up the File Explorer and checking that the C: drive no longer has a picture of a padlock on it—not just opened or closed but rather completely gone.
If BitLocker is already off and you want to turn it on:
You can turn on BitLocker by typing “BitLocker” into the search box and then clicking on the “Manage BitLocker” link under the Best match section.
If you have recently turned off BitLocker, then you may need to wait a few minutes for the “Turn on BitLocker” button to appear under the Operating system drive heading. If it still doesn’t show up, reboot the computer and open the “Manage BitLocker” from Control Panel again. For everyone else, as long as your computer supports BitLocker, you should find the link for turning on the BitLocker there where it shows it in the picture below.
When you get to this step, make sure you choose wisely. If I had to choose one of the options for backing up a recovery key myself, I would choose my Microsoft account. If you choose your Microsoft account, your recovery key—which you must make sure you keep at all costs—will be available when you log in here: https://onedrive.live.com/recoverykey.
Once you have chosen the method that you want for backing up the recovery key, click on the “Next” button. (You can see that Windows 10 has saved your recovery key by observing the new sentence in the window that says “Your recovery key has been saved” under the heading.)
BitLocker lets you choose between encrypting the full drive or just encrypting the used disk space. Before making your choice, have a read of what it says above that because it goes into detail about what is the best option for your situation. If you have already been using the computer for a while, then you should encrypt the entire drive.
You then need to make a choice between encryption modes. Because this article is about internal drives, you’ll want to keep the first option selected. Click on the “Next” button at the bottom.
Before it goes ahead with encrypting the drive, it gives you the chance to choose to run the BitLocker system check. You have a recovery key that allows you to recover data should your drive become unusable and decryption fails. By running this system check, you make sure that the recovery option is going to work, so it’s an option we recommend doing before going ahead with the encryption. You’ll need to make sure you check the box available next to where it says “Run BitLocker system check” if you want it. Click on the “Continue” button when you are ready to start the encryption of the drive.
Once the drive is encrypted with BitLocker, the computer needs to be rebooted before the changes can take effect. You can choose to do that now or leave it for later, and the encryption will begin as of when the computer reboots sometime in the future.
If you navigate to the Start menu > Settings > This PC and then check the right side pane for the Local Disk, you’ll see there is now—albeit an opened for some reason—padlock which is there letting you know that BitLocker is now set up and working for that C: drive.
Now you need to make sure that you remember where to find your recovery key if you should ever need it. It is the recovery key that is going to allow you to get access to your backup if something ever happens to your operating system and you can’t open your data that is currently encrypted. When it says it’ll back it up to your “Microsoft account,” it is referring to your Microsoft OneDrive storage. All of you can get access to your OneDrive accounts from https://onedrive.live.com/recoverykey with your unique username and password that you already had set up for OneDrive. If you don’t yet have one, you can set up a OneDrive account now.
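The same turn-on procedure can be scripted from an elevated PowerShell prompt on Windows 10 Pro. This is an added example, not code from the article or from Microsoft; it uses the BitLocker PowerShell cmdlets and assumes the recovery key should be written to a removable drive at the (assumed) path in `$KeyBackupPath`, since saving to a Microsoft account is only offered by the wizard.

```powershell
# Added example: check, enable and verify BitLocker on the OS drive.
# Run from an elevated PowerShell prompt; $KeyBackupPath is an assumed location
# on a removable drive, never on the drive being encrypted.
param(
    [string]$MountPoint    = "C:",
    [string]$KeyBackupPath = "E:\BitLocker-RecoveryKey-$env:COMPUTERNAME.txt"
)

# 1. Current state (the padlock in File Explorer reflects the same information).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume {0}: status={1} protection={2} {3}% encrypted" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage

if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "BitLocker is already protecting $MountPoint; nothing to do."
    return
}

# 2. Add the 48-digit recovery password first (this is the recovery key the wizard
#    asks you to back up), then turn on BitLocker with the TPM as the unlock method.
#    -SkipHardwareTest is the equivalent of leaving "Run BitLocker system check"
#    unticked; drop it to have the check run on the next reboot. Remove -UsedSpaceOnly
#    to encrypt the entire drive, as the article recommends for a computer in use for a while.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# 3. Save the recovery password somewhere that is NOT the encrypted drive.
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Identifier: {0}`nRecovery Key: {1}" -f $recovery.KeyProtectorId, $recovery.RecoveryPassword |
    Set-Content -Path $KeyBackupPath
Write-Host "Recovery key saved to $KeyBackupPath. Keep this copy; without it the data is unrecoverable."

# 4. Encryption runs after the reboot the wizard asks for; check progress later with:
#    Get-BitLockerVolume -MountPoint C: | Select-Object VolumeStatus, EncryptionPercentage
```

Turning it off again is `Disable-BitLocker -MountPoint C:`, which starts the decryption the "Turn off BitLocker" link triggers.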
Should you have a problem with your computer so that you can’t decrypt and you lose your recovery key, there is nothing you can do to get the data back again. Instead, you’ll only have an option to “Refresh” or “Reset”—both of which have been explained by Microsoft employee, Ramesh Kumar below.
Requiring a Password at Startup for Encryption
Ah, thieves, where would we be without them? Just kidding, the world would be great without them. The computer doesn’t have much value if people can’t get access to use its software and that’s why a stolen laptop is often just sold off for the hardware as spare parts. One of the things that is potentially valuable to a thief though is the hard drive. A hard drive could contain some valuable information that the thief can then use against you if they get their hands on it. Taking out a hard drive from a computer and putting it into another computer is something that thieves often do. Without encryption on the hard drive, it is possible to view the contents of that hard drive on another computer.
The way BitLocker works is that you don’t need to enter a password each time you turn on the computer. All you do is keep logging into the computer using the same Microsoft account that you always have, and BitLocker will keep encrypting the drive because the TPM (Trusted Platform Module) has entered the password for you. That makes BitLocker useless if your computer gets stolen and somebody guesses your Microsoft account password. What it does do, though, is prevent people from taking out the hard drive and putting it in another computer. That’s when the BitLocker encryption goes to work and stops people from reading your data—it’s also the main issue you face when someone steals your computer. It isn’t difficult to remove a hard drive if the thief knows what they are doing.
With that being understood, it is possible to change it so that you do require an additional password when booting up the computer, which is going to be a password purely for additional BitLocker protection. The people who have computers without the TPM will always need to do this if they want encryption from BitLocker. The rest of you can opt to do this even if your computer does have a TPM, if you like.
To set up the BitLocker password, open up the Local Group Policy Editor and then navigate to the following key:
Computer Configuration/ Administrative Templates/ Windows Components/ BitLocker Drive Encryption/ Operating System Drives. Next, look in the right side pane for the “Require additional authentication at startup” entry and click on it to open up its policy window.
Note: You’ll need to be using a Windows 10 Pro, Education or Enterprise edition of Windows 10 for this guide to work. You can’t make policy changes in the Local Group Policy Editor using the Windows 10 Home. You can upgrade from Windows 10 Home to Windows 10 Pro by heading to the Settings application if you want to be able to make changes to group policies.
You should see that it is currently set as “Not Configured” and that means you don’t have to enter a password. You’ll see the checkbox is empty under where it says “Options.”
Swap the setting over to the “Enabled” checkbox and you’ll notice the checkmark is now inside the box that says it will “Allow BitLocker without a compatible TPM” under the Options heading. Click on the “Apply” and “OK” buttons at the bottom of the policy window to apply the changes.
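For anyone who prefers to script this step, the following added example (not from the article) writes the same policy values the Local Group Policy Editor stores under Microsoft's `HKLM\SOFTWARE\Policies\Microsoft\FVE` key when "Require additional authentication at startup" is Enabled with "Allow BitLocker without a compatible TPM" ticked, and then adds the extra startup PIN that the policy makes possible. It assumes an elevated prompt, that the drive already has BitLocker on with a recovery password, and that the TPM-less branch (a password protector on the OS drive) is acceptable for your machine.

```powershell
# Added example: registry equivalent of the group policy, then a startup PIN.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Enabled + "Allow BitLocker without a compatible TPM"; the four drop-downs keep the
# default "Allow" (2 = Allow, 1 = Require, 0 = Do not allow).
$policy = @{
    UseAdvancedStartup = 1   # the policy itself is Enabled
    EnableBDEWithNoTPM = 1   # the checkbox the article points at
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

$mount = 'C:'
$pin   = Read-Host -Prompt 'Choose a startup PIN (6 or more digits)' -AsSecureString

if ((Get-Tpm).TpmPresent) {
    # Only one TPM-based protector is allowed per volume, so replace the plain TPM
    # protector with TPM + PIN. The recovery password protector stays in place.
    (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $_.KeyProtectorId }
    Add-BitLockerKeyProtector -MountPoint $mount -TpmAndPinProtector -Pin $pin
} else {
    # No TPM: the policy above is what permits BitLocker at all, and a password
    # protector becomes the boot-time secret (assumed path for TPM-less machines).
    Add-BitLockerKeyProtector -MountPoint $mount -PasswordProtector -Password $pin
}

# Verify: a TpmPin (or Password) protector should now be listed beside RecoveryPassword.
(Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
```

The PIN is requested at boot, before Windows and the Microsoft account sign-in screen load, so a guessed account password alone no longer unlocks the drive.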
Four different types of Group Policies can be applied—administrators only, all users, specific users or groups, or all users except administrators—and the way you do them varies. You’ll still need to be signed in to a user account that has the administrative permissions assigned to it before you can use any of the four options though.
Windows has a Multiple Local Group Policy to help manage computers that are not part of a domain. There are four Local Group Policy Objects (LGPOs) that make up the Multiple Local Group Policy. They are the Local Computer Policy, Administrators Local Group Policy, Non-Administrators Local Group Policy, and a User-Specific Local Group Policy.
All users: The Local Group Policy Editor for all users can be opened by using the Run dialog box, the search field from the taskbar, the Command Prompt and from the PowerShell by using any of the methods available in this guide.
Specific users or groups: The User-Specific LGPO applies user policy settings to specific local users. To do it, you need to press the Windows logo + R keys on your keyboard, type “MMC” into the field and click on the “OK” button. Click “Yes” when prompted by User Account Control. Now in Microsoft Management Console, click on “File,” followed by “Add/Remove snap-in” from the menu. Choose the “Local Group Policy Editor” and click on the “Add” button. From the Select Group Policy Object window, click on the “Browse” button. Next, click on the “Users” tab and then choose the account name from the list, followed by the “OK” button. You’ll then be directed back to the Group Policy Wizard where you can click on the “Finish” button.
All non-administrators: The Non-Administrators LGPO applies user policy settings to anyone who is not an administrator or included in a group of administrators. To do it, you need to press the Windows logo + R keys on your keyboard, type “MMC” into the field and click on the “OK” button. Click “Yes” when prompted by User Account Control. Now in Microsoft Management Console, click on “File,” followed by “Add/Remove snap-in” from the menu. Choose the “Local Group Policy Editor” and click on the “Add” button. From the Select Group Policy Object window, click on the “Browse” button. Next, click on the “Users” tab and then choose the “Non-Administrators” group and click on the “OK” button. Lastly, click on the “Finish” button from the Group Policy Wizard screen.
Administrators: The Administrators LGPO applies policy settings to users who are members of the Administrators group. To do it, you need to press the Windows logo + R keys on your keyboard, type “MMC” into the field and click on the “OK” button. Click “Yes” when prompted by User Account Control. Now in Microsoft Management Console, click on “File,” followed by “Add/Remove snap-in” from the menu. Choose the “Local Group Policy Editor” and click on the “Add” button. From the Select Group Policy Object window, click on the “Browse” button. Next, click on the “Users” tab and then choose the “Administrators” group and click on the “OK” button. You’ll then be directed back to the Group Policy Wizard where you can click on the “Finish” button.
Being someone who has spent a substantial amount of time around non-geeks and older generations, I fear for the data of a lot of these people when something does go wrong with their computers, and they are unable to get a hold of the recovery keys should they be using BitLocker encryption. Heck, most of the people I know won’t even remember what the words “recovery key” mean 12 months from now let alone be able to find the all-important recovery key that they have just created. If you are one of those kinds of people, then encrypting your drives using BitLocker might not be the best idea and you might want to follow the part of the guide above that demonstrates how to turn it off only. For everyone else: if you have valuable data that must be kept on your internal drives, feel free to use BitLocker—but make sure you remember where to find the recovery key that you saved just in case you need it. And just as importantly, make sure you don’t delete it.