ITS

Information Technology Services

Windows 7 BitLocker Encryption (Desktop and laptops)

USB Startup Key Tutorial

Applies to Windows 7 Pro and Windows 7 Enterprise

Note: Your system must meet the minimum system requirements.


Congratulations! You have encrypted your hard drive. Remember to keep your recovery key safe and secure. Do not store it with your computer.

  1. The USB Startup Key option should only be used when a TPM is not available. If you have a TPM in your computer please see the TPM+PIN tutorial.
  2. To enable the use of a USB Startup Key you must modify the local group policy using the Local Group Policy Editor. Go to the start screen and type GPedit.msc then click on the icon to launch it. The following window will appear after you launch GPedit.msc.
    group policy window
  3. Below Computer Configuration, select Administrative Templates, Windows Components, BitLocker Drive Encryption, then click on Operating System Drives.  Now on the right side of the screen, double-click "Require additional authentication at startup".
    group policy - administrative templates
  4. You are now modifying the OS BitLocker policy. Select Enabled and make sure "Allow BitLocker without a compatible TPM" is checked. Ignore the rest of this policy, click Apply and OK. Close the Policy Editor.
    policy settings change window
  5. To turn on BitLocker:
    • Click Start
    • Select Control Panel
    • From the View by: (top right) dropdown menu, select Small icons

    control panel

  6. Click on BitLocker Drive Encryption 
    control panel icons
  7. BitLocker Drive Encryption will open
    • Select Turn on BitLocker
    • BitLocker will initialize and check for system requirements.
    • It may want to reboot once or twice.

    bitlocker settings

  8. If your computer DOES have a TPM Module, it will give you the option to Enter a PIN. This is the recommended configuration.
    • If you do have a TPM please see the TPM + PIN Tutorial page.
    • If you do not have a TPM, continue to Step 8
  9. Since you don't have a TPM, BitLocker will now give you the option to "Require a Startup key at every startup". If you have not done so yet, please insert the USB key you would like to use for your startup key. Please note that you will need to have this key inserted in your computer to be able to boot properly.
    • Click "Require a Startup key at every startup"

    bitlocker wizard

  10. You will be prompted to choose the USB key that you would like to save your startup key to.
    • Click on the drive letter that corresponds with the USB key you want to use and click Save.
      screen shot illustrating above step
  11. The "How do you want to back up your recovery key?" screen will open. Very Important: BitLocker will prompt you to save the Security Recovery Key to a USB flash drive, or to a file, or to print the recovery key.
    • Do not save the Recovery Key to a file on your hard drive or to the USB drive that you are using for your startup key. Save it somewhere else or print it.
    • You will need the Recovery Key if your computer ever has a problem. 
    • Make your selection and click the Next button

    bitlocker setup wizard

  12. BitLocker now asks Are you ready to encrypt the drive?
    • Enable the Run BitLocker system check
    • Click the Continue button 

    finish encrypting wizard

  13. A system restart is now required.
    • Click the Restart now button and let the system reboot. 

    restart window

  14. After rebooting, the Full Hard Drive Encryption process has begun. It will take about an hour to complete this. 
    • You may use your computer while this is occurring but it will run slowly until completed.
    • The encryption process is stopped if your computer goes to sleep, hibernates or is shut down.
    • The encryption process will restart once you power up your computer again.
    • When BitLocker finishes encrypting the drive, it may not display any message but the hard drive light should stop flashing constantly.

    tooltip
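
Because BitLocker may finish without showing a message, the result can be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original ITS tutorial: it confirms the policy from steps 2-4, the encryption status from step 14, the protectors from steps 9-11, and that the recovery key was not saved on the startup key USB. The drive letters C: and E: are assumptions, and the text matching assumes English-language manage-bde output.

```powershell
# Added example: post-setup checks for the USB Startup Key configuration above.
# Run from an elevated PowerShell prompt. Drive letters are assumptions.
param(
    [string]$OsDrive  = 'C:',   # assumption: the encrypted operating system drive
    [string]$UsbDrive = 'E:'    # assumption: drive letter of the startup key USB
)

$findings = @()

# Steps 2-4: the local policy is stored under this key once applied.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.UseAdvancedStartup -ne 1 -or $fve.EnableBDEWithNoTPM -ne 1) {
    $findings += '"Allow BitLocker without a compatible TPM" is not enabled in policy.'
}

# Step 14: the wizard may finish silently, so read the state from manage-bde.
$status = & manage-bde.exe -status $OsDrive | Out-String
if ($status -notmatch 'Percentage Encrypted:\s+100') {
    $findings += "Encryption of $OsDrive has not reached 100% yet."
}
if ($status -notmatch 'Protection Status:\s+Protection On') {
    $findings += "BitLocker protection is not on for $OsDrive."
}

# Steps 9-11: expect a startup key (External Key) and a recovery password.
$protectors = & manage-bde.exe -protectors -get $OsDrive | Out-String
if ($protectors -notmatch 'External Key') {
    $findings += 'No External Key (USB startup key) protector found.'
}
if ($protectors -notmatch 'Numerical Password') {
    $findings += 'No Numerical Password (recovery key) protector found.'
}

# Step 11: the recovery key must not be stored with the startup key.
$usbRoot = $UsbDrive + '\'
if (Test-Path $usbRoot) {
    # -Force is needed because the .BEK startup key file is hidden.
    $usbFiles = Get-ChildItem -Path $usbRoot -Force -ErrorAction SilentlyContinue
    if (-not ($usbFiles | Where-Object { $_.Name -like '*.BEK' })) {
        $findings += "No .BEK startup key file found in the root of $UsbDrive."
    }
    if ($usbFiles | Where-Object { $_.Name -like 'BitLocker Recovery Key*.txt' }) {
        $findings += "A recovery key text file is on $UsbDrive; move it elsewhere."
    }
} else {
    $findings += "Startup key USB $UsbDrive is not inserted; USB checks skipped."
}

if ($findings.Count -eq 0) { 'OK: all checks passed.' }
else { $findings | ForEach-Object { "CHECK: $_" } }
```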