Should I turn off Bitlocker?

Discussion in 'Windows 10' started by jetjock, Dec 30, 2017.

  1. jetjock

    jetjock MDL Senior Member

    Mar 6, 2010
    280
    15
    10
I tried restoring an Acronis backup to a new Surface Pro 2017 with Win 10 ver 1703. I was told that it could not restore because the Win 10 drive was protected by BitLocker. Does anyone know of any reason (other than security, which I really don't need on this machine) why I shouldn't just turn off BitLocker? Will it mess anything up in Windows?

    jetjock :plane:

    P.S. That machine had many problems, so Microsoft replaced it. I am now on the new one, and it successfully updated itself to ver 1709. I want to back it up before I start installing programs, but if Acronis can't restore the drive, there isn't much point. I looked at the built in Windows backup program, but it won't even allow me to specify a folder to use for back up---only which drive to use.
     
  2. Excalibur0076

    Excalibur0076 MDL Junior Member

    Aug 5, 2015
    64
    18
    0
    #2 Excalibur0076, Dec 31, 2017
    Last edited: Dec 31, 2017
Hi! I had the exact same problem using Acronis True Image on my Surface Pro 3 and it's very annoying, and no, you do not have to use BitLocker if you choose not to. The problem is your Trusted Platform Module chip, AKA the TPM chip, which is embedded in your startup or BIOS, compliments of Microsoft as an added security feature designed to specifically work with BitLocker. The TPM is enabled by default. You can go into your setup by depressing the power and Volume Up buttons at the same time, and once your screen or the keys on your keypad light up, take your finger off power and hold Volume Up until the setup screen comes up. Go through the options and temporarily disable the TPM if you are installing Windows, as the TPM will automatically turn on and enable BitLocker and encrypt your drive when installing Windows without your knowledge. If your drive has already been encrypted by BitLocker then you should have been provided a key pass that will allow you to decrypt the drive. Once that is done then you will no longer have problems backing up your partitions using Acronis! I never went through the hassle as, first off, I couldn't find the key and I had nothing important on the drive, so I just started from scratch and wiped the drive and reinstalled Windows. Then I went back into the BIOS and re-enabled the TPM. Once Windows is installed BitLocker will not start with the TPM enabled unless you choose to enable it. I hope that helps you as it helped me.
     
  3. Excalibur0076

    Excalibur0076 MDL Junior Member

    Aug 5, 2015
    64
    18
    0
    #3 Excalibur0076, Dec 31, 2017
    Last edited: Dec 31, 2017
Also I will throw in there that Acronis, at least the newer versions, will back up a partition that has been encrypted by BitLocker, but only as a sector-by-sector backup. The only reason I say that is because before I fixed the BitLocker problem with my Surface I had backed up the encrypted drive many times with Acronis True Image 2017-18. The only thing is when I backed up the drive it backed it up sector by sector, so it not only backed up the data on the partition but the whole size of the partition, so it made a huge partition backup. Lol, it felt like a month of Sundays if it's almost a TB of data or more!
     
  4. jetjock

    jetjock MDL Senior Member

    Mar 6, 2010
    280
    15
    10
    Thanks for the great info. I especially appreciated the info on how to boot into the BIOS.

I found a YouTube video on stopping BitLocker by going to Control Panel > Manage BitLocker and I turned it off from there. (No pass key required. Good thing, as I never got one!!) It decrypted the whole drive in a couple of minutes and so far, anyway, it keeps saying that BitLocker is off. I backed everything up, then restored a small folder. Seemed to work fine. Is this sufficient, or do I have to mess with the TPM also? There is a TPM Administration link on the BitLocker Control Panel page that takes me to a page where I can "Clear TPM". When I expand this it tells me that clearing the TPM will result in loss of all TPM keys and should not be done unless instructed by a System Administrator. What can you tell me about that?

    jetjock :plane:
     
  5. Excalibur0076

    Excalibur0076 MDL Junior Member

    Aug 5, 2015
    64
    18
    0
    #5 Excalibur0076, Dec 31, 2017
    Last edited: Dec 31, 2017
What the TPM does is store the key pass for BitLocker on the Surface in the setup so you as the administrator will always be able to access the data without being asked by Windows. Its main purpose in a nutshell is to help prevent unauthorized access from outside, meaning the internet, from making changes to the hard drive without your authorization, not only at a software level but also at a hardware level. 2nd question: as long as you have been able to decrypt the data on the drive and everything appears to be OK then really there is no reason to clear the TPM, as by doing so you could risk losing all the data on the drive and having to reload Windows. The TPM not only stores the key to BitLocker but also info on how to decrypt the drive. Unless you're 110% sure the whole hard drive has been decrypted and not just part of it, I wouldn't clear it. If you were installing a fresh copy of Windows I'd say sure, but in this case it's not a good idea! When Windows administration says you should not clear the TPM keys unless instructed by system administration, basically what it's saying is the owner of the Surface, "you", should be aware of it, because someone not aware of what they are doing could inadvertently destroy all the data on the drive and make your Surface inoperable! I hope I was able to answer all of your questions, and if you need more help I'm on from time to time and more than willing to help!
     
  6. jetjock

    jetjock MDL Senior Member

    Mar 6, 2010
    280
    15
    10
Thanks again for all the info. I think I'll leave well enough alone!! Only problem I have now is I can't get Windows Defender to restart. Had to shut it down as it kept flagging my Office Toolkit. Now it won't restart.

    jetjock :plane:
     
  7. GodHand

    GodHand MDL Senior Member

    Jul 15, 2016
    315
    279
    10
    BitLocker is only worth using if you are using an Opal 2 self-encrypting SSD allowing BitLocker to offload the encryption process to the firmware of the drive.
     
  8. GodHand

    GodHand MDL Senior Member

    Jul 15, 2016
    315
    279
    10
    There's a lot of incorrect information here...
     
  9. pisthai

    pisthai Imperfect Human

    Jul 29, 2009
    6,745
    1,959
    210
If that is true, you should explain in detail WHAT is incorrect in that posted information!
     
  10. Excalibur0076

    Excalibur0076 MDL Junior Member

    Aug 5, 2015
    64
    18
    0
    #10 Excalibur0076, Jan 1, 2018
    Last edited: Jan 1, 2018
Yes, please explain, because with all due respect I didn't see you step up to the plate to help him. As for me, well, I had the exact same problem as him and I spent a bit of time chatting with Microsoft support and googling everything I could find out about whether there was anyone else with the problem. The last time I checked, well actually 2 min ago when I booted up my Surface, it works fine with no problems. What GodHand is trying to say in no way, shape or form even relates to the Surface problem!
     
  11. GodHand

    GodHand MDL Senior Member

    Jul 15, 2016
    315
    279
    10
Well, for one, the TPM does not store any key passes. It stores only a partial string of your encryption key, while the other part of the key is assigned to various things like biometric devices and the user delegation registry blobs, specifically for use with domain-joined PCs by supporting optional key escrow. This also allows for the use of data recovery mechanisms like BitLocker Data Recovery Agents, which are CA-issued key recovery certificates, allowing drives to be unlocked using the certificate's thumbprint. There are also network unlock certificates, allowing network administrators to unlock a device over either the intranet, VPN or a secure connection in order to perform maintenance, or to ensure all devices are unlocked at specific times. None of these secondary unlocking features interact whatsoever with the TPM.

    The end-user has absolutely no control over the encryption and decryption process - no user is decrypting their data.

    The TPM does not store data on how to decrypt the drive. The encryption/decryption algorithms are coded into the kernel of the OS. The TPM stores the majority of the encryption key that is used solely as authentication for locking/unlocking the drive and securing data-at-rest.

The TPM is a device designed to mitigate unattended tampering and prevent the breaching of data-at-rest. Its primary focus is not data-in-transit (i.e. "from the internet"). All hardware security is designed with the assumption that the end-user is not brain-dead, and thus will also ensure their data is secure when the device is accessible.

The TPM's primary focus is to protect the encryption key and ensure that hardware it has authenticated, by assigning its own certificates contained within the module itself, remains married to the device, thus making removed hardware non-functional when just plugged into another device. Of course there are ways around this, as nothing is 100% secure; the TPM is designed for hardware integrity and consistency, not to protect internet traffic or hold key passes. Those are things the end-user is required to do.
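The two practical questions in this thread (post #4: is turning BitLocker off from Control Panel enough, and does the TPM need clearing; post #11: what the TPM and the other key protectors actually hold) can be checked directly from an elevated PowerShell prompt on the Surface itself. The script below is an added example and is not code from any poster in the thread. It reads the TPM state with Get-Tpm, lists the OS volume's key protectors by type with Get-BitLockerVolume, makes sure a 48-digit recovery password protector exists and writes it to removable media before anything destructive happens, and only decrypts when run with -Decrypt. Disable-BitLocker removes the protectors and decrypts the volume but leaves the TPM alone, so Clear-Tpm is not part of this procedure. The mount point C: and the backup folder E:\BitLockerKeys are assumptions; change them to match the machine. On consumer devices where Windows enabled device encryption automatically, the recovery key is normally also backed up to the owner's Microsoft account.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Inspect TPM and BitLocker state of the
# OS volume, save a recovery password off-disk, then optionally decrypt.
# Assumptions (hypothetical, adjust): OS volume is C:, $BackupDir is a USB stick.
param(
    [string]$MountPoint = 'C:',
    [string]$BackupDir  = 'E:\BitLockerKeys',
    [switch]$Decrypt
)

# 1. TPM state. The TPM protector is what lets Windows unlock the OS volume
#    at boot without asking the user for anything.
$tpm = Get-Tpm
"TPM present={0} ready={1} manufacturer={2}" -f `
    $tpm.TpmPresent, $tpm.TpmReady, $tpm.ManufacturerIdTxt

# 2. Volume state and key protectors. Each protector is an independent way
#    to release the volume encryption key: Tpm, RecoveryPassword,
#    ExternalKey, Password, TpmPin, etc.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0}: status={1} protection={2} {3}% encrypted" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage
foreach ($kp in $vol.KeyProtector) {
    "  protector {0} type={1}" -f $kp.KeyProtectorId, $kp.KeyProtectorType
}

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    "Volume is already fully decrypted; nothing to back up or decrypt."
    return
}

# 3. Ensure a recovery password exists (the 48-digit string the thread calls
#    a "key pass") and store it somewhere other than the encrypted disk.
$rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$file = Join-Path $BackupDir ("recovery-{0}.txt" -f ($rp[0].KeyProtectorId -replace '[{}]', ''))
$rp | ForEach-Object {
    "Identifier: {0}`nRecovery Password: {1}" -f $_.KeyProtectorId, $_.RecoveryPassword
} | Set-Content -Path $file
"Recovery password saved to $file"

# 4. Decrypt only when explicitly asked. This removes BitLocker from the
#    volume; the TPM itself is untouched, so Clear-Tpm is not needed.
if ($Decrypt) {
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 10
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        "{0}% still encrypted" -f $vol.EncryptionPercentage
    } while ($vol.VolumeStatus -eq 'DecryptionInProgress')
    "Final state: {0}" -f $vol.VolumeStatus
}
```

Run it from an administrator PowerShell window; without -Decrypt it only reports and saves the recovery password. The protector listing is the quick way to settle the thread's argument: a Tpm entry shows the TPM-sealed protector, while any RecoveryPassword, ExternalKey or certificate-based entries are the additional protectors that do not depend on the TPM at all.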