How to enable BitLocker device encryption on Windows 8 RT

This document describes the workflow to enable BitLocker device encryption on the local hard disk of a Windows Surface computer that is running Windows 8 RT.

Applies to: Windows 8
Original KB number: 2855131

Summary

The document makes the following points:

  • Logons by guest accounts, local administrator accounts, or Microsoft accounts that are members of the guest group don't trigger BitLocker encryption of the local hard disk drive.
  • The first logon by a Microsoft account that is a member of the local computer's Administrators security group triggers BitLocker encryption of the local hard disk. A restart is required to complete the feature configuration.
  • The BitLocker recovery password is put on the OneDrive share of the administrator-enabled Microsoft account that triggered the encryption. That recovery key isn't visible on the OneDrive share when the share is viewed by using a web browser or a OneDrive viewing application.
  • Windows Explorer displays a padlock next to local drives that are BitLocker encrypted.
  • BitLocker recovery keys may be obtained from the following website through an email message, a call, or a text message:
    Find my BitLocker recovery key

More information

Note

The sizes of dialog boxes and other UI elements that are depicted in this article were changed. Changes include the placement of text in a dialog box and the size/aspect ratio.

To see how the BitLocker device encryption workflow works, follow these steps:

  1. On a new Windows 8 RT-based system, create a Guest account, and then log on by using that account.

  2. Check the BitLocker status in Control Panel. The Guest user can't invoke BitLocker encryption.

    Screenshot of the BitLocker Drive Encryption page in Control Panel.

  3. Create a Microsoft account, and then associate that account with the Guest account that you created in step 1.

    Screenshot of the Your account page in PC settings.

  4. Log off.

  5. Log on by using the Microsoft account that you created in step 3. Notice that the BitLocker add-in reports that the drive isn't protected.

  6. Restart the computer, and then log on again by using the Microsoft account that you created in step 3. Notice that the BitLocker protection status remains unchanged.

    The net result is that logons that were made by using Microsoft accounts that are members of the Guest group don't trigger BitLocker encryption of the hard disk.

  7. Create a new local account that is a member of the local computer's Administrators security group. Notice that the BitLocker add-in reports that the drive isn't protected.

  8. Restart the computer. Once again, notice that the BitLocker add-in reports that the drive isn't protected.

    The net result is that user logons that were made by using local computer accounts that are members of the Administrators group don't trigger BitLocker encryption of the hard disk.

  9. Associate the administrator account that you created in step 7 with a new Microsoft account.

  10. Log on by using the Microsoft account that now has administrator permissions. Notice the following on-screen message:

    Configuring Windows Feature
    X % complete
    Do not turn off your computer

  11. Restart the computer when you're prompted, and notice that the "Configuring Windows Feature" operation continues.

    The net result is that the first logon by a Microsoft account that is a member of the local computer's Administrators group triggers BitLocker encryption of the local drive.

  12. Log on by using the Microsoft account that is a member of the Administrators group that you originally created in step 7. Notice the text change that is displayed by the BitLocker item in Control Panel.

    Screenshot of the BitLocker Drive Encryption page, which shows BitLocker is helping to protect your files.

  13. The padlock icon in Windows Explorer reports that the local drive is BitLocker protected.

    Screenshot of the padlock icon in Windows Explorer.

  14. Notice that OneDrive never identifies the BitLocker recovery key.

    Even after the local drive is clearly BitLocker encrypted and the Control Panel UI says that the BitLocker recovery key is stored on the first logon of a Microsoft account that is a member of the local computer's administrative group, OneDrive doesn't show any BitLocker-related files.

    Screenshot of the Files page in OneDrive.

    The net result is that the OneDrive share for the administrator-enabled Microsoft account that triggered the BitLocker device encryption shows no files.

  15. Notice that the TPM.MSC snap-in displays a status of "The TPM is ready for use."

    Screenshot of the Trusted Platform Module (TPM) Management on Local Computer window.

  16. Connect to Find my BitLocker recovery key. You see the following options:

    Screenshot of the Send a text to phone options in Microsoft account verification page.

  17. If you sent the recovery key by using a text message, the targeted phone will receive a text message that contains the Microsoft account security code. The text message resembles the following:

    Screenshot of the text message sample on the targeted phone.

  18. Type the code that you received in the text message into the Find my BitLocker recovery key wizard.

    Screenshot of the code entry page of the Find my BitLocker recovery key wizard.

    The Find my BitLocker recovery key wizard reports the BitLocker recovery key.

    Screenshot of the page displaying the BitLocker recovery key.
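
The state that steps 2, 12, 13, and 15 read from Control Panel, Windows Explorer, and TPM.MSC can also be read from an elevated PowerShell prompt, which gives a firmer check than the padlock icon. The following is an added example, not part of the original article; it assumes the BitLocker and TrustedPlatformModule PowerShell modules (Get-BitLockerVolume, Get-Tpm) are available on the device, and Get-DeviceEncryptionSummary is a hypothetical function name.

```powershell
# Added example (not from the original article).
# Assumption: run elevated, with the BitLocker and TrustedPlatformModule modules present.
function Get-DeviceEncryptionSummary {   # hypothetical helper name
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $tpm = Get-Tpm

    # A TPM-based protector is what lets the drive unlock at boot without a prompt.
    $hasTpm = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -like 'Tpm*' }).Count -gt 0

    # List recovery-password protectors by ID only; the password itself is never printed.
    $recoveryIds = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })

    # Map the volume state onto the three situations the walkthrough observes.
    $state = if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
        'Encrypting'        # steps 10-11: "Configuring Windows Feature"
    } elseif ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On') {
        'Protected'         # steps 12-13: Control Panel text change and padlock icon
    } else {
        'NotProtected'      # steps 2-8: Guest and local-only administrator logons
    }

    $warnings = @()
    if (-not $tpm.TpmReady) { $warnings += 'TPM is not reported as ready for use.' }
    if ($state -eq 'Protected' -and -not $hasTpm) {
        $warnings += 'Volume is protected but has no TPM-based key protector.'
    }
    if ($state -eq 'Protected' -and $recoveryIds.Count -eq 0) {
        $warnings += 'Volume is protected but has no recovery-password protector.'
    }

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        State                = $state
        EncryptionPercentage = $vol.EncryptionPercentage
        TpmReady             = $tpm.TpmReady
        RecoveryProtectorIds = $recoveryIds
        Warnings             = $warnings
    }
}

Get-DeviceEncryptionSummary | Format-List
```

Because OneDrive shows no BitLocker-related files (step 14), the protector IDs listed here are a local way to confirm that a recovery password exists for the volume without displaying it.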