Title: BitLocker deployment and administration FAQ (Windows 10)
Description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
Title: BitLocker frequently asked questions (FAQ)

question: Can BitLocker deployment be automated in an enterprise environment?
Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see (/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see (/powershell/module/bitlocker/index?view=win10-ps).

question: Can BitLocker encrypt more than just the operating system drive?

question: Is there a noticeable performance impact when BitLocker is enabled on a computer?
Answer: Typically, there's a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate.

question: How long will initial encryption take when BitLocker is turned on?
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive.
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used space can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.

question: What happens if the computer is turned off during encryption or decryption?
Answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.

question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
Answer: No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.

question: How can I prevent users on a network from storing data on an unencrypted drive?
You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see (bitlocker-group-policy-settings.md). When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.

question: What is Used Disk Space Only encryption?
BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data needs to be encrypted. For more information, see (bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).

question: What system changes would cause the integrity check on my operating system drive to fail?
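
As an added example that is not part of the original FAQ, the PowerShell below shows the kind of scripted check the automation answer refers to: it takes objects shaped like `Get-BitLockerVolume` output and reports volumes that are not fully encrypted or not protected, which covers unprotected data drives and encryption that is still in progress. The function name `Get-BitLockerGap` and the sample volumes are assumptions constructed for illustration.

```powershell
# Added example (not from the FAQ). Get-BitLockerGap is a hypothetical name.
function Get-BitLockerGap {
    [CmdletBinding()]
    param(
        # Objects shaped like the output of Get-BitLockerVolume
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Volume
    )
    process {
        $issues = @()
        # Compare as strings so real enum values and the sample below both work.
        $status = "$($Volume.VolumeStatus)"
        if ($status -ne 'FullyEncrypted') {
            # Covers never-encrypted drives and conversions that have not finished.
            $issues += "volume status is $status ($($Volume.EncryptionPercentage)% encrypted)"
        }
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $issues += 'protection is not on'
        }
        # Emit a finding only for volumes that have at least one issue.
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                MountPoint = $Volume.MountPoint
                VolumeType = "$($Volume.VolumeType)"
                Issues     = $issues -join '; '
            }
        }
    }
}

# Constructed sample input so the logic can be tried without touching a disk.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'
        VolumeStatus = 'FullyEncrypted'; EncryptionPercentage = 100; ProtectionStatus = 'On' }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'
        VolumeStatus = 'FullyDecrypted'; EncryptionPercentage = 0; ProtectionStatus = 'Off' }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'Data'
        VolumeStatus = 'EncryptionInProgress'; EncryptionPercentage = 42; ProtectionStatus = 'Off' }
)

# Reports D: and E:; C: passes both checks and produces no finding.
$sample | Get-BitLockerGap | Format-Table -AutoSize -Wrap

# On a real machine, from an elevated session:
# Get-BitLockerVolume | Get-BitLockerGap
```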