[SOLVED] Bitlocker auto-unlock with boot drive - When is your drive actually encrypted?

Dec 15, 2019
Hi All -

I got a new PC and I believe this one has a TPM chip. On my last desktop computer without a TPM, I had to enter a BitLocker password on boot, then my Windows login. On the new one, I added my own data drive. I turned on Bitlocker on the C: drive and got it set up pretty quickly. I then set up BitLocker on the D: drive and chose auto-unlock again.

But now I am unclear. On the old computer, I entered a password on boot to decrypt then Windows authentication. New computer, there's only Windows authentication (right now).

I read a lot of web pages before ending up posting this. I get that the TPM now has the key to decrypt. I also get that if the drives are removed, they are useless. My questions are based on if the drives remain in the machine and it's accessed in my office (or the whole thing is taken somewhere).

Can someone tell me when the data is encrypted throughout a typical day and overnight?
  • I know it is when the computer is off
  • I assume it is when you power on the machine from off and before you enter your Windows password.
  • During the course of the day - what about when it times out and locks, sleeps, hibernates?
Is the only way to get it fully encrypted again to log out and shut down?

Thanks for your help! I thought this would be easy to find on my own.
 
Solution
TPM-only protection is not really that safe.
You should enhance it with a USB flash drive + PIN.

Go to group policy:
Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives
Here, look for Require additional authentication at startup.
Here you can select only TPM, TPM + USB key, or TPM + key + PIN.
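An added example (not from anyone in this thread) showing how to check which BitLocker key protectors each volume actually has, so you can tell whether the OS drive is still TPM-only before and after changing the group policy above. It assumes an elevated PowerShell session on Windows with the built-in BitLocker module; the function name Get-BitLockerProtectorReport is my own.

```powershell
# Added example: report BitLocker key protectors per volume and flag an
# operating-system volume that relies on the TPM alone. Requires an
# elevated PowerShell session on Windows; uses the built-in BitLocker module.

function Get-BitLockerProtectorReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, ExternalKey and Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # A bare "Tpm" protector means the TPM unseals the volume key on any
        # boot that passes its integrity checks, so the OS drive is already
        # unlocked before anyone types a Windows password. Adding a PIN or
        # startup key keeps it locked until that second factor is supplied.
        $hasSecondFactor = ($types -contains 'TpmPin') -or
                           ($types -contains 'TpmStartupKey') -or
                           ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($vol.VolumeType -eq 'OperatingSystem') -and
                   ($types -contains 'Tpm') -and (-not $hasSecondFactor)

        [PSCustomObject]@{
            Drive           = $vol.MountPoint
            VolumeType      = $vol.VolumeType
            Protection      = $vol.ProtectionStatus
            Protectors      = ($types -join ', ')
            AutoUnlock      = $vol.AutoUnlockEnabled   # data drives unlocked by the OS volume
            TpmOnlyOsVolume = $tpmOnly
        }
    }
}

Get-BitLockerProtectorReport | Format-Table -AutoSize
```

Once the group policy setting in the answer permits it, `Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')` adds the TPM + PIN protector, after which the plain Tpm protector can be removed with Remove-BitLockerKeyProtector and the report above should show TpmOnlyOsVolume as False.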
Dec 15, 2019
Thanks, I will check that out. Can you give me some idea about how it works based on my questions? I'd like to understand how it works a little better. Thanks!