Showing posts from October, 2018

Locking all the bits with BitLocker

So you want data-at-rest encryption. By default, BitLocker uses a nasty numeric password as a recovery option. However, you can lock things down pretty well after removing this giant security risk of a password, and here's how.

Requirements: Enable Enhanced PINs

I'm going to save some effort and defer to the many articles on the internet for this. You can find a decent article here, or you can use some Google-fu to find similar ones. Learn about manage-bde and the other PowerShell cmdlets here.

Enable TPM and PIN and Startup Key (flash drive)

Add-BitLockerKeyProtector c: -TpmAndPinAndStartupKeyProtector

This will make BitLocker require a TPM AND a USB flash drive AND a password on boot. It's the most secure option but a bit annoying. You will be presented with a couple of prompts: one for the path to the flash drive and one for the password.

1. Enter the path to the flash drive
2. Enter your strong password

Enable TPM and Startup Key (flash d...
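
For the TPM + PIN + startup key step above, here is a scripted version that also lists the protectors on the volume and flags the numeric recovery password. This is an added example, not code from the original post; the drive letters `C:` and `E:\` and the helper name `Get-ProtectorSummary` are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
# Assumptions: system volume is C:, the USB flash drive is mounted at E:\.

# Hypothetical helper: one row per key protector on the volume, with a flag
# marking the numeric recovery password the post wants removed.
function Get-ProtectorSummary {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in $vol.KeyProtector) {
        [pscustomobject]@{
            MountPoint      = $vol.MountPoint
            Type            = $kp.KeyProtectorType
            KeyProtectorId  = $kp.KeyProtectorId
            NumericRecovery = ($kp.KeyProtectorType -eq 'RecoveryPassword')
        }
    }
}

$mount = 'C:'
$usb   = 'E:\'   # assumed flash drive path

# 1. Show what can currently unlock the volume.
Get-ProtectorSummary -MountPoint $mount | Format-Table -AutoSize

# 2. Add TPM + PIN + startup key unless that protector already exists.
$existing = Get-ProtectorSummary -MountPoint $mount |
    Where-Object Type -eq 'TpmPinStartupKey'
if (-not $existing) {
    $pin = Read-Host -AsSecureString -Prompt 'Enhanced PIN'
    Add-BitLockerKeyProtector -MountPoint $mount `
        -TpmAndPinAndStartupKeyProtector -Pin $pin -StartupKeyPath $usb
}

# 3. Preview removal of every numeric recovery password protector.
#    Drop -WhatIf to actually remove them.
Get-ProtectorSummary -MountPoint $mount |
    Where-Object NumericRecovery |
    ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $mount `
            -KeyProtectorId $_.KeyProtectorId -WhatIf
    }

# 4. Confirm the final protector set.
Get-ProtectorSummary -MountPoint $mount | Format-Table -AutoSize
```

Step 3 runs with `-WhatIf`, so it only reports which protector IDs would be removed.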