BitLocker is a software-based hard-drive encryption solution built into the Windows Vista editions aimed at the corporate market, i.e. Enterprise and Ultimate. It works by using drive partitioning to separate the drive into a smaller active system partition and an encrypted partition (called a split-load configuration), in combination with a Trusted Platform Module (TPM), a hardware component built into most recent PCs. It uses standard 128- or 256-bit AES encryption (with an optional diffuser), and is certified by CESG in the UK to “Restricted” level (or Common Criteria EAL 3).
Why would I need it?
There are a number of other resources which discuss the technical details and pros/cons of this technology, so we won’t go into them here. The main benefit is that the encrypted drive can only be accessed using Windows, with the BitLocker key released via the TPM module (or a USB key for older hardware). If someone tries to boot from other bootable media, they won’t get access to the encrypted data. They can’t use the Recovery Console (unless the BitLocker key is provided), nor perform a parallel installation of Windows and then re-permission the files.
OK, but I know all this ... why do I need this Blog?
Well, while the help files are great, and there are a number of additional materials out there on the web, there are a few “gotchas” to be aware of. The first one I encountered was that BitLocker can’t be enabled after Windows Vista has been installed, because the drive partitions must be created before installing Windows Vista. Therefore, it is important to plan this into your Vista deployment strategy to avoid unnecessary re-work. A recent change to this situation is the BitLocker Drive Preparation Tool (http://support.microsoft.com/kb/930063), but at the time of writing I would still recommend that this is done at build time to keep the environment as clean as possible.
The other issue I encountered is that a BIOS update is often needed to fully enable TPM, even on “brand new” PCs. Windows will warn you if it can’t use TPM in its current state, but it’s something you will need to plan for (especially if you are going to use Zero Touch or Light Touch installations).
The last (and main one) is the management of BitLocker and the encryption keys. There is an easy way to do it, and a hard way to do it ...
Change the boot order and allow your machine to boot from removable media in the BIOS. Refer to your manufacturer’s guidelines for this, but it’s usually fairly simple to do.
Boot from the Vista Enterprise DVD
Select your language.
Select “Repair”, and choose “dos prompt”.
The following steps create two partitions (one for BitLocker): S: = 2000MB, and C: using the remaining disk capacity. Start DiskPart and type the following commands to wipe the existing disk partitions (warning: back up any required files before doing this) and create the new ones:
diskpart
rem 2000 MB system partition (S:), left unencrypted so the machine can boot
select disk 0
create partition primary size=2000
format fs=ntfs quick
rem the remaining space becomes the OS partition (C:), which BitLocker will encrypt
create partition primary
format fs=ntfs quick
exit
Note: the “clean” command can be used to delete all volumes on the disk, but I prefer to do it as above for greater control. Since the above commands can be scripted, the clean command can be introduced once the process is fully tested.
Boot from the Windows Vista DVD and complete setup (it will only allow install into the larger partition).
Open Control Panel, and select the BitLocker icon. In most cases, it will say that the drive partitions are unsuitable (but we know that’s wrong!). What it is really looking for is TPM (the feature I mentioned earlier). By default it’s not enabled out of the box, and must be enabled using the BIOS of your computer. I have found that some major PC manufacturers also need a BIOS update to enable TPM properly, so that’s worth watching out for!
In Control Panel, Open the BitLocker icon again, and click “Turn on TPM”. Reboot when requested.
F1 to accept the change (BIOS message – if it applies to your hardware)
Click Turn On BitLocker
Note: If you receive the error “The Trusted Platform Module (TPM) on this computer does not work with the current BIOS. Contact the computer manufacturer for BIOS upgrade instructions”, it is likely that you need to update the BIOS. I would recommend that you disable the BIOS password before doing this. For the HP machine I used, this was simple: just run the HPQ Flash utility within Windows Vista, and reboot.
Click TPM Administration, click initialize TPM
Click Turn On BitLocker. When you are prompted to save or print the key, do all three (save to USB, save to file and print the key). Click “Encrypt”, and sit back. Note: these are important ... effectively the keys to your drive, so protect them and store them safely. We will touch on how the Administrator can automate this key management issue more effectively in the next section.
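The Control Panel wizard above only tells you that something is unsuitable; it does not say which of the TPM or volume conditions it is unhappy with. The following is an added example (not from the original post, and not a Microsoft script) that reads the same state through the WMI classes BitLocker exposes on Vista Enterprise/Ultimate: Win32_Tpm for the BIOS/TPM side and Win32_EncryptableVolume for each volume. It assumes an elevated PowerShell session on the machine being checked; it changes nothing.

```powershell
# Added example, not part of the original post. Read-only readiness report for
# BitLocker with TPM: is there a TPM, is it enabled/activated/owned, and what
# protection and encryption state is each volume in. Assumes Windows Vista
# Enterprise/Ultimate and an elevated PowerShell session.

$TpmNamespace = 'root\CIMV2\Security\MicrosoftTpm'
$BdeNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Value tables from the Win32_EncryptableVolume method documentation
$ProtectionNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$ConversionNames = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
                      3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }

function Get-TpmReadiness {
    # Win32_Tpm has no instance at all when the chip is absent or hidden by the BIOS
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue
    $r = "" | Select-Object Present, Enabled, Activated, Owned, Ready
    if (-not $tpm) {
        $r.Present = $false; $r.Enabled = $false; $r.Activated = $false; $r.Owned = $false
    } else {
        $r.Present   = $true
        # Each method returns an object whose like-named property carries the flag
        $r.Enabled   = [bool]$tpm.IsEnabled().IsEnabled      # turned on in BIOS
        $r.Activated = [bool]$tpm.IsActivated().IsActivated  # the F1-to-accept step
        $r.Owned     = [bool]$tpm.IsOwned().IsOwned          # "Initialize TPM" done
    }
    $r.Ready = $r.Present -and $r.Enabled -and $r.Activated -and $r.Owned
    $r
}

function Get-VolumeReadiness {
    foreach ($vol in Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume) {
        $r = "" | Select-Object Drive, Protection, Conversion, PercentEncrypted, TpmProtector, RecoveryPassword
        $r.Drive      = $vol.DriveLetter
        $r.Protection = $ProtectionNames[[int]$vol.GetProtectionStatus().ProtectionStatus]
        $cs = $vol.GetConversionStatus()
        $r.Conversion       = $ConversionNames[[int]$cs.ConversionStatus]
        $r.PercentEncrypted = $cs.EncryptionPercentage
        # Key protector types: 1 = TPM, 3 = numerical (48-digit recovery) password
        $r.TpmProtector     = [bool]$vol.GetKeyProtectors(1).VolumeKeyProtectorID
        $r.RecoveryPassword = [bool]$vol.GetKeyProtectors(3).VolumeKeyProtectorID
        $r
    }
}

Get-TpmReadiness    | Format-List
Get-VolumeReadiness | Format-Table -AutoSize
```

If `Present` is true but `Enabled` or `Activated` is false, the fix is in the BIOS (and possibly a BIOS update, as the note above describes), not in Windows. A volume that shows `Protected` with a TPM protector but no recovery password is the case the next section is about: there is nothing to escrow.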
There are a series of Group Policy Objects to allow management of the BitLocker settings, and an administrative blessing in the form of Active Directory storage of BitLocker keys. The settings are all within the “Computer” settings, under Administrative Templates, Windows Components, BitLocker Drive Encryption.
To allow automatic backups, you must first set up appropriate schema extensions and access control settings on the domain before AD DS backup can succeed. Consult online documentation for more information about setting up Active Directory Domain Services for BitLocker.
Next, it’s a case of switching it on, and letting Windows Vista do its thing when BitLocker is enabled on the machine.
If you select the GPO option to “Require BitLocker backup to AD DS”, BitLocker can’t be turned on unless the computer is connected to the domain and the AD DS backup succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. Otherwise, AD DS backup is attempted, but network or other backup failures do not impact BitLocker setup; the backup is not automatically retried, so the recovery password may not have been stored in AD DS during BitLocker setup. This is another setting which you should build into your plans to ensure that there are no BitLocker keys in your enterprise which are not backed up ... the easy way to do it I mentioned earlier!
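Because a failed backup at setup time is never retried, “switch it on and let Vista do its thing” still leaves a gap for machines that enabled BitLocker while off the network. The following is an added example (not from the original post, and not a Microsoft script) that closes it from both ends: on the client it re-attempts the AD DS escrow of every recovery password through Win32_EncryptableVolume, and on the directory side it lists the msFVE-RecoveryInformation objects under the computer account and reports any protector that has no copy there. It assumes a domain-joined Vista Enterprise/Ultimate client with the BitLocker schema extensions and access control already configured, and an account that has been delegated read access to the recovery objects; it reads only the protector GUIDs, never the 48-digit passwords.

```powershell
# Added example, not part of the original post or of Microsoft's own scripts.
# 1. Re-attempt AD DS escrow of each recovery password (type 3 protector) on this machine.
# 2. Compare the protectors on the volumes with the msFVE-RecoveryInformation objects
#    stored under the computer account, and list any that are missing.
# Assumes: Vista Enterprise/Ultimate, domain-joined, BitLocker schema extensions in place,
# elevated session, and read access to the recovery objects under the computer account.

$BdeNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-RecoveryPasswordProtectors {
    # One record per numerical-password protector on each encryptable volume.
    # Only the protector GUID is returned; the password itself is never read here.
    foreach ($vol in Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume) {
        foreach ($id in @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)) {
            if (-not $id) { continue }
            $rec = "" | Select-Object Drive, ProtectorId
            $rec.Drive = $vol.DriveLetter
            $rec.ProtectorId = $id      # WMI returns the GUID in "{...}" form
            $rec
        }
    }
}

function Invoke-RecoveryPasswordEscrow {
    # Re-run the AD DS backup for each recovery password and report the result code.
    foreach ($p in Get-RecoveryPasswordProtectors) {
        $vol = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume `
                             -Filter "DriveLetter='$($p.Drive)'"
        $rv = $vol.BackupRecoveryInformationToActiveDirectory($p.ProtectorId).ReturnValue
        $rec = "" | Select-Object Drive, ProtectorId, Result
        $rec.Drive = $p.Drive
        $rec.ProtectorId = $p.ProtectorId
        # 0 means the write to the computer object succeeded; anything else is an HRESULT
        if ($rv -eq 0) { $rec.Result = 'Escrowed' } else { $rec.Result = ('Failed 0x{0:X8}' -f $rv) }
        $rec
    }
}

function Get-EscrowedRecoveryGuids {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Locate the computer object in the current domain, then its child
    # msFVE-RecoveryInformation objects (one per escrowed recovery password).
    $search = New-Object System.DirectoryServices.DirectorySearcher
    $search.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $search.FindOne()
    if (-not $computer) { throw "No computer object found for $ComputerName" }

    $child = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
    $child.Filter = '(objectClass=msFVE-RecoveryInformation)'
    $child.SearchScope = 'OneLevel'
    [void]$child.PropertiesToLoad.Add('msFVE-RecoveryGuid')
    foreach ($obj in $child.FindAll()) {
        # msFVE-RecoveryGuid is stored as an octet string; turn it back into "{...}" text
        $bytes = [byte[]]$obj.Properties['msfve-recoveryguid'][0]
        (New-Object System.Guid -ArgumentList (,$bytes)).ToString('B')
    }
}

function Compare-RecoveryEscrow {
    # Protectors present on this machine that have no matching object in AD DS.
    $inAd = @(Get-EscrowedRecoveryGuids)
    foreach ($p in Get-RecoveryPasswordProtectors) {
        if (-not ($inAd -contains $p.ProtectorId)) { $p }   # -contains ignores case
    }
}

Invoke-RecoveryPasswordEscrow | Format-Table -AutoSize
$missing = @(Compare-RecoveryEscrow)
if ($missing.Count -eq 0) { 'Every recovery password on this machine has an AD DS copy.' }
else { $missing | Format-Table -AutoSize }
```

Run the first half as a startup or logon script on clients and the second half from an administrative workstation, and the result is a list of exactly the machines the GPO’s “not retried” behaviour left behind. Reading only the GUID, and not the msFVE-RecoveryPassword attribute, keeps the audit account out of the set of principals that can actually unlock a drive.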
I think the use of BitLocker in Enterprise environments is an obvious option. While it takes a little setup, it’s very automatable and the peace-of-mind it provides as well as the protection of your corporate Intellectual Property means that it would be crazy not to implement it.
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.