Enable BitLocker, Automatically Save Keys to Active Directory


Companies have always been concerned about the safety of the data on their mobile users’ computers. What happens if a laptop is lost or stolen? How can you be sure that the “stuff” on that computer does not fall into the wrong hands? The answer is encryption, and there have been plenty of options such as GuardianEdge, CheckPoint Pointsec and TrueCrypt, but now with Windows 7 Enterprise and Ultimate, Microsoft has introduced a new choice called BitLocker (and BitLocker To Go) that is built right into the operating system. Let me tell you about it and how to use it. Before getting started, let me briefly cover what BitLocker is. Microsoft describes it as protecting your data from being lost or stolen by “putting a virtual lock on your files”.

While that is basically true, it is more than just locking the files: it is really locking the file system that the files live on, not just the files themselves. That’s because BitLocker is a “full disk encryption” (FDE) product that secures a whole partition, not just the contents of directories the way EFS (Encrypting File System) does. It is also called “Full Volume Encryption” (FVE) because it really encrypts a volume on the disk. To boil it down further, encryption is simply a way of scrambling data using a secret code, or “key”, that makes the data unintelligible without that key. Think of it as something like Pig Latin for data, except that no one can decipher it unless they have your secret decoder key. That key is usually stored in your computer in a “Trusted Platform Module” (TPM) chip that is built into most recent laptops. If the hard disk is ever removed from the computer, or if the computer boots from anything other than that hard disk, such as a CD/DVD or USB drive, then the data on the disk cannot be read or copied; it is protected by BitLocker! Here’s a quick video to tell you more.

BitLocker can also be used to encrypt removable media like a USB drive using “BitLocker To Go”. The drive can then be used on any Windows 7 computer simply by plugging it in and entering the password you created when you encrypted it. Earlier versions of Windows like Vista and XP can also read the disk if it is formatted FAT, not NTFS. When they attach the encrypted media, if they don’t already have it, they are prompted to install the BitLocker To Go Reader, which is included on the drive, after which they can copy files from the encrypted disk but are not able to write to it. PCMAG has a nice, brief article on it too. Here’s another video about BitLocker, and this one is all about BitLocker To Go.

As I mentioned earlier, in order to decrypt a “BitLocked” drive you have to have the decryption key. This key can be entered manually, which is very cumbersome, or it can be presented from a USB flash drive that you connect to the computer, but better yet, the key can be stored in a TPM chip that is built into the laptop. Microsoft has a nice overview of how keys are secured within the TPM if you would like more details. Before you can use the TPM chip, you must Enable it AND Activate it. Most of the laptops I have done this on have required two reboots into the BIOS, but you only need to do this the first time you want to enable BitLocker and can then leave it alone. For instance, here’s how you do it on a Dell Latitude laptop.

Boot the laptop and press F2 (or sometimes Delete) to enter the BIOS, then navigate to Security and select TPM Security. The first time you open this you will only be able to Enable TPM security by checking the box. If you’ve been here before you might see additional options, but the main thing is to make sure that the box IS checked. You’ll be told that you need to restart for the changes to take effect, so click OK, save your changes and restart. You’ll need to enter the BIOS again, so hit F2 or Delete to get into the BIOS System Setup and navigate back to TPM Security. This time you can Activate the chip.

Again, save your settings and reboot. If you don’t have a TPM chip, you can still use BitLocker, but for this guide I will assume you are using TPM. HowToGeek has a nice guide on using a USB Startup Key for BitLocker instead of TPM. It might not be obvious, but the way the TPM secures the encryption keys is by ensuring that the way your system boots is always the same as it was at the time you enabled BitLocker. This means that if you are encrypting your system drive (C:) it is important that you set the boot order so that the Hard Drive is always first.

If the computer tries to boot from CD/DVD or USB first, the TPM chip will not release the keys to decrypt the drive and you will end up unable to boot your system without manually entering the key. That’s by design. If later you want to boot from other media you can still hit F12 or change the BIOS setting; just know that the disk will not automatically unlock and you will need the decryption key in order to access it. I have seen it work fine when a “Diskette Drive” is listed first in the boot order, but laptops don’t have those anymore, so the HDD ends up being first by default. I find it best practice to force the HDD to be first explicitly.

Why? For instance, if a user has a bootable disc in their computer, like a Windows DVD, when their laptop boots and reads from the DVD the user is prompted to “press any key to boot” from that disc. If they do not press any key the machine moves on to the next boot option, presumably the hard drive, but I have seen some computers try booting next from the encrypted partition and not from the boot partition. This prompts the user to enter the decryption key and results in a call to tech support. If they remove the DVD and boot normally it works fine. So, new rule: set the BIOS boot order to load the HDD first. If you need to boot anything else, press F12 while booting to manually select it at that time.


There isn’t really anything to “enable” in order to start using BitLocker itself on Windows 7; just right-click any hard drive that you want to encrypt and select “Turn on BitLocker.” Note: if you want to use BitLocker on a Windows Server 2008 R2 machine, you do need to install the “BitLocker Drive Encryption” feature, as it is not there by default. This will start the wizard, which will first check for a TPM chip. If all goes well you should see this screen. If not, then you may need to step back and Activate your TPM chip in the BIOS. You should now be able to click Next through the next couple of pages while the wizard does some setup for you.

When asked to save your key, I find it best to just save it to a file somewhere (it just generates a text file); the catch is that you cannot save it to the drive that you are encrypting! You can put it on a different local drive if you have one, a network share, or even a USB flash drive if you like. So click Save the recovery key to a file and put it somewhere. It will tell you that the key has been saved, and then you can continue. At this point you are ready to encrypt your drive. It’s a good idea, though, to run the BitLocker system check.

It will make sure that the TPM chip can present the decryption keys and that you won’t have any issues after the drive is encrypted. Running the check has helped me catch a few computers with a strange boot order or other problems before I got too deep. Once your computer reboots, if the check passes you’ll see a balloon pop up from the system tray indicating that the disk is being encrypted. Now you can just sit back, let BitLocker do its thing, and you are done! If it fails, you will see something like this instead, indicating that BitLocker can’t be enabled, in which case you have some troubleshooting to do. While it is encrypting the drive you CAN shut down or reboot your laptop and it will resume the encryption without giving you any trouble. Also, you may notice that the disk appears to be nearly full until the encryption is complete.


That’s nothing to stress about, as once it is finished it will show the true free space of the drive. The process does take a while and you may notice slower than normal performance until it’s done, but once the disk is encrypted you should not notice any performance degradation. In fact, a BitLocker disk should have less than a 5% change when compared to performance statistics when it is not encrypted, which is very similar to other encryption solutions. At this point you can call it a day for this computer. You’ve got BitLocker working and the drive is encrypted. If you are planning a more wide-scale deployment of BitLocker, then read on.

If you are looking at implementing or supporting BitLocker in a corporate environment, one of the most important things is to have ownership of the BitLocker Recovery Keys. If that computer ever dies, or if you need to pull that hard disk from its current hardware, then you will need that key in order to decrypt and read it. Also, unless you configure a Group Policy to prevent it, users can enable BitLocker on their own, purposely or not, and they would likely never think to give you the key. Rest assured that you can create a domain policy that will require the computer to store its key in Active Directory as a property of the computer account, and it’s all done automatically! Microsoft has a very comprehensive guide on how to do this on TechNet. If you already have a Domain Controller running Windows 2008 or newer then you already have the ability to store this information in Active Directory.

If you do not, then you can either add a 2008 DC, which will update the schema for you, or simply extend the AD schema to include the BitLocker information. If you are not sure, you can check whether the required schema objects already exist. If you want to store information about the TPM chip as well as BitLocker, StarrAndersen has provided a script that adds an access control entry (ACE) so that backing up TPM recovery information is possible. Just log in to one of your Domain Controllers with a Domain Admin account and run the script: cscript Add-TPMSelfWriteACE.vbs. One last thing to do is to delegate write permissions on the msTPM-OwnerInformation attribute to the “SELF” account.

Tom Acker has an excellent article on how to do this on the TechNet blog. Essentially what you need to do is open the AD Users and Computers MMC, right-click the OU where your computers are (or the domain root) and Delegate rights to the SELF account using a “custom task” applied only to Computer objects. Under the permissions to show, select General, Property-specific and Creation/deletion of specific child objects, then check “Write msTPM-OwnerInformation”. Now that Active Directory is able to store the BitLocker and TPM information, we need a policy that will cause the computers to actually write that information. Below are the steps to configure Windows 7 and 2008 R2, but if you need Vista or 2008 you’ll find the instructions on TechNet here.


Create a new Group Policy and navigate to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. There you will see three more folders that contain the settings for how Windows 7 and 2008 R2 manage BitLocker information for three different types of drives: Fixed Data Drives, Operating System Drives and Removable Data Drives. The core settings for all three are pretty similar; just double-click the Choose how BitLocker-protected drives can be recovered setting and Enable it. Specify that you want to store Recovery passwords and key packages and check the option Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives. This prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

You can repeat this for the other types of drives as well. Read the built-in Help text to decide what is appropriate for your environment. In the same policy, now navigate to Computer Configuration\Administrative Templates\System\Trusted Platform Module Services. Double-click Turn on TPM backup to Active Directory Domain Services, enable it and make sure Require TPM backup to AD DS is checked. This prevents the TPM owner password from being set or changed unless the computer is connected to the domain and the AD DS backup succeeds. When you’re done, just close the Policy editor and link the GPO somewhere in AD that you feel is appropriate.

Now you can test it out by making sure the policy is being applied to a new test workstation (gpresult /h res.htm && res.htm) and then enabling BitLocker on it as described at the beginning of this article. You should no longer be prompted for a place to save the Recovery key, as it will automatically be stored in Active Directory. Note: computers that already had BitLocker enabled prior to receiving these policies will not store their recovery keys or TPM information into AD, because that only happens at the time of TPM Activation and when you actually enable BitLocker. You can manually force a computer to store its information by using manage-bde -protectors -get c: to find the “Numerical Password” ID for the drive, then manage-bde -protectors -adbackup c: -id {ID}.
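If you have more than a handful of machines that were encrypted before the policy arrived, the two manage-bde steps above are easier to push out as a script. The following is an added example (not from the original article) that does the same thing through the Win32_EncryptableVolume WMI class that ships with Windows 7 and 2008 R2; it assumes you run it from an elevated PowerShell prompt on a domain-joined computer that already has the backup policy applied.

```powershell
# Added example: force the AD DS backup of every Numerical Password (recovery
# password) protector on every BitLocker-protected volume, the scripted
# equivalent of "manage-bde -protectors -get" followed by "-adbackup".
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    $mount = $vol.DriveLetter
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown. Only protected volumes
    # have anything worth backing up.
    $prot = $vol.GetProtectionStatus()
    if ($prot.ProtectionStatus -ne 1) {
        Write-Host "$mount : protection is off, nothing to back up"
        continue
    }
    # KeyProtectorType 3 = Numerical Password, the 48-digit recovery password
    # that the policy stores in AD DS. The IDs returned are the same GUIDs that
    # "manage-bde -protectors -get" prints under "Numerical Password".
    $kp = $vol.GetKeyProtectors(3)
    if (-not $kp.VolumeKeyProtectorID) {
        Write-Warning "$mount : no Numerical Password protector; add one with: manage-bde -protectors -add $mount -RecoveryPassword"
        continue
    }
    foreach ($id in $kp.VolumeKeyProtectorID) {
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        # ReturnValue 0 = success. Anything else is an error code; the usual
        # causes are no reachable DC, or a schema that has not been extended
        # with msFVE-RecoveryInformation yet.
        if ($r.ReturnValue -eq 0) {
            Write-Host "$mount : backed up recovery password $id to AD DS"
        } else {
            Write-Warning ("$mount : backup of $id failed, return value 0x{0:X8}" -f $r.ReturnValue)
        }
    }
}
```

After it runs, the new entries show up on the computer account’s BitLocker Recovery tab just like the ones created by a fresh activation.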

New activations will automatically store into AD, so you could disable BitLocker and then re-enable it to trigger automatic storage. To see the information that is being stored in AD, you need to install the BitLocker Recovery Password Viewer, which is part of the Remote Server Administration Tools (RSAT). On your 2008 R2 Domain Controllers you simply start the “Add a feature” wizard, navigate to RSAT > Feature Administration Tools and choose the BitLocker Drive Encryption Administration Utilities. Once the Viewer has been added, you can open the Active Directory Users and Computers MMC and open the Properties page of any computer account to see the BitLocker Recovery tab. There you’ll see all of the Recovery IDs and Passwords that have been generated for all drives encrypted by that computer. But what happens if you have a hard disk that has been encrypted but you don’t know what computer it came from? When you attach the disk to a machine and attempt to read it, you’ll be presented with a message that says it’s encrypted and that you’ll need the Recovery Password.

It will also tell you what the Password ID is. You can then search Active Directory for this ID to find the Recovery Password. If the drive was encrypted by a computer in your domain, it will find the Recovery Password, which you can use to read/write the encrypted partitions on that disk. Microsoft is well aware that not all data is going to be stored safely on your locally encrypted hard drives and that potentially sensitive data may be put on a removable device like a USB thumb drive. For those cases, you can still use BitLocker to protect that data using what is called BitLocker To Go, or BTG for short.
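The Recovery Password Viewer’s search is just an LDAP query: each backed-up key is an msFVE-RecoveryInformation object underneath the computer account, and its CN is “<timestamp>{<recovery GUID>}”, so the first 8 hex characters of the Password ID shown on the recovery screen are enough to find it. The following is an added example (not from the original article or from Microsoft’s viewer) that does that lookup from any domain-joined machine with PowerShell 2.0 and no RSAT; it assumes you are running as an account allowed to read msFVE-RecoveryPassword (Domain Admins by default), and the 5E4A7B1C at the bottom is a constructed sample ID.

```powershell
# Added example: find the BitLocker recovery password for an orphaned disk
# from the Password ID on the recovery screen, using System.DirectoryServices.
function Find-BitLockerRecoveryPassword {
    param([Parameter(Mandatory=$true)][string]$PasswordId)

    # Accept "5E4A7B1C" or a full "{5E4A7B1C-...}". Only hex digits and dashes
    # are allowed through, so user input cannot rewrite the LDAP filter.
    $id = $PasswordId.Trim('{', '}')
    if ($id -notmatch '^[0-9A-Fa-f-]{8,36}$') {
        throw "Password ID must be 8 hex characters or a full GUID: '$PasswordId'"
    }

    # DirectoryEntry with no path binds to the default naming context, i.e.
    # the domain this machine is joined to.
    $root = New-Object System.DirectoryServices.DirectoryEntry
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$id*))"
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'distinguishedName', 'msFVE-RecoveryPassword'))

    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        # The recovery object's parent is the computer account that backed it up
        # (the CN contains no commas, so the first comma ends the RDN).
        $computerDn = $dn.Substring($dn.IndexOf(',') + 1)
        New-Object PSObject -Property @{
            Computer         = $computerDn
            RecoveryObject   = [string]$result.Properties['cn'][0]
            RecoveryPassword = [string]$result.Properties['msfve-recoverypassword'][0]
        }
    }
}

# Usage: paste the 8-character Key ID from the recovery screen (constructed value).
Find-BitLockerRecoveryPassword -PasswordId '5E4A7B1C' | Format-List
```

A 48-digit password comes back only if the account has been granted read access to msFVE-RecoveryPassword; an empty RecoveryPassword with a matching object means the lookup worked but the permission is missing.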

You can use Group Policy to allow or require removable drives to be encrypted with BTG, and instead of needing a TPM chip to access the contents, the user need only remember the password that they define. And you can still store a recovery password in Active Directory in case they forget it. Rather than go into much detail on it here, be sure to have a look at Rocky Hacker’s MSDN Blog post on BitLocker To Go. In case you’re wondering, non-Windows 7 users can still access drives that are protected with BTG, but they use a utility called “BitLocker To Go Reader” which is included on the unencrypted part of the removable drive, and this only permits them to read or copy contents from the device, not write to it. This adds some protection and is pretty convenient too. I think Microsoft has done a good job with BitLocker to give users an easy and transparent way to protect data on their computers and removable drives.

It may require a bit of legwork on the part of the IT staff to set up the proper environment to support it, but it is feasible to have the whole thing up and running in a matter of just a few hours. For those of you wisely using SCCM to deploy your Windows 7 workstations, you can also enable BitLocker as a step in your OSD Task Sequence. For details, check out Teh Wei King’s blog post. And if you are using MDOP (Microsoft Desktop Optimization Pack), be sure to check out the pending release of MBAM (Microsoft BitLocker Administration and Monitoring), currently available in Beta on Microsoft Connect.