Friday, January 6, 2012

BitLocker Drive Encryption Operations Guide

BitLocker is an integral security feature of Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 that helps protect data stored on fixed data drives, removable data drives and operating system drives.

BitLocker helps ensure that users can read data on a drive and write data to it only when they have the required password or smart card credentials, or are using the data drive on a BitLocker-protected computer that holds the proper keys. BitLocker protection on operating system drives supports two-factor authentication, using a Trusted Platform Module (TPM) together with a personal identification number (PIN) or a startup key, as well as single-factor authentication by storing a key on a USB flash drive or by using the TPM alone.

TPM-based protection requires that the computer have a compatible TPM microchip and BIOS. A compatible TPM is defined as a version 1.2 TPM.

TPM: The TPM is a chip installed on the system that stores the cryptographic keys that protect information.
The TPM interacts with BitLocker operating system drive protection to help provide protection at system startup. This is not visible to the user, and the logon experience is unchanged. However, if the startup information has changed, BitLocker enters recovery mode and you will need the recovery password or recovery key to regain access to the data.

To back up recovery keys in Active Directory

We can back up the BitLocker recovery information and TPM owner information of a system in Active Directory using Group Policy. We need to extend the Active Directory schema, set the required permissions for backing up TPM owner password information, and configure Group Policy to enable backup of BitLocker and TPM recovery information.

Extending the Active Directory schema

We need to use the ldifde command-line tool to extend the schema on the DC that holds the schema operations master role. The schema extension file (BitLockerTPMSchemaExtension.ldf) is available at http://technet.microsoft.com/en-us/library/ee424299(WS.10).aspx. The extension is only needed when the forest schema predates Windows Server 2008; the Windows Server 2008 and later schemas already contain the BitLocker recovery and TPM owner information classes and attributes.

ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=test,dc=net" -k -j .

This command should be entered as one line, with "DC=test,dc=net" replaced by the distinguished name of your own domain. The trailing period (.) is part of the command: it is the argument of -j and tells ldifde to write its log file to the current directory.

Set the permission for backing up TPM owner information

A client computer running Windows 7 can back up BitLocker recovery information under the computer object's default permissions. However, a client computer running Windows 7 cannot back up TPM owner information unless an additional ACE is added. The script (Add-TPMSelfWriteACE.vbs) is available at http://technet.microsoft.com/en-us/library/ee424299(WS.10).aspx

This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows SELF (the computer itself) to write to the ms-TPM-OwnerInformation attribute of computer objects in the domain.
Open a command prompt as a user allowed to modify the domain object (a Domain Admin) and type cscript Add-TPMSelfWriteACE.vbs

Configure Group Policy to back up BitLocker and TPM recovery information

To back up recovery keys from computers running Windows Server 2008 R2 or Windows 7:

1. Open Group Policy Management. In the console tree, under Computer Configuration\Policies\Administrative Templates\Windows Components, click BitLocker Drive Encryption.

2. In the details pane, double-click Fixed Data Drives, then double-click "Choose how BitLocker-protected fixed drives can be recovered" and select Enabled.

3. Make sure "Allow data recovery agent", "Save BitLocker recovery information to AD DS for fixed data drives" and "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" are checked.

4. Leave the other fields at their defaults.

5. Now repeat the same steps (steps 3 and 4) for Operating System Drives.

6. In the console tree, under Computer Configuration\Administrative Templates\System, click Trusted Platform Module Services.

7. Double-click "Turn on TPM backup to Active Directory Domain Services" and click Enabled.

8. The "Require TPM backup to AD DS" check box is selected by default. When this option is selected, the TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds.

To back up recovery keys to a shared location:

1. Open Group Policy Management. In the console tree, under Computer Configuration\Policies\Administrative Templates\Windows Components, click BitLocker Drive Encryption.
2. Double-click "Choose default folder for recovery password" and enable it. Enter the shared location in the field below.
3. The BitLocker recovery key and the TPM owner information are then backed up to that location.
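Once the policies above have applied, the escrow should be verified rather than assumed. The following PowerShell is an added example, not part of the original post: it counts the msFVE-RecoveryInformation objects under each computer and checks the TPM owner attribute (its LDAP display name is msTPM-OwnerInformation; ms-TPM-OwnerInformation above is the schema CN). The function name and output fields are this example's own; it assumes the RSAT ActiveDirectory module and an account allowed to read the recovery objects.

```powershell
# Added example (not from the original post): verify that Group Policy actually
# escrowed each computer's BitLocker recovery password(s) and TPM owner
# information to AD DS. Requires the ActiveDirectory module from RSAT and an
# account allowed to read msFVE-RecoveryInformation objects (Domain Admins by
# default). Test-BitLockerEscrow and its output fields are this example's own
# names; the class and attribute names are the real schema names.
Import-Module ActiveDirectory

function Test-BitLockerEscrow {
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    # LDAP display name of the attribute the Add-TPMSelfWriteACE.vbs ACE covers
    $computer = Get-ADComputer -Identity $ComputerName -Properties 'msTPM-OwnerInformation'

    # Each recovery password is an msFVE-RecoveryInformation child object of the
    # computer object. Only count and age are read; msFVE-RecoveryPassword itself
    # is deliberately not requested, so nothing sensitive lands in the report.
    $recovery = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties whenCreated)

    $latest = $null
    if ($recovery.Count -gt 0) {
        $latest = ($recovery | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
    }

    New-Object PSObject -Property @{
        Computer           = $computer.Name
        RecoveryPasswords  = $recovery.Count
        LatestBackup       = $latest
        TpmOwnerInfoStored = -not [string]::IsNullOrEmpty($computer.'msTPM-OwnerInformation')
    }
}

# Audit all Windows 7 / Server 2008 R2 computers and list those with nothing
# escrowed: on these machines a changed boot configuration or a lost PIN would
# leave the drive unrecoverable, and the TPM owner password cannot be recovered.
$filter = "operatingSystem -like 'Windows 7*' -or operatingSystem -like 'Windows Server 2008 R2*'"
Get-ADComputer -Filter $filter |
    ForEach-Object { Test-BitLockerEscrow -ComputerName $_.Name } |
    Where-Object { $_.RecoveryPasswords -eq 0 -or -not $_.TpmOwnerInfoStored } |
    Format-Table Computer, RecoveryPasswords, LatestBackup, TpmOwnerInfoStored -AutoSize
```

A computer that has BitLocker turned on but shows RecoveryPasswords of 0 was encrypted before the policy applied or while off the network; its recovery password must be pushed to AD DS manually (manage-bde -protectors -adbackup) before the machine is treated as recoverable.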

How to Enable BitLocker

We will be using BitLocker with two-factor authentication, as all our laptops run Windows 7 and the DC runs Windows Server 2008 R2. The majority of laptops at Cvent have a TPM chip installed.
  • First, enable the TPM in the BIOS: go to System BIOS > Security > TPM Security and check the box "TPM Security".
  • To enable BitLocker, go to Control Panel > BitLocker Drive Encryption and turn on BitLocker for the drive as required.
  • After checking the prerequisites it will ask for a restart. After the restart, it will prompt you to press F10 to enable the TPM.
  • It will then ask you to save the recovery key. Click "Save the recovery key to a file".
  • Check "Run BitLocker system check" and restart.
  • The whole process takes about 1:00 to 1:30 hours.
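The same state the wizard walks through (TPM enabled, TPM activated after the F10 prompt, protectors added, encryption progress) can be read back from the machine to confirm the steps above took effect. The following is an added example, not code from the original post: it uses the Win32_Tpm and Win32_EncryptableVolume WMI classes and manage-bde, which exist on Windows 7 and Server 2008 R2; the function name and output fields are this example's own, and it assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): check a Windows 7 / Server 2008 R2
# machine before and after enabling BitLocker. Reads the TPM via Win32_Tpm, the
# OS drive via Win32_EncryptableVolume, lists key protectors, and re-sends every
# recovery password protector to AD DS with manage-bde. Run elevated. The
# function and output field names are this example's own; classes/methods are real.
function Get-BitLockerReadiness {
    param([string]$DriveLetter = 'C:')

    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"

    # Values returned by GetKeyProtectorType(); 3 is the numerical recovery password
    $typeNames = @{ 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'RecoveryPassword';
                    4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey' }
    $protectors = @()
    if ($vol) {
        foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {   # 0 = all types
            $type = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            $protectors += New-Object PSObject -Property @{ Id = $id; Type = $typeNames[$type] }
        }
    }
    $tpmEnabled = $false; $tpmActivated = $false; $tpmOwned = $false
    if ($tpm) {   # each Is* method returns an object whose like-named property is the flag
        $tpmEnabled   = $tpm.IsEnabled().IsEnabled       # turned on in the BIOS
        $tpmActivated = $tpm.IsActivated().IsActivated   # the F10 step after the restart
        $tpmOwned     = $tpm.IsOwned().IsOwned           # owner password set by BitLocker
    }
    New-Object PSObject -Property @{
        DriveLetter      = $DriveLetter
        TpmPresent       = ($tpm -ne $null)
        TpmEnabled       = $tpmEnabled
        TpmActivated     = $tpmActivated
        TpmOwned         = $tpmOwned
        ProtectionOn     = ($vol -ne $null -and $vol.GetProtectionStatus().ProtectionStatus -eq 1)
        EncryptedPercent = $(if ($vol) { $vol.GetConversionStatus().EncryptionPercentage } else { 0 })
        Protectors       = $protectors
    }
}

$state = Get-BitLockerReadiness -DriveLetter 'C:'
$state | Format-List DriveLetter, TpmPresent, TpmEnabled, TpmActivated, TpmOwned, ProtectionOn, EncryptedPercent
$state.Protectors | Format-Table Type, Id -AutoSize
# A TPM or TPM+PIN protector alone cannot be recovered; push every recovery
# password protector to AD DS so the escrow can be confirmed before the
# laptop is handed out (the GPO only escrows automatically when the policy applied first).
foreach ($p in @($state.Protectors | Where-Object { $_.Type -eq 'RecoveryPassword' })) {
    manage-bde -protectors -adbackup $state.DriveLetter -id $p.Id
}
```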

To view recovery keys in Active Directory

To view BitLocker recovery passwords in the Active Directory Users and Computers console, install the BitLocker Recovery Password Viewer feature from RSAT on Windows 7 or Windows Server 2008.