I have had many questions about BitLocker so I thought I would answer them in this blog post.
What is BitLocker and Why Should I Care?
BitLocker Drive Encryption is a full-volume encryption feature of Windows; it is not itself a Trusted Platform Module (TPM) component, although on the operating system drive it can use the TPM to bind the volume key to the machine and its boot configuration. The TPM is optional: data drives and removable drives are unlocked with a password, smart card or recovery key, and an OS drive on a machine without a TPM can be unlocked with a startup key on a USB drive. BitLocker To Go is the same encryption applied to removable drives such as USB sticks. Which heading a drive appears under depends on how Windows enumerates it: a drive Windows sees as a fixed disk is listed under BitLocker, a drive it reports as removable media is listed under BitLocker To Go. (See graphic below.)
Why? If you or someone at your company has ever "lost" a laptop or USB drive with sensitive data on it, you will know why. These losses can be catastrophic depending on the business and what data is lost. Consider a small insurance company. The office manager or owner wants to do some "number crunching", dumps the customer database into an Excel file, and puts it on a USB hard drive (or laptop) to take home and work on over the weekend. They stop at the store for a loaf of bread and leave the drive on the car seat. Three minutes later they come back and it is gone. Now what? The client database was on that unencrypted drive (or laptop, if you prefer) and is now out in the public. After sweating for a while, all they can do is hope nobody does anything with the data. In this scenario they are not that lucky.
The thief, a kid (or a competitor), posts the information on the web, complete with Social Security numbers. By morning the office has dozens of people calling about it. By the following day the local community paper has written an article about the loss and the breach. Do you think there is much chance this company keeps its customers? Do you think there is any chance it can replace the customers it lost? Not likely. This is a catastrophic situation for the company.
There are a number of other scenarios I could easily cover. Consider the medical information that might be in that database from a car accident or house fire claim. The risk is not only real, it is very likely. Remember Murphy's Law: anything that can go wrong, will go wrong. If the data is encrypted, losing the drive or the laptop is an "oh well" moment: the hardware is gone, the data is still locked. If the data is unencrypted, you have lost the data too, and it is lights out. One caveat: BitLocker protects data at rest. A laptop lost while it is running or merely asleep, with the volume already unlocked, is a different matter, which is why TPM plus PIN and hibernation rather than sleep are the usual recommendations for machines that travel. With that understood, BitLocker really is that good.
Does BitLocker only work on Windows Vista and Windows 7?
Does BitLocker work with Windows XP?
Does BitLocker work with other versions of Windows?
BitLocker was introduced with Windows Vista, and it is not in every edition. On the client you need Vista Enterprise or Ultimate, or Windows 7 Enterprise or Ultimate; the other SKUs do not have the feature. Windows Server 2008 and Windows Server 2008 R2 also ship it as an optional feature. Once a drive is encrypted with BitLocker it cannot be read on any machine that does not have a valid key protector for it: the password, smart card, startup key or 48-digit recovery password defined when the drive was encrypted, or the TPM of the machine it was encrypted on. The one exception is read-only access to removable drives. Windows 7 places the BitLocker To Go Reader on a BitLocker To Go drive that is FAT-formatted, so Windows XP (SP2 or later) and Windows Vista can open such a drive with the password, but only to read; they cannot write to it, and they cannot open NTFS-formatted or fixed drives at all. The Group Policy setting "Allow access to BitLocker-protected removable data drives from earlier versions of Windows" controls whether the reader is placed on the drive.
Where do I go if I want to learn more about BitLocker or BitLocker To Go?
Check out the BitLocker Center on TechNet; that page covers BitLocker in detail. Make sure you do not miss the FAQs, which cover:
- Overview and Requirements
- Deployment and Administration
- Key Management
- Active Directory Domain Services
Does BitLocker support multi-factor authentication?
Yes. On the operating system drive the TPM can be combined with a PIN, with a startup key on a USB drive, or (in Windows 7) with both, so the drive only unlocks when the machine's boot state checks out and the user supplies something they know or have. Data and removable drives can be unlocked with a password or a smart card, and every drive can also carry a recovery password or recovery key file for when the primary method fails.
How do I install and configure BitLocker and BitLocker To Go?
You can configure BitLocker by going into "Control Panel", selecting "System and Security",
then selecting "BitLocker Drive Encryption". Three actions are offered per drive:
"Manage BitLocker" lets you change, save or print the recovery key of an encrypted drive. It has slightly different options if it is the boot drive.
"Turn Off BitLocker" decrypts the drive so that it is no longer protected.
"Turn On BitLocker" encrypts a drive. Make sure you have some time available when you encrypt a drive; it can take a while, hours for a large disk. I also strongly recommend you do not let the computer go to sleep, suspend or lose power while it is encrypting. By design BitLocker tracks how far it has got and simply picks up where it left off on the next boot, and you can pause and resume encryption yourself, but why chance it? Encryption takes a while, but reading and writing data afterwards is very fast: on my Lenovo T61p I encrypted my OS partition and literally did not notice any negative impact.
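The same procedure from the command line, as an added example that is not from the original post: Windows 7 ships manage-bde.exe (there are no BitLocker PowerShell cmdlets until Windows 8), so this drives it from an elevated PowerShell prompt. The drive letters, the key folder, the polling interval and the assumption that Group Policy allows a TPM startup PIN are mine, not the post's.

```powershell
# Added example (not from the original post): turning BitLocker on for the OS drive and a
# fixed data drive with manage-bde.exe from an elevated PowerShell prompt on Windows 7.
# Assumptions: C: is the OS drive, D: a fixed data drive, E: a removable drive that will
# hold the recovery key files, and the GPO "Require additional authentication at startup"
# allows a TPM startup PIN (without it manage-bde refuses -TPMAndPIN and only TPM-only works).

$OsDrive   = "C:"
$DataDrive = "D:"
$KeyFolder = "E:\BitLockerKeys"

# 0. The TPM must be enabled and owned. The Control Panel wizard does this for you; from
#    the command line this does the same (may need a reboot and a physical-presence prompt).
manage-bde -tpm -TurnOn

# 1. Baseline: conversion status and protection status of every volume.
manage-bde -status

# 2. OS drive: TPM + PIN as the unlock method (you are prompted for the PIN), plus a
#    48-digit recovery password and a recovery key file as fallbacks. The recovery password
#    is printed to the console: copy it somewhere safe before you close the window.
#    -SkipHardwareTest starts encrypting immediately instead of after a reboot test.
New-Item -ItemType Directory -Path $KeyFolder -Force | Out-Null
manage-bde -on $OsDrive -TPMAndPIN -RecoveryPassword -RecoveryKey $KeyFolder -SkipHardwareTest

# 3. Fixed data drive: password protector (prompted) plus a recovery password.
manage-bde -on $DataDrive -Password -RecoveryPassword

# 4. Encryption runs in the background and the disks stay usable, but a drive is only
#    fully protected once it is 100% encrypted. If you must stop, use
#    "manage-bde -pause C:" and later "manage-bde -resume C:" rather than pulling the plug.
foreach ($drive in $OsDrive, $DataDrive) {
    do {
        Start-Sleep -Seconds 60
        $status = manage-bde -status $drive | Out-String
    } until ($status -match "Percentage Encrypted:\s+100")
    Write-Host "$drive fully encrypted."
}

# 5. Let the (now protected) OS drive unlock the data drive automatically at logon.
manage-bde -autounlock -enable $DataDrive

# 6. Record what protects each drive; the recovery password IDs printed here are what the
#    help desk will match against when a user is stuck at the recovery screen.
manage-bde -protectors -get $OsDrive
manage-bde -protectors -get $DataDrive
```

Step 5 sits after the wait loop on purpose: auto-unlock stores the data drive's key on the OS drive, so the OS drive has to be protected first.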
As an administrator, how can I make sure I have the keys in case users lose them?
Can I force BitLocker on Drives?
Yes to both questions. You can use Group Policy to enforce BitLocker, and you can have recovery passwords stored in Active Directory; see Configuring Active Directory to Back Up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information. You need a Windows Server 2003 SP1 or later AD DS infrastructure: Windows Server 2008 domain controllers already include the BitLocker schema extensions, while a Windows Server 2003 SP1/SP2 forest must have its schema extended first, as that article describes. It may work on older versions, but it is not supported, so you are on your own if you try that. Note that the backup happens when BitLocker is turned on (or when a new recovery password is added); drives that were encrypted before the policy arrived have to be backed up explicitly.
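Backing up an existing drive's recovery password to AD DS and checking that it arrived, as an added example that is not from the original post or the TechNet article. It assumes a domain-joined Windows 7 client whose drive already has a numerical (recovery) password protector, that the schema and GPO prerequisites from the linked article are in place, and that the account running it may read the msFVE-RecoveryInformation objects (delegated to Domain Admins by default). Everything else is plain manage-bde and ADSI.

```powershell
# Added example (not from the original post): push the recovery password(s) of an
# already-encrypted drive to the computer object in AD DS, then verify via LDAP.
# Assumption: $Drive is a BitLocker-protected volume on a domain-joined Windows 7 client.
$Drive = "C:"

# 1. Find the numerical (recovery) password protector IDs. manage-bde lists each protector
#    as a type line ("Numerical Password:") followed by an "ID: {GUID}" line.
$lines = @(manage-bde -protectors -get $Drive)
$recoveryIds = @()
for ($i = 0; $i -lt $lines.Count - 1; $i++) {
    if ($lines[$i] -match "Numerical Password:" -and
        $lines[$i + 1] -match "ID:\s*(\{[0-9A-Fa-f-]+\})") {
        $recoveryIds += $Matches[1]
    }
}
if (-not $recoveryIds) {
    throw "No recovery password on $Drive. Add one first: manage-bde -protectors -add $Drive -RecoveryPassword"
}

# 2. Back each one up. This is the same call BitLocker makes when the
#    "Store BitLocker recovery information in AD DS" policy is in force at encryption time.
foreach ($id in $recoveryIds) {
    Write-Host "Backing up protector $id on $Drive"
    manage-bde -protectors -adbackup $Drive -id $id
}

# 3. Verify. Recovery info is stored as msFVE-RecoveryInformation child objects under the
#    computer account; their cn embeds the backup timestamp and the protector GUID.
$samName  = "$env:COMPUTERNAME`$"
$computer = ([ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$samName))").FindOne()
if (-not $computer) { throw "Computer object for $env:COMPUTERNAME not found in AD DS" }

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = $computer.GetDirectoryEntry()
$searcher.SearchScope = "OneLevel"
$searcher.Filter      = "(objectClass=msFVE-RecoveryInformation)"
$backups = $searcher.FindAll()

if ($backups.Count -eq 0) {
    Write-Warning "No recovery objects visible. Either the backup failed or this account cannot read them."
}
foreach ($entry in $backups) {
    # The password itself (msFVE-RecoveryPassword) is only readable by delegated accounts;
    # the cn alone is enough to confirm the protector ID above was written.
    "{0}  backed up as: {1}" -f $Drive, $entry.Properties["cn"][0]
}
```

Match the GUID inside each cn against the ID from step 1; that is also the first eight characters a user reads out from the recovery screen, and what the help desk searches for.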
Where are the Group Policy Settings for BitLocker (on the local computer) and what settings are available?
From the Local Group Policy editor (run gpedit.msc, or mmc.exe; Add/Remove Snap-in; Group Policy Object Editor; Local Computer):
Local Computer Policy
  — Computer Configuration
    — Administrative Templates
      — Windows Components
        — BitLocker Drive Encryption
          - Fixed Data Drives
            - Configure use of smart cards on fixed data drives
            - Deny write access to fixed drives not protected by BitLocker
            - Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
            - Configure use of passwords for fixed data drives
            - Choose how BitLocker-protected fixed drives can be recovered
          - Operating System Drives
            - Require additional authentication at startup
            - Require additional authentication at startup (Windows Server 2008 and Windows Vista)
            - Allow enhanced PINs for startup
            - Configure minimum PIN length for startup
            - Choose how BitLocker-protected operating system drives can be recovered
            - Configure TPM platform validation profile
          - Removable Data Drives
            - Control use of BitLocker on removable drives
            - Configure use of smart cards on removable data drives
            - Deny write access to removable drives not protected by BitLocker
            - Allow access to BitLocker-protected removable data drives from earlier versions of Windows
            - Configure use of passwords for removable data drives
            - Choose how BitLocker-protected removable drives can be recovered
          - Settings directly under BitLocker Drive Encryption (apply to all drive types)
            - Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
            - Choose default folder for recovery password
            - Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
            - Choose drive encryption method and cipher strength
            - Provide the unique identifiers for your organization
            - Prevent memory overwrite on restart
            - Validate smart card certificate usage rule compliance
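A way to check which of these settings are actually in force on a given machine, as an added example that is not from the original post. The local editor only shows local policy, so a domain GPO that gpresult reports as applied will still show "Not Configured" there; the reliable source is the registry key the BitLocker ADMX template writes to, HKLM\SOFTWARE\Policies\Microsoft\FVE. The value names below are the ones VolumeEncryption.admx uses for Windows 7 / Server 2008 R2; the policy-to-value table is my selection, not a complete list.

```powershell
# Added example (not from the original post): report the effective BitLocker policy on this
# machine by reading the registry values the BitLocker ADMX writes, regardless of whether
# they came from a domain GPO or the local policy editor.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"

# Policy (as named in the Group Policy editor) -> registry value name under the FVE key.
# Selection based on VolumeEncryption.admx for Windows 7 / Server 2008 R2.
$checks = @{
    "OS: Require additional authentication at startup"        = "UseAdvancedStartup"
    "OS:   Allow BitLocker without a compatible TPM"          = "EnableBDEWithNoTPM"
    "OS: Configure minimum PIN length for startup"            = "MinimumPIN"
    "OS: Allow enhanced PINs for startup"                     = "UseEnhancedPin"
    "OS: Recovery - save recovery information to AD DS"       = "OSActiveDirectoryBackup"
    "OS: Recovery - do not enable until backup succeeds"      = "OSRequireActiveDirectoryBackup"
    "Fixed: Deny write access unless protected by BitLocker"  = "FDVDenyWriteAccess"
    "Fixed: Recovery - save recovery information to AD DS"    = "FDVActiveDirectoryBackup"
    "Removable: Deny write access unless protected"           = "RDVDenyWriteAccess"
    "Removable: Recovery - save recovery information to AD DS" = "RDVActiveDirectoryBackup"
    "Global: Choose drive encryption method and cipher strength" = "EncryptionMethod"
    "Global: Store recovery information in AD DS (Vista/2008)"  = "ActiveDirectoryBackup"
}

# Windows 7 values for EncryptionMethod.
$encMethods = @{ 1 = "AES-128 with diffuser"; 2 = "AES-256 with diffuser"; 3 = "AES-128"; 4 = "AES-256" }

if (-not (Test-Path $fve)) {
    Write-Warning "No $fve key: no BitLocker policy, domain or local, has been applied to this machine."
    return
}

$key = Get-ItemProperty -Path $fve
foreach ($name in ($checks.Keys | Sort-Object)) {
    $valueName = $checks[$name]
    $value     = $key.$valueName
    if ($null -eq $value) {
        $state = "Not configured"
    } elseif ($valueName -eq "EncryptionMethod") {
        $state = $encMethods[[int]$value]
        if (-not $state) { $state = "Unknown value $value" }
    } elseif ($valueName -eq "MinimumPIN") {
        $state = "$value digits"
    } else {
        $state = if ([int]$value -eq 1) { "Enabled" } else { "Disabled" }
    }
    "{0,-60} {1}" -f $name, $state
}

# To see which GPO set a given value, compare with:  gpresult /scope computer /v
```

If a setting shows "Not configured" here although gpresult lists the GPO as applied, the GPO is being applied but does not actually contain that setting; that is the case to check before suspecting the AD backup itself.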
How can I get Windows 7 RC so I can play with BitLocker?
You can download Windows 7 RC from the TechNet download center. At some point the ability to download the bits will expire, so if you want it you should get it soon. Additionally, if you want to play with BitLocker or other Windows Server 2008 R2 or Windows 7 features, let me know and I will add you to the "Momentum" early adopter program so you can gain access to the bits.
Do you know of any videos that can walk me through the process of enabling BitLocker?
I have it on my list to do a step-by-step recording of this process in the next few weeks. If you are interested, check back at my blog; I will try to put a link to that post here when it is done. If you are in dire need of the information, let me know and I will try to move it up the priority list.
Please let me know what you think about this post.
Windows Server 2008, Vista, Group Policy, Security, Beta, Windows 7, Windows Server 2008 R2, GURU-Tip, Dan Stolts
10 Sep 2009 2:44 PM
You have explicitly answered questions frequently asked about BitLocker.
As far as I know, Microsoft is forcing their users to use BitLocker on their work computers.
I just wonder how difficult it is to estimate the password ?
I presume you are implying that you work for Microsoft and your employer is forcing the use of BitLocker 🙂 If "estimating the password" means "guessing the password" … that all depends on how simple your password is. If you set it to something that anyone could guess then it is pretty easy. If you use standard password restrictions (upper alpha, lower alpha, numbers, symbols and no birthdates, pets, friends or family names etc.) it can be pretty difficult.
You should have the key stored in a SAFE (literally) place.
If you mean how do I retrieve a lost password … it should also be stored in Active Directory, so your helpdesk should be able to help you with unlocking it or changing the key.
Mark 21 Sep 2009 5:24 AM
Thank you Dan for this information.
Do you know if there is a group policy to force encryption on Operating System drives? The challenge we have is all our users are local admins on their machine (this is a requirement we cannot escape), so at any time, users can go to Control Panel and simply decrypt their drive.
Alternatively, is there any way through group policy to disable users from suspending/decrypting their drive – we only use a single partitioned disk – so OS/data reside on same partition.
Thanks in advance
Hi Mark, Yes. Group Policy \ Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption. Under this key, you will see you can control different types of drives: OS, Data, Removable.
26 Oct 2009 7:21 PM
We are using Windows 7 Ultimate on company laptops that are on the road, not connected to a PDC. I have followed the TechNet example but BitLocker keeps reporting no suitable certificate. Any ideas on what I need to do to create a self-signed certificate that works?
Richs 25 May 2010 2:52 PM
Thank you Dan.
I enabled a BitLocker and TPM GPO to save to AD on a 2008 domain and applied it to a Windows 7 Ultimate workstation. When I look at gpresult on the workstation I can see that the BitLocker GPO was applied, but the local gpedit settings for these 2 are NOT Configured and the key does not get saved in AD when I execute cscript enablebitlocker.vbs.
Should the local GPO show the 2 settings enabled??