Enabling BitLocker for Windows 7

by Ed Fisher on 2009-11-02

in Security

One of the best things about Windows 7 Ultimate or Enterprise is that it comes with BitLocker, a whole-disk encryption solution that can be managed through Active Directory. The ISV space has several great options, including PGP and PointSec, but I like BitLocker for several reasons, including ease of deployment, cost, and centralised management of recovery keys. Here is a quick guide on how to implement it.

If you are running AD on Server 2008, you should be all set, but if you are still using Windows 2003, extend your schema to version 44 using a Server 2008 disc. See this post (link coming as soon as I write that post) on how to do that if you are not sure.

  1. Create and link a GPO to the appropriate OU for testing. I named mine BitLockerKeyEscrow.
  2. Edit the GPO as follows…
        Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered
  3. Ensure the policy has replicated to the domain controllers and is applied to your workstation.

Then, using a laptop with a TPM that is enabled in the BIOS, follow these steps to enable BitLocker encryption.

  1. Start by installing Windows 7 Enterprise or Ultimate, or deploy the corporate image of Windows 7 Enterprise.
  2. Join the workstation to the domain if not already a member.
  3. While connected to the domain, log on using a domain account that is also an administrator of the workstation. The account used to encrypt the drive does not have to be the account that will use the drive.
  4. Launch Computer Management, open Device Manager, and verify under Security Devices that a TPM exists.
  5. Select Disk Management, and verify that a BDE partition exists.
  6. Open Computer, right-click the C: drive, and click "Turn on BitLocker…"
    This will start the actual encryption process.
  7. BitLocker first initialises the TPM, which takes a few moments.
  8. Click Next so that BitLocker can prepare your drive.
  9. You are prompted that BitLocker will move the Windows Recovery Environment to your recovery drive.
    Click Next.
  10. A moment later, you will be prompted to click Next to encrypt the drive.
  11. In addition to storing the recovery information in Active Directory, BitLocker must save the key to a flash drive. If you know of a way to skip this step, please let me know in the comments. It is a small but annoying redundancy I’d just as soon do without.
    Click "Save the recovery key to a USB flash drive", then click Next.
  12. You are then prompted to run a BitLocker check, which will require a reboot. You can do this, or skip it, as your comfort level dictates. I have done this often enough that I skip this and click Start Encrypting.
  13. The PC can be used while the drive is encrypting. On my Dells with the 160GB drive, this takes a little over an hour. Avoid disk-intensive operations while the drive is encrypting. You will notice that the amount of free space decreases temporarily during encryption, but once it is done, the encryption is transparent to the user and the available disk space is back to normal.
    At some point after the drive begins encrypting (you do not have to wait for it to complete), check AD to ensure that the recovery information has been archived there:
  14. Launch adsiedit.msc.
  15. Select the default naming context (the domain), and browse down to the OU.
  16. In the console tree (the left-most pane), select the PC you are encrypting. Beneath it you should see a child object of class msFVE-RecoveryInformation whose CN starts with a date. This is the archive of the recovery data.
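Checking one computer in adsiedit is fine for a pilot, but once the GPO is in production you want to know which machines in the OU have no escrowed key at all. The following PowerShell script is an added example, not part of the original post; it uses the built-in ADSI searcher (so it runs on a Windows 7 domain member without the RSAT AD module) and the OU distinguished name is an assumed placeholder.

```powershell
# Added example: audit an OU for computers that have no msFVE-RecoveryInformation
# child object, i.e. whose BitLocker recovery password was never archived to AD.
# $OuDn is an assumed placeholder; replace it with the DN of the OU from step 1.
param(
    [string]$OuDn = 'OU=Laptops,DC=example,DC=com'
)

function Get-BitLockerEscrowStatus {
    param([string]$SearchBase)

    # Enumerate every computer object in (and below) the OU.
    $computers = [adsisearcher]'(objectCategory=computer)'
    $computers.SearchRoot  = [adsi]"LDAP://$SearchBase"
    $computers.SearchScope = 'Subtree'
    $computers.PageSize    = 500
    $null = $computers.PropertiesToLoad.Add('distinguishedName')
    $null = $computers.PropertiesToLoad.Add('name')

    foreach ($pc in $computers.FindAll()) {
        $dn = [string]$pc.Properties['distinguishedname'][0]

        # Recovery objects sit one level below the computer object, as seen in adsiedit.
        $escrow = [adsisearcher]'(objectClass=msFVE-RecoveryInformation)'
        $escrow.SearchRoot  = [adsi]"LDAP://$dn"
        $escrow.SearchScope = 'OneLevel'
        $null = $escrow.PropertiesToLoad.Add('whenCreated')
        $null = $escrow.PropertiesToLoad.Add('msFVE-RecoveryGuid')
        $entries = @($escrow.FindAll())

        # Report only the Password IDs (the GUID shown in ADUC); the recovery
        # password itself (msFVE-RecoveryPassword) is deliberately not loaded.
        [pscustomobject]@{
            Computer     = [string]$pc.Properties['name'][0]
            EscrowedKeys = $entries.Count
            PasswordIds  = ($entries | ForEach-Object {
                               (New-Object System.Guid (,[byte[]]$_.Properties['msfve-recoveryguid'][0])).Guid
                           }) -join ';'
            LastEscrow   = ($entries | ForEach-Object { $_.Properties['whencreated'][0] } |
                            Sort-Object -Descending | Select-Object -First 1)
        }
    }
}

# Machines with zero escrowed keys are the ones to chase before a laptop goes missing.
Get-BitLockerEscrowStatus -SearchBase $OuDn |
    Where-Object { $_.EscrowedKeys -eq 0 } |
    Format-Table -AutoSize
```

By default only Domain Admins can read msFVE-RecoveryInformation objects, so run this with an account that has been delegated read access to that class.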

That’s all there is to it. With this enabled, your laptop users should have no problems and should notice no performance degradation, but if a laptop is lost, the data on the drive will be inaccessible unless a malicious user has legitimate credentials to log on to the machine, or is able to compromise it over the network. To avoid the former, make certain that all laptop users have strong passwords and know not to write them down. To avoid the latter, enable the Windows firewall whenever the machine is not connected to the domain network, and always stay up to date on patches and antivirus.

Of course, I bet you want to know how to recover data from a drive by mounting it on another BitLocker-capable system and using the recovery key stored in AD. To do that…

  1. On a Windows 7 Enterprise or Ultimate machine, install the RSAT tools from this link.
  2. Go to Control Panel, Programs and Features, and click "Turn Windows features on or off."
  3. Scroll down to "Remote Server Administration Tools" and turn on all of them, or at least make sure you enable BitLocker Password Recovery Viewer under "Feature Administration Tools."
  4. Here’s the bit most documents forget… you have to register the DLL: press WIN-R, type "regsvr32.exe BdeAducExt.dll" and press Enter.
  5. Launch ADUC, browse down to the computer object that you need to recover, and right-click it, choosing Properties.
  6. On the BitLocker Recovery tab, you will see the Recovery Password for the drive.
  7. Using a SATA to USB adapter, mount the drive from the problem computer on another Windows 7 Enterprise or Ultimate machine. It does not have to have an encrypted drive.
  8. You will be prompted to enter the Recovery Password to access the drive.
  9. Note that the prompt identifies the recovery key by a hex string that matches the first characters of the Password ID shown in AD.
  10. Click "Type the recovery key" and enter the key in the field that comes up next. You can copy and paste from ADUC.
  11. If you used the right key, you will have access to the drive for the duration of the session. You can also choose to turn off BitLocker, or change the key on this drive.

That should be it… data protected, data recovered, and one company that will NOT make the evening news for having lost confidential data to a stolen or lost laptop. I hope this helps someone else out there.


yagnesh 2011-05-07 at 08:51

Thanks for giving me help…
I’m so happy that you helped me out of this trouble with BitLocker…


Ed Fisher 2011-05-07 at 15:44

Hi Yags,
Glad you found it useful. Cheers!
Ed
