
JCI BitLocker

BU IT Support Document

GI Operations EUC

Contents
Q & A ............................................................................................................................................................. 2
BitLocker is being deployed to my computer What will I see? ................................................................. 3
Helpdesk Portal ............................................................................................................................................. 7
How to identify if the drive is BitLocker encrypted? .................................................................................... 8
PC shows encrypted but not compliant ........................................................................................................ 8
Before you start ........................................................................................................................................ 8
To turn off BitLocker Drive Encryption ................................................................................................. 8
To suspend BitLocker Drive Encryption on an operating system drive ................................................ 9
TPM not available on PC ............................................................................................................................... 9
China Only ............................................................................................................................................... 10
Error: System Partition not available or large enough ............................................................................ 15
Hardware changes / BIOS Updates ............................................................................................................. 16
Available Reports ........................................................................................................................................ 17
Log Files ....................................................................................................................................................... 17

Q&A
What is the hard drive encryption for?
Encryption of end user PC hard drives is needed to ensure that the data stored locally on any lost or stolen PC
cannot be used by unauthorized persons.
Our customers VW and Porsche have requested that hard drive encryption be a 'must' for all suppliers that work
with any confidential VW data on their local PC.
Will there be any additional software required for this initiative?
BitLocker itself is built into the Windows 7 Operating System by default.
The MBAM agent is a small client that will be installed on each user's PC.
This client transmits the encryption keys to the MBAM Encryption Server.
This is what allows for the management of the BitLocker environment.
Will there be any additional User ID and / or additional password to use?
No, there will be nothing different. It stays the same as it is today.
What is the duration of the encryption process?
The duration of the encryption process can vary greatly, based on two factors: the speed of the hard drive and how much
data is on the drive. It can take anywhere from 30 minutes to 24 hours.
Will this impede general daily work?
No, there will be no impact to daily work, apart from a small performance decrease during the initial encryption.
Ongoing encryption is transparent.
Will this have any impact on my email activity?
No, there will be no impact to daily work such as email; emails and attachments themselves are not encrypted.
Email senders and receivers will not be impacted in any case.
What if another user logs onto an encrypted PC? Can they still work?
The encryption is done for the entire PC. This includes all users that use or will use the PC, which means that all
data for all users is encrypted on the PC.
Conversely, if a user logs onto an unencrypted PC, the data on that PC will not be encrypted.

BitLocker is being deployed to my computer: what will I see?


NOTE: The user will not see the installation of MBAM if the PC was reimaged. Only if MBAM is
assigned to a PC via SMIT is the installation notification seen.
Make sure that there is at least 15% of free disk space available before assigning MBAM.

MBAM will be assigned for installation to your machine. You will see the following notification appear in the
bottom right corner, next to the system clock.
This notifies you that the program contents have downloaded to your machine and are ready for you to start
the installation.
You will have 15 minutes to manually run the program before it is forced.

Upon running the program, you will see progress messages as the sequence is performed.

Once installation has completed (this can take several minutes), you will be prompted to reboot. You will have up
to 1 hour to perform the reboot manually. After the 1 hour time, you will be forced to reboot.

After you have rebooted the PC you should see the following window displayed:
*Important Note* - There might be a delay of up to one business day until this window shows. The policy-based
encryption has to be done via the Central Management system. Running the local BitLocker encryption will not
use the JCI standard settings, and the client would therefore become non-compliant.

If the Postpone button is pushed, the window will go away, however, it will reappear the next time that the
policy is enforced, and every time after each policy application.
If the Start button is pushed, you may be prompted to reboot (shown below)

Once you reboot, you should be prompted to enable the TPM chip (this is required) for BitLocker. This is usually
done by pressing the F1 key (shown below). If you choose Reject (F2 in the example below), please note
that you will be re-prompted to encrypt your drive each time your PC updates its policies.

If you are not prompted to reboot initially, or you have already rebooted and pressed F1 to enable the TPM, you
will be presented with a new window (below). This should begin automatically. During encryption, you will be
able to work as you normally would. You may experience a temporary performance degradation during the
encryption, but this will pass after the encryption process has completed.

At this point, you can close the window. You can also power off your PC; encryption will resume when you power
your computer back on. Please note, the encryption process can take several hours to complete. When the
process is complete, you should see the following notice:

Your HDD is now fully encrypted.

Helpdesk Portal
Link: https://diskencryption.jci.com/helpdesk/Default.aspx
*Note* Access has to be requested; please see the MBAM Access Request Procedure.

1. A user will call the Service Desk/Local IT letting them know that BitLocker has locked their PC,
and they need assistance in unlocking their computer.
a. Validate that the user is the real user of that PC!
2. On the left side of the Portal website, click the Drive Recovery item.
a. You will not currently need to use any other option on this site.
3. You will need to enter the following information: User Domain, User ID, Key ID, and Reason for
Drive Unlock.
a. Domain: CORPWEB, IFMUK, CGNA, etc.
b. User ID: This is the user's Global ID
c. Key ID: This is the Recovery Key ID that the user should see on their locked PC (generally
32 digits)
d. Reason for Drive Unlock: Pick the most appropriate reason. If the user gives a reason
that is not listed, select Other (example below).

4. Once the information is entered, click the Submit button.

5. If all of the entered information was correct, you will then be presented with the user's Unlock
code (example below).

6. This key should be read to the user via phone (or typed in by local IT). The user will likely not
have access to email/chat, as their PC is locked.
7. Once they've entered the code properly, validate that they were then able to log into Windows.
a. Note: BitLocker does NOT impact Windows logon. If they are unable to log on, there is
another issue not related to BitLocker (locked account, expired/incorrect password,
etc.).

How to identify if the drive is BitLocker encrypted?


Once you have followed the steps above and BitLocker did not show an error message, the drive is encrypted. This
can also be checked via Computer:

PC shows encrypted but not compliant


If the MBAM client and policy were assigned to a PC, but the PC shows as encrypted but not compliant, with
128-bit encryption (the JCI standard is 256-bit) in the MBAM reporting, this means that the user has encrypted the PC
manually without using the policy.
To resolve this, follow the steps below under "To turn off BitLocker Drive Encryption". The drive will be decrypted
again. On the next policy update run, the JCI BitLocker policy will reapply and kick in using the
correct encryption.
http://technet.microsoft.com/en-us/library/ee424315(v=ws.10).aspx
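The two checks described above (is the drive encrypted at all, and is it encrypted with the JCI standard 256-bit method rather than a manually chosen 128-bit one) can be scripted instead of read off the Control Panel. The following PowerShell script is an added example and is not part of the JCI document or of the MBAM product. It reads the Win32_EncryptableVolume WMI class that ships with Windows 7, so it needs no additional modules; it assumes it is run from an elevated prompt on the PC being checked, and it treats "compliant" as fully encrypted, protection on, and a 256-bit AES method, which is this document's definition.

```powershell
# Added example (not from the JCI document): report the BitLocker state of the
# OS drive and flag the "encrypted but 128-bit" case the document describes.
# Uses the Win32_EncryptableVolume WMI class (present on Windows 7), so it works
# without the newer BitLocker PowerShell module. Run from an elevated prompt.

$BitLockerNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Code tables from the Win32_EncryptableVolume documentation
$ConversionNames = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                      3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$MethodNames     = @{ 0 = 'None'; 1 = 'AES-128 with diffuser'; 2 = 'AES-256 with diffuser';
                      3 = 'AES-128'; 4 = 'AES-256' }
$ProtectionNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

function Get-OsDriveBitLockerState {
    param([string]$DriveLetter = $env:SystemDrive)   # e.g. "C:"

    $vol = Get-WmiObject -Namespace $BitLockerNamespace -Class Win32_EncryptableVolume |
           Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $vol) { throw "No BitLocker-capable volume found for $DriveLetter" }

    # These methods exist on Windows 7; the equivalent properties were added in later Windows versions
    $conv = $vol.GetConversionStatus()
    $meth = $vol.GetEncryptionMethod()
    $prot = $vol.GetProtectionStatus()

    # Key size derived from the method code; 0 covers "None" and codes newer than Windows 7
    $keyBits = 0
    if (@(1, 3) -contains [int]$meth.EncryptionMethod) { $keyBits = 128 }
    if (@(2, 4) -contains [int]$meth.EncryptionMethod) { $keyBits = 256 }

    # Numerical-password protectors (type 3) carry the Recovery Key ID that the user reads
    # to the helpdesk. The ID is safe to display; the recovery password itself is not read here.
    $recoveryIds = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)

    New-Object PSObject -Property @{
        Drive            = $DriveLetter
        ConversionStatus = $ConversionNames[[int]$conv.ConversionStatus]
        PercentEncrypted = $conv.EncryptionPercentage
        EncryptionMethod = $MethodNames[[int]$meth.EncryptionMethod]
        KeyBits          = $keyBits
        ProtectionStatus = $ProtectionNames[[int]$prot.ProtectionStatus]
        RecoveryKeyIds   = ($recoveryIds -join ', ')
        # "Compliant" as this document defines it: fully encrypted, protection on, 256-bit
        JciCompliant     = ([int]$conv.ConversionStatus -eq 1 -and
                            [int]$prot.ProtectionStatus -eq 1 -and
                            $keyBits -eq 256)
    }
}

$state = Get-OsDriveBitLockerState
$state | Format-List Drive, ConversionStatus, PercentEncrypted, EncryptionMethod, KeyBits,
                     ProtectionStatus, RecoveryKeyIds, JciCompliant

if ($state.ConversionStatus -eq 'FullyEncrypted' -and -not $state.JciCompliant) {
    $msg = "Drive is encrypted with a $($state.KeyBits)-bit method and/or protection is off; " +
           "turn BitLocker off so the MBAM policy can re-encrypt with the JCI standard setting."
    Write-Warning $msg
}
```

A PC that was encrypted manually will typically show FullyEncrypted with KeyBits 128 and JciCompliant False, which is exactly the "encrypted but not compliant" state the MBAM report flags; the RecoveryKeyIds value is the same Key ID the helpdesk asks for in the Drive Recovery form.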

Before you start


To complete the procedures in this scenario:

You must be able to provide administrative credentials.

The drive must be BitLocker-protected.

Complete one of the following procedures.

To turn off BitLocker Drive Encryption


1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. Find the drive on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker.
3. A message is displayed, informing you that the drive will be decrypted and that decryption may take some
time. Click Decrypt the drive to continue and turn off BitLocker on the drive.

By completing this procedure, you have decrypted the drive and removed BitLocker protection.

To suspend BitLocker Drive Encryption on an operating system drive


1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. Click Suspend Protection for the operating system drive.
3. A message is displayed, informing you that your data will not be protected while BitLocker is suspended
and asking if you want to suspend BitLocker Drive Encryption. Click Yes to continue and suspend BitLocker
on the drive.

By completing this procedure, you have suspended BitLocker protection on the drive by changing the decryption
key to a clear key. To read data from the drive, the clear key is used to access the files. When BitLocker is
suspended, TPM validation does not occur and other authentication methods, such as the use of a PIN or USB key
to unlock the operating system drive, are not enforced. This allows you to make system changes such as updating
the BIOS or replacing a data drive. When you are finished making changes to the computer, click Resume
Protection from the BitLocker Drive Encryption Control Panel item to start using BitLocker Drive Encryption again.

TPM not available on PC


In some cases the TPM is not activated or is even missing. To verify, please follow the steps below.

1. Power off the PC (reboots may not work on some models).
2. Power on the PC.
3. Immediately and repeatedly press the F10 key until a BIOS menu selection pops up (the key for most
supported HP hardware is F10, however some models may differ).
4. From this menu list, select the option that states Computer Configuration.
5. Once in the BIOS setup, browse to the Security menu (at the top).
6. Browse to the OS management of Embedded Security Device setting and ensure that it says ENABLED.
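Before sending a technician into the BIOS, it helps to know what Windows itself can see of the TPM. The following PowerShell script is an added example and is not part of the JCI document; it queries the Win32_Tpm WMI class shipped with Windows 7 and reports whether a TPM is present, enabled, activated and owned, which is the state the BIOS steps above are meant to reach. It assumes an elevated prompt, since the class is not readable by standard users.

```powershell
# Added example (not from the JCI document): check whether Windows can see a TPM
# and whether it is enabled, activated and owned. Uses the Win32_Tpm WMI class
# shipped with Windows 7. Run from an elevated prompt.

function Get-TpmReadiness {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm

    if (-not $tpm) {
        # No instance means Windows cannot see a TPM: it is missing, or hidden/disabled in the BIOS
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false
            SpecVersion = $null
            Advice = 'No TPM visible to Windows. Check the BIOS Embedded Security Device setting.'
        }
    }

    # Each method returns an object whose property of the same name holds the answer
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned

    $advice = 'TPM is ready for BitLocker.'
    if (-not $enabled)       { $advice = 'TPM present but disabled: enable it in the BIOS (steps above).' }
    elseif (-not $activated) { $advice = 'TPM enabled but not activated: activate it in the BIOS, then reboot.' }
    elseif (-not $owned)     { $advice = 'TPM not yet owned: ownership is normally taken when BitLocker is enabled.' }

    New-Object PSObject -Property @{
        Present = $true; Enabled = $enabled; Activated = $activated; Owned = $owned
        SpecVersion = $tpm.SpecVersion   # e.g. "1.2, 2, 3" on TPM 1.2 parts
        Advice = $advice
    }
}

Get-TpmReadiness | Format-List Present, Enabled, Activated, Owned, SpecVersion, Advice
```

If Present is False the Windows-side checks cannot go any further and the BIOS procedure above (or, for the affected China models, the section that follows) is the next step; if the TPM is present but not enabled or activated, the same BIOS menu is where it gets fixed.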

China Only
1. Change the extension of the e73248 file to .exe
https://mysite.jci.com/personal/asia_jyangg/Documents/Shared%20with%20Everyone/TPM%20Tools.zip

2. Prepare a USB flash disk (less than 4 GB).

Unzip the HPUSBFW_boot.rar file.

Follow the steps below to make a bootable USB flash disk:

Insert the USB flash disk into a USB port (a USB 2.0 port is recommended) and double-click to execute the HPUSBFW.EXE file;
the window below pops up:
Set File system to FAT
Input a Volume Label
Check Create a DOS startup disk, browse to the folder where HPUSBFW_boot.rar is located, click OK

Click Start to format the USB flash disk and make it a bootable disk

Once done, copy e73248.exe to the root directory of the USB flash disk

3. Make sure you did not set up a BIOS Administrator Password!

Boot the machine and press F10 to enter the BIOS menu. Set USB Hard Drive to the first one in the boot sequence.
Remember which option is checked in System Configuration -> Device Configurations -> SATA Device Mode.

Boot the machine from the USB flash disk into DOS mode and execute e73248.exe:

4. Press any key to reboot the machine, press F10 to enter the BIOS setup menu, and set USB Hard Drive to the first
one in the boot sequence.
You may see the screen below during boot up; just press Enter:

5. Enter DOS mode and execute e73248.exe again:

6. Reboot the machine, press F10 to enter BIOS -> System Configuration -> Device Configurations -> SATA
Device Mode, and make sure you select the same option as before.

Enter BIOS -> Security; you'll see TPM Embedded Security shown in grey. Save and exit:

7. Once the above steps are complete and you have logged on to Windows, you should see Security Devices in Device
Manager, which means your TPM is enabled.

Error: System Partition not available or large enough


In some cases the encryption cannot start due to the above-mentioned error, which is shown in the
reports of the Helpdesk Portal. This error indicates that the necessary System Partition could not be
created during the MBAM client install.
In most cases this is due to a lack of space on the hard disk. The user should make sure that at least 15%
free disk space is available. Then have the MBAM install run again via Run Advertised Programs.
If the disk has enough space, check the following (this mainly comes up with SSDs):

- Disk Defragmenter Service set to manual?
If set to disabled, BitLocker cannot create the necessary System Partition of 300 MB. Have the
service set to manual.
- Hibernation or Windows Recovery activated?
Check if the user has hibernation or Windows Recovery activated. If this is the case, have it
disabled. After the 300 MB partition is created you can activate it again.
- 3rd party tools installed that are managing disk contents?
Check for those kinds of tools and make sure they are uninstalled.
- Backup software installed?
Backup software might reserve areas of the disk and stop BitLocker from creating the System
Partition.
- Pagefile
If the 300 MB System Partition still cannot be created, disable the page file. For that, follow
the steps below.

1. Go to Computer Management -> Disk Management
2. Shrink drive C:\ so that you get a 320 MB unpartitioned area.
a. If there is no error and the disk gets shrunk, use
BdeHdCfg.exe -target c: shrink -size 300 -quiet to get the System Partition created.
b. If this does not work, proceed with the next step.
3. Go to Control Panel -> System -> Advanced System Settings -> Advanced Tab -> Performance
Settings -> Advanced -> Virtual Memory -> Change -> Set to no paging file
4. Reboot to safe mode and check that the page file is gone.
5. Reboot to Win 7 normally.
6. Run the command from step 2.a.
7. This should now create the system partition.
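Most of the checklist above (free space, Disk Defragmenter service start mode, hibernation, page file) can be read from the PC in one go before the MBAM install is retried. The following PowerShell script is an added example and is not part of the JCI document; it uses only WMI classes, the registry and commands available on Windows 7. The 15% threshold and the 300 MB partition size come from this document; Windows Recovery, third-party disk tools and backup software are not checked by the script and still need a manual look. It assumes an elevated prompt on the affected PC.

```powershell
# Added example (not from the JCI document): run the scripted subset of the checks
# listed above when "System Partition not available or large enough" is reported.
# Windows RE, 3rd-party disk tools and backup software are NOT checked here.
# Run from an elevated prompt on the affected PC.

function Test-SystemPartitionPrereqs {
    param([string]$DriveLetter = $env:SystemDrive, [int]$MinFreePercent = 15)
    $findings = @()

    # 1. At least 15% free space (the document's threshold for the MBAM install)
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    $freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
    if ($freePct -lt $MinFreePercent) {
        $findings += "Only $freePct% free on $DriveLetter; at least $MinFreePercent% is needed."
    }

    # 2. Disk Defragmenter service must not be Disabled (Manual or Auto is fine);
    #    BitLocker relies on it to carve out the 300 MB System Partition
    $defrag = Get-WmiObject Win32_Service -Filter "Name='defragsvc'"
    if ($defrag -and $defrag.StartMode -eq 'Disabled') {
        $findings += "Disk Defragmenter service is Disabled; set it to Manual."
    }

    # 3. Hibernation on? HibernateEnabled = 1 means hiberfil.sys is reserved on the disk
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    if ($power -and $power.HibernateEnabled -eq 1) {
        $findings += "Hibernation is enabled; disable it (powercfg /hibernate off) until the partition exists."
    }

    # 4. Page file present? Only relevant if the partition still cannot be created,
    #    so this is reported as information, to be acted on as the last step above
    $pagefiles = @(Get-WmiObject Win32_PageFileUsage)
    if ($pagefiles.Count -gt 0) {
        $names = ($pagefiles | ForEach-Object { $_.Name }) -join ', '
        $findings += "Page file(s) in use: $names. Remove only as the last step of the procedure above."
    }

    if ($findings.Count -eq 0) { "All scripted checks passed on $DriveLetter." } else { $findings }
}

Test-SystemPartitionPrereqs
```

The page file line is deliberately informational rather than a failure: the procedure above removes the page file only after the shrink and BdeHdCfg attempt have been tried, so the script should not push a technician to that step first.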

Hardware changes / BIOS Updates / Configurations


To make sure that the TPM is always set with the correct configuration on a PC, make sure
that BitLocker protection is suspended before doing any changes to hardware or BIOS.
1. Go to Control Panel -> BitLocker Drive Encryption
2. Suspend Protection
3. Do the change
4. Boot the PC and go to Control Panel -> BitLocker Drive Encryption
5. Resume Protection
6. Reboot
7. OS will be locked
8. Enter Recovery Key
9. TPM will be set up with the correct information

Note: BitLocker has to be resumed manually afterwards. Only this will ensure that the TPM is set to a
known status and includes the correct system information/configuration.
Not following the above steps will most likely cause BitLocker to lock the PC on every boot.
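For technicians who script hardware or BIOS maintenance, the Suspend Protection and Resume Protection clicks above have a command-line equivalent in manage-bde.exe, which is included in Windows 7. The following PowerShell script is an added example and is not part of the JCI document; it wraps the two manage-bde calls and verifies the protection status through the Win32_EncryptableVolume WMI class after each step, so that a BIOS update is not started while BitLocker is still enforcing its TPM check. It assumes an elevated prompt and that the OS drive is the one being suspended.

```powershell
# Added example (not from the JCI document): command-line equivalent of the
# "Suspend Protection" / "Resume Protection" steps above, using manage-bde.exe
# (included in Windows 7). Protection status is verified after each step.
# Run from an elevated prompt.

$BitLockerNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-ProtectionStatus {
    param([string]$DriveLetter = $env:SystemDrive)
    $vol = Get-WmiObject -Namespace $BitLockerNamespace -Class Win32_EncryptableVolume |
           Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $vol) { throw "No BitLocker volume found for $DriveLetter" }
    # 0 = Unprotected (suspended or off), 1 = Protected, 2 = Unknown
    return [int]$vol.GetProtectionStatus().ProtectionStatus
}

function Suspend-OsDriveProtection {
    param([string]$DriveLetter = $env:SystemDrive)
    # Refuse to act on a drive that is not protected: there is nothing to suspend,
    # and it usually means BitLocker is off or already suspended from an earlier change
    if ((Get-ProtectionStatus $DriveLetter) -ne 1) {
        throw "$DriveLetter is not currently protected; nothing to suspend."
    }
    & manage-bde.exe -protectors -disable $DriveLetter | Out-Null
    if ((Get-ProtectionStatus $DriveLetter) -ne 0) { throw "Suspend failed on $DriveLetter" }
    "Protection suspended on $DriveLetter. Perform the hardware/BIOS change, then reboot."
}

function Resume-OsDriveProtection {
    param([string]$DriveLetter = $env:SystemDrive)
    & manage-bde.exe -protectors -enable $DriveLetter | Out-Null
    if ((Get-ProtectionStatus $DriveLetter) -ne 1) { throw "Resume failed on $DriveLetter" }
    "Protection resumed on $DriveLetter. Reboot; if the OS locks, enter the recovery key " +
    "so the TPM is set up with the new configuration."
}

# Typical use: one call before the change, one after the post-change reboot
#   Suspend-OsDriveProtection
#   ... update BIOS / swap hardware, reboot ...
#   Resume-OsDriveProtection
```

The resume step deliberately does not try to avoid the recovery-key prompt: as the note above says, the one forced recovery after resuming is what re-seals the TPM to the new configuration, and skipping it is what leads to the PC locking on every boot.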

Available Reports
http://j201m444/SMSReporting_A01/
MBAM/TPM Report on Site or PC level:

Free Disk Space Report:

MBAM Reports:
Note: You will first need to follow the MBAM Console Access Procedure to be granted access to these
reports.
https://diskencryption.jci.com/helpdesk/Reports.aspx

Log Files
Check whether the MBAM_Client_2.0.5301.1_32-64b_EN_R01.log file is present; it should be located here:

32-bit PCs - C:\Program Files\JCI Support\AppInstallLogs


64-bit PCs - C:\Program Files (x86)\JCI Support\AppInstallLogs