
Group Policy Settings Guide for BitLocker

Turning on TPM Backup to Active Directory


In Computer Configuration > Administrative Templates > System > Trusted Platform Module Service > Turn on TPM backup to Active Directory Domain Services set to Enabled.

Configuring BitLocker Policies Windows 7


The policy settings that control BitLocker behavior are located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. You must make these modifications in GPMC on a Windows 7 or Windows Server 2008 R2 computer.

1. Choose default folder for recovery password: If you wish to back up the recovery password to a text file on a secure network location, set to Enabled and specify the network path.
2. Choose drive encryption method and cipher strength: AES 256-bit with Diffuser (recommended).
3. Prevent memory overwrite on restart: Set to Disabled. Enabling this policy skips the memory overwrite on restart (for faster reboots), so disabling it enforces the removal of BitLocker secrets from memory on restart.

Now specify the behavior of operating system drives under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

1. Require additional authentication at startup: Set to Enabled and, if desired, check Allow BitLocker without a compatible TPM and configure the remaining policy options.
2. Choose how BitLocker-protected operating system drives can be recovered: Set to Enabled. Check Allow data recovery agent (possible future use) if desired. Configure user storage of BitLocker recovery information as appropriate, and check Save BitLocker recovery information to AD DS for operating system drives. Under Configure storage of BitLocker recovery information to AD DS, select Store recovery passwords and key packages. Check Do not enable BitLocker until recovery information is stored to AD DS for operating system drives.

University of Minnesota - College of Education and Human Development Last Revised February 16, 2010 by Tom Ruddle Page 1

3. Configure TPM platform validation profile: Set to Enabled and use the recommended defaults, except deselect PCR 10: Boot Manager. BitLocker gets unhappy if that option is selected, particularly when the system goes into hibernation: it will usually ask for a recovery password when the system wakes from hibernation, or on reboot. Be aware of the trade-off: PCR 10 is where the boot manager is measured, so with it deselected a changed boot manager no longer forces recovery by itself; the other default PCRs (firmware, MBR and NTFS boot sector) are still validated.

Now configure the corresponding options for fixed data drives and removable data drives under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives and > Removable Data Drives respectively.
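As an added example (not part of the original guide), the following PowerShell audits a Windows 7 or Server 2008 R2 client's applied policy against the values recommended above, which is a quicker check than opening gpedit on each machine. Policy from the BitLocker ADMX lands under HKLM\SOFTWARE\Policies\Microsoft\FVE and the TPM backup policy under HKLM\SOFTWARE\Policies\Microsoft\TPM. The registry value names, the enum codes (EncryptionMethod 2 = AES 256 with Diffuser) and the PlatformValidation subkey layout are my reading of the Windows 7 VolumeEncryption.admx and TPM.admx files and are assumptions to verify against your own ADMX before relying on the script.

```powershell
# Added example, not from the original guide. Audits the locally applied BitLocker policy
# against the settings recommended in this guide. Value names and enum codes are assumed
# from the Windows 7 ADMX files; verify them against your own ADMX before trusting the result.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# One row per recommended setting. AllowMissing marks a setting where "not configured"
# gives the same behaviour as the recommended value (memory is overwritten unless
# the policy is explicitly Enabled).
$RecommendedPolicy = @(
    @{ Setting = 'Turn on TPM backup to AD DS';                           Path = $tpm; Name = 'ActiveDirectoryBackup';          Value = 1 },
    @{ Setting = 'Encryption method = AES 256-bit with Diffuser';         Path = $fve; Name = 'EncryptionMethod';               Value = 2 },
    @{ Setting = 'Prevent memory overwrite on restart = Disabled';        Path = $fve; Name = 'MorBehavior';                    Value = 0; AllowMissing = $true },
    @{ Setting = 'Require additional authentication at startup';          Path = $fve; Name = 'UseAdvancedStartup';             Value = 1 },
    @{ Setting = 'OS drive recovery policy enabled';                      Path = $fve; Name = 'OSRecovery';                     Value = 1 },
    @{ Setting = 'Save OS drive recovery info to AD DS';                  Path = $fve; Name = 'OSActiveDirectoryBackup';        Value = 1 },
    @{ Setting = 'Store recovery passwords and key packages';             Path = $fve; Name = 'OSActiveDirectoryInfoToStore';   Value = 1 },
    @{ Setting = 'Do not enable BitLocker until info is stored in AD DS';  Path = $fve; Name = 'OSRequireActiveDirectoryBackup'; Value = 1 },
    # Platform validation profile: assumed to be one DWORD per PCR under the
    # PlatformValidation subkey. The guide deselects PCR 10 (Boot Manager).
    @{ Setting = 'PCR 10 (Boot Manager) deselected';                      Path = "$fve\PlatformValidation"; Name = '10'; Value = 0 }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-BitLockerPolicy {
    param([hashtable[]]$Checks = $RecommendedPolicy)
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        $ok = ($actual -eq $c.Value) -or ($c.AllowMissing -and ($null -eq $actual))
        $shown = $actual
        if ($null -eq $actual) { $shown = '(not set)' }
        New-Object PSObject -Property @{
            Setting  = $c.Setting
            Registry = "$($c.Path)\$($c.Name)"
            Expected = $c.Value
            Actual   = $shown
            OK       = [bool]$ok
        }
    }
}

# Refresh policy first so the audit reflects what the domain currently pushes.
gpupdate /target:computer /force | Out-Null
Test-BitLockerPolicy | Select-Object Setting, Expected, Actual, OK, Registry | Format-Table -AutoSize
```

Run it on a domain-joined client after the GPO has been linked; any row with OK = False either means the policy did not apply (check gpresult /r) or that the assumed value name differs in your ADMX version.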

Configuring BitLocker Policies Windows Vista


The policy settings that control BitLocker behavior are located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. You must make these modifications in GPMC on a Windows Vista computer; you will not see the same options from GPMC on Windows 7.

1. Turn on BitLocker backup to AD DS: Set to Enabled and check Require BitLocker backup to AD DS. Under Select BitLocker recovery information to store, select Recovery passwords and key packages.
2. Control Panel Setup: Configure recovery folder: If you wish to also back up the recovery password to a text file on a secure network location, set to Enabled and specify the network path.
3. Control Panel Setup: Enable advanced startup options: Set to Enabled and, if desired, check Allow BitLocker without a compatible TPM and configure the remaining policy options.
4. Configure encryption method: Set the desired encryption algorithm.
5. Prevent memory overwrite on restart: Set to Disabled. This enforces the removal of BitLocker secrets from memory on restart.
6. Configure TPM platform validation profile: Set to Enabled and use the recommended defaults, except deselect PCR 10: Boot Manager. BitLocker gets unhappy if that option is selected, particularly when the system goes into hibernation: it will usually ask for a recovery password when the system wakes from hibernation, or on reboot.


BitLocker Recovery Information in AD


Delegating Authority to View BitLocker Recovery Information
1. Open Active Directory Users and Computers as an OU Admin.
2. Right-click the OU containing your computer objects and select Delegate Control.
3. Add the AD group you wish to delegate the ability to, and click Next.
4. Select Create a custom task to delegate, and click Next.
5. Select Only the following objects in the folder, select Computer objects and msFVE-RecoveryInformation objects, and then select Create selected objects in this folder and Delete selected objects in this folder. Click Next.
6. Under Permissions, select Full Control, and click Next.
7. Click Finish.

Note that Full Control is more than viewing requires: reading the msFVE-RecoveryInformation objects (including the msFVE-RecoveryPassword attribute) is enough to look up recovery passwords. Grant Full Control only if the group also needs to create and delete computer objects in the OU.

Viewing BitLocker Recovery Information in AD Using Windows


1. Install the Windows RSAT for Vista or Windows 7.
2. For Vista, install the BitLocker Password Recovery Viewer. This adds a tab called BitLocker Recovery when you view a computer object's properties in Active Directory Users and Computers. It also adds a context menu item called Find BitLocker Recovery Password when you right-click the ad.umn.edu domain object in Active Directory Users and Computers, where you can search by Password ID. The viewer is included automatically when RSAT for Windows 7 is installed.
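The same two lookups the GUI performs (all recovery passwords for a computer, and a search by Password ID across the domain) can be scripted with the ActiveDirectory module from RSAT. This is an added example, not part of the original guide: it relies on the documented naming of recovery objects ("<creation timestamp>{<recovery GUID>}", stored as children of the computer object, with the Password ID being the first 8 hex characters of that GUID) and assumes the caller has read access to msFVE-RecoveryInformation objects as delegated above. The domain is taken from Get-ADDomain, so nothing is hard-coded; the computer name and Password ID in the usage lines are placeholders.

```powershell
# Added example, not from the original guide. Reads BitLocker recovery passwords from
# AD DS with the ActiveDirectory module (RSAT). Requires read access to the
# msFVE-RecoveryInformation objects under the computer objects you query.
Import-Module ActiveDirectory

# Recovery objects are named "<creation timestamp>{<recovery GUID>}" and live directly
# under the computer object. The Password ID on the recovery screen is the first
# 8 hex characters of that GUID.
function ConvertTo-RecoveryRecord {
    param($Object)
    $guid = ''
    if ($Object.Name -match '\{([0-9a-fA-F-]{36})\}') { $guid = $Matches[1] }
    $passwordId = ''
    if ($guid) { $passwordId = $guid.Substring(0, 8).ToUpper() }
    # Parent DN is everything after the first RDN; the RDN itself contains no commas.
    $parentDn = ($Object.DistinguishedName -split ',', 2)[1]
    New-Object PSObject -Property @{
        Computer         = (Get-ADObject -Identity $parentDn).Name
        Created          = $Object.whenCreated
        PasswordId       = $passwordId
        RecoveryGuid     = $guid
        RecoveryPassword = $Object.'msFVE-RecoveryPassword'
    } | Select-Object Computer, Created, PasswordId, RecoveryGuid, RecoveryPassword
}

# Equivalent of the BitLocker Recovery tab: every recovery password stored for one computer.
function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object { ConvertTo-RecoveryRecord $_ }
}

# Equivalent of "Find BitLocker Recovery Password": search the whole domain by Password ID.
# Matching on the object name means the 8-character ID from the recovery screen is enough.
function Find-BitLockerRecoveryPassword {
    param([Parameter(Mandatory=$true)][string]$PasswordId)
    $prefix = ($PasswordId -replace '[{} ]', '')
    if ($prefix.Length -lt 8) { throw 'Give at least the 8-character Password ID from the recovery screen.' }
    Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{$prefix*))" `
        -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object { ConvertTo-RecoveryRecord $_ }
}

# Usage (placeholder names):
#   Get-BitLockerRecoveryInfo -ComputerName LAB-PC01 | Format-Table -AutoSize
#   Find-BitLockerRecoveryPassword -PasswordId 1A2B3C4D | Format-List
```

Because these calls read the msFVE-RecoveryPassword attribute, treat the session like the GUI viewer: run it from an administrative workstation and do not log the output, since the 48-digit password unlocks the volume without the TPM.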


Enabling BitLocker in Windows

Using BitLocker on a computer with TPM v1.2 hardware is highly recommended. Without a TPM, the computer can only boot from a USB flash drive containing the BitLocker startup key. The following procedure assumes TPM v1.2 hardware is present. BitLocker also requires two separate partitions: a small unencrypted system partition holding the boot files, and the operating system partition. If the computer is not already set up this way, you may use the BitLocker Drive Preparation Tool to allocate the additional partition. See http://support.microsoft.com/kb/930063 for more information. The required size of this partition is 100MB in Windows 7; 1.5GB is needed in Windows Vista.

Enabling the Computer's TPM Hardware


1. Activate the TPM hardware, and turn on the TPM security in the computer's BIOS.
2. Verify the TPM hardware is recognized by the system. Boot into Windows Vista, and log in as an administrator.
3. Launch the TPM management console by typing tpm.msc and then Enter in the Start Search box. You should see an option to initialize the TPM, which you may do now, or BitLocker will do it for you when you turn on BitLocker. If you do not see this option, you may need additional drivers for your TPM hardware, which can be obtained from the computer manufacturer.

Enabling BitLocker
1. Launch BitLocker Drive Encryption from the Control Panel, or by searching in the Start Search box.
2. If the User Account Control prompt appears, verify that the displayed action is what you requested, and then click Continue.
3. Click Turn on BitLocker.


4. At this point you may choose Use BitLocker without additional keys, Require a PIN at every startup, or Require Startup USB key at every startup, if your Group Policy settings permit these options.
5. You will now be able to save or print the recovery password, if your Group Policy settings permit these options.
6. Click Run BitLocker system check (recommended), and then Continue. The computer will reboot and, if the check succeeds, begin encrypting.
7. Log in and verify that disk encryption is in progress. The encryption process will take several hours depending on the speed of the machine, but the computer may be used as normal. If the computer is shut down or rebooted, it will continue encrypting once it is powered on again.

Storing BitLocker Recovery Information for Previously Encrypted Drives


Adapted from Microsoft TechNet. To perform this procedure, you must be a member of Administrators or have been delegated the appropriate authority. To create and back up a new BitLocker recovery password:
1. Click Start.
2. Type cmd in the Start Search box.
3. Right-click cmd.exe in the Programs section of the search results.
4. Click Run as administrator.
5. If the User Account Control prompt appears, verify that the displayed action is what you requested, and then click Continue.
6. At the elevated command prompt, type cscript manage-bde.wsf -protectors -delete c: -type recoverypassword, where c: is the volume encrypted with BitLocker. This step removes any existing recovery password, so any printed or saved copies of the old password stop working.
7. At the elevated command prompt, type cscript manage-bde.wsf -protectors -add c: -recoverypassword, where c: is the volume encrypted with BitLocker. This step creates a new recovery password and, if the policy is configured, backs it up to Active Directory Domain Services. On Windows 7 the tool is a native executable: use manage-bde.exe with the same arguments.
8. Close the Command Prompt window.
If you also wish to back up the recovery information to a text file, continue with the steps below:
9. Launch BitLocker Drive Encryption from the Control Panel, or by searching in the Start Search box.
10. If the User Account Control prompt appears, verify that the displayed action is what you requested, and then click Continue.
11. Click Manage BitLocker Keys.
12. Click Duplicate the recovery password.
13. Click Save the password in a folder. The default network location will appear if you've specified it with a policy; otherwise navigate to the location of your choice.
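On Windows 7 the delete-and-add sequence above is not the only option: manage-bde.exe can push an existing recovery password protector to AD DS with -protectors -adbackup, which keeps any printed or saved copies valid. The following PowerShell wrapper, added here as an example and not part of the original guide or of Microsoft's documentation, lists the recovery password protector IDs on a volume, backs each one up to AD DS, and only rotates the password when asked to. It assumes manage-bde.exe prints protector IDs as "ID: {GUID}" lines, which is its normal output, and must run elevated.

```powershell
# Added example, not from the original guide. Backs up a volume's recovery password
# protector(s) to AD DS on Windows 7 with manage-bde.exe, optionally rotating the
# password first using the same delete/add sequence as the guide.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt; manage-bde needs administrator rights.'
}

# Parse the "ID: {GUID}" lines that manage-bde prints for each recovery password protector.
function Get-RecoveryPasswordIds {
    param([string]$Volume = 'C:')
    $out = & manage-bde.exe -protectors -get $Volume -type recoverypassword 2>&1 | Out-String
    [regex]::Matches($out, 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') | ForEach-Object { $_.Groups[1].Value }
}

function Backup-RecoveryPasswordToAD {
    param([string]$Volume = 'C:', [switch]$Rotate)
    if ($Rotate) {
        # Same as steps 6 and 7 above: old password is invalidated, a new one is generated
        # (and auto-backed up if the "Save recovery information to AD DS" policy applies).
        & manage-bde.exe -protectors -delete $Volume -type recoverypassword | Out-Null
        & manage-bde.exe -protectors -add $Volume -recoverypassword | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not add a new recovery password on $Volume" }
    }
    $ids = @(Get-RecoveryPasswordIds -Volume $Volume)
    if ($ids.Count -eq 0) {
        throw "No recovery password protector on ${Volume}; rerun with -Rotate to create one."
    }
    foreach ($id in $ids) {
        # Explicit backup of an existing protector; harmless if it is already in AD DS.
        & manage-bde.exe -protectors -adbackup $Volume -id $id | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "AD DS backup failed for protector $id on $Volume" }
        Write-Host "Backed up recovery password protector $id on $Volume to AD DS."
    }
}

# Usage: back up whatever is there now, or rotate first.
Backup-RecoveryPasswordToAD -Volume 'C:'
# Backup-RecoveryPasswordToAD -Volume 'C:' -Rotate
```

Afterwards, confirm the object appeared under the computer account (BitLocker Recovery tab in Active Directory Users and Computers) before relying on it; the backup only succeeds while the machine can reach a writable domain controller.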

Windows 7 BitLocker on Removable Drives / BitLocker To Go


Special Notes About Using BitLocker on Removable Drives

1. An external hard drive or flash drive can be encrypted using a standard user account. Use the policies in Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives to control the overall behavior of this feature.
2. The Active Directory recovery key for the removable device is stored under the computer object that encrypted the drive, if you've configured that option. Deleting a computer object deletes the recovery keys for the computer and for any removable drives that were encrypted using that computer.
3. The removable drive must be used on other Windows 7 computers to be read/write accessible. Read-only access is available on XP SP3 and Vista using BitLockerToGo.exe, which is automatically placed on the removable drive when it is encrypted (the reader only works with FAT-formatted drives).
4. The computer encrypting the drive must be in communication with the AD domain while you perform the encryption steps below.

Encrypting a Removable Drive

1. Right-click the removable drive in Windows Explorer and select Turn on BitLocker.
2. Enter a password that will be used to unlock the drive, retype it to confirm, and click Next. Group Policy will force you to type a password before proceeding.
3. In the How do you want to store your recovery key? dialog, select Save the recovery key to a file. (optional)
4. Accept the default file name and click Save. (optional)
5. Back in the How do you want to store your recovery key? dialog, click Next.
6. Start encrypting the drive by clicking Start Encrypting.

Using an Encrypted Drive on a Windows 7 Client

1. Insert the removable drive. A window will appear stating This drive is protected by BitLocker Drive Encryption... Enter the password that was specified in step 2 above. Alternatively, the drive can be unlocked with the recovery key by clicking I forgot my password. If you wish, you may also select Automatically unlock on this computer from now on to avoid typing the password each time. Click Unlock once the required information is provided, and you will be able to use the drive normally.

Using an Encrypted Drive on a Windows Vista or XP SP3 Client

1. Insert the removable drive and open it in Windows Explorer. Launch the BitLockerToGo.exe program located on the removable drive. You'll notice a number of other files that were placed on the drive when BitLocker encrypted it. Do not modify or delete any of these files; they are needed to access the encrypted data on the drive.
2. Enter the password for the removable drive.
3. You can now drag files or folders from the BitLocker To Go Reader to a location on your computer in order to open them. Alternatively, double-clicking a file also offers to copy it to your desktop. Caution: files copied to another computer are no longer encrypted once they leave the removable drive, unless that computer's drive(s) are also protected by BitLocker or other disk encryption software.

BitLocker Drive Encryption (BDE) Recovering Data


Scenario: an encrypted drive has been removed from a workstation and attached to another system running the Windows Vista Enterprise OS.

Method One: BitLocker Drive Encryption control panel


1. Launch the BitLocker Drive Encryption control panel.
2. Click Unlock Volume (Volume F: in this case) on the encrypted volume you're recovering the data from.
3. Select the method of entering the BDE recovery password: loading it from removable media, or manual input.


a. Load BDE recovery password from removable media.


b. Manually inputting the BDE recovery password.

4. The drive is now temporarily unlocked and available to Windows to recover data. You may now also turn off BitLocker completely and decrypt the drive that was just unlocked through the BDE control panel.


Method Two: BitLocker Repair Tool

1. Download the BitLocker Repair Tool and copy the appropriate ..\x86\executables or ..\x64\executables to a local location, e.g. c:\repairbde.
2. Attach empty external storage (Volume G: in this case). This process will completely overwrite the G: volume.
3. Open an elevated command prompt and use repair-bde.
4. In this case: c:\repairbde\repair-bde F: G: -rp [recovery password] -lf c:\repairlog.txt
5. After the process completes, the decrypted contents of the volume (F:) will have been copied to the external volume (G:). You may also send the output to a Windows .img file instead of a volume.
6. Use repair-bde /? for the full set of options. For additional data recovery methods using the BitLocker Repair Tool, see: http://support.microsoft.com/kb/928201.

