6. Setting up and managing BitLocker Drive Encryption
You can configure and enable BitLocker Drive Encryption on both
system volumes and data volumes. When you encrypt system volumes, you
must unlock the computer at startup, typically by using a TPM together
with Network Unlock when the computer is connected to the domain, or by
using a TPM, a startup key, a startup PIN, or any required or optional
combination of these. To enforce the strictest and highest security
possible, use all three authentication methods: TPM, startup PIN, and
startup key.
In the current implementation of BitLocker, you do not have to
encrypt a computer’s system volume prior to encrypting a computer’s data volumes. When you use
encrypted data volumes, the operating system mounts BitLocker data
volumes as it would any other volume, but it requires either a
password or a smart card with a valid certificate to unlock the
drive.
The encryption key for a protected data volume is created and
stored independently from the system volume and all other protected
data volumes. To allow the operating system to mount encrypted
volumes, the key chain protecting the data volume is stored in an
encrypted state on the operating-system volume. If the operating
system enters Recovery mode, the data volumes are not unlocked until
the operating system is out of Recovery mode.
Setting up BitLocker Drive Encryption is a multistep process that
involves the following:
- Partitioning a computer’s hard disks appropriately, and installing the operating system (if you are configuring a new computer). Windows Setup partitions the drives for you automatically. However, the volume where BitLocker data is stored must always be the active, system volume.
- Initializing and configuring a computer’s TPM (if applicable).
- Turning on the BitLocker Drive Encryption feature (as necessary).
- Checking firmware to ensure that the computer is set to start first from the disk containing the active, system partition and the boot partition, not from USB or CD/DVD drives (applicable only when you encrypt system volumes).
- Turning on and configuring BitLocker Drive Encryption.
After you turn on and configure BitLocker encryption, you can
use several techniques to maintain the environment and perform
recovery. When you are using a Microsoft account on a
non-domain-joined computer, you have an additional save option. You
can save the recovery key to the Windows Live SkyDrive. The user’s
SkyDrive account will then contain a BitLocker folder with a separate
file for each saved recovery key.
6.1 Configuring and enabling BitLocker Drive Encryption
As discussed previously, BitLocker Drive Encryption can be
used in a TPM or non-TPM configuration. Both configurations require
some preliminary work before you can turn on and configure BitLocker
Drive Encryption.
With Windows Vista, Windows 7, and Windows 8 editions designed
for business, BitLocker Drive Encryption and BitLocker Network
Unlock should be installed by default.
With Windows Server 2008 and later, you can install BitLocker
Drive Encryption, BitLocker Network Unlock, or both as features
using the Add Roles And Features Wizard. Alternatively, on a server,
you can install BitLocker Drive Encryption by entering the following
command at an elevated PowerShell prompt:
add-windowsfeature -name bitlocker, bitlocker-networkunlock -includemanagementtools
With either approach, you need to restart the computer to
complete the installation process.
After you install BitLocker, you can determine the readiness
status of a computer by accessing the BitLocker Drive Encryption console. In Control Panel,
tap or click System And Security, and then tap or click BitLocker
Drive Encryption. If the system isn’t properly configured yet,
you’ll see an error message either when you open BitLocker Drive
Encryption or when you try to encrypt a drive.
If you see this message on a
computer with an incompatible TPM or no TPM, you need to change the
computer’s Group Policy settings so that you can turn on BitLocker
Drive Encryption without a TPM.
You can configure policy settings for BitLocker encryption in
Local Group Policy or in Active Directory Group Policy. For local
policy, you apply the desired settings to the computer’s Local Group
Policy Object. For domain policy, you apply the desired settings to
a Group Policy Object processed by the computer. While you are
working with domain policy, you can also specify requirements for
computers with a TPM.
To configure the way BitLocker can be used with or without a
TPM, follow these steps:
- Open the appropriate Group Policy Object for editing in the Group Policy Management Editor.
- Double-tap or double-click the setting Require Additional Authentication At Startup, found in the Administrative Templates for Computer Configuration under Windows Components\BitLocker Drive Encryption\Operating System Drives.
- In the Require Additional Authentication At Startup dialog box, shown in Figure 16, define the policy setting by selecting Enabled. Note that there are several versions of this policy and they are operating-system specific. Configure the version or versions of this policy that are appropriate for your working environment and the computers to which the policy will be applied. The options for each related policy are slightly different because the TPM features supported differ slightly between operating systems.
- Do one of the following:
  - If you want to allow BitLocker to be used without a compatible TPM, select the Allow BitLocker Without A Compatible TPM check box. This changes the policy setting so that you can use BitLocker encryption with a startup key on a computer without a TPM.
  - If you want to require BitLocker to be used with a TPM, clear the Allow BitLocker Without A Compatible TPM check box. This changes the policy setting so that you can use BitLocker encryption on a computer with a TPM by using a startup PIN, a startup key, or both.
  - For computers with compatible TPMs, several authentication methods can be used at startup to provide added protection for encrypted data. Each of these authentication methods can be set to not allowed, allowed, or required. The methods available depend on the specific operating-system version of the policy you are working with.
- Tap or click OK to save your settings. This policy is enforced the next time Group Policy is applied.
- Close the Group Policy Object Editor. To force Group Policy to apply immediately to this computer, tap or click Start, type gpupdate.exe /force in the Search box, and then press Enter.
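The following script is an added example, not from the book, that reads the Require Additional Authentication At Startup settings as Group Policy writes them to the registry (HKLM\SOFTWARE\Policies\Microsoft\FVE), compares them with the TPM state, and reports whether BitLocker can be turned on as configured. It assumes Windows 8 or Windows Server 2012 or later (for Get-Tpm) and an elevated PowerShell prompt.

```powershell
# Added example, not from the book: audit BitLocker startup-authentication policy
# against the TPM state. Assumes Windows 8 / Server 2012 or later and an elevated prompt.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # where Group Policy stores BitLocker settings

function Get-FvePolicyValue([string]$Name) {
    # Returns $null when the policy (or this particular option) is Not Configured
    $item = Get-ItemProperty -Path $FvePolicy -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function ConvertTo-StartupSetting($Value) {
    # Per-method values map to the three states offered in the policy dialog
    if ($null -eq $Value) { return 'Not configured' }
    switch ([int]$Value) {
        0       { 'Do not allow' }
        1       { 'Require' }
        2       { 'Allow' }
        default { "Unknown ($Value)" }
    }
}

$tpm = Get-Tpm   # TpmPresent: a chip exists; TpmReady: it is initialized and usable by BitLocker

$report = [ordered]@{
    PolicyEnabled       = ((Get-FvePolicyValue 'UseAdvancedStartup') -eq 1)
    AllowWithoutTpm     = ((Get-FvePolicyValue 'EnableBDEWithNoTPM') -eq 1)   # the check box in step 4
    TpmOnly             = ConvertTo-StartupSetting (Get-FvePolicyValue 'UseTPM')
    TpmAndPin           = ConvertTo-StartupSetting (Get-FvePolicyValue 'UseTPMPIN')
    TpmAndStartupKey    = ConvertTo-StartupSetting (Get-FvePolicyValue 'UseTPMKey')
    TpmPinAndStartupKey = ConvertTo-StartupSetting (Get-FvePolicyValue 'UseTPMKeyPIN')
    TpmPresent          = $tpm.TpmPresent
    TpmReady            = $tpm.TpmReady
}

# Predict what the BitLocker Drive Encryption console will do for an operating system drive
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    $report['Verdict'] = 'TPM usable; BitLocker can be enabled with the TPM-based protectors allowed above'
} elseif ($tpm.TpmPresent) {
    $report['Verdict'] = 'TPM present but not ready; initialize it (Initialize-Tpm) before enabling BitLocker'
} elseif ($report['AllowWithoutTpm']) {
    $report['Verdict'] = 'No TPM, but policy permits BitLocker with a startup key'
} else {
    $report['Verdict'] = 'No TPM and policy does not allow BitLocker without one; enable Allow BitLocker Without A Compatible TPM'
}

[pscustomobject]$report | Format-List
```

Run it after gpupdate.exe /force to confirm the policy actually reached the computer, since a registry value that is still missing means the setting is Not Configured, not "allowed".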
Computers that have a startup key or a startup PIN also have a
recovery password or certificate. The recovery
password or certificate is required in the following
circumstances:
- Changes are made to the system startup information.
- The encrypted drive must be moved to another computer.
- The user is unable to provide the appropriate startup key or PIN.
The recovery password or certificate should be managed and
stored separately from the startup key or startup PIN. Although
users are given the startup key or startup PIN, administrators
should be the only ones with the recovery password or certificate.
As the administrator, you will need the recovery password or
certificate to unlock the encrypted data on the volume if BitLocker enters a locked state. Generally, unless you
use a common data-recovery agent, the recovery password or
certificate is unique to this particular BitLocker encryption. You
cannot use it to recover encrypted data from any other
BitLocker-encrypted volume—even from other BitLocker-encrypted
volumes on the same computer. To increase security,
you should store startup keys and recovery data apart from the
computer.
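One way to keep recovery data with administrators and apart from the computer on domain-joined machines is to escrow each recovery-password protector to Active Directory. The script below is an added example, not from the book; it assumes a domain-joined Windows 8 or Windows Server 2012 or later computer with the BitLocker PowerShell module, an elevated prompt, and that AD DS has been prepared and policy configured to accept BitLocker recovery information.

```powershell
# Added example, not from the book: back up every recovery-password protector to AD DS.
# Assumes a domain-joined Windows 8 / Server 2012 or later computer, an elevated prompt,
# and AD DS prepared (and policy set) to store BitLocker recovery information.

$results = foreach ($vol in Get-BitLockerVolume) {
    # Volumes that are not encrypted carry no protectors worth backing up
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        # Without a recovery password, a locked volume has no administrator-held way back in
        [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $null; Result = 'NoRecoveryPassword' }
        continue
    }

    foreach ($kp in $recovery) {
        try {
            # Only the protector ID is handled here; the 48-digit recovery password is never displayed or logged
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'BackedUpToAD'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $kp.KeyProtectorId; Result = $status }
    }
}

$results | Format-Table -AutoSize
```

A volume reported as NoRecoveryPassword can be given one with Add-BitLockerKeyProtector -MountPoint <drive> -RecoveryPasswordProtector, after which the script backs it up on the next run.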
When you install BitLocker Drive Encryption and configure
policy (if necessary), the BitLocker Drive Encryption console
becomes available in Control Panel. When you are configuring BitLocker encryption, the configuration
options you have depend on whether the computer has a TPM, as well as how you configured Group
Policy.