2. Integrating BitLocker with Active Directory
Another requirement you may have with BitLocker is Active Directory integration. When you integrate BitLocker with Active Directory, you are able to use the directory service to store BitLocker-related information including:
Storing this information in Active Directory makes it much simpler to recover BitLocker volumes should anything happen to them. However, in order to be able to store this information in AD, you must extend the AD DS schema (the AD DS database structure), because the default installation of the directory does not contain the appropriate objects to store this information.
NOTE
In Windows Server 2008, Active Directory has been renamed to Active Directory Domain Services (ADDS).
Extending the AD schema is not done lightly and is definitely not done by PC technicians. If your organization decides to implement BitLocker, then you will need to work with your directory administrators to ensure that the AD is prepared properly and can accept BitLocker data.
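Before you ask your directory administrators for schema work, it helps to know what the forest already contains. The following PowerShell script is an added example, not from the book: it reads the schema partition and reports whether the BitLocker recovery object class and its attributes are present. It assumes the standard BitLocker schema names (msFVE-RecoveryInformation and the msFVE-* attributes) and read access to the schema; it modifies nothing.

```powershell
# Added example (not from the book): report whether the AD DS schema already holds
# the BitLocker recovery class and attributes. Read-only; assumes the standard
# BitLocker schema names and permission to read the schema partition.
function Test-BitLockerSchema {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaDn = [string]$rootDse.schemaNamingContext
    $schema   = [ADSI]"LDAP://$schemaDn"

    # The class stores one recovery password (and key package) per volume as a
    # child of the computer object once BitLocker backs up to AD DS.
    $required = @(
        @{ Type = 'classSchema';     Name = 'msFVE-RecoveryInformation' },
        @{ Type = 'attributeSchema'; Name = 'msFVE-RecoveryPassword' },
        @{ Type = 'attributeSchema'; Name = 'msFVE-RecoveryGuid' },
        @{ Type = 'attributeSchema'; Name = 'msFVE-VolumeGuid' },
        @{ Type = 'attributeSchema'; Name = 'msFVE-KeyPackage' }
    )

    foreach ($item in $required) {
        # Schema objects are direct children of the schema container.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
        $searcher.Filter = "(&(objectClass=$($item.Type))(lDAPDisplayName=$($item.Name)))"
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
        $present = ($searcher.FindOne() -ne $null)
        New-Object PSObject -Property @{ Object = $item.Name; Type = $item.Type; Present = $present }
    }
}

$report = Test-BitLockerSchema
$report | Format-Table Object, Type, Present -AutoSize
if ($report | Where-Object { -not $_.Present }) {
    Write-Warning "Schema is not prepared for BitLocker backup; do not require AD DS backup in Group Policy yet."
} else {
    Write-Host "Schema contains the BitLocker recovery objects."
}
```

Run it from a domain-joined machine as a domain user; a missing object means the "Require BitLocker backup to AD DS" policy described later would stop BitLocker from being turned on.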
3. Relying on Group Policy to manage BitLocker
However, you do not need to modify your directory service to manage BitLocker and TPM settings through Group Policy, though a modification gives you more control over these features. Several settings support the remote configuration of both components. You would typically apply these settings in order to ensure consistent BitLocker behavior in your organization. Use the following instructions to do so. You need Group Policy creation and modification access rights to do so.
Begin by determining if you can apply these settings in an existing Group Policy or if you need to create a new policy. You must create a new policy if no policy affecting target computers exists. Because BitLocker is a function of the computer, not the user, this policy will be directed towards computer accounts. Ideally, you will already have regrouped the computer accounts that will be using BitLocker into a separate OU within the directory.
Launch the GPMC. Right-click on the target OU containing the PCs that will use BitLocker and then select Create a GPO in this domain, and link it here.
Name the policy appropriately and click OK. For example, you can name it BitLocker Policy.
Now, right-click on the new policy link and select Edit.
Navigate to Computer Configuration => Policies => Administrative Templates => Windows Components => BitLocker Drive Encryption.
Change the following settings if you have made the schema update in Active Directory:
Enable Turn on BitLocker Backup to Active Directory Domain Services, check the Require BitLocker backup to ADDS option, and select to store Recovery passwords and key packages. When you turn on this setting, BitLocker will require a connection to AD in order to be turned on. If no connection exists, then BitLocker will not be turned on.
Change the following settings to enable BitLocker options:
Enable Control Panel Setup: Configure recovery folder and assign the path through a variable, for example, %SecureDriveEnvironmentVariable%\BitLockerBackup. Although this does not force users to accept this location, it does display this location first as they go through the BitLocker wizard.
Do not enable Control Panel Setup: Configure recovery options if you have enabled backup of the recovery components in AD in Step 7. If not, then enable this setting and require both options. Note that a USB key will be required to store the 256-bit recovery key.
Enable Control Panel Setup: Enable advanced startup options and check Allow BitLocker without a compatible TPM only if your computers do not have a TPM 1.2 chip. If your computers include a TPM, then Disallow startup key with TPM and Require startup PIN with TPM. Using a startup key means that a removable media device must always be present in the system for it to start. This is used only in the most secure environments. However, having users enter a 4- to 20-digit PIN adds additional protection without complicating the boot process.
Consider whether you need to enable Configure encryption method. By default, BitLocker uses the Advanced Encryption Standard (AES) 128-bit with Diffuser encryption, but you can increase it to 256-bit. Only the most secure environments would enable this policy setting.
Do not set Prevent memory overwrite on restart. Windows overwrites memory at each reboot by default. This helps prevent the exposure of BitLocker secrets, but it does take longer to boot BitLocker volumes.
If your computers include TPM chips, then be very careful about using the last setting in this area. Configure TPM platform validation profile affects how the TPM chip determines whether or not it will release the BitLocker-encrypted volumes. The default configuration is sufficient in most environments. Changing this value will modify which values the TPM evaluates before releasing volumes and may affect your ability to recover information from BitLocker-enabled disks.
Navigate to Computer Configuration => Policies => Administrative Templates => System => Trusted Platform Module Services and change the following settings to control TPM options:
If you have modified the AD schema, then enable Turn on TPM backup to Active Directory Domain Services and check Require TPM backup to ADDS. When you turn on this setting, BitLocker will require a connection to AD in order to be turned on. If no connection exists, then BitLocker will not be turned on.
The next setting, Configure the list of blocked TPM commands, must be treated very carefully. By default, Windows blocks a series of TPM commands. These commands are exposed through the TPM console (tpm.msc). Use this setting only if you are very comfortable with TPM commands.
Do not enable Ignore the default list of blocked TPM commands unless you are very familiar with TPMs and you want a very specific configuration for your environment.
Do not enable Ignore the local list of blocked TPM commands unless you are very familiar with TPMs and you want a very specific configuration for your environment.
Navigate to Computer Configuration => Policies => Administrative Templates => System => Power Management => Sleep Settings and disable the following settings. Disabling these settings ensures that the only sleep state available to the PC is Hibernation, which requires authentication to restore the computer to an operational state:
Close GPEdit. Your BitLocker policy is now ready.
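Once the policy has applied, you will want to confirm on a target PC that the settings above actually landed. The following PowerShell script is an added example, not from the book: it reads the policy registry keys that Group Policy writes for BitLocker and the TPM and compares them with the configuration described above for a TPM 1.2 machine in a schema-extended forest (AD DS backup required, startup PIN required, startup key disallowed, BitLocker without a TPM not allowed, memory overwrite not prevented). The registry value names and their numeric meanings are taken from the BitLocker and TPM administrative templates as I know them; treat that mapping as an assumption and verify it against your own template files.

```powershell
# Added example (not from the book): audit the applied BitLocker/TPM policy values.
# Value names and meanings are assumptions drawn from the administrative templates;
# confirm them against your ADMX/ADM files. Read-only; run on a domain-joined PC.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# Expected values for the configuration the text describes.
# Value = $null means "must be unset or 0" (policy not enabled).
$expected = @(
    @{ Path = $fve; Name = 'ActiveDirectoryBackup';        Value = 1;     Setting = 'Turn on BitLocker backup to AD DS' },
    @{ Path = $fve; Name = 'RequireActiveDirectoryBackup'; Value = 1;     Setting = 'Require BitLocker backup to AD DS' },
    @{ Path = $fve; Name = 'EnableBDEWithNoTPM';           Value = 0;     Setting = 'Allow BitLocker without a compatible TPM (off)' },
    @{ Path = $fve; Name = 'UseTPMKey';                    Value = 0;     Setting = 'Startup key with TPM (disallowed)' },
    @{ Path = $fve; Name = 'UseTPMPIN';                    Value = 1;     Setting = 'Startup PIN with TPM (required)' },
    @{ Path = $fve; Name = 'MorBehavior';                  Value = $null; Setting = 'Prevent memory overwrite on restart (not set)' },
    @{ Path = $tpm; Name = 'ActiveDirectoryBackup';        Value = 1;     Setting = 'Turn on TPM backup to AD DS' },
    @{ Path = $tpm; Name = 'RequireActiveDirectoryBackup'; Value = 1;     Setting = 'Require TPM backup to AD DS' }
)

function Test-BitLockerPolicy {
    foreach ($e in $expected) {
        $actual = $null
        # A missing value simply means the policy has not written it.
        $key = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($key) { $actual = $key.($e.Name) }
        $ok = if ($e.Value -eq $null) { -not $actual } else { $actual -eq $e.Value }
        New-Object PSObject -Property @{
            Setting  = $e.Setting
            Value    = "$($e.Path)\$($e.Name)"
            Expected = $e.Value
            Actual   = $actual
            OK       = $ok
        }
    }
}

$results = Test-BitLockerPolicy
$results | Format-Table Setting, Expected, Actual, OK -AutoSize
if ($results | Where-Object { -not $_.OK }) {
    Write-Warning "One or more BitLocker/TPM policy values differ from the intended configuration."
}
```

Run gpupdate /force first if the policy was just linked; a row whose Actual column is empty means the policy value has not been written at all.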
When BitLocker is set up, it might be a good idea for you to hide the BitLocker partition from Windows Explorer to ensure that users don't inadvertently copy data to this partition. Do this during setup as your installers turn on BitLocker.
4. Supporting BitLocker
Of course, if you use BitLocker, you'll run into situations where you need to support users that have issues with it. Therefore, you should create a BitLocker support policy. This policy should include:
Documentation on all of your BitLocker configurations. Use standard configurations only. Keep them simple. Ideally, you will have only one or two configurations at most.
Identification of who will be your BitLocker Recovery Agents (BRA). If you are already using EFS, these could be the same as the DRAs. You need at least two agents.
Determination of how you will recover systems:
Remote recovery lets you support users remotely when they have issues, for example, while they travel.
Local recovery lets you address the issue yourself directly on the problematic PC.
Procedural documentation related to the acceptable recovery processes.
Of these, the remote recovery process is the most complex, and even then it doesn't need to be. Recovering a BitLocker volume can be done in one of three ways:
Through the BitLocker Recovery Console, which is launched before Vista boots. This console supports unlocking a system volume.
The BitLocker Control Panel's Recovery Wizard will unlock nonsystem volumes or volumes on other computers.
The Windows Recovery Environment, which can be launched either from the Windows Installation DVD or through a preinstalled partition, includes a wizard that lets you recover a BitLocker volume.
When users find themselves in a situation where recovery is necessary, they or you will need to use the 48-character recovery password to unlock the BitLocker volume. Ideally, you will have stored these passwords in Active Directory so that they can be easily obtained. When the user is in a remote location, you give them the current 48-character password to unlock the drive after, of course, having validated that the user is who they say they are. They will need to use this password to unlock their system until they can come into one of your locations to have the system repaired.
When the computer is accessible, then you don't need to give out the password: just unlock the volume yourself. When you hand out the password to an end user in a remote location, you have to replace the used password with a new one.
There are two ways to obtain the recovery password. First, you can rely on the Get-BitLockerRecoveryInfo.vbs script, which is part of the tools you downloaded to support your BitLocker deployment. But the easiest way to obtain the password is to use the interface which can be added to Active Directory Users and Computers: Find BitLocker Recovery Password. This provides you with a graphical interface for password location.
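For a help desk that scripts its recovery process rather than using the ADUC interface, the following PowerShell script is an added example, not from the book and not the Get-BitLockerRecoveryInfo.vbs script: it locates a computer object, enumerates the msFVE-RecoveryInformation objects stored beneath it, and returns the 48-character recovery password whose Password ID starts with the 8 characters the user reads from the recovery screen. It assumes the standard BitLocker schema names, read access to the recovery objects, and that the GUID bytes stored in msFVE-RecoveryGuid map directly onto a .NET Guid; the function name and the sample computer name and ID are made up.

```powershell
# Added example (not from the book): look up a BitLocker recovery password in AD DS
# by computer name and the Password ID prefix shown on the recovery screen.
# Assumes the standard msFVE-* schema names and read access to the objects.
function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$PasswordIdPrefix   # first 8 characters of the Password ID; optional
    )
    # Locate the computer object in the current domain (sAMAccountName ends in $).
    $computerSearch = New-Object System.DirectoryServices.DirectorySearcher
    $computerSearch.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $computerSearch.FindOne()
    if ($computer -eq $null) { throw "Computer '$ComputerName' not found in AD DS." }

    # Recovery information objects are created as children of the computer object,
    # one per recovery password; several can exist if passwords were rotated.
    $recSearch = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
    $recSearch.Filter = "(objectClass=msFVE-RecoveryInformation)"
    $recSearch.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    [void]$recSearch.PropertiesToLoad.Add("msFVE-RecoveryGuid")
    [void]$recSearch.PropertiesToLoad.Add("msFVE-RecoveryPassword")
    [void]$recSearch.PropertiesToLoad.Add("whenCreated")

    foreach ($r in $recSearch.FindAll()) {
        # msFVE-RecoveryGuid is an octet string holding the 16 GUID bytes.
        $bytes = [byte[]]$r.Properties["msfve-recoveryguid"][0]
        $id = (New-Object -TypeName Guid -ArgumentList (,$bytes)).ToString().ToUpper()
        if ($PasswordIdPrefix -and -not $id.StartsWith($PasswordIdPrefix.ToUpper())) { continue }
        New-Object PSObject -Property @{
            Computer         = $ComputerName
            PasswordId       = $id
            RecoveryPassword = [string]$r.Properties["msfve-recoverypassword"][0]
            Created          = $r.Properties["whencreated"][0]
        }
    }
}

# Constructed example call: the help desk reads the first 8 characters of the
# Password ID from the user only after validating the user's identity, as the
# text requires; the used password must then be replaced with a new one.
Find-BitLockerRecoveryPassword -ComputerName "LAPTOP01" -PasswordIdPrefix "1A2B3C4D" | Format-List
```

Omit -PasswordIdPrefix to list every recovery password stored for the computer, which is also a quick way to confirm that the AD DS backup policy is actually producing objects.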