Deploying BitLocker Drive Encryption
Deploying BitLocker Drive Encryption in an enterprise changes the way administrators and users work with computers. A computer with BitLocker Drive Encryption normally requires user intervention to boot
to the operating system—a user must enter a PIN, insert a USB flash
drive containing a startup key, or use a smart card with a valid
certificate. Because of this requirement, after you deploy BitLocker
Drive Encryption, you can no longer be assured that you can perform
remote administration that requires a computer to be restarted without
having physical access to the computer—someone might need to be
available to type the required PIN, insert the USB flash drive with the
startup key, or use a smart card with a valid certificate.
To work around this issue, you can configure network unlock on your
trusted, wired networks. Before you use BitLocker Drive Encryption, you
should perform a thorough evaluation of your organization’s computers.
You need to develop plans and procedures for the following:
- Evaluating the various BitLocker authentication methods and applying them as appropriate
- Determining whether computers support TPM, and thus whether you must use TPM or non-TPM BitLocker configurations
- Storing, using, and periodically changing encryption keys, recovery passwords, and other validation mechanisms used with BitLocker
You need to develop procedures for items such as these:
- Performing daily operations with BitLocker-encrypted drives
- Providing administrative support for BitLocker-encrypted drives
- Recovering computers with BitLocker-encrypted drives
These procedures need to take into account the way BitLocker
encryption works and the requirements to have PINs, startup keys, smart
cards, and recovery keys available whenever you work with
BitLocker-encrypted computers. After you evaluate your organization’s
computers and develop basic plans and procedures, you need to develop a
configuration plan for implementing BitLocker Drive Encryption.
Several implementations of BitLocker Drive Encryption are available: BitLocker
Drive Encryption originally released with Windows Vista, an updated
version released with Windows Server 2008 and Windows 7, and an updated
version released with Windows Server 2012 and Windows 8. Although
computers running Windows 8 and Windows Server 2012 can work with any
of the available versions, earlier versions of Windows can’t
necessarily work with the latest version of BitLocker. For example, you
might need to configure Group Policy to allow access from earlier
versions of Windows.
To turn on BitLocker Drive Encryption on the drive containing the
Windows operating system, the drive must have at least two partitions:
- The first partition is for BitLocker Drive Encryption. This partition, designated as the active partition, holds the files required to start the operating system and is not encrypted.
- The second is the primary partition for the operating system and your data. This partition is encrypted when you turn on BitLocker.
With implementations of BitLocker prior to Windows 7, you need to
create the partitions in a certain way to ensure compatibility. This is
no longer the case in Windows 7 and later. When you install Windows 7
and later, an additional partition is created automatically during
setup. By default, this additional partition is used by the Windows
Recovery Environment (Windows RE). However, if you enable BitLocker on
the system volume, Windows usually moves Windows RE to the system
volume and then uses the additional partition for BitLocker.
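The evaluation steps above (does the computer have a usable TPM, and does the system drive already have the separate, unencrypted boot partition) can be scripted. The following is an added example, not code from the book; it assumes Windows 8 or Windows Server 2012 or later with the BitLocker and TrustedPlatformModule PowerShell modules, run from an elevated session, and assumes the operating system volume is C: unless told otherwise.

```powershell
# Added example: pre-deployment readiness check for BitLocker on the OS drive.
# Reports TPM state, whether a separate system/boot partition exists, the
# current BitLocker state of the OS volume, and a configuration recommendation.
function Test-BitLockerReadiness {
    [CmdletBinding()]
    param(
        # Drive letter of the operating system volume (assumed default: C)
        [char]$OsDriveLetter = 'C'
    )
    $mountPoint = "$($OsDriveLetter):"
    $result = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. TPM present and ready decides TPM versus non-TPM configuration.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $result.TpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # 2. A separate, unencrypted boot partition must exist on the same disk
    #    as the OS partition: IsSystem on GPT disks, IsActive on MBR disks.
    $osPart  = Get-Partition -DriveLetter $OsDriveLetter -ErrorAction Stop
    $sysPart = Get-Partition -DiskNumber $osPart.DiskNumber |
        Where-Object { ($_.IsSystem -or $_.IsActive) -and
                       $_.PartitionNumber -ne $osPart.PartitionNumber } |
        Select-Object -First 1
    $result.SeparateSystemPartition = [bool]$sysPart
    $result.SystemPartitionMB = if ($sysPart) { [int]($sysPart.Size / 1MB) } else { 0 }

    # 3. Current BitLocker state of the OS volume (FullyDecrypted, FullyEncrypted, ...).
    $vol = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction SilentlyContinue
    $result.OsVolumeStatus = if ($vol) { "$($vol.VolumeStatus)" } else { 'Unknown' }

    # 4. Recommendation derived from the checks above.
    $result.Recommendation = if (-not $result.SeparateSystemPartition) {
        'Create a separate system partition before turning on BitLocker.'
    } elseif ($result.TpmReady) {
        'Use a TPM-based protector (TPM, TPM+PIN, or TPM+startup key).'
    } else {
        'No usable TPM: enable "Require Additional Authentication At Startup" ' +
        'with "Allow BitLocker without a compatible TPM" and use a startup key.'
    }

    [pscustomobject]$result
}

Test-BitLockerReadiness | Format-List
```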
You can use local Group Policy and Active Directory–based Group
Policy to help manage and maintain TPM and BitLocker configurations. Group Policy settings for TPM
Services are found in Administrative Templates policies for Computer
Configuration under System\Trusted Platform Module Services. Group
Policy settings for BitLocker are found in Administrative Templates
policies for Computer Configuration under Windows Components\BitLocker
Drive Encryption. There are separate subfolders for fixed data drives,
operating system drives, and removable data drives.
Policies you might want to configure include the following:
- Trusted Platform Module Services policies
  - Configure The Level Of TPM Owner Authorization Information Available To The Operating System
  - Configure The List Of Blocked TPM Commands
  - Ignore The Default List Of Blocked TPM Commands
  - Ignore The Local List Of Blocked TPM Commands
  - Standard User Individual Lockout Threshold
  - Standard User Lockout Duration
  - Standard User Total Lockout Threshold
  - Turn On TPM Backup To Active Directory Domain Services
- BitLocker Drive Encryption policies
  - Choose Default Folder For Recovery Password
  - Choose Drive Encryption Method And Cipher Strength
  - Prevent Memory Overwrite On Restart
  - Provide The Unique Identifiers For Your Organization
  - Validate Smart Card Certificate Usage Rule Compliance
- Fixed Drive policies
  - Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows
  - Choose How BitLocker-Protected Fixed Drives Can Be Recovered
  - Configure Use Of Hardware-Based Encryption For Fixed Data Drives
  - Configure Use Of Passwords For Fixed Data Drives
  - Configure Use Of Smart Cards On Fixed Data Drives
  - Deny Write Access To Fixed Drives Not Protected By BitLocker
  - Enforce Drive Encryption Type On Fixed Data Drives
- Operating System Drive policies
  - Allow Enhanced PINs For Startup
  - Allow Network Unlock At Startup
  - Allow Secure Boot For Integrity Validation
  - Choose How BitLocker-Protected Operating System Drives Can Be Recovered
  - Configure Minimum PIN Length For Startup
  - Configure TPM Platform Validation Profile For BIOS-Based Firmware Configurations
  - Configure TPM Platform Validation Profile For Native UEFI Firmware Configurations
  - Configure TPM Platform Validation Profile (Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2)
  - Configure Use Of Passwords For Operating System Drives
  - Disallow Standard Users From Changing The PIN Or Password
  - Enforce Drive Encryption Type On Operating System Drives
  - Enable Use Of BitLocker Authentication Requiring Preboot Keyboard Input On Slates
  - Require Additional Authentication At Startup
  - Reset Platform Validation Data After BitLocker Recovery
- Removable Data Drive policies
  - Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows
  - Choose How BitLocker-Protected Removable Drives Can Be Recovered
  - Configure Use Of Hardware-Based Encryption For Removable Data Drives
  - Configure Use Of Passwords For Removable Data Drives
  - Configure Use Of Smart Cards On Removable Data Drives
  - Control Use Of BitLocker On Removable Drives
  - Deny Write Access To Removable Drives Not Protected By BitLocker
  - Enforce Drive Encryption Type On Removable Data Drives
Active Directory includes TPM
and BitLocker recovery extensions for Computer objects. For TPM, the
extensions define a single property of the Computer object, called
ms-TPM-OwnerInformation. When the TPM is initialized or when the owner
password is changed, the hash of the TPM ownership password can be
stored as a value of the ms-TPM-OwnerInformation attribute on the
related Computer object. For BitLocker, these extensions define
Recovery objects as child objects of Computer objects and are used to
store recovery passwords and associate them with specific
BitLocker-encrypted volumes.
By default, Windows 8 stores the full TPM owner authorization, the
TPM administrative delegation blob, and the TPM user delegation in the
registry. Because of this change, you no longer have to save this
information separately to Active Directory for backup and recovery
purposes.
To ensure that BitLocker recovery information is always available, you can configure Group Policy to save recovery information in Active Directory as follows:
- With Choose How BitLocker-Protected Fixed Drives Can Be Recovered, enable the policy and accept the default options to allow data recovery agents and save the recovery information in Active Directory.
- With Choose How BitLocker-Protected Operating System Drives Can Be Recovered, enable the policy and accept the default options to allow data recovery agents and save the recovery information in Active Directory.
- With Choose How BitLocker-Protected Removable Drives Can Be Recovered, enable the policy and accept the default options to allow data recovery agents, and then save the recovery information in Active Directory.
Note: For Federal
Information Processing Standard (FIPS) compliance, you cannot create or
save BitLocker recovery passwords. Instead, you need to configure
Windows to create recovery keys. The FIPS setting is located in the
Security Policy Editor at Local Policies\Security Options\System
Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing,
And Signing.
To configure BitLocker to use recovery keys, enable the
security option System Cryptography: Use FIPS Compliant Algorithms For
Encryption, Hashing, And Signing in local Group Policy or Active
Directory–based Group Policy as appropriate. With this setting enabled,
users can only generate recovery keys.
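Group Policy makes the Active Directory backup happen when a recovery password protector is created, but it does not retroactively escrow protectors on volumes encrypted before the policy applied, and under the FIPS setting described in the note no recovery password exists to escrow at all. The following added example (not code from the book) walks every protected volume, adds a recovery password protector where one is missing, backs it up to the computer's msFVE-RecoveryInformation child object, and verifies the object was written; it assumes a domain-joined Windows 8 or Windows Server 2012 or later computer with the BitLocker and ActiveDirectory modules, run from an elevated session with rights to read the recovery objects.

```powershell
# Added example: escrow BitLocker recovery passwords to AD and verify the result.
# In FIPS mode (registry form of the "Use FIPS Compliant Algorithms" option)
# a recovery password cannot be created, so the volume is reported instead.
function Sync-BitLockerRecoveryToAD {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1

    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName

    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        $mp = $vol.MountPoint
        $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($rp.Count -eq 0) {
            if ($fips) {
                # Recovery passwords are unavailable under FIPS on this Windows
                # version; a recovery key (ExternalKey protector) must be used
                # and its key file escrowed to a secured location, not to AD.
                Write-Warning "$mp : FIPS mode, recovery password unavailable; use a recovery key."
                continue
            }
            if ($PSCmdlet.ShouldProcess($mp, 'Add recovery password protector')) {
                Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
                $rp = @((Get-BitLockerVolume -MountPoint $mp).KeyProtector |
                    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
            }
        }

        foreach ($p in $rp) {
            # Writes an msFVE-RecoveryInformation child object under the computer object.
            if ($PSCmdlet.ShouldProcess($mp, "Back up protector $($p.KeyProtectorId) to AD")) {
                Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            # Verify: the child object's CN ends with the protector GUID.
            $stored = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
                -Filter 'objectClass -eq "msFVE-RecoveryInformation"' |
                Where-Object { $_.Name -like "*$($p.KeyProtectorId)" }
            [pscustomobject]@{
                MountPoint   = $mp
                ProtectorId  = $p.KeyProtectorId
                BackedUpToAD = [bool]$stored
            }
        }
    }
}

Sync-BitLockerRecoveryToAD
```

Run with -WhatIf first to see which volumes would gain a protector or be backed up without changing anything.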