Enable BitLocker, Automatically save Keys to Active Directory

Author by Shannon Fritz

Companies have always been concerned about the security of data on their mobile users' computers. What happens if the computer is lost or stolen? How can you be sure that the "stuff" on that computer does not fall into the wrong hands? The answer is encryption, and there have been various options like GuardianEdge, Check Point Pointsec and TrueCrypt, but now with Windows 7 Enterprise and Ultimate, Microsoft has introduced a new alternative called BitLocker and BitLocker to Go that is built right into the Operating System. Let me tell you about it and how to use it.
  1. About BitLocker
  2. Enable and Activate TPM chip
  3. Boot Order
  4. Enable BitLocker
  5. Automatically Store Keys in AD
  6. Access the BitLocker Recovery Keys
  7. BitLocker to Go (encrypt removable media)

About BitLocker

Before getting started, let me briefly cover just what BitLocker is. Microsoft describes it as a way to protect your data from being lost or stolen by "putting a virtual lock on your files". While this is basically true, it is more than just locking the files; it's really locking the file system that the files exist on, not just the files themselves. That's because BitLocker is a "full disk encryption" (FDE) suite that secures an entire partition and not just the contents of directories like EFS (Encrypting File System) does. It can also be called "Full Volume Encryption" (FVE) as it is actually encrypting a partition on the disk. To boil it down further, encryption is just a way of scrambling data by using a secret code or "key" so that the data is unintelligible without that key. Maybe think of it as something like Pig Latin for data, except that no one can decipher it unless they have your secret decoder key. That key is usually stored in your computer in a place called a TPM chip (a "Trusted Platform Module") that is built into most modern laptops, and if the hard drive is ever removed from the computer, or if the computer boots from something other than that hard drive (like a CD/DVD or USB drive), then the data on the disk cannot be read or copied; it is protected by BitLocker! Here's a brief video to tell you more.

BitLocker can also be used to encrypt removable media like a USB drive using "BitLocker to Go". The drive can then be used on any Windows 7 computer by simply plugging it in and entering the password you created when you encrypted it. Earlier versions of Windows like Vista and XP can also read the disk (if it's FAT, not NTFS). When they attach the encrypted media, if they don't already have it, they will be prompted to install the BitLocker to Go Reader which is included on the drive, and then they can copy files from the encrypted disk but are not able to write to it. PCMAG has a nice and brief article on it too.
Here's another video about BitLocker and this one is all about BitLocker to Go.

Enable and Activate TPM

As I mentioned earlier, in order to decrypt a "BitLocked" drive you must have the decryption key. This key can be entered manually, which would be very cumbersome, or it can be presented from a USB flash drive that you connect to the computer, but better yet, the key can be stored in a TPM chip that is built in to the computer. Microsoft has a nice overview of how keys are secured within TPM if you'd like some more details. Before you can use the TPM chip, you must Enable it AND Activate it. Most of the laptops I have done this on have required two reboots into the BIOS, but you only need to do this the first time you want to enable BitLocker and then leave it alone.

For example, here's how you do it on a Dell Latitude laptop. Boot the laptop and press F2 (sometimes Delete) to enter the BIOS, then navigate to Security and select TPM Security. The first time you open this you'll only have the option to Enable TPM security by checking the box. If you've been here before you may see additional options, but the main thing is to ensure that the box IS checked. You'll be told that you need to restart for the changes to take effect, so click OK, save your changes and restart. You'll want to enter the BIOS again, so hit F2 (or Delete) to get into the BIOS System Setup and navigate back to TPM Security. This time you can Activate the chip. Again, save your settings and reboot.

If you don't have a TPM chip, you can still use BitLocker, but for this guide I will assume you will be using TPM. HowToGeek has a nice guide on using a USB Startup Key for BitLocker instead of using TPM.

Set the Boot Order

It may not be obvious, but the way the TPM secures the encryption keys is by ensuring that the way your system boots up or starts is always the same as it was at the time you enabled BitLocker. This means if you are encrypting your system drive (C:) it is important that you set the boot order so that the Hard Drive is always first. If the computer tries to boot from CD/DVD or USB first, then the TPM chip will not release the keys to decrypt the drive and you'll end up being unable to boot your system without manually entering the key. It's by design. If later you want to boot from other media you can still hit F12 or change the BIOS setting; just know that the disk will not automatically unlock and you will need the decryption key in order to access it.

I have seen it work fine when a "Diskette Drive" is listed first in the boot order, but laptops don't have those anymore so the HDD ends up being first by natural selection. I find it best practice to force the HDD to be first by definition. Why? For example, if a user has a bootable disc in their computer like a Windows DVD, when their computer boots and reads from the DVD the user is prompted to "press any key to boot" from that disc. If they do not press any key the machine moves to the next boot option, presumably the hard drive, but I have seen some computers try booting next from the encrypted partition and not from the boot partition. This prompts the user to enter the decryption key and results in a call to tech support. If they remove the DVD and boot normally it works fine. So, new rule: Set the BIOS boot order to load the HDD first. If you need to boot something else, press F12 while booting to manually select it at that time.

Enable BitLocker

There isn't really anything to "enable" in order to start using BitLocker itself on Windows 7; just right click any hard drive that you want to encrypt and select "Turn on BitLocker..." Note: If you want to use BitLocker on a Windows Server 2008 R2 computer, you do need to install the "BitLocker Drive Encryption" Feature as it is not there by default.

This will start up the wizard, which will first check for a TPM chip. If all goes well you should see this screen. If not, then you may need to step back and Activate your TPM chip in the BIOS. You should now be able to click Next through the following couple of pages while the wizard does some setup for you.

When asked to save your key, I find it easiest to just save it to a file someplace (it just generates a text file); the catch is you cannot save it to the drive that you are encrypting! You can put it on a different local drive if you have one, a network share, or even a USB flash drive if you like. So click on Save the recovery key to a file and put it someplace. It'll tell you that the key has been saved and then you can continue.

At this point you are ready to encrypt your drive. It's a good idea, however, to run the BitLocker system check. It will make sure that the TPM chip can present the decryption keys so you won't have any issues after the drive is encrypted. Running the check has helped me catch a few computers with a strange boot order or other problems before I got too deep. Once your computer reboots, if the check passes you'll see a balloon pop up from the system tray indicating that the disk is being encrypted. Now you can just sit back, let BitLocker do its thing, and you are done! If it fails, you might see something like this instead indicating that BitLocker cannot be enabled, in which case you'll have some troubleshooting to do. While it is encrypting the drive you CAN shut down or reboot your computer and it will resume the encryption without giving you any hassle.

Also, you may notice that the disk appears to be nearly full until the encryption is complete. That's nothing to worry about, as once it is complete it will display the true free space of the drive. The process does take a while and you may notice some slower than normal performance until it's done, but once the disk is encrypted you should not notice any performance degradation. In fact, a BitLocker disk should have less than a 5% difference when compared to performance statistics when it is not encrypted, which is very comparable to other encryption solutions. At this point you can call it a day for this computer. You've got BitLocker working and the drive is encrypted. If you are planning a more wide-scale deployment of BitLocker, then read on...

Store Keys in AD

If you are looking at implementing or supporting BitLocker in a corporate environment, one of the most important things is to have possession of the BitLocker Recovery Keys. If that computer ever dies, or if you need to pull that hard drive from its current hardware, then you will need that key in order to decrypt and read it. Also, unless you configure a Group Policy to prevent it, users can enable BitLocker on their own, purposely or not, and they likely would never think to give you the key. Rest assured that you can create a domain policy that will require the computer to store its key in Active Directory as a property of the computer account, and it's all done automatically! Microsoft has a very comprehensive guide on how to do this on TechNet.

Prepare Active Directory

If you already have a Domain Controller running Windows 2008 or newer then you already have the ability to store this information in Active Directory. If you do not, then you can either add a 2008 DC, which will update the schema for you, or just extend the AD schema to include BitLocker information. If you are not sure, you can check if the required schema objects already exist or not.

If you want to store information about the TPM chip as well as BitLocker, StarrAndersen has provided a script that adds an access control entry (ACE) so that backing up TPM recovery information is possible. Just log in to one of your Domain Controllers with a domain Administrator account and run the script (cscript Add-TPMSelfWriteACE.vbs).

One last thing to do is to delegate write permissions on the msTPM-OwnerInformation attribute to the "SELF" account. Tom Acker has a great article on how to do this on the TechNet blog. Essentially what you need to do is open the AD Users and Computers MMC, right click the OU where your computers are (or the domain root) and Delegate rights to the SELF account using a "custom task" scoped to only the Computer objects. You grant General, Property-specific and Creation/deletion of specific child objects, selecting the "Write msTPM-OwnerInformation" attribute.
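To answer the "if you are not sure" question above without opening the Schema snap-in, here is an added PowerShell check (my example, not from the original post or from Microsoft) that looks for the BitLocker and TPM schema definitions by their CN. It assumes the RSAT ActiveDirectory module is installed on the machine you run it from (a 2008 R2 DC or a Windows 7 box with RSAT).

```powershell
# Added example: verify the AD schema already contains the BitLocker (ms-FVE-*)
# and TPM (ms-TPM-*) definitions before you link the recovery-backup GPO.
# Assumes the RSAT ActiveDirectory module (Get-ADRootDSE / Get-ADObject).
Import-Module ActiveDirectory

$schemaDn = (Get-ADRootDSE).schemaNamingContext

# Schema class and attribute CNs that AD backup of recovery information relies on.
$required = @(
    'ms-FVE-RecoveryInformation',   # class: one child object per recovery password
    'ms-FVE-RecoveryGuid',          # attribute: the Password ID shown at the recovery prompt
    'ms-FVE-RecoveryPassword',      # attribute: the 48-digit recovery password itself
    'ms-FVE-VolumeGuid',            # attribute: identifies the encrypted volume
    'ms-FVE-KeyPackage',            # attribute: key package used by the repair tool
    'ms-TPM-OwnerInformation'       # attribute on the computer object: TPM owner password hash
)

$missing = foreach ($name in $required) {
    $obj = Get-ADObject -SearchBase $schemaDn -LDAPFilter "(cn=$name)" -ErrorAction SilentlyContinue
    if (-not $obj) { $name }
}

if ($missing) {
    Write-Warning "Schema is missing BitLocker/TPM definitions; extend it (or add a 2008+ DC) first:"
    $missing | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "All BitLocker/TPM schema objects are present; you can proceed to the ACE and GPO steps."
}
```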

Create Group Policy

Now that Active Directory is ready to store the BitLocker and TPM information, we need a policy that will cause the computers to actually write that information. Below are the steps to configure Windows 7 and 2008 R2, but if you need Vista or 2008 you'll find the instructions on TechNet here.

Create a new Group Policy and navigate to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. There you will see three more folders that contain the settings for how Windows 7 and 2008 R2 manage the BitLocker information for three different kinds of drives: Fixed, Operating System and Removable. The core settings for all three are pretty similar: just double click the Choose how BitLocker-protected drives can be recovered setting and Enable it. Specify that you want to store Recovery passwords and key packages and check the option for Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives. This prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. You can repeat this for the other types of drives as well. Read the included Help text to determine what is appropriate for your environment.

In the same Policy, now navigate to Computer Configuration\Administrative Templates\System\Trusted Platform Module Services. Double-click Turn on TPM backup to Active Directory Domain Services, enable it and make sure Require TPM backup to AD DS is checked. This prevents the TPM owner password from being set or changed unless the computer is connected to the domain and AD DS backup succeeds.

When you're done, just close the Policy editor and link the GPO someplace in AD that you feel is appropriate. Now you can test it out by making sure the policy is being applied to a new test workstation (gpresult /h res.htm && res.htm) and then enabling BitLocker on it as described at the beginning of this article.
You should no longer be prompted for a place to save the Recovery key as it'll automatically be stored in Active Directory.

Note: Computers that already have BitLocker enabled prior to getting these policies will not store their recovery keys or TPM information into AD because that only happens at the time of TPM Activation and when you actually enable BitLocker. You can manually force a computer to store its information by using manage-bde -protectors -get c: to find the "numerical password" for the drive, then manage-bde -protectors -adbackup c: -id {NumericalPasswordGoesHere}. New activations will automatically store into AD, so you could disable BitLocker and then re-enable it to cause automatic storage.
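For a batch of machines that were encrypted before the GPO existed, the two manage-bde commands in the note above can be chained. This is an added PowerShell wrapper (my example, not from the original post); it only uses manage-bde, which ships with Windows 7 and 2008 R2, and must run from an elevated prompt on the client. The `$Drives` parameter and the output parsing are my assumptions about the tool's text layout (a "Numerical Password:" heading followed by an "ID: {GUID}" line).

```powershell
# Added example: push every existing numerical-password protector on the given
# drives into AD, for computers encrypted before the backup GPO was linked.
# Run elevated on the client. Parsing assumes manage-bde's Windows 7 output layout.
param([string[]]$Drives = @('C:'))

foreach ($drive in $Drives) {
    $lines = & manage-bde -protectors -get $drive 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not read protectors for $drive (is BitLocker on?): $lines"
        continue
    }

    # A 'Numerical Password:' heading is followed by an 'ID: {GUID}' line; other
    # protector types (TPM, external key) have IDs too, so only take the ones
    # under the numerical-password heading.
    $ids = @()
    $inNumerical = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*Numerical Password:') { $inNumerical = $true; continue }
        if ($inNumerical -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $ids += $Matches[1]
            $inNumerical = $false
        }
    }

    if (-not $ids) {
        Write-Warning "$drive has no numerical password protector; add one first with: manage-bde -protectors -add $drive -RecoveryPassword"
        continue
    }

    foreach ($id in $ids) {
        # -adbackup writes the recovery password (and key package, if the GPO asks
        # for it) under the computer account; it needs line of sight to a DC.
        & manage-bde -protectors -adbackup $drive -id $id | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Write-Host "$drive protector $id backed up to AD."
        } else {
            Write-Warning "AD backup failed for $drive protector $id (check GPO application and DC connectivity)."
        }
    }
}
```

After it runs, the recovery password should appear on the computer account's BitLocker Recovery tab described in the next section.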

Access the BitLocker Recovery Keys

To see the information that is being stored in AD, you need to install the BitLocker Recovery Password Viewer, which is a component of Remote Server Administration Tools (RSAT). On your 2008 R2 Domain Controller(s) you simply start the "Add a feature" wizard, navigate to RSAT/Feature Administration Tools and select the BitLocker Drive Encryption Administration Utilities. Once the Viewer has been added, you can open the Active Directory Users and Computers MMC and open the Properties page of any computer account to see the BitLocker Recovery tab. There you will see all of the Recovery IDs and Passwords that have been generated for all drives encrypted by that computer.

But what happens if you have a hard drive that has been encrypted but you do not know what computer it came from? When you attach the disk to a machine and attempt to read it, you'll be presented with a message that says it's encrypted and you'll need the Recovery Password. It will also tell you what the Password ID is. You can then Search Active Directory for this ID to find the Recovery Password. If the drive was encrypted by a computer in your domain, it'll find the Recovery Password that you can use to read/write the encrypted partitions on that disk.
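The "search Active Directory for this ID" step can also be done from PowerShell when you would rather not click through the viewer. This is an added example (mine, not from the original post or from the RSAT tool): it assumes the RSAT ActiveDirectory module and an account that can read msFVE-RecoveryInformation objects, and it relies on the fact that each recovery object is stored as a child of the computer account with the full recovery GUID in its CN, so the 8-character Password ID from the recovery screen can be matched as a CN prefix.

```powershell
# Added example: find a BitLocker recovery password from the Password ID shown
# on the recovery screen (first 8 hex characters of the recovery GUID).
# Assumes the RSAT ActiveDirectory module and read access to the recovery objects.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param([Parameter(Mandatory = $true)][string]$PasswordId)

    # Accept '67A9FF4F', '{67A9FF4F-...}' or the full GUID; keep only the first 8 chars.
    $prefix = ($PasswordId -replace '[{}\s-]', '')
    if ($prefix.Length -lt 8) { throw "Password ID must be at least 8 hex characters." }
    $prefix = $prefix.Substring(0, 8)

    # Recovery objects are named '<timestamp>{<recovery GUID>}', so match on the CN.
    $filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$prefix*))"
    $results = Get-ADObject -LDAPFilter $filter -Properties msFVE-RecoveryPassword, whenCreated

    foreach ($r in $results) {
        # The parent of the recovery object is the computer account that encrypted the drive.
        $parentDn = ($r.DistinguishedName -split ',(?=CN=)', 2)[1]
        $computer = if ($parentDn -match '^CN=([^,]+)') { $Matches[1] } else { $parentDn }
        $fullId   = if ($r.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1] } else { $r.Name }

        New-Object PSObject -Property @{
            Computer   = $computer
            PasswordId = $fullId
            Created    = $r.whenCreated
            Password   = $r.'msFVE-RecoveryPassword'   # the 48-digit recovery password
        }
    }
}

# Example call with a constructed Password ID; the real one comes from the recovery screen.
Find-BitLockerRecoveryPassword -PasswordId '67A9FF4F' | Format-List
```

Several matches are possible if the drive has been re-encrypted or the prefix collides, so compare the Created dates and the computer name before handing out a password.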

BitLocker to Go

Microsoft is well aware that not all data is going to be stored safely on your locally encrypted hard drives and that potentially sensitive data could be placed on a removable device like a USB thumb drive. For those cases, you can still use BitLocker to protect that data using what is being called BitLocker To Go (or BTG in some cases). You can use Group Policy to allow or require removable drives to be encrypted with BTG, and instead of needing a TPM chip to access the contents, the user need only remember the password that they define. And you can still store the recovery password in Active Directory in case they forget it. Rather than go into much detail on it here, you should check out Rocky Hacker's MSDN Blog post on BitLocker to Go. In case you are wondering, non-Windows 7 users can still access drives that are protected with BTG, but they use a utility called "BitLocker To Go Reader" which is included on the unencrypted portion of the removable drive, and this only allows them to read or copy contents from the device, not write to it. This adds some security and is pretty convenient too.

I think Microsoft has done a great job with BitLocker to give users an easy and transparent way to protect data on their computers and removable drives. It may require a little leg work on the part of the IT staff to set up the ideal environment to support it, but it is plausible to have the whole thing up and running in a matter of just a few hours. For those of us (wisely) using SCCM to deploy Windows 7 workstations, you can also enable BitLocker as a step in your OSD Task Sequence. For details, check out Teh Wei King's blog post. And if you are using MDOP (Microsoft Desktop Optimization Pack) you should look into the pending release of MBAM (Microsoft BitLocker Administration and Monitoring), currently available in Beta on Microsoft Connect. Yay Automation!

Shannon Fritz

Infrastructure Architect & Server Team Lead