Configuring Windows 7 (Training Kit) - Part 60 docx

Lesson 1: Managing BitLocker CHAPTER 11 563

The last step before you enable BitLocker on a computer is running the System Check, as shown in Figure 11-8. This check verifies that BitLocker can work with your computer and that there is no problem with the configured startup key or TPM chip. Although this check takes time, you should run it because all data on the computer may be lost if there is a problem with one of the BitLocker features. For example, if you are using BitLocker without a TPM, this check allows you to discover whether the USB device on which you have stored the startup key is accessible to the computer prior to booting into Windows. Even though the startup key may be present on the device, if the BIOS does not support accessing the USB device at the appropriate time, BitLocker locks out the computer. If that is the case, you cannot use BitLocker on this computer. It is much better to discover this type of problem prior to activating BitLocker than to have to go through the BitLocker recovery process.

FIGURE 11-8 Run a System Check prior to using BitLocker

The system check test involves a reboot. After the test completes successfully, BitLocker begins the encryption process. The encryption process occurs in the background. A user with administrative privileges can pause and resume the encryption process if necessary. BitLocker is not fully active until the encryption process is completed.

Quick Check
• Which policy must you configure to allow a computer that does not have a TPM chip to use BitLocker with a startup key stored on a compatible USB device?

Quick Check Answer
• You must configure the Require Additional Authentication At Startup policy to allow a computer that does not have a TPM chip to use BitLocker with a startup key stored on a compatible USB device.

564 CHAPTER 11 BitLocker and Mobility Options

BitLocker To Go

BitLocker To Go is a feature that is available in the Enterprise and Ultimate editions of Windows 7. Computers running these editions of Windows 7 can configure a USB device to support BitLocker To Go. Other editions of Windows 7 can read and write data on BitLocker To Go devices, but they cannot configure a device to use BitLocker To Go. BitLocker To Go allows removable storage devices to be encrypted using BitLocker. BitLocker To Go differs from BitLocker in previous versions of Windows because it allows you to use BitLocker-encrypted removable storage devices on other computers if you have the appropriate password. Although BitLocker in Windows Vista SP1 and later did allow you to encrypt removable storage devices, the process of using a BitLocker-encrypted device on another computer was complicated and involved performing BitLocker recovery. BitLocker To Go does not require that the computer have a TPM chip or that Group Policy be configured to allow some other form of authentication such as a startup key. If you configure appropriate policies, devices protected by BitLocker To Go can be used in read-only mode with computers running Windows XP and Windows Vista.

BitLocker To Go Policies

The Removable Data Drives node of the BitLocker Drive Encryption policy node contains six policies that allow you to manage BitLocker To Go, as shown in Figure 11-9.

FIGURE 11-9 Removable drive policies

• Control Use Of BitLocker On Removable Drives  This policy includes two settings that can be enabled. The first setting allows users to apply BitLocker protection to removable drives. The second allows users to suspend and decrypt BitLocker protection on removable drives. If this policy is disabled, users are unable to use BitLocker To Go.

• Configure Use Of Smart Cards On Removable Data Drives  This policy allows you to enable and/or require the use of smart cards to authenticate user access to a removable drive. When this policy is disabled, users cannot use smart cards to authenticate access to removable drives protected with BitLocker.

• Deny Write Access To Removable Drives Not Protected By BitLocker  Configuring this policy allows you to stop users from writing data to removable devices that are not BitLocker-protected. Within this policy, you can enable the Do Not Allow Write Access To Drives Configured In Another Organization setting, which allows you to limit the writing of data to removable devices configured with a specific BitLocker identification string. This string is configured using the Provide The Unique Identifiers For Your Organization policy that you learned about earlier in this lesson and which was shown earlier in Figure 11-4. When this policy is enabled, users can still read data from removable devices that are not protected by BitLocker or that have another organization's identifier. If this policy is disabled, users can write data to removable devices whether or not they have been configured with BitLocker.

• Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows  Use this policy to allow or restrict BitLocker-protected removable devices formatted with the FAT file system from being accessed on previous versions of Windows. This policy does not apply to NTFS-formatted removable devices. You can configure this policy to allow the installation of BitLocker To Go Reader, a program that gives previous versions of Windows read access to BitLocker-protected removable devices. BitLocker To Go Reader must be present on a computer running a previous version of Windows for that computer to be able to read BitLocker-protected removable devices. When this policy is disabled, FAT-formatted BitLocker-protected removable devices cannot be unlocked on computers running previous versions of Windows.

• Configure Use Of Passwords For Removable Data Drives  This policy determines whether a password is required to unlock a removable data drive protected by BitLocker, as shown in Figure 11-10. The policy allows password complexity requirements to be enforced. If this policy is disabled, users are not allowed to use passwords with removable devices.

FIGURE 11-10 Password to access encrypted removable storage

• Choose How BitLocker-Protected Removable Drives Can Be Recovered  This policy allows you to specify the methods that can be used to recover BitLocker-protected removable devices. You can configure removable drives to use the DRA specified in the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption node. You can also configure a recovery password and a recovery key. Using this policy, you can specify whether BitLocker recovery information is stored within AD DS.

Once a removable device supports BitLocker To Go, it is possible to manage it either by right-clicking it within Windows Explorer or by clicking Manage BitLocker within the BitLocker Drive Encryption control panel. This opens the dialog box shown in Figure 11-11. This dialog box allows you to change the password assigned to the device, configure the device so that you can unlock it with a smart card, save the recovery key, remove the password from the device, or configure the computer to automatically unlock the device whenever it is connected.

FIGURE 11-11 Change BitLocker To Go options

BitLocker Recovery

Encrypted volumes are locked when the encryption key is not available. When the operating system volume is locked, you can boot only to recovery mode. In recovery mode, you can enter the BitLocker recovery password, or you can attach the USB device that has the recovery key stored on it and restart the computer. Once you enter the recovery password or key, you can boot your computer normally. The following events trigger recovery mode:

• The boot environment changes. This could include one of the boot files being modified.
• The TPM is disabled or cleared.
• An attempt is made to boot without the TPM, PIN, or USB key being provided.
• You attach a BitLocker-encrypted operating system volume to another computer.

If you need to perform a task that would normally trigger recovery mode, such as modifying the boot files, it is possible to disable BitLocker temporarily. You should temporarily disable BitLocker when upgrading the computer's BIOS or making any modification to the startup environment, such as configuring Windows 7 to dual-boot with a virtual hard disk (VHD) installation of the operating system. Once you have finished the configuration changes, you can re-enable BitLocker. The changes that you made while BitLocker was disabled do not trigger recovery mode.

Manage-bde.exe

Manage-bde.exe is the BitLocker command-line utility. You must use Manage-bde.exe from an elevated command prompt. Manage-bde.exe allows you to unlock locked BitLocker volumes and to modify BitLocker PINs, passwords, and keys. Table 11-1 lists common Manage-bde.exe parameters. You will use Manage-bde.exe in the practice exercise at the end of the lesson.

TABLE 11-1 Common Manage-bde.exe Parameters

PARAMETER        FUNCTION
-status          Displays BitLocker status
-on              Encrypts a volume and turns BitLocker on
-off             Decrypts a volume and turns BitLocker off
-pause/-resume   Pauses or resumes encryption or decryption
-lock            Prevents access to BitLocker-protected data
-unlock          Allows access to BitLocker-encrypted data
-SetIdentifier   Configures the identifier for a volume
-changepin       Modifies the PIN for a volume
-changepassword  Modifies a volume's password
-changekey       Modifies a volume's startup key

EXAM TIP  Remember which policy to configure to allow computers without TPM chips to use BitLocker.
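The Removable Data Drives policies above are applied to a client as registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE. The following PowerShell audit is an added example, not part of the Training Kit: it reads those values and compares them with the state the lesson's scenario wants (organization identifier ContosoBitLocker, no writes to unprotected or foreign-organization drives, password required). The value names are taken from the BitLocker ADMX as I know it and are an assumption to confirm against the ADMX in your own environment.

```powershell
# Added example (not from the Training Kit): audit the local BitLocker To Go
# policy state that the Removable Data Drives policies write to the registry.
# Value names are from the VolumeEncryption ADMX as I recall them; confirm them
# against the ADMX in your environment before relying on this check.
# Run in an elevated PowerShell session on the client being checked.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # A missing key or value means the policy is Not Configured.
    $item = Get-ItemProperty -Path $FvePolicy -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Desired state for the lesson's scenario (Exercise 1 configures exactly this).
$expected = @{
    IdentificationFieldString    = 'ContosoBitLocker'  # Provide The Unique Identifiers For Your Organization
    SecondaryIdentificationField = 'ContosoBitLocker'  # Allowed BitLocker Identification Field
    RDVDenyWriteAccess           = 1  # Deny Write Access To Removable Drives Not Protected By BitLocker
    RDVDenyCrossOrg              = 1  # Do Not Allow Write Access To Devices Configured In Another Organization
    RDVPassphrase                = 1  # Configure Use Of Passwords For Removable Data Drives: Enabled
    RDVEnforcePassphrase         = 1  # Require Password For Removable Data Drive
}

$findings = foreach ($name in $expected.Keys) {
    $actual  = Get-FvePolicyValue -Name $name
    $display = if ($null -eq $actual) { '(not configured)' } else { $actual }
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $display
        OK       = ($actual -eq $expected[$name])
    }
}

$findings | Format-Table -AutoSize

# Exit non-zero when any setting deviates, so the script can gate a compliance job.
if ($findings | Where-Object { -not $_.OK }) {
    Write-Warning 'Removable drive BitLocker policy deviates from the expected state.'
    exit 1
}
```

A deviation here is worth alerting on: with RDVDenyWriteAccess absent, the write block that the practice relies on is simply not enforced.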
Practice: Configuring BitLocker To Go

In this practice, you configure Group Policies so that users are able to write data only to specially prepared removable storage devices that support BitLocker To Go. Implementing similar policies in a real-world environment ensures that data stored on a removable storage device is safe from third-party access if the owner of the removable storage device loses it in a public place.

Exercise 1: Configuring BitLocker To Go Policies

In this exercise, you configure BitLocker To Go–related Group Policy settings.

1. Log on to computer Canberra using the Kim_Akers user account.
2. Ensure that the USB storage device that you will encrypt using BitLocker To Go is attached to the computer.
3. Use the Disk Management console to format the USB storage device with the FAT32 file system.
4. Disconnect the USB storage device from the computer.
5. In the Search Programs And Files text box, type gpedit.msc. This opens the Local Group Policy Editor.
6. Navigate to the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption node.
7. Edit the Provide The Unique Identifiers For Your Organization policy. Enable the policy and set the BitLocker Identification Field and the Allowed BitLocker Identification Field to ContosoBitLocker, as shown in Figure 11-12, and then click OK.

FIGURE 11-12 Configure identifiers

8. Open the Removable Data Drives node and then set the Deny Write Access To Removable Drives Not Protected By BitLocker policy to Enabled. Then select the Do Not Allow Write Access To Devices Configured In Another Organization check box. Click OK.
9. Enable the Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows policy.
10. Set the Configure Use Of Passwords For Removable Data Drives policy to Enabled. Select the Require Password For Removable Data Drive check box, set Configure Password Complexity For Removable Data Drives to Allow Password Complexity, as shown in Figure 11-13, and then click OK.

FIGURE 11-13 Removable drive password complexity

11. Close the Local Group Policy Editor and then reboot the computer.

Exercise 2: Testing the Application of BitLocker To Go Policies

In this exercise, you encrypt a removable storage device and verify that it is possible to write data to the device only when the device has been configured with BitLocker.

1. After computer Canberra has rebooted at the end of Exercise 1, log on with the Kim_Akers user account.
2. After you have logged on, connect the USB storage device that you prepared in Exercise 1. Verify that the message displayed in Figure 11-14 appears.

FIGURE 11-14 Removable device warning

3. Click Don't Encrypt This Drive to dismiss this dialog box. Create a file on the desktop named Test.txt. Using Windows Explorer, attempt to copy this file to the USB storage device. This prompts a message informing you that the disk is write-protected.
4. In the Search Programs And Files text box, type Manage BitLocker. Click the Manage BitLocker item.
5. In the BitLocker Drive Encryption control panel, click the Turn On BitLocker item next to the removable USB drive, as shown in Figure 11-15.

FIGURE 11-15 The BitLocker control panel

6. On the Choose How You Want To Unlock The Drive page, enter the password P@ssw0rd twice and then click Next.
7. On the How Do You Want To Store Your Recovery Key? page, click Save The Recovery Key To A File and save the recovery key on the desktop. Click Next.
8. On the Are You Ready To Encrypt This Drive? page, click Start Encrypting. Windows starts encrypting the drive.
9. When the removable drive has stopped encrypting, open an elevated command prompt and issue the command manage-bde -status e: (where e: is the volume identifier of the USB storage device). Verify that the Identification Field setting matches ContosoBitLocker, as shown in Figure 11-16.

FIGURE 11-16 Check BitLocker status

10. Use Windows Explorer to copy the file Test.txt from the desktop to the USB storage device, and verify that you are now able to write data to the device.
11. Disconnect and then reconnect the storage device. Verify that you need to enter a password to access the storage device.

Lesson Summary

• BitLocker offers full volume encryption and system protection for computers running the Enterprise and Ultimate editions of Windows 7.
• TPM chips are required for BitLocker boot integrity protection. TPM PINs can be backed up to AD DS.
• BitLocker can use five different modes: TPM-only, TPM with PIN, TPM with startup key, TPM with PIN and startup key, and startup key without TPM. The startup key without TPM mode can be enabled only by configuring the Require Additional Authentication At Startup Group Policy.
• DRAs can be configured for the recovery of BitLocker-encrypted volumes.
• BitLocker To Go provides BitLocker encryption to removable storage devices. Computers running the Enterprise and Ultimate editions of Windows 7 can configure removable devices. Computers running other editions of Windows 7 cannot configure removable devices, but they can read and write data to BitLocker To Go–protected devices.
• BitLocker To Go–protected removable storage devices can be protected with passwords.
• BitLocker To Go storage devices can be accessed from computers running Windows Vista and Windows XP through a utility named BitLocker To Go Reader if Group Policy is configured to allow this.
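Step 9 of Exercise 2 checks the Identification Field of the manage-bde -status output by eye. The PowerShell helper below is an added example, not part of the Training Kit: it parses that output into name/value pairs and reports a drive whose identifier, conversion status or protection status does not match the lesson's expected state. The embedded sample output is constructed in the Windows 7 layout so the functions can be tried without a drive attached; the function names are my own.

```powershell
# Added example (not from the Training Kit): parse manage-bde -status output and
# check it the way step 9 of Exercise 2 does by eye. Run elevated for live output;
# $SampleStatus below is a constructed sample so the functions can be tried offline.

function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $props = @{}
    foreach ($line in $Lines) {
        # Indented "Name: Value" lines; the Key Protectors sub-list has no colon-value pair.
        if ($line -match '^\s+([A-Za-z ]+):\s+(.+?)\s*$') {
            $props[$matches[1].Trim()] = $matches[2]
        }
    }
    return $props
}

function Test-RemovableDriveCompliance {
    param([hashtable]$Status, [string]$ExpectedIdentifier)
    $problems = @()
    if ($Status['Identification Field'] -ne $ExpectedIdentifier) {
        $problems += "Identification Field is '$($Status['Identification Field'])', expected '$ExpectedIdentifier'"
    }
    # BitLocker is not fully active until conversion has finished (see the lesson text).
    if ($Status['Conversion Status'] -ne 'Fully Encrypted') {
        $problems += "Conversion Status is '$($Status['Conversion Status'])'; encryption is not complete"
    }
    if ($Status['Protection Status'] -ne 'Protection On') {
        $problems += "Protection Status is '$($Status['Protection Status'])'"
    }
    return $problems
}

# Constructed sample in the Windows 7 layout; the values are made up for this example.
$SampleStatus = @'
Volume E: [Label Unknown]
[Data Volume]

    Size:                 3.73 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: ContosoBitLocker
    Key Protectors:
        Password
        Numerical Password
'@ -split "`r?`n"

# Replace $SampleStatus with (manage-bde -status e:) to check the real drive.
$status   = ConvertFrom-ManageBdeStatus -Lines $SampleStatus
$problems = Test-RemovableDriveCompliance -Status $status -ExpectedIdentifier 'ContosoBitLocker'
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Drive matches the lesson policy.' }
```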
Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, "Managing BitLocker." The questions are also available on the companion DVD if you prefer to review them in electronic form.

NOTE ANSWERS  Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the "Answers" section at the end of the book.

1. Which of the following policies must you configure when setting up a DRA to recover the operating system volume for BitLocker? (Choose all that apply; each answer forms part of a complete solution.)
   A. Computer Configuration\Administrative Templates\Windows Components\Provide The Unique Identifiers For Your Organization
   B. Computer Configuration\Administrative Templates\Windows Components\Choose Default Folder For Recovery Password
   C. Computer Configuration\Administrative Templates\Windows Components\Choose How Users Can Recover BitLocker-Protected Drives
   D. Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption
   E. Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered

2. You want to block users from writing data to removable drives if those drives are not BitLocker-protected. Users should not be able to write data to drives configured with BitLocker by organizations other than your own. Which of the following policies must you configure to accomplish this goal? (Choose all that apply; each answer forms part of a complete solution.)
   A. Control Use Of BitLocker On Removable Drives
   B. Store BitLocker Recovery Information In Active Directory Domain Services
   C. Deny Write Access To Removable Drives Not Protected By BitLocker
   D. Provide The Unique Identifiers For Your Organization

Posted: 02/07/2014, 10:21
