Step 8. You are returned to the BitLocker Drive Encryption applet, which tracks the progress of encrypting your drive and informs you when the drive is encrypted. Do not disconnect your drive until encryption is completed.
Caution
Do not enable BitLocker To Go on the USB drive containing your BitLocker startup key. Windows 10 currently does not permit this, although a future update or service pack might add this capability.
BitLocker Policies
Besides the policy already mentioned to enable BitLocker on a computer that is not equipped with a TPM, Group Policy has a series of settings that help you to manage BitLocker. You can access these policies from the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption node. This node has three subnodes: Fixed Data Drives, Operating System Drives, and Removable Data Drives, as well as several policies that affect all types of drives. Microsoft provides recommendations for many of these settings in "BitLocker Group Policy Settings" at http://technet.microsoft.com/en-us/library/jj679890.aspx. Although it references Windows 8.1 and Windows Server 2012, the Group Policy settings have not changed for Windows 10.
Operating System Drives
As shown in Figure 8-20, you can configure a large number of policies that govern BitLocker as used on operating system drives, including the following:
• Allow Network Unlock at Startup: Introduced for Windows 8 and Windows Server 2012, this policy controls a portion of the behavior of the Network Unlock feature. When enabled, clients using BitLocker are enabled to create the necessary network key protector during encryption.
Figure 8-20. Group Policy Providing Settings for BitLocker Used on Operating System Drives
• Allow Secure Boot for Integrity Validation: This policy controls how BitLocker-enabled system volumes behave in conjunction with Secure Boot. When enabled, Secure Boot validation takes place during the boot process, verifying Boot Configuration Data (BCD) settings for platform integrity.
• Require Additional Authentication at Startup: As mentioned in the "Configuring Startup Key Storage" section later in this chapter, this setting enables you to use BitLocker on a computer without a TPM. By enabling this policy, you can also specify whether BitLocker requires additional authentication, including a startup key and/or PIN.
• Require Additional Authentication at Startup (Windows Server 2008 and Windows Vista): Enables similar settings for Windows Vista and Windows Server 2008 computers, except that you cannot utilize both a startup key and PIN.
• Allow Enhanced PINs for Startup: Enables the use of a PIN that contains additional characters, including uppercase and lowercase letters, symbols, numerals, and spaces.
• Configure Minimum PIN Length for Startup: Specifies a minimum length for the startup PIN. You can choose a minimum length of anywhere from 4 to 20 digits.
• Configure Use of Hardware-Based Encryption for Operating System Drives: Enables you to manage use of hardware-based encryption on operating system drives and specify permitted encryption algorithms.
• Enforce Drive Encryption Type on Operating System Drives: Enables you to specify the encryption type used by BitLocker. You can choose either Full Encryption to require that the entire drive be encrypted, or Used Space Only Encryption to require only the portion of the drive in use to be encrypted.
• Choose How Users Can Recover BitLocker-Protected Drives: Enables the use of a data recovery agent. We discuss this policy later in this section.
• Configure TPM Platform Validation Profile for BIOS-Based Firmware Configurations: Enables you to specify how the TPM security hardware secures the BitLocker encryption key on computers running Windows Server 2012 R2 or Windows 8.1. The validation profile includes a set of Platform Configuration Register (PCR) indices, each of which is associated with components that run at startup. You can select from a series of indices provided in the policy's options.
• Configure TPM Platform Validation Profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2): Provides a validation profile with a similar set of PCR indices for computers running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.
• Configure TPM Platform Validation Profile for Native UEFI Firmware Configurations: Provides a validation profile and PCR indices for Windows 8.1 or Windows Server 2012 R2 computers equipped with UEFI firmware (as opposed to BIOS-based firmware).
Fixed Data Drive Policies
As shown in Figure 8-21, you can configure the following policies that govern BitLocker used on fixed data drives (in other words, internal hard drive partitions containing data but not operating system files).
• Configure Use of Smart Cards on Fixed Data Drives: Enables you to specify whether smart cards can be used to authenticate user access to drives protected by BitLocker. You can optionally require the use of smart cards.
Figure 8-21. Group Policy Providing Settings for BitLocker Used on Fixed Data Drives
• Deny Write Access to Fixed Drives Not Protected by BitLocker: Enables you to require BitLocker protection on writable drives. If enabled, any drives not protected by BitLocker are read-only.
• Configure Use of Hardware-Based Encryption for Fixed Data Drives: Enables you to manage use of hardware-based encryption on fixed data drives and specify permitted encryption algorithms.
• Enforce Drive Encryption Type on Fixed Data Drives: Enables you to specify the encryption type used by BitLocker. You can choose either Full Encryption to require that the entire drive be encrypted, or Used Space Only encryption to require only the portion of the drive in use to be encrypted.
• Allow Access to BitLocker-Protected Fixed Data Drives from Earlier Versions of Windows: Specifies whether drives formatted with the FAT or FAT32 file system can be unlocked and viewed on computers running earlier Windows versions (back to Windows XP SP2).
• Configure Use of Passwords for Fixed Data Drives: Enables you to specify whether a password is required for unlocking BitLocker-protected fixed data drives. You can optionally specify that a password is required, and you can choose to allow or require password complexity and specify the minimum password length.
• Choose How BitLocker-Protected Fixed Drives Can Be Recovered: Similar to the corresponding operating system drives policy.
More information on all these policies is available from the Help field in each policy's Properties dialog box. These policies are also available for removable drives (BitLocker To Go) in the Removable Data Drives subnode of Group Policy.
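The policies described above are stored as registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE when they are applied, using the value names defined in the VolumeEncryption.admx template. The following script is an added example, not part of this book, that reads those values and reports the effective setting for the operating system, fixed, and removable drive policies discussed in this section, which is a quick way to confirm on a client that the expected policy actually arrived after gpupdate. Run it from an elevated prompt; the label text is ours, and the numeric meanings (0 = do not allow, 1 = require, 2 = allow for the startup-authentication drop-downs) follow the template.

```powershell
# Added example (not from the book): audit the BitLocker Group Policy settings
# discussed above by reading the values that the VolumeEncryption.admx template
# writes under HKLM\SOFTWARE\Policies\Microsoft\FVE. Run elevated, after gpupdate.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Drop-down values used by "Require Additional Authentication at Startup"
$tri = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
$yesNo = @{ 0 = 'No'; 1 = 'Yes' }
$encType = @{ 0 = 'User choice'; 1 = 'Full encryption'; 2 = 'Used space only' }

function Get-FvePolicyValue {
    # Returns the policy value, or $null when the policy is not configured.
    param([string]$Name)
    if (-not (Test-Path $fve)) { return $null }
    $item = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains $Name)) { return $null }
    return $item.$Name
}

function Show-Setting {
    # Prints one aligned line: policy label and its decoded value.
    param([string]$Label, $Value, [hashtable]$Map)
    if ($null -eq $Value) { $text = 'Not configured' }
    elseif ($Map -and $Map.ContainsKey([int]$Value)) { $text = $Map[[int]$Value] }
    else { $text = $Value }
    '{0,-62} {1}' -f $Label, $text
}

Write-Output '=== Operating System Drives ==='
Show-Setting 'Require Additional Authentication at Startup (enabled)' (Get-FvePolicyValue 'UseAdvancedStartup') $yesNo
Show-Setting '  Allow BitLocker without a compatible TPM'               (Get-FvePolicyValue 'EnableBDEWithNoTPM') $yesNo
Show-Setting '  Configure TPM startup'                                 (Get-FvePolicyValue 'UseTPM') $tri
Show-Setting '  Configure TPM startup PIN'                             (Get-FvePolicyValue 'UseTPMPIN') $tri
Show-Setting '  Configure TPM startup key'                             (Get-FvePolicyValue 'UseTPMKey') $tri
Show-Setting '  Configure TPM startup key and PIN'                     (Get-FvePolicyValue 'UseTPMKeyPIN') $tri
Show-Setting 'Allow Enhanced PINs for Startup'                         (Get-FvePolicyValue 'UseEnhancedPin') $yesNo
Show-Setting 'Configure Minimum PIN Length for Startup'                (Get-FvePolicyValue 'MinimumPIN')
Show-Setting 'Allow Secure Boot for Integrity Validation'              (Get-FvePolicyValue 'OSAllowSecureBootForIntegrity') $yesNo
Show-Setting 'Enforce Drive Encryption Type on OS Drives'              (Get-FvePolicyValue 'OSEncryptionType') $encType

Write-Output '=== Fixed Data Drives ==='
Show-Setting 'Deny Write Access to Fixed Drives Not Protected by BitLocker' (Get-FvePolicyValue 'FDVDenyWriteAccess') $yesNo
Show-Setting 'Enforce Drive Encryption Type on Fixed Data Drives'          (Get-FvePolicyValue 'FDVEncryptionType') $encType

Write-Output '=== Removable Data Drives (BitLocker To Go) ==='
Show-Setting 'Deny Write Access to Removable Drives Not Protected by BitLocker' (Get-FvePolicyValue 'RDVDenyWriteAccess') $yesNo
```

A policy that reports Not configured here is simply absent from the registry, which is what you see on a workgroup computer before the Local Group Policy Editor has been used; compare the output against the Help text of each policy in Group Policy rather than assuming a default.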
Use of Data Recovery Agents
A data recovery agent (DRA) is a user account that is configured for recovering data encrypted with BitLocker, in a manner analogous to the EFS recovery agent described previously in this chapter. The DRA uses its smart card certificates and public keys to accomplish this action.
To specify a DRA for a BitLocker-protected drive, you must first designate the recovery agent by opening the Local Group Policy Editor and navigating to the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption node. Right-click this node and choose Add Data Recovery Agent. This starts a wizard that is similar to that used for creating EFS data recovery agents. You can browse for the required certificates or select them from AD DS in a domain environment.
After you've specified your data recovery agent, you need to access the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption node of Group Policy and enable the Provide the Unique Identifiers for Your Organization policy (see Figure 8-22). In the text boxes provided, specify a unique identifier that will be associated with drives that are enabled with BitLocker. This identifier uniquely associates the drives with your company or department and is required for BitLocker to manage and update data recovery agents. After doing so, this identifier will be automatically associated with any drives on which you enable BitLocker.
Figure 8-22. Providing a Unique Identifier to Use a BitLocker DRA
You can add this identifier to drives previously protected with BitLocker by opening an administrative command prompt and typing the following command:
manage-bde -SetIdentifier drive_letter
Here, drive_letter is the drive letter of the BitLocker-protected drive. The utility sets the identifier to the value you've specified in Group Policy and displays a message informing you that this identifier has been set.
After you have specified a DRA and the unique identifiers, you can configure policies in each subnode of the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption node of Group Policy that choose how BitLocker-protected drives can be recovered.
Each of the three subnodes contains a similar policy setting that is shown for operating system drives in Figure 8-23. Enable each of these policies as required and select the Allow Data Recovery Agent check box. Then configure the following options as required:
• Allow 48-Digit Recovery Password: This drop-down list provides choices to allow, require, or disallow a 48-digit recovery password. Use of a 48-digit recovery password improves DRA security.
Figure 8-23. Group Policy Providing These Data Recovery Options for Operating System Drives
• Allow 256-Bit Recovery Key: This drop-down list provides choices to allow, require, or disallow a 256-bit recovery key. Use of a 256-bit recovery key improves DRA security.
• Omit Recovery Options from the BitLocker Setup Wizard: Blocks the appearance of the recovery options previously shown in Figure 8-15; when enabled, these recovery options are determined by policy settings.
• Save BitLocker Recovery Information to AD DS for Operating System Drives: Enables you to choose the BitLocker recovery information that will be stored in AD DS.
• Configure Storage of BitLocker Recovery Information to AD DS: Determines how much recovery information is stored in AD DS when you have selected the preceding option. You can choose to store recovery passwords and key packages or to store recovery passwords only.
• Do Not Enable BitLocker Until Recovery Information Is Stored to AD DS for Operating System Drives: When enabled, prevents users from enabling BitLocker unless the computer is attached to the domain and BitLocker recovery information can be backed up to AD DS.
Similar options are provided for fixed and removable data drives; the wording of the last policy setting changes to reflect the type of drive being configured.
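The recovery policies above take effect when BitLocker is enabled; for drives that were encrypted before the policy arrived, an administrator has to check that the recovery protectors exist and escrow them to AD DS by hand. The following script is an added example, not part of this book, that does that with the BitLocker PowerShell module (Windows 8 / Windows Server 2012 and later) and manage-bde: it lists every key protector on a drive, adds a 48-digit recovery password if the drive has none, backs each recovery password up to AD DS, and prints the identification field that manage-bde -SetIdentifier sets. The MountPoint default and the -Apply switch are our own conventions for the example; without -Apply the script only reports. Save it as a .ps1 file and run it elevated on a domain-joined computer.

```powershell
# Added example (not from the book): verify and escrow BitLocker recovery
# information on an already-encrypted drive. Run elevated from a .ps1 file.
# -MountPoint and -Apply are conventions of this example only.
param(
    [string]$MountPoint = 'C:',
    [switch]$Apply
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
"{0}: {1}, protection {2}, {3}% encrypted" -f $vol.MountPoint, $vol.VolumeStatus,
    $vol.ProtectionStatus, $vol.EncryptionPercentage

# List every key protector so the admin can confirm the startup protector
# (TPM, PIN, startup key, or password) and the recovery protectors are present.
foreach ($kp in $vol.KeyProtector) {
    "  protector {0} type {1}" -f $kp.KeyProtectorId, $kp.KeyProtectorType
}

$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recovery) {
    Write-Warning "No 48-digit recovery password protector on $MountPoint."
    if ($Apply) {
        # Adds a randomly generated 48-digit numerical password protector.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
}

foreach ($rp in $recovery) {
    if ($Apply) {
        # Same escrow that the "Save BitLocker Recovery Information to AD DS"
        # policy performs at enable time; needs a domain-joined computer whose
        # computer object allows writing BitLocker recovery information.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        "  backed up recovery password protector $($rp.KeyProtectorId) to AD DS"
    } else {
        "  recovery password protector $($rp.KeyProtectorId) present (run with -Apply to escrow to AD DS)"
    }
}

# The identification field set by Group Policy or manage-bde -SetIdentifier;
# manage-bde -status prints it as the "Identification Field" line.
manage-bde -status $MountPoint | Select-String -Pattern 'Identification Field'
```

Typical use is a reporting pass first (.\Check-BdeRecovery.ps1 -MountPoint D:), then a second pass with -Apply once the output matches what the recovery policy requires. Backup-BitLockerKeyProtector fails if the computer object is not permitted to write recovery information to AD DS, so a non-zero result from the -Apply pass is worth investigating before relying on the escrow.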
Note
BitLocker provides several additional DRA management options, including verification of the identification field and listing of configured DRAs. For more information, refer to "Using Data Recovery Agents with BitLocker" at http://technet.microsoft.com/en-us/library/dd875560(WS.10).aspx. For additional information on BitLocker as a whole, refer to "BitLocker Frequently Asked Questions (FAQ)" at https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-frequently-asked-questions.
Microsoft BitLocker Administration and Monitoring (MBAM)
For large enterprises that need to manage BitLocker encryption across a large number of client devices and workstations in an Active Directory forest, the Microsoft BitLocker Administration and Monitoring (MBAM) tool provides a simplified interface. MBAM is configured through custom Group Policy templates, allowing organizations to set BitLocker Drive Encryption policies as needed, as well as providing monitoring of the encryption status of computers and the entire enterprise.
MBAM can be implemented as a component of System Center Configuration Manager (SCCM), or as a standalone tool. Deploying MBAM requires a set of server features configured on one or more server computers, based on the size and requirements of the organization. Typically, in a large enterprise, the following features are distributed across multiple servers:
• Recovery Database
• Compliance and Audit Database
• Reports Database, including the SQL Server Reporting Services role.
• Administration and Monitoring Server, which runs the Web Server Role for hosting the Administration and Monitoring interface.
• Self-Service Portal, which also runs a Web Server Role and hosts the self-service interface for end-user support.
• Management Workstation running the MBAM client used to configure and manage the MBAM infrastructure components.
With the MBAM infrastructure in place, you can manage BitLocker and the BitLocker-enabled computers in your organization. For instance, if a user enters an incorrect PIN too many times, the TPM may enter lockout, and the user is locked out of the computer. Using the Administration and Monitoring website, you can retrieve the TPM password file and reset the TPM lockout.
You can also use MBAM to recover a drive in the event of a hardware failure, a change in personnel, or loss of the encryption keys for the drive for any reason.
Note
Details of the deployment and operation of MBAM are beyond the scope of this text and the 70-697 and 70-698 exams, but you should know about the concepts and how MBAM can be used to manage BitLocker across enterprise computers. For details of MBAM operations and management, start with "Operations for MBAM 2.5" at https://technet.microsoft.com/en-us/itpro/mdop/mbam-v25/operations-for-mbam-25.
Configuring Startup Key Storage
In the previous section, we learned about BitLocker Drive Encryption and using startup keys to unlock the drive for access. A TPM is typically used for storing the startup key, but, as mentioned, you can use a USB flash drive or other removable disk instead. In this section we discuss using USB drives for the storage of startup keys for BitLocker, as well as other methods for securing Windows on a mobile device, and how to protect your data from unauthorized access even when the device is lost or stolen.
If the computer does not have a TPM, BitLocker uses either a USB flash drive or smart card containing a startup key. In this case, BitLocker provides encryption, but not the added security of locking keys with the TPM. When you use a USB drive to store your startup key, it is vital that you keep it secure, which means maintaining a backup. If your USB drive becomes corrupt, nonfunctional, or lost, you will permanently lose access to your Windows system.
Preparing a Computer Without a TPM to Use BitLocker
You can use a computer that does not have a TPM module if you have a USB flash drive to store the encryption keys and password. By default, Windows blocks an attempt to enable BitLocker on such a computer and displays the message shown in Figure 8-24.
Figure 8-24. Windows Displaying TPM Error for BitLocker
As mentioned in the error, you need to enable BitLocker without a TPM from Group Policy, as the following procedure describes:
Step 1. Access the Search field and type gpedit.msc into the Search text box. Then select gpedit.msc from the list that is displayed.
Step 2. In the Local Group Policy Editor, navigate to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.
Step 3. Double-click Require Additional Authentication at Startup, enable this policy, select the Allow BitLocker Without a Compatible TPM option, and then click OK.
Step 4. Close the Local Group Policy Editor.
Step 5. In the Search box or Cortana, type Gpupdate /force, and then press Enter. This forces Group Policy to apply immediately.
After you've completed this procedure, you are ready to enable BitLocker as described next. The procedure is similar to the procedure in the previous section, but without a TPM available, Windows presents a few different options. Begin the procedure as described in “Enabling BitLocker” in the BitLocker Drive Encryption subsection. Select BitLocker Drive Encryption from the Control Panel, and select Turn on BitLocker for the drive.
Step 1. Windows checks your computer's configuration, and after a few seconds, the BitLocker Drive Encryption setup window appears, informing you that the computer will prepare your drive for BitLocker and then encrypt the drive.
Step 2. Click Next. Windows prepares your drive for BitLocker and informs you that an existing drive or unallocated free space will be used to enable BitLocker.
Step 3. Click Next. You are informed that you will no longer be able to use Windows Recovery Environment unless it is manually enabled and moved to the system drive.
Step 4. Click Next. You receive the Choose How to Unlock Your Drive at Startup window shown in Figure 8-25. Choose to either insert a USB flash drive or enter a password as desired.
Figure 8-25. BitLocker Drive Encryption Applet in Control Panel Offering Two Choices for Unlocking Your Drive at Startup
Step 5. The next step depends on the choice made in Figure 8-25. If you choose to insert a USB flash drive, insert the drive and click Save. If you choose to use a password, type and confirm a strong password when prompted. Then click Next.
Step 6. If you save it to a USB flash drive, you see the dialog box shown in Figure 8-26. Click Save, and then click Next.
Figure 8-26. Selecting the Appropriate USB Drive for Saving Your Password
Step 7. The How Do You Want to Back Up Your Recovery Key? page provides the three options shown previously in Figure 8-25, as well as the additional option to use a USB drive. Use one or more of these options to save the recovery password. If you print it, ensure that you save the printed document in a secure location.
The remainder of the process is the same as when using a TPM (see Steps 8–11 in the "Enabling BitLocker" section), including restarting and encrypting the drive.
After you have completed this procedure, you must have the USB drive to start your computer if you chose this option in Step 5 of the previous procedure. Alternatively, you can use Recovery mode and type the recovery password that was automatically created while enabling BitLocker. BitLocker provides the BitLocker Drive Encryption Recovery Console to enable you to insert the USB drive that contains the recovery password. Or press Enter, type the recovery password, and press Enter again.
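The two procedures above (setting the policy, then enabling BitLocker with a startup key on a USB drive and saving the recovery password) can also be carried out from an elevated PowerShell prompt, which is how you would script them for more than one computer. The following is an added example, not part of this book: it writes the same policy values that Step 3 of the Group Policy procedure sets (value names from the VolumeEncryption.admx template, stored under HKLM\SOFTWARE\Policies\Microsoft\FVE), checks that the drive is still unencrypted, enables BitLocker with a startup key using the BitLocker PowerShell module, and then adds and saves the 48-digit recovery password. The drive letters C: and E: and the backup folder are assumptions for the example.

```powershell
# Added example (not from the book): enable BitLocker on the OS drive of a
# computer without a TPM using a USB startup key, from elevated PowerShell.
# Drive letters and the backup folder are assumptions for this example.

$OsDrive   = 'C:'
$UsbDrive  = 'E:\'           # removable drive that will hold the .BEK startup key
$BackupDir = 'E:\Recovery'   # where the recovery password text file is written;
                             # move it off this drive afterward so the startup
                             # key and recovery password are not kept together

# --- Step 3 of the Group Policy procedure: Require Additional Authentication
#     at Startup, with Allow BitLocker Without a Compatible TPM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
gpupdate /force | Out-Null   # reapplies any domain policy on top, as Step 5 does

# --- Sanity checks before touching the drive.
$vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$OsDrive is already $($vol.VolumeStatus); nothing to do."
}
if (-not (Test-Path $UsbDrive)) { throw "USB drive $UsbDrive is not present." }

# --- Enable BitLocker with a startup key (Step 4/5 of the wizard, USB choice).
#     Enable-BitLocker writes the external key file (.BEK) to -StartupKeyPath.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
    -StartupKeyProtector -StartupKeyPath $UsbDrive -UsedSpaceOnly -SkipHardwareTest | Out-Null

# --- Add the 48-digit recovery password and save a copy (Step 7 of the wizard).
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$file = Join-Path $BackupDir ("BitLocker Recovery Key {0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
@"
BitLocker Drive Encryption recovery key
Identifier:   $($rp.KeyProtectorId)
Recovery Key: $($rp.RecoveryPassword)
"@ | Set-Content -Path $file

"Startup key written to $UsbDrive; recovery password saved to $file"
"Restart to begin encryption; check progress with: manage-bde -status $OsDrive"
```

The identifier in the file name is the same protector ID that the BitLocker recovery screen shows, so a help desk can match a locked computer to the right recovery password. As with the wizard, encryption starts after the restart, and -UsedSpaceOnly corresponds to the Used Space Only choice that the Enforce Drive Encryption Type policy can also dictate.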
Caution
Ensure that you do not lose the recovery password. If you lose the recovery password, your Windows installation and all data stored on its partition will be permanently lost. You will need to repartition your hard drive and reinstall Windows. Consequently, you should create at least two copies of the password as described in the previous procedure and store these in a secure location. Do not leave the startup USB flash drive in your laptop bag; attach it to your key chain, or store it elsewhere on your person. Note that you may end up with two USB drives: one with the startup key and the other with the recovery password.
Syskey Startup Keys
Another method used to protect Windows computers, included in Windows since NT 4.0 SP3, is Syskey. The Syskey utility encrypts the SAM database, which contains all the login credentials and passwords on the local system.
Note that Syskey does not protect your data from access if your computer is stolen or lost, because it encrypts only the SAM database, not your files or the hard drive. Syskey is useful for protecting against casual intrusion, however, by providing a layer of security to your login accounts.
If you have used EFS to encrypt files, or you have saved or cached credentials, Syskey will also protect that information because your account login is used to unlock EFS files, your credentials stored in Credential Manager, and personal certificates. Syskey will also protect the master key that Windows uses to unlock IPsec keys, computer keys, and SSL certificate