BitLocker Step by Step


This document describes how to set up BitLocker on Windows 7 in various scenarios.


Page 1: BitLocker Step by Step

My Collection

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product or product name. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. © 2012 Microsoft. All rights reserved. Terms of Use (http://technet.microsoft.com/cc300389.aspx) | Trademarks (http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx)


Table of Contents

Chapter 1

BitLocker Drive Encryption Step-by-Step Guide for Windows 7

Scenario 1: Turning On BitLocker Drive Encryption on an Operating System Drive (Windows 7)

Scenario 2: Turning On BitLocker Drive Encryption on a Fixed or Removable Data Drive (Windows 7)

Scenario 3: Upgrading a BitLocker-Protected Computer from Windows Vista to Windows 7 (Windows 7)

Scenario 4: Configuring How BitLocker Is Supported on Previous Versions of Windows (Windows 7)

Scenario 5: Requiring BitLocker Protection on Data Drives (Windows 7)

Scenario 6: Specifying How to Unlock BitLocker-Protected Operating System Drives (Windows 7)

Scenario 7: Specifying How to Unlock BitLocker-Protected Fixed or Removable Data Drives (Windows 7)

Scenario 8: Specifying How BitLocker-Protected Drives Can Be Recovered (Windows 7)

Scenario 9: Configuring the Encryption Method and Cipher Strength (Windows 7)

Scenario 10: Configuring the BitLocker Identification Field (Windows 7)

Scenario 11: Recovering Data Protected by BitLocker Drive Encryption (Windows 7)

Scenario 12: Turning Off BitLocker Drive Encryption (Windows 7)

Scenario 13: Locking a Data Drive with a Smart Card (Windows 7)

Scenario 14: Using a Data Recovery Agent to Recover BitLocker-Protected Drives (Windows 7)

Scenario 15: Using the BitLocker Active Directory Recovery Password Viewer to View Recovery Passwords

Scenario 16: Using the BitLocker Repair Tool to Recover a Drive


Chapter 1


BitLocker Drive Encryption Step-by-Step Guide for Windows 7

Updated: September 18, 2009

Applies To: Windows 7

This step-by-step guide provides the instructions you need to use BitLocker™ Drive Encryption in a Windows® 7 test environment. We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows 7 operating system features without accompanying documentation and should be used with discretion as a stand-alone document.

What is BitLocker Drive Encryption?

BitLocker Drive Encryption is an integral security feature in the Windows 7 operating system that helps protect data stored on fixed and removable data drives and the operating system drive. BitLocker helps protect against "offline attacks," which are attacks made by disabling or circumventing the installed operating system or made by physically removing the hard drive to attack the data separately. For fixed and removable data drives, BitLocker helps ensure that users can read the data on the drive and write data to the drive only when they have either the required password, smart card credentials, or are using the data drive on a BitLocker-protected computer that has the proper keys. If your organization includes computers running previous versions of Windows, the BitLocker To Go™ Reader can be used to allow those computers to read BitLocker-protected removable drives.

BitLocker protection on operating system drives supports two-factor authentication by using a Trusted Platform Module (TPM) along with a personal identification number (PIN) or startup key as well as single-factor authentication by storing a key on a USB flash drive or just using the TPM. Using BitLocker with a TPM provides enhanced protection for your data and helps assure early boot component integrity. This option requires that the computer have a compatible TPM microchip and BIOS. A compatible TPM is defined as a version 1.2 TPM. A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group. For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group Web site [1] (http://go.microsoft.com/fwlink/?LinkId=72757).

The TPM interacts with BitLocker operating system drive protection to help provide protection at system startup. This is not visible to the user, and the user logon experience is unchanged. However, if the startup information has changed, BitLocker will enter recovery mode, and you will need a recovery password or recovery key to regain access to the data.

In this guide

The purpose of this guide is to help IT professionals become familiar with the BitLocker Drive Encryption feature of Windows 7. These steps are for testing only. This guide should not be the only resource you use to deploy Windows Server® 2008 R2 or Windows 7 features. Review the following sections to familiarize yourself with the basic information and procedures that you need to start configuring and deploying BitLocker in your organization.

Scenario 1: Turning On BitLocker Drive Encryption on an Operating System Drive (Windows 7) [2]

Scenario 2: Turning On BitLocker Drive Encryption on a Fixed or Removable Data Drive (Windows 7) [3]

Scenario 3: Upgrading a BitLocker-Protected Computer from Windows Vista to Windows 7 (Windows 7) [4]

Scenario 4: Configuring How BitLocker Is Supported on Previous Versions of Windows (Windows 7) [5]

Scenario 5: Requiring BitLocker Protection on Data Drives (Windows 7) [6]

Scenario 6: Specifying How to Unlock BitLocker-Protected Operating System Drives (Windows 7) [7]

Scenario 7: Specifying How to Unlock BitLocker-Protected Fixed or Removable Data Drives (Windows 7) [8]

Scenario 8: Specifying How BitLocker-Protected Drives Can Be Recovered (Windows 7) [9]

Scenario 9: Configuring the Encryption Method and Cipher Strength (Windows 7) [10]

Scenario 10: Configuring the BitLocker Identification Field (Windows 7) [11]

Scenario 11: Recovering Data Protected by BitLocker Drive Encryption (Windows 7) [12]

Scenario 12: Turning Off BitLocker Drive Encryption (Windows 7) [13]

Scenario 13: Locking a Data Drive with a Smart Card (Windows 7) [14]

Scenario 14: Using a Data Recovery Agent to Recover BitLocker-Protected Drives (Windows 7) [15]

Scenario 15: Using the BitLocker Active Directory Recovery Password Viewer to View Recovery Passwords [16]

Scenario 16: Using the BitLocker Repair Tool to Recover a Drive [17]

Requirements for BitLocker Drive Encryption

The hardware and software requirements for BitLocker are:

A computer running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2.

Windows Server 2008 R2 includes BitLocker Drive Encryption as an optional feature.

A computer that meets the minimum requirements for Windows 7 or Windows Server 2008 R2.

A TPM microchip, version 1.2, turned on for use with BitLocker on operating system drives is recommended for validation of early boot components and storage of the BitLocker master key. If the computer does not have a TPM, a USB flash drive may be used to store the BitLocker key.


A Trusted Computing Group (TCG)-compliant BIOS for use with BitLocker on operating system drives.

A BIOS setting to start up first from the hard drive, not the USB or CD drives.

For any scenario that includes using a USB flash drive to provide a BitLocker key (such as a startup key or a recovery key), your BIOS must support reading USB flash drives at startup.

We strongly recommend that you do not run a kernel debugger while BitLocker is enabled, because encryption keys and other sensitive data can be accessed with the debugger. However, you can enable kernel debugging before you enable BitLocker. If you enable kernel debugging or boot debugging (kernel debugging with the bcdedit /debug option) after you have enabled BitLocker, the system will automatically start the recovery process every time you restart the computer.
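As an added example (not part of the Microsoft guide), the following PowerShell script checks the requirements listed above on a Windows 7 or Windows Server 2008 R2 computer through WMI: the edition, the TPM (specification version, enabled, activated, owned), the system partition, and the current BitLocker state of every volume. The WMI classes and properties are the standard Windows ones; the 200 MB free-space threshold for the system partition is the figure given in Scenario 1 of this guide, and the assumption that the system partition is the volume reporting SystemVolume but not BootVolume is mine.

```powershell
# Added example (not from the Microsoft guide): pre-flight check of the
# BitLocker requirements on Windows 7 / Windows Server 2008 R2 via WMI.
# Run from an elevated PowerShell prompt (the TPM namespace needs admin rights).

function Test-BitLockerPrerequisites {
    $r = New-Object PSObject

    # Edition: BitLocker ships only with Windows 7 Enterprise/Ultimate and Server 2008 R2.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $r | Add-Member NoteProperty Edition   $os.Caption
    $r | Add-Member NoteProperty EditionOk ($os.Caption -match 'Enterprise|Ultimate|Server 2008 R2')

    # TPM 1.2, enabled and activated, via the Win32_Tpm class.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $enabled   = $tpm.IsEnabled().IsEnabled
        $activated = $tpm.IsActivated().IsActivated
        $r | Add-Member NoteProperty TpmPresent   $true
        $r | Add-Member NoteProperty TpmSpec      $tpm.SpecVersion      # e.g. "1.2, 2, 3"
        $r | Add-Member NoteProperty TpmEnabled   $enabled
        $r | Add-Member NoteProperty TpmActivated $activated
        $r | Add-Member NoteProperty TpmOwned     $tpm.IsOwned().IsOwned
        $r | Add-Member NoteProperty TpmOk        (($tpm.SpecVersion -like '1.2*') -and $enabled -and $activated)
    } else {
        # No TPM: only the "Startup key only" method on a USB flash drive remains, and it
        # must be allowed by the "Allow BitLocker without a compatible TPM" policy setting.
        $r | Add-Member NoteProperty TpmPresent $false
        $r | Add-Member NoteProperty TpmOk      $false
    }

    # System partition (no drive letter on a default Windows 7 layout). Assumption: it is the
    # volume flagged SystemVolume but not BootVolume. The guide wants >= 200 MB free on it so
    # the Windows Recovery Environment can stay alongside the BitLocker files.
    $sys = Get-WmiObject -Class Win32_Volume |
        Where-Object { $_.SystemVolume -and -not $_.BootVolume } | Select-Object -First 1
    if ($sys) {
        $freeMb = [math]::Round($sys.FreeSpace / 1MB)
        $r | Add-Member NoteProperty SystemPartitionMB     ([math]::Round($sys.Capacity / 1MB))
        $r | Add-Member NoteProperty SystemPartitionFreeMB $freeMb
        $r | Add-Member NoteProperty SystemPartitionOk     ($freeMb -ge 200)
    } else {
        # Single-partition layout: the BitLocker wizard will shrink the OS drive and create one.
        $r | Add-Member NoteProperty SystemPartitionOk $false
    }

    # Current BitLocker state of every volume, for the before/after record.
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown. ConversionStatus: 0 = fully decrypted,
    # 1 = fully encrypted, 2/3 = encryption/decryption in progress, 4/5 = paused.
    $vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    $r | Add-Member NoteProperty Volumes (@($vols | ForEach-Object {
        $cs = $_.GetConversionStatus()
        '{0} protection={1} conversion={2} {3}%' -f $_.DriveLetter, $_.ProtectionStatus,
            $cs.ConversionStatus, $cs.EncryptionPercentage
    }))
    return $r
}

Test-BitLockerPrerequisites | Format-List
```

Run it before and after turning on BitLocker: the first run tells you whether a TPM-based protector is even an option on the computer, the second confirms that the operating system drive reports protection on and conversion complete rather than paused.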

Additional resources

For help with BitLocker Drive Encryption, choose one of the support options listed on the Microsoft Help and Support Web site [18] (http://go.microsoft.com/fwlink/?LinkId=76619).

For additional documentation about BitLocker, see BitLocker Drive Encryption [19] (http://go.microsoft.com/fwlink/?LinkId=76553).

For more information about User Account Control, see User Account Control [20] (http://go.microsoft.com/fwlink/?LinkId=66018).

Links Table

[1] http://go.microsoft.com/fwlink/?LinkId=72757

[2] http://technet.microsoft.com/en-us/library/ee424299(v=ws.10).aspx

[3] http://technet.microsoft.com/en-us/library/ee424323(v=ws.10).aspx

[4] http://technet.microsoft.com/en-us/library/ee424325(v=ws.10).aspx

[5] http://technet.microsoft.com/en-us/library/ee424310(v=ws.10).aspx

[6] http://technet.microsoft.com/en-us/library/ee424316(v=ws.10).aspx

[7] http://technet.microsoft.com/en-us/library/ee424319(v=ws.10).aspx

[8] http://technet.microsoft.com/en-us/library/ee424320(v=ws.10).aspx

[9] http://technet.microsoft.com/en-us/library/ee424303(v=ws.10).aspx

[10] http://technet.microsoft.com/en-us/library/ee424301(v=ws.10).aspx

[11] http://technet.microsoft.com/en-us/library/ee424309(v=ws.10).aspx

[12] http://technet.microsoft.com/en-us/library/ee424308(v=ws.10).aspx

[13] http://technet.microsoft.com/en-us/library/ee424315(v=ws.10).aspx

[14] http://technet.microsoft.com/en-us/library/ee424307(v=ws.10).aspx

[15] http://technet.microsoft.com/en-us/library/ee424312(v=ws.10).aspx

[16] http://technet.microsoft.com/en-us/library/ee523220(v=ws.10).aspx

[17] http://technet.microsoft.com/en-us/library/ee523219(v=ws.10).aspx

[18] http://go.microsoft.com/fwlink/?LinkId=76619

[19] http://go.microsoft.com/fwlink/?LinkId=76553

[20] http://go.microsoft.com/fwlink/?LinkId=66018


Scenario 1: Turning On BitLocker Drive Encryption on an Operating System Drive (Windows 7)

Updated: August 9, 2010

Applies To: Windows 7

This scenario provides the procedure for turning on BitLocker Drive Encryption protection on an operating system drive of a computer with a TPM. After the drive is encrypted, the user logs on to the computer normally.

Before you start

To complete the procedure in this scenario:

You must be able to provide administrative credentials.

You must be able to configure a printer if you want to print the recovery key.

Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive Encryption Step-by-Step Guide for Windows 7 [1].

To turn on BitLocker Drive Encryption on an operating system drive

1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

2. Click Turn On BitLocker for the operating system drive. BitLocker will scan your computer to make sure that it meets the BitLocker system requirements. If your computer meets the requirements, BitLocker will inform you of the next steps that need to be taken to turn on BitLocker, such as drive preparation, turning on the TPM, and encrypting the drive.

If you have a single partition for your operating system drive, BitLocker will prepare the drive by shrinking the operating system drive and creating a new system partition to use for system files that are required to start or recover the operating system and that cannot be encrypted. This drive will not have a drive letter to help prevent the storing of data files on this drive inadvertently. After the drive is prepared, the computer must be restarted.

If your TPM is not initialized, the BitLocker setup wizard will instruct you to remove any CDs, DVDs, or USB drives from the computer and restart the computer to begin the process of turning on the TPM. You will either be prompted to enable the TPM before the operating system boots or in some cases you will need to navigate to the BIOS options and enable the TPM manually. This behavior depends on the BIOS of the computer. After you confirm that you want the TPM enabled, the operating system will start and the Initializing the TPM security hardware progress indicator will be displayed.

If your computer does not have a TPM, you can still use BitLocker, but you will be using the Startup key only authentication method. All of the required encryption key information is stored on a USB flash drive, which the user must insert into the computer during startup. The key stored on the USB flash drive unlocks the computer. Using a TPM is recommended because it helps protect against attacks made against the computer's critical startup process. Using the Startup key only method only encrypts the drive; it does not provide any validation of the early boot components or hardware tampering. To use this method, your computer must support the reading of USB devices in the preboot environment and you must enable this authentication method by selecting the check box Allow BitLocker without a compatible TPM in the Group Policy setting Require additional authentication at startup, which is located in the following location in the Local Group Policy Editor: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

If you have configured the Group Policy settings in your organization to back up BitLocker and TPM recovery information to Active Directory® Domain Services (AD DS), the computer must be able to connect to the domain to complete this process.

3. After the TPM is initialized, the BitLocker setup wizard prompts you to choose how to store the recovery key. You can choose from the following options:

Save the recovery key to a USB flash drive. Saves the recovery key to a USB flash drive.

Save the recovery key to a file. Saves the recovery key to a network drive or other location.

Print the recovery key. Prints the recovery key.

Use one or more of these options to preserve the recovery key. For each option that you select, follow the wizard steps to set the location for saving or printing the recovery key. When you have finished saving the recovery key, click Next.

The recovery key is required if the encrypted drive is moved to another computer or changes are made to the system startup information. This recovery key is so important that it is recommended that you make additional copies of the key and store the key in safe places so that you can readily find the key if needed to recover access to the drive. You will need your recovery key to unlock the encrypted data on the drive if BitLocker enters a locked state. This recovery key is unique to this particular drive. You cannot use it to recover encrypted data from any other BitLocker-protected drive.

For maximum security, you should store recovery keys apart from the computer.

4. The BitLocker setup wizard asks if you are ready to encrypt the drive. Confirm that the Run BitLocker system check check box is selected, and then click Continue.

5. Confirm that you want to restart the computer by clicking Restart now. The computer restarts, and BitLocker checks if the computer meets BitLocker requirements and is ready for encryption. If it is not, you will see an error message alerting you to the problem after you have logged on.


One of the items that BitLocker checks is the configuration of the system partition. BitLocker requires a minimum system partition size of 100 MB, and the Windows Recovery Environment requires 200 MB. When the operating system is installed, the system partition is automatically created by the setup process with a default size of 300 MB. However, this default partition size can be changed by computer manufacturers or system administrators when they install the operating system. If the system partition is exactly 100 MB, BitLocker setup assumes that you have a Windows Recovery DVD for use with your computer and the system check is completed without any errors. However, if you have a system partition size between 101 MB and 299 MB, the following error message will be displayed: "You will no longer be able to use Windows Recovery Environment unless it is manually enabled and moved to the system drive." If you have a Windows 7 DVD that contains the Windows Recovery Environment or you have another system recovery process in place, you may disregard this message and continue with BitLocker setup. Otherwise, you should check your system partition and verify that you have at least 200 MB of free space on your system partition so that the Windows Recovery Environment can be retained on the system drive along with the BitLocker Recovery Environment and other files that BitLocker requires to unlock the operating system drive. For more information about the Windows Recovery Environment, see Windows Recovery Environment [2].

6. If it is ready for encryption, the Encrypting status bar is displayed, which shows the progress of the drive encryption. You can monitor the ongoing completion status of the disk drive encryption by moving the mouse pointer over the BitLocker Drive Encryption icon in the notification area, at the far right of the taskbar. Encrypting the drive will take some time. You can use your computer during encryption, but performance might be slower. A completion message is displayed when encryption is finished.

By completing this procedure, you have encrypted the operating system drive and created a recovery key that is unique to this drive. The next time you log on, you will see no change. If the TPM ever changes or cannot be accessed, if there are changes to key system files, or if someone tries to start the computer from a disk to circumvent the operating system, the computer will switch to recovery mode and prevent Windows from starting.
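The same procedure can be scripted with the manage-bde.exe command-line tool that ships with Windows 7, which matters when you want the recovery password archived before encryption starts rather than left to the user. The following PowerShell script is an added example, not part of the Microsoft guide: $OsDrive and the $KeyArchive share path are placeholders, and the mapping of each command to the wizard steps above is mine.

```powershell
# Added example (not from the Microsoft guide): turn on BitLocker on the operating
# system drive with a TPM protector and a recovery password using manage-bde.exe.
# Run from an elevated PowerShell prompt. Placeholders: $OsDrive, $KeyArchive.
param(
    [string]$OsDrive    = 'C:',
    [string]$KeyArchive = '\\fileserver\bitlocker-keys$'   # placeholder: a restricted share, never the local disk
)

function Invoke-ManageBde {
    # Runs manage-bde with the given arguments and stops the script on a non-zero exit code,
    # so a failed protector add never leads to an unrecoverable encrypted drive.
    param([string[]]$Arguments)
    $out = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed:`n$($out -join "`n")"
    }
    return $out
}

# Step 2 equivalent: the status output shows whether the drive is still fully decrypted
# and whether the TPM is ready for use with this drive.
Invoke-ManageBde @('-status', $OsDrive)

# Step 3 equivalent: key protectors. The TPM protector ties unlocking to the early-boot
# measurements; the recovery password is the 48-digit code the wizard asks you to save or print.
Invoke-ManageBde @('-protectors', '-add', $OsDrive, '-tpm')
Invoke-ManageBde @('-protectors', '-add', $OsDrive, '-recoverypassword')

# "Save the recovery key to a file": write the protector listing (it contains the recovery
# password) to the archive share, apart from the computer as the guide recommends.
$listing = Invoke-ManageBde @('-protectors', '-get', $OsDrive, '-type', 'recoverypassword')
$file = Join-Path $KeyArchive ('{0}-{1}.txt' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmm'))
$listing | Out-File -FilePath $file -Encoding ASCII

# AD DS backup, for organizations whose policy stores recovery information in the domain:
# -adbackup takes the protector ID printed in the listing, and needs domain connectivity.
$ids = $listing | Select-String -Pattern 'ID:\s*(\{[0-9A-Fa-f-]+\})' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
foreach ($id in $ids) {
    Invoke-ManageBde @('-protectors', '-adbackup', $OsDrive, '-id', $id)
}

# Steps 4 to 6 equivalent: start encryption. manage-bde does not run the wizard's
# "Run BitLocker system check" reboot test, so confirm TPM/BIOS readiness beforehand.
Invoke-ManageBde @('-on', $OsDrive)
Invoke-ManageBde @('-status', $OsDrive)
```

Adding the protectors before -on is deliberate: if the recovery password cannot be written to the archive (share offline, permission denied), the script stops before any encryption has started and the drive is left untouched.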

Links Table

[1] http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx

[2] http://technet.microsoft.com/en-us/library/dd744536(v=ws.10).aspx


Scenario 2: Turning On BitLocker Drive Encryption on a Fixed or Removable Data Drive (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

This scenario provides the procedure for turning on BitLocker Drive Encryption protection on a fixed or removable data drive on a computer.

When encrypting a removable drive, do not suddenly remove the drive. If you need to remove a drive before encryption is complete, pause the encryption process and then use either the Safely Remove Hardware icon from the notification area or the Eject command from Windows Explorer to remove the drive. Removing the drive during the encryption process without pausing and intentionally removing the device can cause the data on the drive to be corrupted.

Before you start

To complete the procedure in this scenario:

You must be able to provide administrative credentials to turn on BitLocker for fixed data drives. Standard user accounts can turn on BitLocker To Go on removable data drives.

You must be able to configure a printer if you want to print the recovery key.

Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive Encryption Step-by-Step Guide for Windows 7 [1].

To turn on BitLocker Drive Encryption on a fixed or removable data drive

1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

2. Click Turn On BitLocker for the fixed or removable data drive that you want to encrypt.

If you have configured the Group Policy settings in your organization to back up BitLocker recovery information to Active Directory Domain Services (AD DS), the computer must be able to connect to the domain to complete this process.

3. The BitLocker setup wizard will ask you how you want to unlock this drive. Fixed data drives can be configured to automatically unlock when the operating system drive is encrypted, to unlock after a password is supplied, or to unlock after a smart card is inserted. Removable data drives can be configured to unlock after a password is supplied or to unlock after a smart card is inserted. If you want the removable data drive to automatically unlock, you can specify that option after encryption has occurred by clicking Manage BitLocker from the BitLocker Drive Encryption Control Panel item or by selecting the Automatically unlock on this computer from now on check box when you unlock the drive.

4. Before BitLocker encrypts the drive, the BitLocker setup wizard prompts you to choose how to store the recovery key. You can choose from the following options:

Save the recovery key to a USB flash drive. Saves the recovery key to a USB flash drive. This option cannot be used with removable drives.

Save the recovery key to a file. Saves the recovery key to a network drive or other location.

Print the recovery key. Prints the recovery key.

Use one or more of these options to preserve the recovery key. For each option that you select, follow the wizard steps to set the location for saving or printing the recovery key. When you have finished saving the recovery key, click Next.

The recovery key is required when a BitLocker-protected fixed data drive configured for automatic unlocking is moved to another computer, or the password or smart card associated with unlocking the fixed or removable drive is not available, such as when a password is forgotten or a smart card is lost. You will need your recovery key to unlock the encrypted data on the drive if BitLocker enters a locked state. This recovery key is unique to this particular drive. You cannot use it to recover encrypted data from any other BitLocker-protected drive.

For maximum security, you should store recovery keys apart from the drives they are associated with.

5. The BitLocker setup wizard asks if you are ready to encrypt the drive. Click Start Encrypting.

6. The Encrypting status bar is displayed. You can monitor the ongoing completion status of the drive encryption by moving the mouse pointer over the BitLocker Drive Encryption icon in the notification area, at the far right of the taskbar.

By completing this procedure, you have encrypted a fixed or removable data drive, associated a key protector with an unlock method for the drive, and created a recovery key that is unique to this drive.
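The data-drive procedure can also be driven with manage-bde.exe. The following PowerShell script is an added example, not part of the Microsoft guide; $DataDrive and the output path for the recovery listing are placeholders, and the step mapping is mine. It uses a password protector (the interactive -password prompt, so the password never appears on a command line) plus a recovery password, and enables automatic unlocking only for fixed drives, matching step 3 above.

```powershell
# Added example (not from the Microsoft guide): protect a fixed or removable data
# drive with a password and a recovery password using manage-bde.exe (Windows 7).
# Placeholders: $DataDrive and the recovery listing path.
param(
    [string]$DataDrive = 'E:',
    [switch]$Removable
)

function Invoke-ManageBde {
    param([string[]]$Arguments)
    $out = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed:`n$($out -join "`n")"
    }
    return $out
}

# Step 3 equivalent: the unlock method. -password prompts for the password interactively
# (and confirms it); a smart card would be a -certificate protector instead.
Invoke-ManageBde @('-protectors', '-add', $DataDrive, '-password')

# Step 4 equivalent: a recovery password for the forgotten-password / lost-card case.
# The listing is written apart from the drive it belongs to, as the guide recommends.
Invoke-ManageBde @('-protectors', '-add', $DataDrive, '-recoverypassword')
$recoveryFile = Join-Path $env:USERPROFILE ('Documents\{0}-recovery.txt' -f $DataDrive.TrimEnd(':'))   # placeholder path
Invoke-ManageBde @('-protectors', '-get', $DataDrive, '-type', 'recoverypassword') |
    Out-File -FilePath $recoveryFile -Encoding ASCII

# Steps 5 and 6 equivalent: start encryption. Do not pull a removable drive while this runs;
# pause with "manage-bde -pause" first if it must be removed.
Invoke-ManageBde @('-on', $DataDrive)

if (-not $Removable) {
    # Fixed drive: unlock automatically on this computer. manage-bde refuses this unless the
    # operating system drive is itself BitLocker-protected, because the auto-unlock key is
    # stored on that drive; that is the dependency step 3 describes.
    Invoke-ManageBde @('-autounlock', '-enable', $DataDrive)
} else {
    # Removable drive: auto-unlock is chosen later, via the "Automatically unlock on this
    # computer from now on" check box when the drive is unlocked, or -autounlock -enable
    # once it is unlocked on this computer.
    'Removable drive {0}: auto-unlock left for the user to choose at unlock time' -f $DataDrive
}

Invoke-ManageBde @('-status', $DataDrive)
```

Note the difference from the operating-system-drive case: there is no TPM protector here, so the security of the drive rests entirely on the password strength and on the recovery listing being stored somewhere the drive's thief cannot also reach.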

Links Table

[1] http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx


Scenario 3: Upgrading a BitLocker-Protected Computer from Windows Vista to Windows 7 (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

This scenario describes the process of upgrading a BitLocker-protected computer from Windows Vista to Windows 7.

Before you start

To complete the procedure in this scenario:

You must be able to provide administrative credentials.

The operating system drive must be BitLocker-protected.

To manually upgrade BitLocker Drive Encryption

1. On a computer running Windows Vista, click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.

2. Click Turn Off BitLocker, and then select the Disable BitLocker check box. Do not decrypt the drive.

3. Install Windows 7 on the same drive.

4. After Windows 7 is installed, click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

Click Resume Protection. Your operating system drive is now protected with BitLocker. If you want to use the new recovery key protection option (data recovery agents), you must also upgrade the BitLocker version information stored in the BitLocker metadata to the Windows 7 version. This is accomplished by using the Manage-bde.exe command-line tool.

5. To upgrade the BitLocker metadata so that you can use the new Windows 7 BitLocker features, click Start, click All Programs, click Accessories, right-click Command Prompt, and click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. At the command prompt, type the following command, replacing Volume with the appropriate drive letter:

manage-bde.exe -upgrade Volume:

By completing this procedure, you have upgraded BitLocker from the Windows Vista version to the Windows 7 version.


Scenario 4: Configuring How BitLocker Is Supported on Previous Versions of Windows (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

This scenario provides procedures to use the Windows 7 Group Policy settings to control the use of BitLocker on computers running Windows Vista or Windows Server 2008.

Before you start

To complete the procedure in this scenario:

You must be able to provide administrative credentials.

Your computer must be part of a domain.

To configure how BitLocker is supported on previous versions of Windows

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Operating System Drives.

4. To use multifactor authentication methods or to allow BitLocker to be used on computers without a TPM, in the details pane, double-click Require additional authentication at startup (Windows Server 2008 and Windows Vista) to open the policy setting.

5. Click Enabled, and then select the startup authentication methods that you want to support on computers running Windows Vista and Windows Server 2008 in your organization. This policy setting provides the following authentication methods:

Allow BitLocker without a compatible TPM. This check box enables BitLocker to be used on computers that do not have a TPM hardware chip. In this situation, a USB flash drive must be used that will store the encryption key for the drive.

Configure TPM startup key. This option can be used to require that a USB key be used in addition to the TPM to protect the drive. To unlock the drive, the USB key must be present. The BIOS of the computer needs to be able to read data from a USB drive before starting the operating system. If you do not want users to be able to use USB keys with BitLocker or if you will require that users type a PIN to unlock BitLocker-protected operating system drives, select Do not allow startup key with TPM.

Configure TPM startup PIN. This option can be used to require that a PIN be used in addition to the TPM to protect the drive. To unlock the drive, the PIN must be entered by the user. If you do not want users to be able to use PINs with BitLocker or if you will require that users insert USB keys to unlock BitLocker-protected operating system drives, select Do not allow startup PIN with TPM.

After you have made your choices, click Apply to apply the settings, and then close the dialog box.

6. To configure Active Directory recovery options for computers running Windows Vista or Windows Server 2008 in your organization, in the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click BitLocker Drive Encryption to show the global policy settings.

7. To store recovery information in Active Directory Domain Services (AD DS), in the details pane, double-click the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting, click Enabled, and then select the Require BitLocker backup to AD DS check box. When this check box is selected, BitLocker will verify the presence of a domain controller before encrypting the drive. If the domain controller cannot be found, the user will not be able to turn on BitLocker.

After making this selection, you must choose the recovery information to back up. You can choose to back up only recovery passwords or you can choose to back up recovery passwords and key packages. Key packages are necessary if you need to recover a drive that has been damaged in such a way that the encryption key is no longer readable by BitLocker recovery.

After you have made your choices, click Apply to apply the settings, and then close the dialog box.

8. To configure local computer recovery options for computers running Windows Vista or Windows Server 2008 in your organization, double-click the Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) policy setting, and then click Enabled.

You can then configure whether the user is allowed to select the BitLocker-generated 48-digit recovery password or select the 256-bit recovery key as the recovery method when they turn on BitLocker. By default, both options are allowed when this setting is disabled or not configured. The BitLocker recovery key is saved as a key when written to a USB drive or is saved as a password when saved to a file or printed. This policy setting should be enabled if you want to require the use of one recovery method and prevent the use of another method. If you want recovery to occur only by administrators who can read the recovery password from AD DS, you can disallow the use of both of these methods after you have configured the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting.

After you have made your choices, click Apply to apply the settings, and then close the dialog box.

9. To control whether computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) can access removable drives protected by the Windows 7 version of BitLocker, in the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data Drives, and then in the details pane, double-click the Allow access to BitLocker-protected removable data drives from earlier versions of Windows policy setting.

By default when a removable drive is protected with BitLocker, the BitLocker To Go Reader is copied to the drive, providing read-only access when the drive is accessed from computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, if the user has the required password to unlock the drive. To require that the computer that opens the drive be running either Windows 7 or have the BitLocker To Go Reader installed, click Enabled, and select the Do not install BitLocker To Go Reader on FAT formatted removable drives check box. If you do not want computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2 to be used to read BitLocker-protected, FAT-formatted removable drives, click Disabled.

After you have made your choices, click Apply to apply the settings, and then close the dialog box.

Note: A similar policy setting is available for use with fixed data drives.

10. Close the Local Group Policy Editor.

11. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.

By completing this procedure, you have set policy to control the use of BitLocker on computers running Windows Vista or Windows Server 2008 in your organization.


Scenario 5: Requiring BitLocker Protection on Data Drives (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

This scenario describes how to configure Windows 7 Group Policy settings to require that fixed data drives be BitLocker-protected and that BitLocker To Go be used with removable data drives before data can be written to the drive.

Before you start

To complete the procedure in this scenario:

You must be able to provide administrative credentials.

To require BitLocker protection on data drives before permitting data to be saved on them

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Fixed Data Drives.

4. To require BitLocker protection on fixed data drives before allowing users to save data to them, in the details pane, double-click Deny write access to fixed drives not protected by BitLocker to open the policy setting.

5. Click Enabled, click Apply to apply the setting, and then close the dialog box.

6. Restart the computer.

7. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

8. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

9. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data Drives.

10. To require the use of BitLocker To Go on removable data drives before allowing users to save data to them, in the details pane, double-click Deny write access to removable drives not protected by BitLocker to open the policy setting.

11. Click Enabled, click Apply to apply the setting, and then close the dialog box.

Note: Enabling this policy setting means that you cannot support the use of startup keys, recovery keys, or BitLocker protection of operating system drives without a TPM because these features require an unencrypted removable data drive on which to store the BitLocker key.

12. Close the Local Group Policy Editor.

13. If any removable drives are inserted in the computer when this policy setting is enabled, they must be removed and reinserted before this policy setting is applied to them.

By completing this procedure, you have specified Group Policy settings to require that fixed data drives be BitLocker-protected and that BitLocker To Go be used with removable data drives before data can be written to the drive. If users attempt to write data to a drive that is not protected by BitLocker, they will be prompted to turn on BitLocker.


Scenario 6: Specifying How to Unlock BitLocker-Protected Operating System Drives (Windows 7)

Updated: August 26, 2008

Applies To: Windows 7

This scenario describes how you can use Group Policy settings to control which unlock methods can be used with operating system drives in your organization. By default, a TPM is required to turn on BitLocker and no additional unlock methods are required. If you want to use BitLocker without a TPM or to require an additional authentication method with the TPM, use the steps in this scenario to configure the settings to support those unlock methods.

Before you start

To complete the procedure in this scenario:

You must be able to provide administrative credentials.

To specify how to unlock BitLocker-protected operating system drives

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Operating System Drives.

4. To configure authentication methods in addition to the TPM, in the details pane, double-click Require additional authentication at startup to open the policy setting, and then click Enabled.

5. To support BitLocker on computers running Windows 7 that do not have a TPM, select the Allow BitLocker without a compatible TPM check box.

6. To configure operating system drive startup options for computers with a TPM, the following options are available:

Configure TPM startup. You can choose to allow, require, or not allow the use of the TPM with BitLocker.

Configure TPM startup PIN. You can choose to allow, require, or not allow the use of the TPM in combination with a PIN with BitLocker.

Configure TPM startup key. You can choose to allow, require, or not allow the use of the TPM in combination with a key stored on a removable device, such as a USB flash drive, with BitLocker.

Configure TPM startup key and PIN. You can choose to allow, require, or not allow the use of the TPM in combination with both a key stored on a removable device, such as a USB flash drive, and a PIN with BitLocker.

If you choose to require a startup option, the other startup options must be disallowed.

If you require removable drives to be BitLocker-protected, you cannot use a startup key with your operating system drive.

If you require the use of a TPM, a startup key, and a PIN to unlock the operating system drive, you must use the Manage-bde.exe command-line tool to choose that authentication method and enable BitLocker. Use the following command to add the TPM, PIN, and startup key authentication method, replacing VolumeName with the drive letter of the operating system drive and RemovableDriveLetter with the letter of the removable drive where you will be storing the startup key:

manage-bde -protectors -add -tpsk VolumeName: -tsk RemovableDriveLetter:

Use the following command to turn on BitLocker and encrypt the drive, replacing VolumeName with the drive letter of the operating system drive:

manage-bde -on VolumeName:

7. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

8. If you are using PINs for authentication along with the TPM, you may want to enable the use of enhanced PINs to allow for increased complexity of PINs. Enhanced PINs support the use of characters, including uppercase and lowercase letters, symbols, numbers, and spaces. Not all computers support these characters before the operating system starts, so we recommend that users perform a system check during BitLocker setup to verify that their computer will support the BitLocker settings they have selected before encrypting the drive. Double-click the Allow enhanced PINs for startup policy setting, and click Enabled to provide the option of using enhanced PINs with BitLocker-protected operating system drives. If this policy setting is disabled or not configured, enhanced PINs cannot be used.

9. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

10. Close the Local Group Policy Editor.

11. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.

By completing this procedure, you have configured Group Policy settings to control which unlock methods can be used with operating system drives in your organization.
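As an added example (not code from the Microsoft guide), the following PowerShell script reads the startup authentication policy configured in this scenario, checks the two rules stated above (a required option means the other options must be disallowed, and write-denied removable drives rule out a startup key) and then prints, or with -Apply runs, the two manage-bde commands for the TPM, PIN and startup key method. The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE and the -Apply switch are assumptions of this example; verify the value names against gpedit.msc on your own build.

```powershell
# Added example, not part of the Microsoft guide.
# Assumption: "Require additional authentication at startup" is stored by the
# VolumeEncryption ADMX template under HKLM\SOFTWARE\Policies\Microsoft\FVE as
# UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey and
# UseTPMKeyPIN (0 = Do not allow, 1 = Require, 2 = Allow); "Deny write access
# to removable drives not protected by BitLocker" as RDVDenyWriteAccess.
param(
    [string]$VolumeName = "C",             # operating system drive letter
    [string]$RemovableDriveLetter = "E",   # drive that will hold the startup key
    [switch]$Apply                         # print the commands only unless -Apply is given
)

$fvePath = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$policy  = Get-ItemProperty -Path $fvePath -ErrorAction SilentlyContinue

if ($policy -eq $null -or $policy.UseAdvancedStartup -ne 1) {
    Write-Output "Policy not enabled: defaults apply (TPM required, no additional unlock method)."
    return
}

$labels  = @{ 0 = "Do not allow"; 1 = "Require"; 2 = "Allow" }
$options = @{
    "UseTPM"       = "Configure TPM startup"
    "UseTPMPIN"    = "Configure TPM startup PIN"
    "UseTPMKey"    = "Configure TPM startup key"
    "UseTPMKeyPIN" = "Configure TPM startup key and PIN"
}

$requiredCount = 0
$permitted = @{}                     # option name -> $true when Allow or Require
foreach ($name in $options.Keys) {
    $value = $policy.$name
    if ($value -eq $null) { Write-Warning "$name is not set in the policy"; continue }
    Write-Output ("{0,-36} {1}" -f $options[$name], $labels[[int]$value])
    if ($value -eq 1) { $requiredCount++ }
    $permitted[$name] = ($value -eq 1 -or $value -eq 2)
}

# Rule from the scenario: if one startup option is required, the others must be
# set to "Do not allow".
if ($requiredCount -gt 1) {
    Write-Warning "More than one startup option is set to Require; BitLocker cannot satisfy this combination."
}
elseif ($requiredCount -eq 1) {
    $stillAllowed = @($permitted.Keys | Where-Object { $policy.$_ -eq 2 })
    if ($stillAllowed.Count -gt 0) {
        Write-Warning ("One option is required but these are still allowed: {0}" -f ($stillAllowed -join ", "))
    }
}

# Rule from the scenario: a startup key needs an unencrypted removable drive,
# which the removable-drive write-deny policy forbids.
if ($policy.RDVDenyWriteAccess -eq 1 -and ($permitted["UseTPMKey"] -or $permitted["UseTPMKeyPIN"])) {
    Write-Warning "Startup keys are permitted, but unprotected removable drives are write-denied; the key cannot be stored."
}

Write-Output ("Allow BitLocker without a compatible TPM: {0}" -f ($policy.EnableBDEWithNoTPM -eq 1))

if (-not $permitted["UseTPMKeyPIN"]) {
    Write-Output "TPM + PIN + startup key is not permitted by policy; nothing to run."
    return
}

# The two commands given in the scenario; manage-bde must run from an elevated
# prompt, and the first one prompts for the PIN.
$commands = @(
    "manage-bde -protectors -add -tpsk ${VolumeName}: -tsk ${RemovableDriveLetter}:",
    "manage-bde -on ${VolumeName}:"
)
foreach ($cmd in $commands) {
    Write-Output $cmd
    if ($Apply) {
        Invoke-Expression $cmd
        if ($LASTEXITCODE -ne 0) { Write-Error "manage-bde failed with exit code $LASTEXITCODE"; return }
    }
}
```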


Scenario 7: Specifying How to Unlock BitLocker-Protected Fixed or Removable Data Drives (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

In this scenario, you will determine which unlock methods for fixed and removable drives can be used by configuring the appropriate Group Policy settings.

Before you start

To complete the procedures in this scenario:

You must be able to provide administrative credentials.

Your test computer must be part of a domain if you want to test password complexity requirements.

You must have separate fixed data drives and removable drives available.

You must boot from a BitLocker-protected operating system drive to use the automatic unlock method with fixed data drives.

You must have deployed a public key infrastructure (PKI) architecture for use with smart cards.

Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive Encryption Step-by-Step Guide for Windows 7 [1].

If BitLocker is enabled on the operating system drive, when you turn on BitLocker for a fixed data drive, you will have the option of allowing the drive to be automatically unlocked when the operating system drive is unlocked. The following procedure assumes that the fixed data drive was BitLocker-protected previously and the automatic unlock method was not selected. Removable data drives must have either a password or a smart card unlock method in addition to the automatic unlock method. Automatic unlocking cannot be directly specified by policy settings.

To configure a BitLocker-protected fixed or removable data drive to automatically unlock

1. Click Start, click Computer, and then right-click the BitLocker-protected fixed or removable data drive that you want to automatically unlock.

2. Click Manage BitLocker, and then click Automatically unlock this drive on this computer.

To specify password usage for BitLocker-protected fixed or removable data drives

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Fixed Data Drives.

4. By default, passwords can be used with BitLocker to protect fixed data drives. The default settings do not enforce any password complexity requirements but do require that the password be at least 8 characters. To specify different settings, in the details pane, double-click Configure use of passwords for fixed data drives to open the policy setting.

5. Click Disabled to prevent the use of passwords with fixed data drives, or click Enabled, and configure the following settings:

Select the Require password for fixed data drive check box if you want to require the user to enter a password to turn on BitLocker on a fixed data drive. If other unlock methods have been configured for the drive, any of those methods may be used to unlock the drive.

Under Configure password complexity for fixed data drives, you can choose to allow, require, or not allow password complexity rule enforcement with BitLocker fixed data drive passwords.

If you choose Require password complexity, you must have also configured the Password must meet complexity requirements policy setting located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. In addition, the computer must be connected to the domain when the BitLocker password is set for the drive (such as when BitLocker is turned on or when a password is changed) so that the domain controller can validate that the password specified for the drive meets the complexity rules.

If you choose Allow password complexity, BitLocker will attempt to connect to the domain controller to validate the password, but if a connection is not possible it will accept the password and encrypt the drive by using the password regardless of whether the password is compliant with the complexity rules defined by the password policy.

If you choose Do not allow password complexity, BitLocker will not attempt to validate whether or not the password specified is a complex password.

Under Minimum password length for fixed data drive, you can specify a number between 8 and 99 that defines how long the password specified for the drive must be. Passwords must always be at least 8 characters.

6. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

7. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data Drives.

8. By default, passwords can be used with BitLocker to protect removable data drives. The default settings do not enforce any password complexity requirements but do require that the password be at least 8 characters. To specify different settings, in the details pane, double-click Configure use of passwords for removable data drives to open the policy setting.

9. Click Disabled to prevent the use of passwords with removable data drives, or click Enabled, and configure the following settings:

Select the Require password for removable data drive check box if you want to require the user to enter a password to turn on BitLocker on a removable data drive. If other unlock methods have been configured for the drive, any of those methods may be used to unlock the drive.

Under Configure password complexity for removable data drives, you can choose to allow, require, or not allow password complexity rule enforcement with BitLocker removable data drive passwords.

If you choose Require password complexity, you must have also configured the Password must meet complexity requirements policy setting located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy, and the computer must be connected to the domain when BitLocker is turned on so that the domain controller can validate that the password specified for the drive meets the complexity rules.

If you choose Allow password complexity, BitLocker will attempt to connect to the domain controller to validate the password, but if a connection is not possible it will accept the password and encrypt the drive by using the password regardless of whether the password is compliant with the complexity rules defined by the password policy.

If you choose Do not allow password complexity, BitLocker will not attempt to validate whether or not the password specified is a complex password.

Under Minimum password length for fixed data drive, you can specify a number between 8 and 99 that defines how long the password specified for the drive must be. Passwords must always be at least 8 characters.

10. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

11. Close the Local Group Policy Editor.

12. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.

To specify smart card usage for BitLocker-protected fixed or removable data drives

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Fixed Data Drives.

4. By default, smart cards can be used with BitLocker to protect fixed data drives. To require or prevent the use of smart cards, in the details pane, double-click Configure use of smart cards on fixed data drives to open the policy setting.

5. Click Disabled to prevent the use of smart cards with fixed data drives.

6. Click Enabled, and select the Require use of smart cards on fixed data drives check box if you want to require the user to insert a smart card to turn on BitLocker.

If other unlock methods have been configured for the drive, any of those methods may be used to unlock the drive.

7. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

8. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click BitLocker Drive Encryption.

9. If you have multiple smart card certificates, you can specify which smart card certificates can be used with BitLocker. To do this, in the details pane, double-click the Validate smart card certificate usage rule compliance policy setting.

By default, BitLocker uses smart card certificates that have the enhanced key usage (EKU) attribute equal to the BitLocker object identifier of 1.3.6.1.4.1.311.67.1.1, but BitLocker does not require the EKU attribute to be present for the certificate to be used with BitLocker. However, you can set this policy to Enabled and type a value in Object identifier to require that a certificate have a certain EKU attribute before it is used with BitLocker. If you set this policy to Disabled or Not Configured, the default object identifier is used.

10. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

11. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data Drives.

12. By default, smart cards can be used with BitLocker to protect removable data drives. To require or prevent the use of smart cards, in the details pane, double-click Configure use of smart cards on removable data drives to open the policy setting.

13. Click Disabled to prevent the use of smart cards with removable data drives.

14. Click Enabled, and select the Require smart card for removable data drive check box if you want to require the user to insert a smart card to turn on BitLocker.

15. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

16. Close the Local Group Policy Editor.

17. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.

By completing the procedures in this scenario, you have specified which methods users can use to unlock BitLocker-protected drives. These policies are enforced on drives when BitLocker is turned on.
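As an added example (not code from the Microsoft guide), this PowerShell script lists the certificates in the current user's personal store and applies the certificate usage rule described in step 9 above: a certificate whose EKU extension contains the BitLocker object identifier 1.3.6.1.4.1.311.67.1.1 (or the identifier you set in the Validate smart card certificate usage rule compliance policy) matches, one with no EKU extension is still accepted, and one whose EKU extension lacks the identifier does not match. The $Oid parameter and the store path are assumptions of this example.

```powershell
# Added example, not part of the Microsoft guide. $Oid is an assumed parameter
# standing in for the Object identifier value of the policy setting.
param([string]$Oid = "1.3.6.1.4.1.311.67.1.1")   # BitLocker EKU OID from the scenario

function Get-BitLockerSmartCardCandidates {
    param(
        [string]$StorePath = "Cert:\CurrentUser\My",
        [string]$RequiredOid = "1.3.6.1.4.1.311.67.1.1"
    )
    foreach ($cert in Get-ChildItem $StorePath) {
        # The EKU attribute, when present, is the X509EnhancedKeyUsageExtension
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($ekuExt) {
            foreach ($o in $ekuExt.EnhancedKeyUsages) { $ekuOids += $o.Value }
        }

        # Rule from the scenario: the EKU is used when present but not required
        if ($ekuOids.Count -eq 0) {
            $verdict = "accepted (no EKU extension)"
        } elseif ($ekuOids -contains $RequiredOid) {
            $verdict = "matches (BitLocker EKU present)"
        } else {
            $verdict = "not matched (EKU present but lacks $RequiredOid)"
        }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey   # a smart card certificate reports its key through the card's CSP
            Expires       = $cert.NotAfter
            EKUs          = ($ekuOids -join ", ")
            Verdict       = $verdict
        }
    }
}

Get-BitLockerSmartCardCandidates -RequiredOid $Oid |
    Format-Table Subject, Verdict, HasPrivateKey, Expires -AutoSize
```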

Links Table

[1] http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx


Scenario 8: Specifying How BitLocker-Protected Drives Can Be Recovered (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

If an unlock method fails, such as if the TPM detects a change in boot components or a password is forgotten, users will need to use a recovery method to access their data. Before going through the recovery process, you should verify that the drive was not tampered with and isolate the computer from the network until any risk presented by the system is determined. This scenario includes procedures for setting the recovery options available for operating system drives, fixed data drives, and removable data drives. The procedures in this scenario describe how to configure the appropriate Group Policy settings to support the recovery options available to users in your enterprise. You can require that users save recovery keys or recovery files, enable the use of a data recovery agent, or require that all recovery information be backed up to Active Directory Domain Services (AD DS) and prevent users from creating and saving recovery passwords and keys.

If access to an operating system drive is recovered by using the recovery console after a change in the computer configuration, suspend and then resume BitLocker protection before shutting down or putting the computer in hibernation. Otherwise, the conditions that caused BitLocker to start the operating system drive in recovery mode will be detected again and the recovery information will be required to start the operating system.

Before you start

To complete the procedures in this scenario:

You must be able to provide administrative credentials.

Your test computer must be part of a domain.

Complete the following procedures to specify the recovery methods for each type of drive.

To specify how BitLocker-protected operating system drives can be recovered

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Operating System Drives.

4. To configure recovery options for operating system drives, in the details pane, double-click Choose how BitLocker-protected operating system drives can be recovered to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when they turn on BitLocker, and recovery information is not backed up to AD DS.

5. To specify different recovery options, click Enabled, and then configure the following settings as appropriate:

Select the Allow data recovery agent check box to allow specified accounts to be used to recover BitLocker-protected drives. To use a data recovery agent, the account must be configured and added to the following location in Group Policy: Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption. For more information about setting up data recovery agents, see Using Data Recovery Agents with BitLocker [1]. Clear the check box if you do not want to allow data recovery agents to be used with BitLocker.

Under Configure user storage of BitLocker recovery information, you can choose whether or not a user is allowed, required, or not allowed to create a 48-digit recovery password or 256-bit recovery key when they turn on BitLocker. If one user storage option is required, the other must be disallowed. If you want to provide users the option of using either a recovery password or a recovery key, you should select both Allow 48-digit recovery password and Allow 256-bit recovery key. If you do not want users to be able to store or print recovery information, select both Do not allow 48-digit recovery password and Do not allow 256-bit recovery key.

Select the Save BitLocker recovery information to AD DS for operating system drives check box, and then select whether you want to Store recovery passwords and key packages in AD DS or Store recovery passwords only. Storing recovery passwords in AD DS allows system administrators to provide recovery passwords to users or recover BitLocker-protected drives when the user-stored recovery password or recovery key is not available (for example, when a user loses the recovery password printout or when the stored recovery key file cannot be accessed). Storing the key packages in addition to the recovery passwords enables administrators to use the Repair-bde command-line tool to recover a BitLocker-protected drive that has been damaged in such a way that reading the encryption key from the drive is not possible.

Select the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives check box to ensure that the recovery information for all BitLocker-protected operating system drives in your organization is stored in AD DS. Recovery information is generated when the drive is first encrypted and is not automatically sent to AD DS after encryption has occurred. When this check box is selected, users must be connected to the domain when they turn on BitLocker.

Select the Omit recovery options from the BitLocker setup wizard check box if you want the choice of recovery method to be controlled by this policy setting and not show the recovery options to the user. To enable this option, you must select one or both of the administrative recovery settings Save BitLocker recovery information to AD DS for operating system drives or Allow data recovery agent to ensure that the BitLocker-protected drive can be recovered.

6. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

7. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.

To specify how BitLocker-protected fixed data drives can be recovered

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.


3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Fixed Data Drives.

4. To configure recovery options for fixed data drives, in the details pane, double-click Choose how BitLocker-protected fixed drives can be recovered to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when they turn on BitLocker, and recovery information is not backed up to AD DS.

5. To specify different recovery options, click Enabled, and then configure the following settings as appropriate:

Select the Allow data recovery agent check box to allow specified accounts to be used to recover BitLocker-protected drives. To use a data recovery agent, the account must be configured and added to the following location in Group Policy: Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption. For more information about setting up data recovery agents, see Using Data Recovery Agents with BitLocker [1]. Clear the Allow data recovery agent check box if you do not want to allow data recovery agents to be used with BitLocker.

Under Configure user storage of BitLocker recovery information, you can choose whether or not a user is allowed, required, or not allowed to create a 48-digit recovery password or 256-bit recovery key when they turn on BitLocker.

Select the Save BitLocker recovery information to AD DS for fixed data drives check box, and then select whether you want to Store recovery passwords and key packages in AD DS or Store recovery passwords only. Storing recovery passwords in AD DS allows system administrators to provide recovery passwords to users or recover BitLocker-protected drives when the user-stored recovery password or recovery key is not available (for example, when a user loses the recovery password printout or when the stored recovery key file cannot be accessed). Storing the key packages in addition to the recovery passwords enables administrators to use the Repair-bde command-line tool to recover a BitLocker-protected drive that has been damaged in such a way that reading the encryption key from the drive is not possible.

Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives check box to ensure that the recovery information for all BitLocker-protected fixed data drives in your organization is stored in AD DS. Recovery information is generated when the drive is first encrypted and is not automatically sent to AD DS after encryption has occurred. When this check box is selected, users must be connected to the domain when they turn on BitLocker.

Select the Omit recovery options from the BitLocker setup wizard check box if you want the choice of recovery method to be controlled by this policy setting and not show the recovery options to the user. To enable this option, you must select one or both of the administrative recovery settings Save BitLocker recovery information to AD DS for fixed data drives or Allow data recovery agent to ensure that the BitLocker-protected drive can be recovered.

6. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

7. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.

To specify how BitLocker-protected removable data drives can be recovered

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data Drives.

4. To configure recovery options for removable data drives, in the details pane, double-click Choose how BitLocker-protected removable data drives can be recovered to open the policy setting. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the user can choose to create a recovery password or a recovery key when they turn on BitLocker, and recovery information is not backed up to AD DS.

5. To specify different recovery options, click Enabled, and then configure the following settings as appropriate:

Select the Allow data recovery agent check box to allow specified accounts to be used to recover BitLocker-protected drives. To use a data recovery agent, the account must be configured and added to the following location in Group Policy: Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption. For more information about setting up data recovery agents, see Using Data Recovery Agents with BitLocker [1]. Clear the check box if you do not want to allow data recovery agents to be used with BitLocker.

Under Configure user storage of BitLocker recovery information, you can choose whether or not a user is allowed, required, or not allowed to create a 48-digit recovery password or 256-bit recovery key when they turn on BitLocker. By default, recovery keys are not used with removable data drives.

Select the Save BitLocker recovery information to AD DS for removable data drives check box, and then select whether you want to Store recovery passwords and key packages in AD DS or Store recovery passwords only. Storing recovery passwords in AD DS allows system administrators to provide recovery passwords to users or recover BitLocker-protected drives when the user-stored recovery password or recovery key is not available (for example, when a user loses the recovery password printout or when the stored recovery key file cannot be accessed). Storing the key packages in addition to the recovery passwords enables administrators to use the Repair-bde command-line tool to recover a BitLocker-protected drive that has been damaged in such a way that reading the encryption key from the drive is not possible.

Select the Do not enable BitLocker until recovery information is stored to AD DS for removable data drives check box to ensure that the recovery information for all BitLocker-protected removable data drives in your organization is stored in AD DS. Recovery information is generated when the drive is first encrypted and is not automatically sent to AD DS after encryption has occurred. When this check box is selected, users must be connected to the domain when they turn on BitLocker.

Select the Omit recovery options from the BitLocker setup wizard check box if you want the choice of recovery method to be controlled by this policy setting and not shown to the user. To enable this option, you must select one or both of the administrative recovery settings, Save BitLocker recovery information to AD DS for removable data drives or Allow data recovery agent, to ensure that the BitLocker-protected drive can still be recovered.

6. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

7. Close the Local Group Policy Editor.

8. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,and then press ENTER. Wait for the process to finish.

By completing the procedures in this scenario, you have configured the Group Policy settings that establish the recovery options available for operating system drives, fixed data drives, and removable data drives.
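The backup to AD DS happens only at the moment BitLocker is turned on. The following added example (it is not part of the original guide) closes that gap for drives that were encrypted while the computer was off the network: it reads the protector list with manage-bde, picks out the numerical (48-digit) password protectors, and sends each one to AD DS with manage-bde -protectors -adbackup. It assumes the Windows 7 manage-bde.exe output layout (a "Numerical Password:" block whose next line is "ID: {GUID}"), an elevated session, and a domain-joined computer; the function names are the example's own.

```powershell
# Added example, not part of the original guide: back up recovery passwords to
# AD DS for drives that were encrypted while the computer was off the network.
# Assumes Windows 7 manage-bde.exe output (a "Numerical Password:" block whose
# next line is "ID: {GUID}"), an elevated session, and a domain-joined computer.

function Get-NumericalPasswordIds {
    param([Parameter(Mandatory=$true)][string]$Drive)   # e.g. 'C:'
    $text = (& manage-bde -protectors -get $Drive 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get failed for $Drive" }
    # Only the 48-digit (numerical password) protectors can be backed up to AD DS.
    $pattern = 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})'
    foreach ($m in [regex]::Matches($text, $pattern)) { $m.Groups[1].Value }
}

function Backup-RecoveryPasswordToAd {
    param([Parameter(Mandatory=$true)][string]$Drive)
    $ids = @(Get-NumericalPasswordIds -Drive $Drive)
    if ($ids.Count -eq 0) {
        Write-Warning "$Drive has no numerical password protector; add one first with: manage-bde -protectors -add $Drive -RecoveryPassword"
        return
    }
    foreach ($id in $ids) {
        # -adbackup sends that protector's recovery password (and the key package,
        # if policy says to store it) to this computer's object in AD DS.
        $out = & manage-bde -protectors -adbackup $Drive -id $id 2>&1
        if ($LASTEXITCODE -ne 0) { Write-Error "Backup of $id on $Drive failed: $($out -join ' ')" }
        else { "Backed up protector $id of $Drive to AD DS" }
    }
}

# Walk every fixed (type 3) and removable (type 2) volume that has a drive letter
# and back up the ones BitLocker has encrypted, fully or in progress.
$volumes = Get-WmiObject Win32_Volume |
    Where-Object { $_.DriveLetter -and ($_.DriveType -eq 2 -or $_.DriveType -eq 3) }
foreach ($v in $volumes) {
    $status = (& manage-bde -status $v.DriveLetter 2>&1) -join "`n"
    if ($LASTEXITCODE -eq 0 -and $status -match 'Conversion Status:\s+(Fully Encrypted|Encryption in Progress)') {
        Backup-RecoveryPasswordToAd -Drive $v.DriveLetter
    }
}
```

Run it from an elevated PowerShell prompt while the computer can reach a domain controller. A non-zero exit code from -adbackup usually means the computer object could not be written (no connectivity, or the computer lacks the permission that the "Store BitLocker recovery information in Active Directory Domain Services" policy normally grants).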


Scenario 9: Configuring the Encryption Method and Cipher Strength (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

This scenario describes how to modify the encryption method and cipher strength used by BitLocker Drive Encryption to encrypt operating system drives, fixed data drives, and removable data drives. BitLocker supports 128-bit and 256-bit encryption keys. Longer encryption keys provide a larger margin against brute-force attacks, but they make encryption and decryption of data somewhat slower. In addition, BitLocker supports a Diffuser algorithm to help protect the system against ciphertext manipulation attacks, a class of attacks in which an attacker who cannot read the data changes the encrypted data in order to cause a predictable change in the decrypted data; with the Diffuser, any change to a sector's ciphertext scrambles the whole sector instead.

This Group Policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect on a drive that is already encrypted or on a drive where encryption is in progress; the only way to change the method on such a drive is to decrypt it and encrypt it again. Set the policy before you encrypt the drive so that the method you selected is used.

By default, BitLocker uses Advanced Encryption Standard (AES) encryption with 128-bit encryption keys and Diffuser. Most organizations do not need to modify this setting, but in some situations you would need to. For example, if your organization must be Federal Information Processing Standard (FIPS) compliant, you would need to select a method without Diffuser, because the Diffuser is not a FIPS-approved algorithm. If you are in a highly secure environment, you may need to use AES 256-bit with Diffuser to provide a higher level of encryption.

Before you start

To complete the procedure in this scenario:

You must be able to provide administrative credentials.

To configure the BitLocker encryption method and cipher strength

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click BitLocker Drive Encryption.

4. To change the default encryption algorithm used by BitLocker, in the details pane, double-click Choose drive encryption method and cipher strength to open the policy setting.

5. If this setting is disabled or not configured, BitLocker uses the default encryption method of AES 128-bit with Diffuser. The Diffuser is not a second cipher; it is a diffusion step applied to each sector together with AES in CBC mode, so that a change to any part of a sector's ciphertext corrupts the entire decrypted sector instead of producing a controlled change in the plaintext.

6. To change the encryption method and cipher strength, click Enabled for the policy setting. Under Select the encryption method, select AES 256-bit with Diffuser to choose a stronger encryption algorithm. If your organization has formal requirements to use only government-approved encryption algorithms, you can select either AES 128-bit or AES 256-bit; otherwise, the methods without Diffuser are not recommended, because plain AES-CBC offers no protection against targeted ciphertext manipulation.

7. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

8. Close the Local Group Policy Editor.

9. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,and then press ENTER. Wait for the process to finish.

By completing this procedure, you have modified the encryption method and cipher strength used by BitLocker to encrypt operating system drives, fixed data drives, and removable data drives.


Scenario 10: Configuring the BitLocker Identification Field (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

BitLocker in Windows 7 can use identification fields to determine whether a BitLocker-protected drive belongs to your organization, and can use a secondary identification field to determine whether the drive belongs to a trusted external organization. Identification fields are validated when data recovery agents are enabled and when BitLocker To Go is turned on.

Data recovery agents are updated as necessary to ensure that the drive can be recovered by authorized individuals, and the BitLocker To Go Reader application is updated as necessary on a removable drive. If the identification field is not configured, the drive is treated as if it belongs to your organization. If the identification field is configured on a drive, it must match the identification field or allowed identification field specified in this policy before BitLocker will update data recovery agent information or the BitLocker To Go Reader on the drive. In practice this means a data recovery agent can only be applied to drives that carry your organization's identifier, so configure the identifier before you roll out data recovery agents.

Before you start

To complete the procedure in this scenario:

You must be able to provide administrative credentials.

To configure the BitLocker identification field

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click BitLocker Drive Encryption.

4. In the details pane, double-click the Provide the unique identifiers for your organization policy setting, and then click Enabled.

In Identification field, type the unique identifier for your organization.

In Allowed identification field, type the unique identifiers for any trusted external organizations that may have BitLocker-protected removable drives that are accessed by computers in your organization.

5. If you do not want to use identification fields, set this policy to Disabled or Not Configured. After you have made your choices, click Apply toapply the settings, and then close the dialog box.

6. Close the Local Group Policy Editor.

7. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box,and then press ENTER. Wait for the process to finish.

Identification fields are added to BitLocker-protected drives when BitLocker is turned on. If you have already deployed BitLocker and you want to add an identification field, you can use the following manage-bde command to associate the identifier configured in this policy with the drive, replacing Volume with the letter of the drive:

manage-bde -SetIdentifier Volume:

By completing this procedure, you have configured the identification field that will be applied to drives in your organization when BitLocker is turned on.
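Both the encryption method (Scenario 9) and the identification field (this scenario) are applied only when BitLocker is turned on, so drives encrypted before the policy was set can quietly disagree with it. The following added example (it is not part of the original guide) audits every encrypted volume against the local policy and says which mismatches can be fixed in place and which need a decrypt and re-encrypt. It assumes the registry value names that the Windows 7 VolumeEncryption.admx template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (EncryptionMethod with values 1 to 4, IdentificationField, IdentificationFieldString) and the Windows 7 manage-bde -status line layout; the function name is the example's own.

```powershell
# Added example, not part of the original guide: compare what Group Policy asks
# for with what is actually on each volume. Both settings are applied only when
# BitLocker is turned on, so a drive encrypted earlier can disagree with policy
# without any warning. Registry value names follow the Windows 7
# VolumeEncryption.admx template (assumption: verify against your template).

$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = $null
if (Test-Path $fvePolicy) { $policy = Get-ItemProperty -Path $fvePolicy }

# "Choose drive encryption method and cipher strength" writes EncryptionMethod (DWORD).
$methodNames = @{ 1 = 'AES 128 with Diffuser'; 2 = 'AES 256 with Diffuser'; 3 = 'AES 128'; 4 = 'AES 256' }
$wantMethod = 'AES 128 with Diffuser'          # BitLocker's default when the policy is absent
if ($policy -and $policy.EncryptionMethod) {
    $wantMethod = $methodNames[[int]$policy.EncryptionMethod]
    if (-not $wantMethod) { throw "Unexpected EncryptionMethod value $($policy.EncryptionMethod)" }
}

# "Provide the unique identifiers for your organization" writes IdentificationField=1
# plus IdentificationFieldString (and SecondaryIdentificationField for trusted partners).
$wantId = $null
if ($policy -and $policy.IdentificationField -eq 1) { $wantId = [string]$policy.IdentificationFieldString }

function Get-BitLockerVolumeInfo {
    param([Parameter(Mandatory=$true)][string]$Drive)
    $text = (& manage-bde -status $Drive 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { return $null }
    $info = New-Object PSObject -Property @{ Drive = $Drive; Method = ''; IdField = ''; Conversion = '' }
    if ($text -match 'Encryption Method:\s+(.+)')    { $info.Method     = $matches[1].Trim() }
    if ($text -match 'Identification Field:\s+(.+)') { $info.IdField    = $matches[1].Trim() }
    if ($text -match 'Conversion Status:\s+(.+)')    { $info.Conversion = $matches[1].Trim() }
    return $info
}

$volumes = Get-WmiObject Win32_Volume |
    Where-Object { $_.DriveLetter -and ($_.DriveType -eq 2 -or $_.DriveType -eq 3) }
foreach ($v in $volumes) {
    $i = Get-BitLockerVolumeInfo -Drive $v.DriveLetter
    if (-not $i -or $i.Conversion -eq 'Fully Decrypted') { continue }
    $findings = @()
    if ($i.Method -ne $wantMethod) {
        # Cannot be fixed in place: the cipher is chosen when the drive is encrypted.
        $findings += "encrypted with '$($i.Method)' but policy says '$wantMethod' (decrypt and re-encrypt to change)"
    }
    if ($wantId -and $i.IdField -ne $wantId) {
        # Can be fixed in place with the command shown in this scenario.
        $findings += "identification field is '$($i.IdField)' but policy says '$wantId' (run: manage-bde -SetIdentifier $($i.Drive))"
    }
    if ($findings.Count -eq 0) { "$($i.Drive) matches policy" }
    else { foreach ($f in $findings) { Write-Warning "$($i.Drive) $f" } }
}
```

Run it elevated after gpupdate so the registry reflects the policy you just set. A drive that reports the wrong cipher is the case the text warns about: the policy change did not and will not reach it.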


Scenario 11: Recovering Data Protected by BitLocker DriveEncryption (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

This scenario describes the process for recovering your data after BitLocker has entered recovery mode. BitLocker locks the drive when the key needed to decrypt it is not available. The following is a list of likely causes:

An error related to TPM validation occurs on an operating system drive.

The password for a BitLocker-protected fixed data drive is forgotten.

The smart card used to lock a removable data drive is lost.

When recovery of a drive is necessary, you must use the recovery key from a USB flash drive, type a recovery password, or have a data recovery agent recover the drive. When the operating system drive needs to be recovered, you enter the recovery information in the BitLocker recovery console, a pre-boot environment provided by the Windows boot manager before the operating system loads. Some systems use the function keys to enter digits in this environment. In this case, F1 through F9 represent the digits 1 through 9, and F10 represents 0.

When in the operating system drive recovery console session, the accessibility features of Windows are not available. If you require accessibility features, consider what you will do in the event of recovery. For example, you might consider data recovery agents to support drive recovery, or designate a trusted person who can store the recovery key and provide it if necessary.
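A 48-digit recovery password has internal structure, which matters when a user reads one over the phone or the printout is smudged. The following added example (it is not part of the original guide; the format description comes from public analyses of BitLocker's on-disk metadata, not from this document) checks that structure: each six-digit group is a 16-bit value multiplied by 11, so it must be divisible by 11 and below 720896, and the eight 16-bit values in little-endian order form the 128-bit secret that BitLocker then key-stretches. The valid sample is the password used later in this guide's Repair-bde scenario; the mistyped variant is constructed for the example, and the function names are the example's own.

```powershell
# Added example, not part of the original guide: sanity-check a 48-digit
# BitLocker recovery password before trying it at the recovery console.
# Format assumed here (from public analyses of the BitLocker format):
# eight groups of six digits; each group = (16-bit value) * 11, so it must be
# divisible by 11 and below 720896 (65536 * 11). The eight 16-bit values,
# little-endian, are the 128-bit secret that BitLocker key-stretches.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory=$true)][string]$Password)
    $groups = $Password.Trim() -split '[-\s]+'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Find-RecoveryPasswordTypo {
    # Names the first group that fails, which is normally where a digit was mistyped.
    param([Parameter(Mandatory=$true)][string]$Password)
    $groups = $Password.Trim() -split '[-\s]+'
    if ($groups.Count -ne 8) { return "expected 8 groups, got $($groups.Count)" }
    for ($k = 0; $k -lt 8; $k++) {
        $g = $groups[$k]
        if ($g -notmatch '^\d{6}$' -or ([int]$g % 11) -ne 0 -or [int]$g -ge 720896) {
            return "group $($k + 1) ('$g') fails the divisibility-by-11 check"
        }
    }
    return 'all groups pass'
}

function ConvertFrom-BitLockerRecoveryPassword {
    # Returns the 16 raw key bytes as an uppercase hex string; throws on bad input.
    param([Parameter(Mandatory=$true)][string]$Password)
    if (-not (Test-BitLockerRecoveryPassword $Password)) { throw 'Malformed recovery password' }
    $bytes = New-Object byte[] 16
    $i = 0
    foreach ($g in ($Password.Trim() -split '[-\s]+')) {
        $word = [int]([int]$g / 11)            # exact, divisibility was checked above
        $bytes[2 * $i]     = $word -band 0xFF   # low byte first (little-endian 16-bit word)
        $bytes[2 * $i + 1] = ($word -shr 8) -band 0xFF
        $i++
    }
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# The sample password used in this guide's Repair-bde scenario is well formed:
$sample = '062612-026103-175593-225830-027357-086526-362263-513414'
Test-BitLockerRecoveryPassword $sample
ConvertFrom-BitLockerRecoveryPassword $sample
# Constructed typo: the last digit of the second group changed from 3 to 8.
Find-RecoveryPasswordTypo '062612-026108-175593-225830-027357-086526-362263-513414'
```

The check is purely structural: a password that passes is correctly formed, not necessarily the right one for the drive. The recovery console applies the same per-group check as you type, which is why a mistyped group is rejected before the whole password has been entered.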

Before you start

To complete the procedures in this scenario:

You must be able to provide administrative credentials.

You must have either a USB flash drive with the recovery key or the recovery password; the operating system drive test below accepts either.

Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive Encryption Step-by-Step Guide for Windows 7 [1].

To test data recovery on an operating system drive

1. Click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

2. Type bcdedit /debug on to enable kernel debugging for the operating system drive. This changes the boot configuration data, which is part of what the TPM measures at startup, so it is a safe way to trigger recovery deliberately without touching the drive's keys.

3. Close all open windows.

4. If the USB flash drive that contains your recovery key is inserted into the computer, use the Safely Remove Hardware icon in the notification area to remove it from the computer.

5. Click Start, and then click Shut Down to turn off your computer.

When you restart the computer, you will be prompted for the recovery password, because the boot configuration measured by the TPM has changed since you encrypted the drive and TPM validation therefore fails.

6. Turn on your computer.

7. The BitLocker Drive Encryption Recovery Console will appear.

8. You will be prompted to insert the USB flash drive that contains the recovery key.

If you have the USB flash drive with the recovery key, insert it, and then press ESC. Your computer will restart automatically. You do not need to enter the recovery password manually.

If you do not have the USB flash drive with the recovery key, press ENTER. You will be prompted to enter the recovery password. Type the 48-digit recovery password, and then press ENTER.

9. After the drive has been unlocked, the operating system will start. To restore your computer to its normal operating profile, click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. Type bcdedit /debug off to disable kernel debugging for the operating system drive.

To test data recovery on a password-protected fixed data drive

1. Click Start, and then click Computer to display the drives on the computer.

2. Double-click a BitLocker-protected data drive. The BitLocker Drive Encryption dialog box is displayed, prompting you to type your password to unlock the drive.

3. Click I forgot my password. You are prompted to Unlock this drive using your recovery key. Select either Type the recovery key or Get the key from the USB flash drive, depending on which recovery method was configured for the drive.

4. After providing the recovery key, the drive is unlocked. You can then click Manage BitLocker, and reconfigure the unlock method as necessary.

You will be able to use the new unlock method to unlock the drive the next time the drive is locked.


By completing the procedures in this scenario, you have used data recovery to reestablish access to a BitLocker-protected drive.

Links Table

[1] http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx


Scenario 12: Turning Off BitLocker Drive Encryption (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

This scenario describes how to either suspend BitLocker Drive Encryption or turn off BitLocker Drive Encryption and decrypt the drive.

When you have encrypted an operating system drive, you can choose to either suspend BitLocker temporarily or turn off BitLocker on the operating system drive and decrypt the drive. You can suspend BitLocker on an operating system drive to make TPM changes and operating system upgrades. On a data drive, you simply decrypt the drive. Decrypting the drive means that the drive is once again readable without BitLocker and that all BitLocker keys for it are discarded. After a drive is decrypted, you must generate new keys by completing the encryption process again.

Before you start

To complete the procedures in this scenario:

You must be able to provide administrative credentials.

The drive must be BitLocker-protected.

Complete one of the following procedures.

To suspend BitLocker Drive Encryption on an operating system drive

1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

2. Click Suspend Protection for the operating system drive.

3. A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click Yes to continue and suspend BitLocker on the drive.

By completing this procedure, you have suspended BitLocker protection on the drive. Suspending does not decrypt the data; instead, BitLocker stores the volume master key on the drive under a clear-key protector, so the key can be read without any authentication. When BitLocker is suspended, TPM validation does not occur and other authentication methods, such as the use of a PIN or USB key to unlock the operating system drive, are not enforced. This allows you to make system changes such as updating the BIOS or replacing a data drive. Treat the suspended state as unprotected and keep it as short as possible. When you are finished making changes to the computer, click Resume Protection in the BitLocker Drive Encryption Control Panel item to start using BitLocker Drive Encryption again; resuming removes the clear key and seals the volume master key to the current TPM measurements.

To turn off BitLocker Drive Encryption

1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

2. Find the drive on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker.

3. A message is displayed, informing you that the drive will be decrypted and that decryption may take some time. Click Decrypt the drive to continue and turn off BitLocker on the drive.

By completing this procedure, you have decrypted the drive and removed BitLocker protection.
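On Windows 7 a suspended drive stays suspended across reboots until someone resumes protection, so the practical risk of the procedure above is forgetting to resume after the maintenance reboot. The following added example (it is not part of the original guide) performs the same suspend from the command line and registers a boot-time scheduled task that resumes protection and removes itself, plus a check to run afterwards. The manage-bde and schtasks switches are the ones shipped with Windows 7; the task name and function names are the example's own.

```powershell
# Added example, not part of the original guide: suspend BitLocker on the OS
# drive for a maintenance reboot (firmware update, boot-component change) and
# make the resume automatic. While suspended, the volume master key is stored
# on disk under a clear-key protector, so the window must be closed reliably.
# Uses manage-bde.exe and schtasks.exe as shipped with Windows 7.

$TaskName = 'ResumeBitLockerAfterMaintenance'   # example's own choice of name

function Get-ProtectionStatus {
    param([Parameter(Mandatory=$true)][string]$Drive)
    $text = (& manage-bde -status $Drive 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status failed for $Drive" }
    if ($text -match 'Protection Status:\s+(.+)') { return $matches[1].Trim() }
    throw "Could not read protection status for $Drive"
}

function Suspend-BitLockerForReboot {
    param([Parameter(Mandatory=$true)][string]$Drive)   # e.g. 'C:'
    if ((Get-ProtectionStatus $Drive) -ne 'Protection On') {
        throw "$Drive is not currently protected; nothing to suspend"
    }
    # 1. Register the resume first, so a failure between the two steps cannot
    #    leave the drive suspended with no scheduled resume. The task runs as
    #    SYSTEM at the next boot, resumes protection, then deletes itself.
    $resume = "cmd /c manage-bde -protectors -enable $Drive && schtasks /delete /tn $TaskName /f"
    & schtasks /create /tn $TaskName /tr $resume /sc onstart /ru SYSTEM /rl highest /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Could not register the resume task; not suspending' }
    # 2. Suspend: manage-bde adds a clear-key protector, and the TPM/PIN/USB
    #    checks are skipped at the next boot.
    $out = & manage-bde -protectors -disable $Drive 2>&1
    if ($LASTEXITCODE -ne 0) {
        & schtasks /delete /tn $TaskName /f | Out-Null
        throw "Suspend failed: $($out -join ' ')"
    }
    "BitLocker on $Drive suspended; protection resumes automatically at the next boot."
}

function Confirm-BitLockerResumed {
    param([Parameter(Mandatory=$true)][string]$Drive)
    $status = Get-ProtectionStatus $Drive
    & schtasks /query /tn $TaskName 2>&1 | Out-Null
    $taskLeft = ($LASTEXITCODE -eq 0)
    if ($status -eq 'Protection On' -and -not $taskLeft) { return "$Drive protected; resume task cleaned up" }
    if ($status -ne 'Protection On') {
        Write-Warning "$Drive is STILL SUSPENDED (status '$status'). Resume now: manage-bde -protectors -enable $Drive"
    }
    if ($taskLeft) { Write-Warning "Resume task '$TaskName' still exists; it did not run or did not finish" }
}

# Usage, from an elevated prompt before the maintenance reboot:
#   Suspend-BitLockerForReboot -Drive 'C:'
#   (apply the firmware update, reboot)
# After the reboot:
#   Confirm-BitLockerResumed -Drive 'C:'
```

Resuming after the reboot, not before it, is deliberate: resume seals the volume master key to the TPM measurements in effect at that moment, so resuming before the firmware change would send the next boot straight into recovery. The Confirm step is the part that catches a resume that never ran.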


Scenario 13: Locking a Data Drive with a Smart Card (Windows 7)

Updated: November 11, 2009

Applies To: Windows 7

This scenario describes how to use smart cards with a self-signed certificate to encrypt a data drive by using BitLocker Drive Encryption. When deploying BitLocker along with smart cards, we recommend that a certification authority be used. As a best practice, self-signed certificates should only be used for limited testing scenarios. By default, BitLocker cannot be used with self-signed certificates.

Before you start

To complete the procedures in this scenario:

You must be able to provide administrative credentials.

Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive Encryption Step-by-Step Guide for Windows 7 [1].

Complete the following procedures in order.

To enable BitLocker to use self-signed certificates

1. Click Start, type regedit in the Search programs and files box, right-click regedit.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE (create the FVE key if it does not exist yet).

3. On the Registry Editor menu, click Edit, point to New, and then click DWORD (32-bit) Value.

4. Type SelfSignedCertificates, and then press ENTER to create the SelfSignedCertificates key value.

5. Right-click SelfSignedCertificates, and then click Modify.

6. In Value data, type 1.

BitLocker can now use self-signed certificates.

To obtain a self-signed certificate to test BitLocker and smart cards

1. Open a text editor such as Notepad, and paste the following information into a new file:

[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.1

2. Save the file with the name blcert.txt.

3. Insert a smart card into the smart card reader of the computer.

4. Click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

5. In the Command Prompt window, navigate to the location where you saved the blcert.txt file, and type certreq -new blcert.txt to request a new certificate based on the parameters identified in the file. There may be a slight delay while the key pair is generated on the smart card, and you may be prompted to enter your smart card PIN.

6. When prompted for the name of the output file, type a file name, and then click Save.

You now have a smart card certificate that is appropriate for use with BitLocker.

To use BitLocker with a smart card to protect a data drive

1. If you want to protect a removable drive, insert it into the computer.

2. Click Start, and then click Computer to display the drives on your computer.

3. Right-click the drive you want to protect, and then click Turn on BitLocker to start the BitLocker setup wizard.

4. On the Choose how you want to unlock this drive wizard page, click Use my smart card to unlock the drive.

5. Insert your smart card into the smart card reader, and click Next.

6. On the Save the recovery key wizard page, select either Save the key to a file to save your recovery key to a network drive or other location, or select Print the recovery key to print the 48-digit recovery password, and then click Next.

7. On the Are you ready to encrypt this drive page, confirm that you want to use a smart card to encrypt the drive, and click Start Encrypting.

8. When the drive is ready for encryption, the Encryption in Progress status bar is displayed. When you are notified that encryption is complete, click Close.


By completing the procedures in this scenario, you have a drive that is now protected by BitLocker and ready to use. Whenever the drive is inserted into a computer running Windows 7, a dialog box will prompt users to insert their smart card to unlock the drive.

Links Table

[1] http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx


Scenario 14: Using a Data Recovery Agent to Recover BitLocker-Protected Drives (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

This scenario describes how to use a data recovery agent to recover data from a BitLocker-protected drive. Data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials to unlock BitLocker-protected drives. Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable data drives. However, when used to recover operating system drives, the operating system drive must be mounted on another computer as a data drive for the data recovery agent to be able to unlock the drive. Data recovery agents are added to the drive when it is encrypted and can be updated after encryption occurs.

Before you start

To complete the procedures in this scenario:

You must be able to provide administrative credentials.

Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive Encryption Step-by-Step Guide for Windows 7 [1].

Complete the following procedures in order.

To enable BitLocker to use self-signed certificates

1. Click Start, type regedit in the Search programs and files box, right-click regedit.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE (create the FVE key if it does not exist yet).

3. On the Registry Editor menu, click Edit, point to New, and then click DWORD (32-bit) Value.

4. Type SelfSignedCertificates, and then press ENTER to create the SelfSignedCertificates key value.

5. Right-click SelfSignedCertificates, and then click Modify.

6. In Value data, type 1.

BitLocker can now use self-signed certificates.

To obtain a self-signed certificate to test BitLocker and data recovery agents

1. Open a text editor such as Notepad, and paste the following information into a new file:

[NewRequest]
Subject = "CN=BitLockerDRA"
KeyLength = 2048
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.2

2. Save the file with the name bldracert.txt.

3. Insert a smart card into the smart card reader of the computer.

4. Click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

5. In the Command Prompt window, navigate to the location where you saved the bldracert.txt file, and type certreq -new bldracert.txt to request a new certificate based on the parameters identified in the file. There may be a slight delay while the key pair is generated on the smart card, and you may be prompted to insert your smart card and type your PIN.

6. When prompted to save the request file, type a file name, and click Save.

You now have a data recovery agent smart card certificate that is appropriate for use with BitLocker.

To export a BitLocker DRA certificate

1. Click Start, type certmgr.msc, and then press ENTER to open the Certificates snap-in for the current user. This is the store in which certreq placed the certificate in the previous procedure.

2. In the console tree, expand Personal, and then click Certificates.

3. Double-click the BitLockerDRA certificate to display the certificate properties sheet.

4. Click the Details tab, and then click Copy to File to start the Certificate Export Wizard.

5. On the Welcome to the Certificate Export Wizard page, click Next.

6. On the Export Private Key page, verify that No, do not export the private key is selected, and then click Next. BitLocker needs only the public key to create the data recovery agent protector; the private key stays on the smart card and is used only when the agent unlocks a drive.


7. On the Export File Format page, verify that DER encoded binary x.509 (.CER) is selected, and then click Next.

8. On the File to Export page, click Browse to display the Save as dialog box. In File name, type BitLockerDRA. In Save as type, verify that DER Encoded Binary X.509 (.cer) is selected, and then click Save to return to the File to Export page. The File name box on the wizard page should now display the path to the BitLockerDRA.cer file in your document library. Click Next.

9. On the Completing the Certificate Export Wizard page, verify that the information displayed is correct, and then click Finish.

10. When the certificate has been exported, the Certificate Export Wizard dialog box will be displayed with the message The export was successful. Click Close to close the dialog and the wizard.
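The export above can be scripted, and scripting it lets you check two things BitLocker silently requires before it accepts a certificate: the BitLocker enhanced key usage and a key-encipherment key usage. The following added example (it is not part of the original guide) finds the certificate that certreq placed in the current user's Personal store, verifies both properties, writes the public certificate as DER (.cer) without the private key, and prints the thumbprint that manage-bde -unlock -cert -ct expects. It serves both this scenario and Scenario 13: the EKU OIDs are the ones in the two .inf files above, 1.3.6.1.4.1.311.67.1.1 for drive unlock and 1.3.6.1.4.1.311.67.1.2 for data recovery agents. The output path and function names are the example's own.

```powershell
# Added example, not part of the original guide: find the BitLocker certificate
# in the current user's Personal store, check that it has the BitLocker EKU and
# the KeyEncipherment key usage, export the public part as DER, and print the
# thumbprint. Private key material never leaves the smart card.

function Find-BitLockerCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$EkuOid,   # 1.3.6.1.4.1.311.67.1.1 (unlock) or .67.1.2 (DRA)
        [string]$Subject = $null                         # optional exact subject, e.g. 'CN=BitLockerDRA'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            if ($Subject -and $cert.Subject -ne $Subject) { continue }
            $hasEku = $false
            $hasKeyEnc = $false
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) {
                        if ($oid.Value -eq $EkuOid) { $hasEku = $true }
                    }
                }
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
                    $keyEnc = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
                    if (([int]$ext.KeyUsages -band $keyEnc) -ne 0) { $hasKeyEnc = $true }
                }
            }
            # Both are required; a certificate with only one of them is rejected by BitLocker.
            if ($hasEku -and $hasKeyEnc) { return $cert }
        }
    }
    finally { $store.Close() }
    return $null
}

function Export-PublicCertificate {
    param(
        [Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory=$true)][string]$Path
    )
    # X509ContentType::Cert is the DER-encoded certificate only; no private key can leak this way.
    $der = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    return $Path
}

$dra = Find-BitLockerCertificate -EkuOid '1.3.6.1.4.1.311.67.1.2' -Subject 'CN=BitLockerDRA'
if (-not $dra) { throw 'No certificate with the BitLocker DRA EKU and KeyEncipherment usage was found' }
Export-PublicCertificate -Certificate $dra -Path (Join-Path $env:USERPROFILE 'Documents\BitLockerDRA.cer')
# Thumbprint without spaces, as manage-bde -unlock <drive> -cert -ct <thumbprint> expects it:
"DRA thumbprint: $($dra.Thumbprint)"
```

For the Scenario 13 smart card certificate, call Find-BitLockerCertificate with the 1.3.6.1.4.1.311.67.1.1 OID and CN=BitLocker instead; the export step is identical.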

To add a BitLocker data recovery agent and unlock a drive

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click BitLocker Drive Encryption, and then click Add Data Recovery Agent to start the Add Recovery Agent Wizard.

4. On the Select Recovery Agents page, click Browse Folder to select the BitLockerDRA.cer file you exported in the previous procedure. If you did not need to export a certificate because you already had deployed a PKI with the necessary certificates, click Browse directory to choose a certificate from Active Directory Domain Services.

5. If you are prompted to install the certificate, click Yes. You can repeat this process as necessary to add multiple data recovery agents. After all data recovery agent certificates you want to use have been specified, click Next.

6. On the Completing the Recovery Agent Wizard page, click Finish to add the data recovery agent.

7. If you have not configured the Group Policy setting to specify the BitLocker identification field, complete Scenario 10: Configuring the BitLocker Identification Field (Windows 7) [2] before continuing with this scenario.

8. Encrypt a data drive as described in Scenario 2: Turning On BitLocker Drive Encryption on a Fixed or Removable Data Drive (Windows 7) [3]. For a data recovery agent to be able to unlock a drive, the BitLocker identification field must be present and match the identification field defined for your organization.

9. To put the drive into a locked state so that you can test the data recovery agent, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. Type the following command, replacing Volume with the drive letter of the BitLocker-protected data drive you want to lock (the command applies to data drives only, and it fails if files on the drive are open unless you add -ForceDismount):

manage-bde -lock Volume:

Do not close the Command Prompt window.

10. Now that the drive is locked, you can unlock it by using the data recovery agent. First, you need the certificate thumbprint of the data recovery agent. To find this, at the command prompt, type the following command, replacing Volume with the drive letter of the BitLocker-protected drive you want to unlock:

manage-bde -protectors -get Volume:

The key protectors identified for the drive are displayed. Find the key protector identified as Data Recovery Agent (Certificate Based), and record the certificate thumbprint.

11. To unlock the drive, type the following command, replacing CertificateThumbprint with the actual certificate thumbprint of the data recovery agent recorded in the previous step:

manage-bde -unlock Volume: -cert -ct CertificateThumbprint -pin

12. Enter your smart card PIN when prompted. The drive is unlocked.

By completing the procedures in this scenario, you have assigned data recovery agents to BitLocker and used a data recovery agent to unlock a BitLocker-protected drive.

Links Table

[1] http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx

[2] http://technet.microsoft.com/en-us/library/ee424309(v=ws.10).aspx

[3] http://technet.microsoft.com/en-us/library/ee424323(v=ws.10).aspx


Scenario 15: Using the BitLocker Active Directory Recovery Password Viewer to View Recovery Passwords

Updated: September 18, 2009

Applies To: Windows 7

The BitLocker Active Directory Recovery Password Viewer tool is an optional feature included with the Remote Server Administration Tools (RSAT) for Windows Server 2008 R2 that you install by using the Add Features wizard in Server Manager. This tool lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID).

Before you start

To complete the procedures in this scenario:

You must have domain administrator credentials, or an account that has been delegated read access to the BitLocker recovery attributes on the computer objects (this access is equivalent to being able to unlock the drives, so grant it sparingly).

Your test computers must be joined to the domain.

On the test computers, BitLocker must have been turned on after joining the domain.

The following procedures describe the most common tasks performed by using the BitLocker Active Directory Recovery Password Viewer.

To view the recovery passwords for a computer

1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers. In Active Directory Users and Computers, locate and then click the container in which the computer is located.

2. Right-click the computer object, and then click Properties.

3. In the Properties dialog box, click the BitLocker Recovery tab to view the BitLocker recovery passwords that are associated with the computer.

To copy the recovery passwords for a computer

1. Follow the steps in the previous procedure to view the BitLocker recovery passwords.

2. On the BitLocker Recovery tab of the Properties dialog box, right-click the BitLocker recovery password that you want to copy, and then click Copy Details.

3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet.

To locate a recovery password by using a password ID

1. In Active Directory Users and Computers, right-click the domain container, and then click Find BitLocker Recovery Password.

2. In the Find BitLocker Recovery Password dialog box, type the first eight characters of the password ID in the Password ID (first 8 characters) box, and then click Search. The password ID is the identifier that the recovery screen displays to the user (not the 48-digit recovery password itself); the user reads those eight characters to you, and the tool returns the matching recovery password.

By completing the procedures in this scenario, you have viewed and copied the recovery passwords for a computer and used a password ID to locate a recovery password.
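The viewer is an MMC extension over ordinary directory objects, so the same lookups can be done from a script, which is useful on a help desk machine that does not have RSAT. The following added example (it is not part of the original guide) searches AD DS for msFVE-RecoveryInformation objects either by the first eight characters of the password ID or for one computer, using System.DirectoryServices, which is present on Windows 7. It assumes that recovery objects are stored as children of the computer object with a CN of the form <timestamp>{<recovery GUID>}, as the viewer relies on; the function name and the sample prefix and computer name are the example's own. The account that runs it needs read access to msFVE-RecoveryPassword, which is exactly the access that must be kept narrow.

```powershell
# Added example, not part of the original guide: look up BitLocker recovery
# passwords in AD DS the way the Recovery Password Viewer does, but from a
# script. Recovery objects (msFVE-RecoveryInformation) live under the computer
# object; their CN is "<timestamp>{<RecoveryGuid>}", so the eight-character
# password ID the user reads out can be matched as a CN prefix inside the braces.

function Find-BitLockerRecoveryInfo {
    param(
        [string]$PasswordIdPrefix,     # first 8 hex characters of the password ID
        [string]$ComputerName          # alternatively, a computer name (sAMAccountName without '$')
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry   # root of the current domain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    if ($ComputerName) {
        # Find the computer object first, then search only beneath it.
        $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
        $computer = $searcher.FindOne()
        if (-not $computer) { throw "Computer $ComputerName not found" }
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
        $searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    }
    elseif ($PasswordIdPrefix) {
        if ($PasswordIdPrefix -notmatch '^[0-9A-Fa-f]{8}$') { throw 'Prefix must be exactly 8 hex characters' }
        $searcher.Filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$($PasswordIdPrefix.ToUpper())*))"
    }
    else { throw 'Specify -PasswordIdPrefix or -ComputerName' }

    $searcher.PageSize = 200
    foreach ($name in 'distinguishedName', 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated') {
        [void]$searcher.PropertiesToLoad.Add($name)
    }
    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        $recoveryGuid = New-Object System.Guid -ArgumentList (,[byte[]]$r.Properties['msfve-recoveryguid'][0])
        $volumeGuid   = New-Object System.Guid -ArgumentList (,[byte[]]$r.Properties['msfve-volumeguid'][0])
        New-Object PSObject -Property @{
            Computer         = ($dn -split ',', 2)[1]          # parent DN is the computer object
            PasswordId       = $recoveryGuid.ToString().ToUpper()
            VolumeId         = $volumeGuid.ToString().ToUpper()
            RecoveryPassword = [string]$r.Properties['msfve-recoverypassword'][0]
            Created          = $r.Properties['whencreated'][0]
        }
    }
}

# Usage (values are constructed for the example):
#   Find-BitLockerRecoveryInfo -PasswordIdPrefix '6E8C4A5F'
#   Find-BitLockerRecoveryInfo -ComputerName 'WKS-0042'
```

Before handing a password over, compare the full PasswordId with the ID on the user's recovery screen, not just the eight-character prefix, and confirm the Computer value is the machine the caller claims to be at. Each lookup discloses a key that unlocks a drive, so log who asked and why.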


Scenario 16: Using the BitLocker Repair Tool to Recover a Drive

Updated: September 18, 2009

Applies To: Windows 7

The BitLocker Repair Tool (Repair-bde) is a command-line tool included with Windows 7 and Windows Server 2008 R2. This tool can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker Drive Encryption. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. The Repair-bde command-line tool is intended for use when the operating system does not start, or when you cannot start the BitLocker Recovery Console. If a drive has been physically damaged, it may not be recoverable.

Before you start

To complete the procedure in this scenario:

Your test computer must have a BitLocker-protected drive.

You must be able to provide administrative credentials.

You must have at least one of the following:

Recovery password

Recovery key file location

Recovery package file location and the corresponding recovery password

Recovery package file location and the corresponding recovery key file location

You must have an empty output volume of equal or larger size than the BitLocker-protected drive (whose contents will be completely overwritten after the repair operation).

The following procedure provides the command-line syntax for using each type of recovery information with the Repair-bde tool. For this procedure, we recover access to the data stored on drive C: and write the recovered data to an output volume on Z: by using the parameters in the following table.

Recovery information             Value
Recovery password                062612-026103-175593-225830-027357-086526-362263-513414
Recovery key file location       F:\RecoveryKey.bek
Recovery package file location   F:\ExportedKeyPackage

Replace these parameters as appropriate for your test environment.

To repair a BitLocker-protected drive by using Repair-bde

1. Open a Command Prompt window as an administrator.

a. To do this, click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator.

b. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

2. At the command prompt, type one of the following commands, depending on which recovery information you want to use:

a. To repair using a recovery password:

repair-bde C: Z: -rp 062612-026103-175593-225830-027357-086526-362263-513414

b. To repair using a recovery key:

repair-bde C: Z: -rk F:\RecoveryKey.bek

c. To repair using a recovery package and the corresponding recovery password:

repair-bde C: Z: -kp F:\ExportedKeyPackage -rp 062612-026103-175593-225830-027357-086526-362263-513414

d. To repair using a recovery package and the corresponding recovery key:

repair-bde C: Z: -kp F:\ExportedKeyPackage -rk F:\RecoveryKey.bek

If the path to the key package is not specified, Repair-bde will search the drive for a key package. However, if the hard drive has been damaged, the tool may not be able to find the package and will prompt you to provide the path. We recommend that you include the key package in the Active Directory key storage so that you can export the key package if needed.

By completing this procedure, you have used the Repair-bde command-line tool to repair a damaged BitLocker-protected drive.
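A pre-flight wrapper for the procedure above, added here as an example and not part of the original guide or of the Repair-bde tool: it verifies the prerequisites listed under Before you start (administrative credentials, one form of recovery information, existing key files, an output volume that is empty and at least as large as the source) before building and running the repair-bde command line from steps 2a to 2d. The script and parameter names are assumptions; -rp, -rk and -kp are the switches shown in the scenario, and -lf (log file) is a documented Repair-bde switch that the scenario does not show.

```powershell
# Added example, not part of the original guide or of Repair-bde itself: check the
# prerequisites from "Before you start", then build and run the repair-bde command.
# -rp, -rk and -kp are the switches shown in the scenario; -lf (log file) is a
# documented Repair-bde switch that the scenario does not show.

param(
    [string] $SourceDrive = 'C:',        # damaged BitLocker-protected drive
    [string] $OutputDrive = 'Z:',        # empty output volume; Repair-bde overwrites it
    [string] $RecoveryPassword,          # 48 digits in 8 groups of 6, e.g. 062612-026103-...
    [string] $RecoveryKeyFile,           # e.g. F:\RecoveryKey.bek
    [string] $KeyPackageFile,            # e.g. F:\ExportedKeyPackage (optional)
    [string] $LogFile = "$env:TEMP\repair-bde.log",
    [switch] $DryRun                     # print the command line instead of running it
)

function Test-RecoveryPassword([string] $Password) {
    # Format of a BitLocker 48-digit recovery password: 8 groups of 6 digits, each
    # group a multiple of 11 below 720896 (the scenario's sample password satisfies
    # this). A mistyped group almost always fails the check, so typos are caught early.
    $groups = $Password -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($group in $groups) {
        if ($group -notmatch '^\d{6}$') { return $false }
        $n = [int] $group
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

# Administrative credentials: Repair-bde needs raw access to both volumes.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) prompt.'
}

# Exactly one of recovery password / recovery key, optionally with a key package.
if (-not $RecoveryPassword -and -not $RecoveryKeyFile) { throw 'Specify -RecoveryPassword or -RecoveryKeyFile.' }
if ($RecoveryPassword -and $RecoveryKeyFile)           { throw 'Specify only one of -RecoveryPassword and -RecoveryKeyFile.' }
if ($RecoveryPassword -and -not (Test-RecoveryPassword $RecoveryPassword)) {
    throw 'The recovery password is not a valid 48-digit BitLocker recovery password; check it for typos.'
}
foreach ($file in @($RecoveryKeyFile, $KeyPackageFile)) {
    if ($file -and -not (Test-Path -LiteralPath $file -PathType Leaf)) { throw "File not found: $file" }
}

# Output volume: must exist, be empty, and be at least as large as the source.
$src = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$SourceDrive'"
$dst = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$OutputDrive'"
if (-not $dst) { throw "Output drive $OutputDrive was not found." }
if (Get-ChildItem -LiteralPath "$OutputDrive\" -Force -ErrorAction SilentlyContinue | Select-Object -First 1) {
    throw "$OutputDrive is not empty; Repair-bde completely overwrites the output volume."
}
if ($src -and $src.Size -and $dst.Size) {
    if ([uint64] $dst.Size -lt [uint64] $src.Size) {
        throw "Output volume ($($dst.Size) bytes) is smaller than the source volume ($($src.Size) bytes)."
    }
} else {
    # A severely damaged source volume may report no size, so the comparison cannot be made.
    Write-Warning 'Could not read volume sizes; verify manually that the output volume is at least as large as the source.'
}

# Build the command line exactly as in steps 2a to 2d of the scenario.
$bdeArgs = @($SourceDrive, $OutputDrive)
if ($KeyPackageFile)   { $bdeArgs += @('-kp', $KeyPackageFile) }
if ($RecoveryPassword) { $bdeArgs += @('-rp', $RecoveryPassword) } else { $bdeArgs += @('-rk', $RecoveryKeyFile) }
$bdeArgs += @('-lf', $LogFile)

Write-Host ('repair-bde ' + ($bdeArgs -join ' '))
if (-not $DryRun) {
    & repair-bde.exe @bdeArgs
    if ($LASTEXITCODE -ne 0) { throw "repair-bde exited with code $LASTEXITCODE; see $LogFile." }
}
```

With the table values from this scenario, `.\Invoke-RepairBde.ps1 -RecoveryPassword 062612-026103-175593-225830-027357-086526-362263-513414 -KeyPackageFile F:\ExportedKeyPackage -DryRun` (hypothetical script name) prints the same command line as step 2c without touching either volume; omit -DryRun to run the repair. Checking the output volume is empty before starting matters because Repair-bde overwrites it completely, and the size check is only advisory when the damaged source volume no longer reports a size.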
