Configure Bitlocker on a TPM Enabled Machine

Introduction:

This guide is based on a detailed article from the Vista TechCenter tested and modified for use on CAMPUS.

BitLocker Drive Encryption is an integral new security feature in the Windows Vista operating system that provides considerable protection for the operating system on your computer and data stored on the operating system volume. BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against “offline attacks,” attacks made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately.

This guide demonstrates how to configure a basic installation of Bitlocker with a TPM Enabled machine and assumes you are performing a clean build on a new machine using a network based WDS build.

Important thinks to remember before you begin

  • Bitlocker is particularly reccomended to users of Laptops within the University.
  • Backups are more important than ever on enrypted disks as recovery will be all but impossible if the disks hardware fails.
  • Changing a systems hardware will cause the TPM to react and have the system lock down. This can easily be fixed by using the Bitlocker recovery key but only if you sill have it!

Prerequisites

A Machine with a TPM chip
Windows Vista DVD
Windows Vista Business, Enterprise or Ultimate Editions
A USB Key, preferably one you can dedicate to use with Bitlocker.
Access to a Printer

1. Copy the contents of

\\campus\software\ucs\SystemSW\Bitlocker to your USB Key.

2. Boot the new machine from the Windows Vista DVD. It is necessary to do this as the WDS build on the Campus Network will not allow access to the command prompt.

3. Select the locale; accept the license and call-up a command prompt by selecting SHIFT + F10.

4. At this point you can either manually run the DISKPART tool or use the script you copied on to the USB Key in Step 1.

For BitLocker to work, you must have at least two partitions on your hard disk. The first partition is the system volume and labeled S in this document. This volume contains the boot information in an unencrypted space. The second partition is the operating system volume and labelled C in this document. This volume is encrypted and contains the operating system and user data.

The script you copied to your USB key will automatically:

Select the first disk in the system (Disk 0)
Clean the partition table.
Create a 1.5GB System Partition, sets it as active and assign it the letters S.
Partition the rest of the disk and assigns it the letter C
Quick Format both volumes with the NTFS file system.

IMPORTANT: Running this script will destroy all data on the system.

To run the script, change drive to your USB Key and run bitprep.bat

5. When the script has completed, restart your machine and build the machine using WDS as normal installing Windows on drive C

6. Now would be a good time to enable your TPM in the BIOS if it is not already.. There does not seem to be any convention on how the TPM is referred to but with HP machines it is so as the ‘Embedded Security Device’

7. When your machine has finished building, installing software and is fully patched you can start to configure Bitlocker. Click Start > Control Panel > Security > BitLocker Drive Encryption.

8. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. If your TPM is not initialised, you will see the Initialize TPM Security Hardware wizard. Follow the directions to initialize the TPM and restart your computer.

9. On the Set BitLocker start-up preferences page, select the start-up option you want. You can choose only one of these options:

  • No additional security.
  • Require PIN at every start-up . You will see the Set the startup PIN page. Enter your PIN, confirm it, and then click Set PIN.
  • Require Startup USB key at every start-up . You will see the Save your start-up Key page. Insert your USB flash drive, choose the drive location, and then click Save.

In this scenario Bitlocker supports the following security permutations.

TPM only
TPM + PIN
TPM + PIN + USB Key
TPM + USB Key

BL0

BL1

10. On the Save the recovery password page, you will see the following options:

  • Save the password on a USB drive. Saves the password to a USB flash drive.
  • Save the password in a folder. Saves the password to a network drive or other location.
  • Print the password. Prints the password.

The recovery password will be required in the event the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that it is recommended that you make additional copies of the password stored in safe places to assure you access to your data. You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session. You should store recovery passwords apart from the computer for maximum security.

BL3

11. When you have finished backing up your recovery passwords you are ready to Encrypt the volume. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker verifies if the computer is BitLocker-compatible and ready for encryption.

12. If the system passed the checks you will see a ‘Encryption in Progress’ notifier in the system tray.

BL5

13. You can now have an enrypted disk!

BL5

14. If you would like to add more volumes and encrypt them then create the volumes as normal and then turn on Bitlocker for that drive.

BL8

This entry was posted in Backup, FileStore, Mobile, Security, Vista by James. Bookmark the permalink.

About James

I am an Infrastructure Systems Administrator in the Infrastructure Systems Group (ISG) within ISS. We are responsible for a number of the core services which support the IT Infrastructure of the University including Active Directory, Exchange, DNS, Central Filestore, VMware and SQL. I hold number of current Microsoft Certifications and am also a Symantec Certified Specialist (Netbackup) http://twitter.com/JamesAPocock

Leave a Reply

Your email address will not be published. Required fields are marked *