Step by Step BitLocker The Why and The How

Posted: 24/07/2011 in Misc

Have you ever lost a laptop, an external hard disk or a thumb drive (USB/flash stick)? That is when you start remembering the critical things on that drive that you did not think about before: photos, critical documents, etc. Now imagine that it was not your personal laptop but your CEO's or your CFO's. This could cripple your company if that information got out.

Hacking used to be just for fun, but now it's a business. Believe me, someone out there cares about your information and is trying to get it.

This is when BitLocker comes into play.

This learning guide consists of the steps taken from Microsoft TechNet, with the topics rearranged to be a bit more logical for someone who does not know the technology (there is no point in reinventing the wheel). I have also added my personal experience and explained any other technology that might be needed in the process.

The sole purpose of this guide is to give some idea about the technology. You can use it to deploy your own solution, but I don't recommend using it as-is, because every infrastructure is a bit different from the others. Please remember the golden rule: "60% planning, 30% deployment, 10% maintenance".

What is BitLocker? How does it work?

BitLocker Drive Encryption is a data protection feature available in Windows 7 Enterprise and Windows 7 Ultimate for client computers and in Windows Server 2008 R2. BitLocker provides enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.

How BitLocker works with operating system drives

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by:

  • Encrypting the entire Windows operating system drive on the hard disk. BitLocker encrypts all user files and system files on the operating system drive, including the swap files and hibernation files.
  • Checking the integrity of early boot components and boot configuration data. On computers that have a Trusted Platform Module (TPM) version 1.2, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer’s boot components appear unaltered and the encrypted disk is located in the original computer.

BitLocker is integrated into Windows 7 and provides enterprises with enhanced data protection that is easy to manage and configure. For example, BitLocker can use an existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys.

How BitLocker works with fixed and removable data drives

BitLocker can also be used to protect fixed and removable data drives. When used with data drives, BitLocker encrypts the entire contents of the drive and can be configured by using Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with the following unlock methods for data drives:

  • Automatic unlock. Fixed data drives can be set to automatically unlock on a computer where the operating system drive is encrypted. Removable data drives can be set to automatically unlock on a computer running Windows 7 after the password or smart card is initially used to unlock the drive. However, removable data drives must always have either a password or smart card unlock method in addition to the automatic unlock method.
  • Password. When users attempt to open a drive, they are prompted to enter their password before the drive will be unlocked. This method can be used with the BitLocker To Go Reader on computers running Windows Vista or Windows XP, to open BitLocker-protected drives as read-only.
  • Smart card. When users attempt to open a drive, they are prompted to insert their smart card before the drive will be unlocked.

A drive can support multiple unlock methods. For example, a removable data drive can be configured to be automatically unlocked on your primary work computer but query you for a password if used with another computer.

Does BitLocker support multifactor authentication?

Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2, you can use additional forms of authentication with the TPM protection. BitLocker offers the option to lock the normal boot process until the user supplies a personal identification number (PIN) or inserts a USB device (such as a flash drive) that contains a BitLocker startup key, or both the PIN and the USB device can be required. These additional security measures provide multifactor authentication and help ensure that the computer will not start or resume from hibernation until the correct authentication method is presented.

Why are two partitions required? Why does the system drive have to be so large?

Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. In Windows Vista, the system drive must be 1.5 gigabytes (GB), but in Windows 7 this requirement has been reduced to 100 MB for a default installation. The system drive may also be used to store the Windows Recovery Environment (Windows RE) and other files that may be specific to setup or upgrade programs. Computer manufacturers and enterprise customers can also store system tools or other recovery tools on this drive, which will increase the required size of the system drive. For example, using the system drive to store Windows RE along with the BitLocker startup file will increase the size of the system drive to 300 MB. The system drive is hidden by default and is not assigned a drive letter. The system drive is created automatically when Windows 7 is installed.

Can BitLocker deployment be automated in an enterprise environment?

Yes, you can automate the deployment and configuration of BitLocker with scripts that use the Windows Management Instrumentation (WMI) providers for BitLocker and TPM administration. How you choose to implement the scripts depends on your environment. You can also use the BitLocker command-line tool, Manage-bde.exe, to locally or remotely configure BitLocker.
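As an added example (it is not part of the TechNet text and not one of the Microsoft sample scripts this guide references), the following PowerShell uses the same WMI provider, Win32_EncryptableVolume, to inventory the BitLocker state of every volume on a machine: protection status, conversion progress, encryption method and which key protectors are present. It only reads, so it is a safe compliance check to run before and after deployment. The numeric code tables are the ones the provider documents; the function name is my own.

```powershell
# Added example: read-only BitLocker inventory through the Win32_EncryptableVolume WMI provider.
# Run from an elevated prompt. Uses Get-WmiObject so it works on Windows 7 / Server 2008 R2.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Code tables as documented for GetProtectionStatus, GetConversionStatus,
# GetEncryptionMethod and GetKeyProtectorType.
$protection = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$conversion = @{ 0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress'
                 3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused' }
$method     = @{ 0 = 'None'; 1 = 'AES-128 with diffuser'; 2 = 'AES-256 with diffuser'
                 3 = 'AES-128'; 4 = 'AES-256' }
$protector  = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (startup/recovery key)'
                 3 = 'Numerical password (48-digit recovery password)'; 4 = 'TPM + PIN'
                 5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key'
                 7 = 'Public key (data recovery agent / smart card)'; 8 = 'Passphrase' }

function Get-BitLockerInventory {
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
        $vol  = $_
        $stat = $vol.GetProtectionStatus()      # out: ProtectionStatus
        $conv = $vol.GetConversionStatus()      # out: ConversionStatus, EncryptionPercentage
        $enc  = $vol.GetEncryptionMethod()      # out: EncryptionMethod

        # KeyProtectorType 0 asks for protectors of every type; resolve each ID to its type
        $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)
        $types = foreach ($id in $ids) {
            $protector[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
        }

        New-Object PSObject -Property @{
            Drive       = $vol.DriveLetter
            Protection  = $protection[[int]$stat.ProtectionStatus]
            Conversion  = $conversion[[int]$conv.ConversionStatus]
            PercentDone = $conv.EncryptionPercentage
            Method      = $method[[int]$enc.EncryptionMethod]
            Protectors  = ($types -join '; ')
        }
    }
}

# Full report, then only the volumes that would fail a "must be protected" check
$inventory = Get-BitLockerInventory
$inventory | Format-Table Drive, Protection, Conversion, PercentDone, Method, Protectors -AutoSize
$inventory | Where-Object { $_.Protection -ne 'Protected' } |
    ForEach-Object { Write-Warning "Volume $($_.Drive) is $($_.Protection) ($($_.Conversion))" }
```

A volume whose conversion status is "Fully encrypted" but whose protection status is "Unprotected" is a real state (protection suspended, e.g. during a BIOS update), which is why the report shows both columns rather than only one.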

What happens if the computer is turned off during encryption or decryption?

If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.

Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?

Yes, if the drive is a data drive, you can unlock it from the BitLocker Drive Encryption Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. If it is an operating system drive mounted on another computer running Windows 7, the encrypted hard disk can be unlocked by a data recovery agent if one was configured or it can be unlocked by using the recovery key.

How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?

It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.

What is BitLocker To Go?

BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.

How can I authenticate or unlock my removable data drive?

In Windows 7, you can unlock removable data drives by using a password or a smart card. After you’ve started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements.

Can I use BitLocker To Go with computers running Windows XP or Windows Vista?

Yes. By default, if the removable data drive is formatted by using the FAT file system and then locked with BitLocker To Go using a computer running Windows 7, it can be unlocked on a computer running Windows XP or Windows Vista. However, the files will be available with read-only access on those operating systems, and no files can be added to the removable drive from those computers. When you insert the removable drive into a computer running Windows XP or Windows Vista, the only readable file on the drive is the BitLocker To Go Reader application, which is automatically written to the drive when BitLocker protection is turned on for the drive in Windows 7. By running the BitLocker To Go Reader, you will be able to view the files on the BitLocker-protected removable drive.

What happens if I try to open a BitLocker-protected, NTFS-formatted removable drive by using a computer running Windows XP or Windows Vista?

In most cases, Windows XP and Windows Vista will not be able to recognize a BitLocker-protected, NTFS-formatted removable drive. In many situations, the user will be prompted to format the drive. Because of this, it is recommended that removable drives be formatted by using the FAT, FAT32, or exFAT file system when using BitLocker.

If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?

No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.

What is best practice for using BitLocker on an operating system drive?

The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 and a Trusted Computing Group (TCG)-compliant BIOS implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.

What is a Trusted Platform Module?

A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system by using a hardware bus.

Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. Each TPM has a master "wrapping" key, called the storage root key, which is stored within the TPM itself. The private portion of a key created in a TPM is never exposed to any other component, software, process, or person.

Computers that incorporate a TPM can also create a key that has not only been wrapped but is also tied to certain platform measurements. This type of key can only be unwrapped when those platform measurements have the same values that they had when the key was created. This process is called "sealing" the key to the TPM. Decrypting the key is called "unsealing." The TPM can also seal and unseal data generated outside of the TPM. With this sealed key and software such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.

With a TPM, private portions of key pairs are kept separate from the memory controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system—assurances that define the "trustworthiness" of a system—can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely on the operating system and is not exposed to vulnerabilities that might exist in the operating system or application software.

Are your computers and drives physically secure?

Some computers, such as desktop computers and servers, are not likely to leave a physically secure location. This can mean that BitLocker protection is less important or that a lower level of protection is appropriate. In comparison, removable drives or portable computers that often leave the secure confines of your organization should be treated differently and with a higher level of protection. For more information about determining levels of protection

How Strong Do You Want the BitLocker Protection?

Determining the strength of BitLocker protection means determining the criteria for unlocking the drive after it is protected. When a BitLocker drive is unlocked, BitLocker authenticates the drive based on the valid key protectors being provided and then authorizes the unlocking of the drive. BitLocker offers a variety of key protectors that permit users to authenticate based on user knowledge, hardware component validation, and software keys as well as a combination of these. The information in this section helps you decide what type of protection you want to use with BitLocker.

Term | Description
TPM | A hardware device used to help establish a secure root-of-trust. BitLocker supports only TPM version 1.2 and above.
PIN | A user-entered numeric key protector that can only be used in addition to the TPM.
Startup key | An encrypted file that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.



How Do You Want to Recover BitLocker-Protected Drives?

A recovery method is used when a drive cannot be accessed by using the normal BitLocker unlock method. Unlock can fail on an operating system drive when a PIN is forgotten, a startup key is lost, or if the Trusted Platform Module (TPM) registers changes in the system components that it monitors before allowing the computer to start. For fixed and removable data drives, a recovery method is used when a password is forgotten or a smart card is lost. Consider the following situations when choosing which recovery methods your organization will support.

Recovery method: Recovery password
Description: Also known as a recovery key in the graphical user interface and as a numerical password in the Manage-bde command-line tool. The recovery password is a 48-digit numerical password that can be backed up to Active Directory Domain Services (AD DS). It can also be printed or saved to a text file.
User configuration options: The password can be printed or saved to a file by the user. This functionality can be disabled by Group Policy.
Advantages:
  • Can be backed up to AD DS
  • Does not require IT physical presence
  • 48-digit password can be read over the phone by a help desk attendant
Disadvantages:
  • Users can print or save recovery passwords to a file, or this functionality can be disabled by Group Policy
  • Not FIPS compliant

Recovery method: Recovery key
Description: The recovery key is a 256-bit key that can be saved to a USB flash drive. It is not available by default for removable data drives. It is Federal Information Processing Standard (FIPS) compliant.
User configuration options: The location in which to save the recovery key must be specified by the user.
Advantages:
  • FIPS compliant
Disadvantages:
  • Cannot be backed up to AD DS
  • Users may store USB drives with their computer
  • If the key to unlock the operating system drive is stored with the computer, the protection is rendered useless
  • USB drives could be lost
  • If users lose the USB drive with their recovery key, they will not have a recovery method

Recovery method: Data recovery agent
Description: The data recovery agent is a public key that is distributed to all BitLocker-protected devices as configured by Group Policy. It is FIPS compliant.
User configuration options: Data recovery agents cannot be configured by the user.
Advantages:
  • FIPS compliant
  • Automatically applied to drives
Disadvantages:
  • IT department personnel must be physically present
  • The private key must be used to recover the drive
  • The operating system drive must be installed on another computer running Windows 7 as a data drive


If you choose to support either the recovery password or the recovery key, you can use AD DS to store the recovery information. BitLocker integrates with AD DS to provide centralized key management for recovery information. When the recovery key methods are supported, users can print recovery information, save it to a file, or save it to a USB drive. However, this recovery information is not automatically provided to the system administrators by default, and no recovery information is backed up to AD DS. This means that being able to recover BitLocker-protected drives is solely the responsibility of the user. However, to be able to provide an administrative method to recover BitLocker-protected drives, you can configure Group Policy settings to enable the backup of BitLocker and TPM recovery information. Windows Server 2008 and Windows Server 2008 R2 include support for BitLocker recovery by default. If you are using domain controllers running Windows Server 2003, you must extend the schema first to provide storage locations in AD DS for BitLocker recovery data.

The following recovery data can be saved for each computer object:

  • Recovery password
    A 48-digit recovery password used to recover a BitLocker-protected drive. Users enter this password to unlock a drive when BitLocker enters recovery mode.
  • Key package data
    With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected drive if the drive is severely damaged. Each key package will only work with the drive it was created on, which can be identified by the corresponding BitLocker identifier.
  • TPM owner password hash
    When ownership of the TPM is taken as part of turning on BitLocker, a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM.

Using BitLocker with operating system drives

Using BitLocker on operating system drives works best on computers with a compatible version 1.2 Trusted Platform Module (TPM). When using the TPM with BitLocker, the TPM must be enabled, activated, and owned. These TPM processes are automatically completed if necessary during the BitLocker setup process. For more information about working with the TPM

Things you need to know
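Those three TPM conditions (enabled, activated, owned) can be verified before deployment without touching the TPM. The script below is an added example, not from TechNet or the sample scripts; it reads the Win32_Tpm WMI class (namespace root\CIMV2\Security\MicrosoftTpm, which exists on Windows 7) and reports what is missing. The function name is my own.

```powershell
# Added example: read-only TPM readiness check for BitLocker.
# Win32_Tpm exposes IsEnabled(), IsActivated() and IsOwned() as WMI methods; each returns
# an object carrying a boolean of the same name. Run from an elevated prompt.
function Test-TpmReadyForBitLocker {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm

    if (-not $tpm) {
        # No TPM class instance: either no TPM chip, or it is hidden/disabled in the BIOS
        return New-Object PSObject -Property @{
            Present = $false; SpecVersion = $null
            Enabled = $false; Activated = $false; Owned = $false; Ready = $false
        }
    }

    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned

    New-Object PSObject -Property @{
        Present     = $true
        SpecVersion = $tpm.SpecVersion          # e.g. "1.2, 2, 3" on a TPM 1.2 part
        Enabled     = $enabled
        Activated   = $activated
        Owned       = $owned
        Ready       = ($enabled -and $activated -and $owned)
    }
}

$state = Test-TpmReadyForBitLocker
$state | Format-List Present, SpecVersion, Enabled, Activated, Owned, Ready

if (-not $state.Present) {
    Write-Warning 'No TPM found: the OS drive can only be protected with a USB startup key (see the "Require additional authentication at startup" policy later in this guide).'
} elseif (-not $state.Ready) {
    Write-Warning 'TPM present but not ready: enable/activate it in the BIOS; BitLocker setup (or the EnableBitLocker.vbs script) takes ownership.'
}
```

Enabling and activating usually need a BIOS change and a physical-presence confirmation at the next boot, which is why a deployment that assumes "TPM only" should run this check first and route non-TPM machines to the startup-key path the guide describes below.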

The system requirements for running BitLocker are slightly different, depending on whether you will be encrypting an operating system drive or a data drive.

To encrypt the drive that Windows is installed on—the operating system drive—BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, so you must have one of the following:

  • A computer with a Trusted Platform Module (TPM). If your computer was manufactured with a TPM version 1.2 or higher, BitLocker protects keys with the TPM.
  • A removable USB device, such as a USB flash drive. If your computer does not have a version 1.2 or higher TPM, BitLocker will store its key on the USB device.

To turn on BitLocker Drive Encryption on the operating system drive, your computer’s hard disk must meet the following requirements:

  • The hard disk must contain at least two partitions: the operating system partition and the active system partition. The operating system partition is where Windows is installed and will be encrypted. The active system partition must remain unencrypted so that the computer can be started, and this partition must be at least 100 MB in size. By default in Windows 7, the system partition will not be given a letter and will be hidden from the user. If your computer does not have a separate, active partition, the required partitions will be created for you during BitLocker setup. By default during Windows setup, a separate, hidden system partition is created. It is a best practice for users to run as a standard user to prevent access to the system partition.
  • The operating system and active system partitions must be formatted with the NTFS file system. Other partitions can be formatted with NTFS, FAT, FAT32, or exFAT.
  • The BIOS must be compatible with the TPM or support USB devices during computer startup. If this is not the case, you will need to update the BIOS before using BitLocker.

You can use BitLocker to encrypt fixed data drives (such as internal hard drives) and removable data drives (such as external hard drives and USB flash drives). To encrypt a data drive, it must be formatted by using the FAT, FAT16, FAT32, or NTFS file system and must be at least 64 MB in size.


BitLocker protection on FAT-formatted removable drives is known as BitLocker To Go. When a BitLocker-protected removable drive is unlocked on a computer running Windows 7, the drive is automatically recognized and the user is either prompted for credentials to unlock the drive or the drive is unlocked automatically if it is configured to do so. Computers running Windows XP or Windows Vista do not automatically recognize that the removable drive is BitLocker-protected.

To allow users of these operating systems to read content from BitLocker-protected removable drives by default, an additional FAT32 drive is created that is hidden on computers running Windows 7 but is visible on computers running Windows XP or Windows Vista. This hidden drive is called the discovery drive. The discovery drive contains the BitLocker To Go Reader. With BitLocker To Go Reader, users can unlock the BitLocker-protected drives by using a password or a recovery password (also known as recovery key).

  • You should make sure that users unlock BitLocker-protected removable drives only on computers they trust. After the drive is unlocked, the contents of the drive and the unlock mechanism you used are exposed to the host computer and could be captured.
  • The discovery drive is formatted as unencrypted (plaintext) and with no free space. User data should not be stored on this drive.
  • The BitLocker To Go Reader is not compatible with the NTFS file system. By default, many external drives are formatted in NTFS by the operating system. If you are planning to use the BitLocker To Go Reader, format the external drives in your organization by using the exFAT file system.

Backing Up BitLocker and TPM Recovery Information to AD DS

You can configure BitLocker Drive Encryption to back up recovery information for BitLocker-protected drives and the Trusted Platform Module (TPM) to Active Directory Domain Services (AD DS). Recovery information includes the recovery password for each BitLocker-protected drive, the TPM owner password, and the information required to identify which computers and drives the recovery information applies to. Optionally, you can also save a package containing the actual keys used to encrypt the data as well as the recovery password required to access those keys.

Using AD DS to store BitLocker recovery information

Backing up recovery passwords for a BitLocker-protected drive allows administrators to recover the drive if it is locked. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users.

Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.

In a default BitLocker installation, recovery information is not backed up and local users must be responsible for keeping a copy of the recovery password or recovery key. If the user loses that information or neglects to decrypt the drive before leaving the organization, the administrator cannot easily get access to the drive. To mitigate this situation, administrators can configure Group Policy settings to enable backup of BitLocker and TPM recovery information. Before configuring these settings, as a domain administrator you must ensure that the Active Directory schema has the necessary storage locations and that access permissions have been granted to perform the backup.

You should also configure AD DS before configuring BitLocker on client computers. If BitLocker is enabled first, recovery information for those computers will not be automatically added to AD DS. If necessary, recovery information can be backed up to AD DS after BitLocker has been enabled by using either the Manage-bde command-line tool or the BitLocker Windows Management Instrumentation (WMI) provider. For more information about the WMI provider, see the MSDN topic BackupRecoveryInformationToActiveDirectory Method of the Win32_EncryptableVolume Class.

Note: You can save recovery information in AD DS if your domain controllers are running Windows Server 2003 with Service Pack 1 (SP1) or Service Pack 2 (SP2), Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2. You cannot save recovery information in AD DS if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1.
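For machines that were encrypted before the GPO existed, here is an added example (not from TechNet) of the after-the-fact backup using the WMI method named above. It enumerates only numerical-password protectors (type 3), because that is the protector type AD DS stores, and reports the HRESULT of each call; the schema and permission prerequisites this section describes must already be in place. The function name is my own; the drive letter is a constructed default.

```powershell
# Added example: back up an existing volume's recovery password(s) to AD DS via WMI.
# Run elevated on the client. Equivalent manage-bde command for one protector:
#   manage-bde -protectors -adbackup C: -id "{protector GUID}"
function Backup-BitLockerRecoveryToAD {
    param([string]$DriveLetter = 'C:')

    $ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No BitLocker-capable volume found for $DriveLetter" }

    # KeyProtectorType 3 = numerical password (the 48-digit recovery password)
    $ids = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)
    if ($ids.Count -eq 0) {
        Write-Warning "$DriveLetter has no recovery password protector; nothing to back up"
        return @()
    }

    foreach ($id in $ids) {
        $result = $vol.BackupRecoveryInformationToActiveDirectory($id)
        New-Object PSObject -Property @{
            Drive       = $DriveLetter
            ProtectorId = $id
            Success     = ($result.ReturnValue -eq 0)
            # Non-zero is an HRESULT; typical causes are the missing schema, the missing ACE
            # for SELF, or no domain controller reachable from this client.
            Code        = ('0x{0:X8}' -f $result.ReturnValue)
        }
    }
}

Backup-BitLockerRecoveryToAD -DriveLetter 'C:' | Format-Table Drive, ProtectorId, Success, Code -AutoSize
```

Because recovery objects are never deleted from AD DS (see the FAQ above), running this repeatedly is harmless: it adds another dated object rather than overwriting anything.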

Backed up BitLocker recovery information is stored in a child object of the computer object. That is, the computer object is the container for a BitLocker recovery object.

Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each computer object because multiple recovery passwords can be associated with a BitLocker-protected drive and multiple BitLocker-protected drives can be associated with a computer.
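The structure just described (computer object as container, one msFVE-RecoveryInformation child per recovery password, newest identified by its date) can be read back with plain ADSI, which is how a help desk script would do it when the MMC extension described at the end of this guide is not installed. This is an added example, not from TechNet; the function name is mine and the computer name in the usage line is a constructed placeholder. Whoever runs it needs read access to the recovery attributes, which domain administrators have by default.

```powershell
# Added example: list the BitLocker recovery objects under a computer object, newest first.
# Uses System.DirectoryServices only (no RSAT / ActiveDirectory module required).
function Get-BitLockerRecoveryFromAD {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $domainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext

    # 1. Find the computer object. A computer's sAMAccountName ends with '$'.
    $search = New-Object System.DirectoryServices.DirectorySearcher
    $search.SearchRoot = [ADSI]"LDAP://$domainDN"
    $search.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    [void]$search.PropertiesToLoad.Add('msTPM-OwnerInformation')
    $computer = $search.FindOne()
    if (-not $computer) { throw "Computer '$ComputerName' not found in $domainDN" }

    # TPM owner password hash lives on the computer object itself, not on a child
    $hasTpmInfo = $computer.Properties.Contains('mstpm-ownerinformation')

    # 2. Recovery information objects are direct children of the computer object.
    $child = New-Object System.DirectoryServices.DirectorySearcher
    $child.SearchRoot  = $computer.GetDirectoryEntry()
    $child.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $child.Filter      = '(objectClass=msFVE-RecoveryInformation)'
    [void]$child.PropertiesToLoad.AddRange([string[]]@(
        'cn', 'whenCreated', 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid'))

    $child.FindAll() | ForEach-Object {
        $p = $_.Properties        # keys are lower-case in a SearchResult
        New-Object PSObject -Property @{
            Computer         = $ComputerName
            TpmOwnerInfoInAD = $hasTpmInfo
            Created          = $p['whencreated'][0]
            # The recovery GUID is what the BitLocker recovery screen shows the user;
            # match it to pick the right password when several objects exist.
            RecoveryGuid     = [guid]$p['msfve-recoveryguid'][0]
            VolumeGuid       = [guid]$p['msfve-volumeguid'][0]
            RecoveryPassword = $p['msfve-recoverypassword'][0]
        }
    } | Sort-Object Created -Descending
}

# Constructed example computer name; replace with a real account name from your domain.
Get-BitLockerRecoveryFromAD -ComputerName 'WIN7-CLIENT01' | Format-List
```

Sorting on whenCreated implements the advice from the FAQ ("to identify the latest password, check the date on the object"); matching on RecoveryGuid is more reliable still, because the first eight characters of that GUID are what the user reads from the recovery screen.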

Before you begin

Download and review the following sample scripts, which are used in the following procedures to configure AD DS for backing up BitLocker recovery information.

The first thing we need to do is add the ACE to Active Directory so that we have a backup.

Download the code from ( )

This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows SELF (the computer itself) to write to the ms-TPM-OwnerInformation attribute for computer objects in the domain.

The sample script provided operates under the following assumptions:

  • You have domain administrator privileges to set permissions for the top-level domain object.
  • Your target domain is the same as the domain for the user account running the script.
  • Your domain is configured so that permissions inherit from the top-level domain object to targeted computer objects.

Since I have one domain (demolab.local, Windows 2008 R2) I will keep the script as it is.

Now open CMD with administrative rights and run: cscript <Script Name>.vbs


Let's make sure that everything is OK. Open ADSI Edit; you should find the following objects:

    • CN=ms-FVE-KeyPackage – attributeSchema object
    • CN=ms-FVE-RecoveryGuid – attributeSchema object
    • CN=ms-FVE-RecoveryInformation – classSchema object
    • CN=ms-FVE-RecoveryPassword – attributeSchema object
    • CN=ms-FVE-VolumeGuid – attributeSchema object
    • CN=ms-TPM-OwnerInformation – attributeSchema object
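The same check can be scripted instead of clicking through ADSI Edit, which is handy when you have to verify several domains. This is an added example (not one of the Microsoft sample scripts): it looks up each of the six schema objects listed above by its CN under the schema naming context and confirms it has the expected objectClass. The function name is my own.

```powershell
# Added example: verify the BitLocker/TPM schema objects exist in this forest's schema.
# Read-only; any domain user can read the schema partition.
function Test-BitLockerSchema {
    $schemaDN = ([ADSI]'LDAP://RootDSE').schemaNamingContext

    # Object CN -> objectClass we expect, exactly as listed in this guide
    $expected = @{
        'ms-FVE-KeyPackage'          = 'attributeSchema'
        'ms-FVE-RecoveryGuid'        = 'attributeSchema'
        'ms-FVE-RecoveryInformation' = 'classSchema'
        'ms-FVE-RecoveryPassword'    = 'attributeSchema'
        'ms-FVE-VolumeGuid'          = 'attributeSchema'
        'ms-TPM-OwnerInformation'    = 'attributeSchema'
    }

    foreach ($cn in ($expected.Keys | Sort-Object)) {
        $path   = "LDAP://CN=$cn,$schemaDN"
        $exists = [System.DirectoryServices.DirectoryEntry]::Exists($path)
        # objectClass is multi-valued (top + the concrete class), so test with -contains
        $classes = if ($exists) { @(([ADSI]$path).objectClass) } else { @() }

        New-Object PSObject -Property @{
            Object   = $cn
            Expected = $expected[$cn]
            Found    = $exists
            OK       = ($exists -and ($classes -contains $expected[$cn]))
        }
    }
}

$check = Test-BitLockerSchema
$check | Format-Table Object, Expected, Found, OK -AutoSize
if ($check | Where-Object { -not $_.OK }) {
    Write-Warning 'Schema is missing BitLocker objects: on Windows Server 2003 DCs the schema must be extended first (see above).'
}
```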



    now your domain ready to backup the TPM Next we create a GPO for bitlocker and configure the needed option for backup

1. Change "Choose how BitLocker-protected XX drives can be recovered" (we will be doing this for fixed, OS and removable drives).

The configuration is the same across the three.

The next thing is to enable the setting so that the TPM owner information is backed up to AD DS.




Now, my Windows 7 machines were migrated from Windows XP and have only one partition, so we will need the BitLocker Drive Preparation Tool to create our active boot drive for us.

So we need to run the following (it will take about 5 minutes):

BdeHdCfg -target default -size 500 -quiet -restart

For a list of parameters please visit

This is the end result:


Now, personally I always like the end user to do it himself in his own time frame; this also makes him create a unique recovery key.

So let's force them to enable BitLocker on both external drives and fixed drives, as both can be added after we run our script. Now back to the BitLocker GPO.

Enable "Deny write access to XX not protected by BitLocker" (this will be enabled for fixed, OS and removable drives).




This is the end result when plugging in a USB drive:


But for this guide I will be using a WMI script to do it (please note that my test machines don't have a TPM, so I will use a USB drive, and I will deactivate the BitLocker enforcement).

So this is an additional step, only needed if you don't have a TPM in your machines:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require Additional Authentication at Startup > Enable



You can find the needed scripts at

So the first thing is to run the command line using SCCM or any other tool (you can use a startup script for it, but I don't recommend this).

This sample script is designed to be used for all BitLocker configuration scenarios. It can be run multiple times on a computer. The script automates the following BitLocker configuration settings:

  • Enable and activate the TPM
  • Take ownership of the TPM and generate a random owner password
  • Enable BitLocker protection using TPM only, TPM and startup key, or USB only
  • Create an additional recovery key
  • Create a recovery password
  • Specify the encryption method
  • Reset TPM owner information

EnableBitLocker.vbs /on:usb promptuser /l:c:\BL.Log

The results:

Now let's save the recovery key.







Now if we unplug the USB drive, Windows 7 will not start.

Now let's launch the recovery environment (WinRE) and give it a look.

Select our USB drive.

Now we can read the hard disk OK.


Note: if you receive

ERROR – the ProtectKeyWithExternalKey Method failed with the exit code

make sure you have a working TPM, and make sure you have the correct boot order; sometimes with a docking station things can get messed up.

BitLocker Recovery Password Viewer for Active Directory

This tool lets you locate and view BitLocker recovery passwords that are stored in AD DS. You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object’s Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest.

The BitLocker Recovery Password Viewer is part of the Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1); you can download it at

After installation, enable it.

Now let's register the needed DLL:

regsvr32.exe BdeAducExt.dll

Now we have a tab in each computer's properties like this:

See how easy BitLocker is.

  1. Mahmoud Ramadan says:

    I appreciate you very much and respect your work, your skills in MS products and you show to simplify the products for everyone. Thanks man, I am from Egypt and I am working as a technical specialist in Wipro in Dubai and all Middle East. You facilitate more things to me, let us work together, reply your mail.

  2. Joachim says:

    I’m not through yet, but the page looks pretty good already.
