
Have you ever lost a laptop, external hard disk or thumb drive (USB/flash stick)? That is when you start remembering the critical things on that drive that you never considered before: photos, critical documents, etc. Now imagine it was not your personal laptop but your CEO's or your CFO's. This could cripple your company if that information got out.

Hacking used to be just for fun, but now it is a business. Believe me, someone out there cares about this (your information) and is trying to get it.

This is when BitLocker comes into play.

This learning guide is built from the steps on Microsoft TechNet, with the topics rearranged to read more logically for someone who does not know the technology (there is no point in reinventing the wheel). I also added my personal experience and explained any other technology that might be needed in the process.

 

The sole purpose of this guide is to give some idea about the technology. You can use it to deploy your own solution, but I do not recommend copying it as-is, as every infrastructure is a bit different from the next. Please remember the golden rule: "60% planning, 30% deployment, 10% maintenance".

 
What is BitLocker? How does it work?

BitLocker Drive Encryption is a data protection feature available in Windows 7 Enterprise and Windows 7 Ultimate for client computers and in Windows Server 2008 R2. BitLocker provides enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.

How BitLocker works with operating system drives

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by:

  • Encrypting the entire Windows operating system drive on the hard disk. BitLocker encrypts all user files and system files on the operating system drive, including the swap files and hibernation files.
  • Checking the integrity of early boot components and boot configuration data. On computers that have a Trusted Platform Module (TPM) version 1.2, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer’s boot components appear unaltered and the encrypted disk is located in the original computer.

BitLocker is integrated into Windows 7 and provides enterprises with enhanced data protection that is easy to manage and configure. For example, BitLocker can use an existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys.

How BitLocker works with fixed and removable data drives

BitLocker can also be used to protect fixed and removable data drives. When used with data drives, BitLocker encrypts the entire contents of the drive and can be configured by using Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with the following unlock methods for data drives:

  • Automatic unlock. Fixed data drives can be set to automatically unlock on a computer where the operating system drive is encrypted. Removable data drives can be set to automatically unlock on a computer running Windows 7 after the password or smart card is initially used to unlock the drive. However, removable data drives must always have either a password or smart card unlock method in addition to the automatic unlock method.
  • Password. When users attempt to open a drive, they are prompted to enter their password before the drive will be unlocked. This method can be used with the BitLocker To Go Reader on computers running Windows Vista or Windows XP, to open BitLocker-protected drives as read-only.
  • Smart card. When users attempt to open a drive, they are prompted to insert their smart card before the drive will be unlocked.

A drive can support multiple unlock methods. For example, a removable data drive can be configured to be automatically unlocked on your primary work computer but query you for a password if used with another computer.

Does BitLocker support multifactor authentication?

Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2, you can use additional forms of authentication with the TPM protection. BitLocker offers the option to lock the normal boot process until the user supplies a personal identification number (PIN) or inserts a USB device (such as a flash drive) that contains a BitLocker startup key, or both the PIN and the USB device can be required. These additional security measures provide multifactor authentication and help ensure that the computer will not start or resume from hibernation until the correct authentication method is presented.

Why are two partitions required? Why does the system drive have to be so large?

Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. In Windows Vista, the system drive must be 1.5 gigabytes (GB), but in Windows 7 this requirement has been reduced to 100 MB for a default installation. The system drive may also be used to store the Windows Recovery Environment (Windows RE) and other files that may be specific to setup or upgrade programs. Computer manufacturers and enterprise customers can also store system tools or other recovery tools on this drive, which will increase the required size of the system drive. For example, using the system drive to store Windows RE along with the BitLocker startup file will increase the size of the system drive to 300 MB. The system drive is hidden by default and is not assigned a drive letter. The system drive is created automatically when Windows 7 is installed.

Can BitLocker deployment be automated in an enterprise environment?

Yes, you can automate the deployment and configuration of BitLocker with scripts that use the Windows Management Instrumentation (WMI) providers for BitLocker and TPM administration. How you choose to implement the scripts depends on your environment. You can also use the BitLocker command-line tool, Manage-bde.exe, to configure BitLocker locally or remotely.

What happens if the computer is turned off during encryption or decryption?

If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.

Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?

Yes, if the drive is a data drive, you can unlock it from the BitLocker Drive Encryption Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. If it is an operating system drive mounted on another computer running Windows 7, the encrypted hard disk can be unlocked by a data recovery agent if one was configured or it can be unlocked by using the recovery key.

How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?

It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack, in which an automated tool tries PIN combinations until the correct one is found (a dictionary attack is the variant that tries the most likely PINs first). For BitLocker-protected computers this attack requires that the attacker have physical access to the computer, because the PIN is only meaningful to the TPM in that computer, and the anti-hammering logic of a TPM 1.2 slows down and then locks out repeated failed attempts.

What is BitLocker To Go?

BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.

How can I authenticate or unlock my removable data drive?

In Windows 7, you can unlock removable data drives by using a password or a smart card. After you’ve started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements.

Can I use BitLocker To Go with computers running Windows XP or Windows Vista?

Yes. By default, if the removable data drive is formatted by using the FAT file system and then locked with BitLocker To Go using a computer running Windows 7, it can be unlocked on a computer running Windows XP or Windows Vista. However, the files will be available with read-only access on those operating systems, and no files can be added to the removable drive from those computers. When you insert the removable drive into a computer running Windows XP or Windows Vista, the only readable file on the drive is the BitLocker To Go Reader application, which is automatically written to the drive when BitLocker protection is turned on for the drive in Windows 7. By running the BitLocker To Go Reader, you will be able to view the files on the BitLocker-protected removable drive.

What happens if I try to open a BitLocker-protected, NTFS-formatted removable drive by using a computer running Windows XP or Windows Vista?

In most cases, Windows XP and Windows Vista will not be able to recognize a BitLocker-protected, NTFS-formatted removable drive. In many situations, the user will be prompted to format the drive. Because of this, it is recommended that removable drives be formatted by using the FAT, FAT32, or exFAT file system when using BitLocker.

If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?

No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.

What is best practice for using BitLocker on an operating system drive?

The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 and a Trusted Computing Group (TCG)-compliant BIOS implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.

What is a Trusted Platform Module?

A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system by using a hardware bus.

Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. Each TPM has a master "wrapping" key, called the storage root key, which is stored within the TPM itself. The private portion of a key created in a TPM is never exposed to any other component, software, process, or person.

Computers that incorporate a TPM can also create a key that has not only been wrapped but is also tied to certain platform measurements. This type of key can only be unwrapped when those platform measurements have the same values that they had when the key was created. This process is called "sealing" the key to the TPM. Decrypting the key is called "unsealing." The TPM can also seal and unseal data generated outside of the TPM. With this sealed key and software such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.

With a TPM, private portions of key pairs are kept separate from the memory controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system—assurances that define the "trustworthiness" of a system—can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely on the operating system and is not exposed to vulnerabilities that might exist in the operating system or application software.

Are your computers and drives physically secure?

Some computers, such as desktop computers and servers, are not likely to leave a physically secure location. This can mean that BitLocker protection is less important or that a lower level of protection is appropriate. In comparison, removable drives or portable computers that often leave the secure confines of your organization should be treated differently and with a higher level of protection. For more information about determining levels of protection

How Strong Do You Want the BitLocker Protection?

Determining the strength of BitLocker protection means determining the criteria for unlocking the drive after it is protected. When a BitLocker drive is unlocked, BitLocker authenticates the drive based on the valid key protectors being provided and then authorizes the unlocking of the drive. BitLocker offers a variety of key protectors that permit users to authenticate based on user knowledge, hardware component validation, and software keys as well as a combination of these. The information in this section helps you decide what type of protection you want to use with BitLocker.

  • TPM: A hardware device used to help establish a secure root of trust. BitLocker supports only TPM version 1.2 and above.
  • PIN: A user-entered numeric key protector that can only be used in addition to the TPM.
  • Startup key: An encrypted file that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.


How Do You Want to Recover BitLocker-Protected Drives?

A recovery method is used when a drive cannot be accessed by using the normal BitLocker unlock method. Unlock can fail on an operating system drive when a PIN is forgotten, a startup key is lost, or if the Trusted Platform Module (TPM) registers changes in the system components that it monitors before allowing the computer to start. For fixed and removable data drives, a recovery method is used when a password is forgotten or a smart card is lost. Consider the following situations when choosing which recovery methods your organization will support.

Recovery password
  • Description: Also known as a recovery key in the graphical user interface and a numerical password in the Manage-bde command-line tool. The recovery password is a 48-digit numerical password that can be backed up to Active Directory Domain Services (AD DS). It can also be printed or saved to a text file.
  • User configuration options: The password can be printed or saved to a file by the user. This functionality can be disabled by Group Policy.
  • Advantages: Can be backed up to AD DS; does not require IT physical presence; the 48-digit password can be read over the phone by a help desk attendant.
  • Disadvantages: Users can print or save recovery passwords to a file (this functionality can be disabled by Group Policy); not FIPS compliant.

Recovery key
  • Description: The recovery key is a 256-bit key that can be saved to a USB flash drive. It is not available by default for removable data drives. It is Federal Information Processing Standard (FIPS) compliant.
  • User configuration options: The location in which to save the recovery key must be specified by the user.
  • Advantages: FIPS compliant.
  • Disadvantages: Cannot be backed up to AD DS; users may store USB drives with their computer, and if the key to unlock the operating system drive is stored with the computer, the protection is rendered useless; USB drives could be lost, and if users lose the USB drive with their recovery key, they will not have a recovery method.

Data recovery agent
  • Description: The data recovery agent is a public key that is distributed to all BitLocker-protected devices as configured by Group Policy. It is FIPS compliant.
  • User configuration options: Data recovery agents cannot be configured by the user.
  • Advantages: FIPS compliant; automatically applied to drives.
  • Disadvantages: IT department personnel must be physically present; the private key must be used to recover the drive; the operating system drive must be installed on another computer running Windows 7 as a data drive.


If you choose to support the recovery password, you can use AD DS to store the recovery information; BitLocker integrates with AD DS to provide centralized key management for recovery information (only the recovery password and, optionally, the key package are stored in AD DS; the 256-bit recovery key file is not). When the recovery methods are supported, users can print recovery information, save it to a file, or save it to a USB drive. However, this recovery information is not automatically provided to the system administrators by default, and no recovery information is backed up to AD DS. This means that being able to recover BitLocker-protected drives is solely the responsibility of the user. To provide an administrative method to recover BitLocker-protected drives, you can configure Group Policy settings to enable the backup of BitLocker and TPM recovery information. Windows Server 2008 and Windows Server 2008 R2 include the required schema for BitLocker recovery by default. If you are using domain controllers running Windows Server 2003, you must extend the schema first to provide storage locations in AD DS for BitLocker recovery data.

The following recovery data can be saved for each computer object:

  • Recovery password
    A 48-digit recovery password used to recover a BitLocker-protected drive. Users enter this password to unlock a drive when BitLocker enters recovery mode.
  • Key package data
    With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected drive if the drive is severely damaged. Each key package will only work with the drive it was created on, which can be identified by the corresponding BitLocker identifier.
  • TPM owner password hash
    When ownership of the TPM is taken as part of turning on BitLocker, a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM.

Using BitLocker with operating system drives

Using BitLocker on operating system drives works best on computers with a compatible version 1.2 Trusted Platform Module (TPM). When using the TPM with BitLocker, the TPM must be enabled, activated, and owned. These TPM processes are automatically completed if necessary during the BitLocker setup process. For more information about working with the TPM

Things you need to know

The system requirements for running BitLocker are slightly different, depending on whether you will be encrypting an operating system drive or a data drive.

To encrypt the drive that Windows is installed on—the operating system drive—BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, so you must have one of the following:

  • A computer with a Trusted Platform Module (TPM). If your computer was manufactured with a TPM version 1.2 or higher, BitLocker protects keys with the TPM.
  • A removable USB device, such as a USB flash drive. If your computer does not have a version 1.2 or higher TPM, BitLocker will store its key on the USB device.

To turn on BitLocker Drive Encryption on the operating system drive, your computer’s hard disk must meet the following requirements:

  • The hard disk must contain at least two partitions: the operating system partition and the active system partition. The operating system partition is where Windows is installed and will be encrypted. The active system partition must remain unencrypted so that the computer can be started, and this partition must be at least 100 MB in size. By default in Windows 7, the system partition will not be given a letter and will be hidden from the user. If your computer does not have a separate, active partition, the required partitions will be created for you during BitLocker setup. By default during Windows setup, a separate, hidden system partition is created. It is a best practice for users to run as a standard user to prevent access to the system partition.
  • The operating system and active system partitions must be formatted with the NTFS file system. Other partitions can be formatted with NTFS, FAT, FAT32, or exFAT.
  • The BIOS must be compatible with the TPM or support USB devices during computer startup. If this is not the case, you will need to update the BIOS before using BitLocker.

You can use BitLocker to encrypt fixed data drives (such as internal hard drives) and removable data drives (such as external hard drives and USB flash drives). To encrypt a data drive, it must be formatted by using the exFAT, FAT16, FAT32, or NTFS file system and must be at least 64 MB in size.

Notes

BitLocker protection on FAT-formatted removable drives is known as BitLocker To Go. When a BitLocker-protected removable drive is unlocked on a computer running Windows 7, the drive is automatically recognized and the user is either prompted for credentials to unlock the drive or the drive is unlocked automatically if it is configured to do so. Computers running Windows XP or Windows Vista do not automatically recognize that the removable drive is BitLocker-protected.

To allow users of these operating systems to read content from BitLocker-protected removable drives by default, an additional FAT32 drive is created that is hidden on computers running Windows 7 but is visible on computers running Windows XP or Windows Vista. This hidden drive is called the discovery drive. The discovery drive contains the BitLocker To Go Reader. With BitLocker To Go Reader, users can unlock the BitLocker-protected drives by using a password or a recovery password (also known as recovery key).

  • You should make sure that users unlock BitLocker-protected removable drives only on computers they trust. After the drive is unlocked, the contents of the drive and the unlock mechanism you used are exposed to the host computer and could be captured.
  • The discovery drive is formatted as unencrypted (plaintext) and with no free space. User data should not be stored on this drive.
  • The BitLocker To Go Reader is not compatible with the NTFS file system. By default, many external drives are formatted in NTFS by the operating system. If you are planning to use the BitLocker To Go Reader, format the external drives in your organization by using the exFAT file system.

Backing Up BitLocker and TPM Recovery Information to AD DS

You can configure BitLocker Drive Encryption to back up recovery information for BitLocker-protected drives and the Trusted Platform Module (TPM) to Active Directory Domain Services (AD DS). Recovery information includes the recovery password for each BitLocker-protected drive, the TPM owner password, and the information required to identify which computers and drives the recovery information applies to. Optionally, you can also save a package containing the actual keys used to encrypt the data as well as the recovery password required to access those keys.

Using AD DS to store BitLocker recovery information

Backing up recovery passwords for a BitLocker-protected drive allows administrators to recover the drive if it is locked. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users.

Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.

In a default BitLocker installation, recovery information is not backed up and local users must be responsible for keeping a copy of the recovery password or recovery key. If the user loses that information or neglects to decrypt the drive before leaving the organization, the administrator cannot easily get access to the drive. To mitigate this situation, administrators can configure Group Policy settings to enable backup of BitLocker and TPM recovery information. Before configuring these settings, as a domain administrator you must ensure that the Active Directory schema has the necessary storage locations and that access permissions have been granted to perform the backup.

You should also configure AD DS before configuring BitLocker on client computers. If BitLocker is enabled first, recovery information for those computers will not be automatically added to AD DS. If necessary, recovery information can be backed up to AD DS after BitLocker has been enabled by using either the Manage-bde command-line tool or the BitLocker Windows Management Instrumentation (WMI) provider. For more information about the WMI provider, see the MSDN topic BackupRecoveryInformationToActiveDirectory Method of the Win32_EncryptableVolume Class (http://go.microsoft.com/fwlink/?LinkId=167132).
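The automation mentioned in the FAQ above (the BitLocker WMI provider and Manage-bde) and the after-the-fact backup just described, as an added example of mine rather than code from TechNet: it enumerates every volume through the real Win32_EncryptableVolume provider, reports its protection status, and calls BackupRecoveryInformationToActiveDirectory for each 48-digit recovery password protector. It assumes the ACE and Group Policy described later in this guide are already in place, so the computer account is allowed to write the recovery object, and it runs elevated on a Windows 7 client (Get-WmiObject is used so it works on PowerShell 2.0).

```powershell
# Added example (not from the TechNet text): push every numerical-password
# (48-digit recovery password) protector of every BitLocker volume to AD DS.
$ns = "root\CIMV2\Security\MicrosoftVolumeEncryption"
$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    # ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown (for example a locked data drive)
    $ps = $vol.GetProtectionStatus().ProtectionStatus

    # KeyProtectorType 3 = numerical password; the method returns the protector GUIDs
    $kp  = $vol.GetKeyProtectors(3)
    $ids = @($kp.VolumeKeyProtectorID | Where-Object { $_ })

    "{0} ProtectionStatus={1} RecoveryPasswordProtectors={2}" -f $vol.DriveLetter, $ps, $ids.Count

    if ($ps -ne 1) { continue }   # nothing to back up for an unprotected or locked volume

    foreach ($id in $ids) {
        # Creates the msFVE-RecoveryInformation child object under this computer account.
        # Equivalent command line:  manage-bde -protectors -adbackup <drive> -id <GUID>
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        if ($r.ReturnValue -eq 0) {
            "  backed up protector $id"
        } else {
            "  backup of protector $id failed: 0x{0:X8}" -f $r.ReturnValue
        }
    }
}
```

To see the same protectors from the command line before running the script, use manage-bde -protectors -get C:; the GUID it prints next to "Numerical Password" is the ID the WMI call above takes. A non-zero ReturnValue almost always means the computer account lacks the write permission that the ACE script grants, or the schema does not contain the ms-FVE objects yet.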

Note: You can save recovery information in AD DS if your domain controllers are running Windows Server 2003 with Service Pack 1 (SP1) or Service Pack 2 (SP2), Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2. You cannot save recovery information in AD DS if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1.

Backed up BitLocker recovery information is stored in a child object of the computer object. That is, the computer object is the container for a BitLocker recovery object.

Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each computer object because multiple recovery passwords can be associated with a BitLocker-protected drive and multiple BitLocker-protected drives can be associated with a computer.

Before you begin

Download and review the following sample scripts, which are used in the following procedures to configure AD DS for backing up BitLocker recovery information:

The first thing we need to do is add the ACE to Active Directory, so that each computer account is allowed to write its own TPM owner information (the backup).

Download the script from http://go.microsoft.com/fwlink/?LinkId=167133

This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows SELF (the computer itself) to write to the ms-TPM-OwnerInformation attribute for computer objects in the domain.

The sample script provided operates under the following assumptions:

  • You have domain administrator privileges to set permissions for the top-level domain object.
  • Your target domain is the same as the domain for the user account running the script.
  • Your domain is configured so that permissions inherit from the top-level domain object to targeted computer objects.

    Since I have a single domain (demolab.local, Windows Server 2008 R2) I will keep the script as it is.

    Now open CMD with administrative rights and run: cscript <Script Name>.vbs

    Let's make sure everything is OK. Open ADSI Edit (adsiedit.msc), connect to the Schema naming context, and you should find the following objects:

    • CN=ms-FVE-KeyPackage – attributeSchema object
    • CN=ms-FVE-RecoveryGuid – attributeSchema object
    • CN=ms-FVE-RecoveryInformation – classSchema object
    • CN=ms-FVE-RecoveryPassword – attributeSchema object
    • CN=ms-FVE-VolumeGuid – attributeSchema object
    • CN=ms-TPM-OwnerInformation – attributeSchema object
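The same check done from PowerShell instead of clicking through ADSI Edit, as an added example of mine (not part of the TechNet procedure or the downloaded script): it looks up the six schema objects listed above, confirms each has the expected object class, and then uses dsacls.exe to show the SELF write ACE for ms-TPM-OwnerInformation that the script added on the domain head. It assumes you run it as a domain admin on a machine with the AD DS tools installed; the domain is read from RootDSE, so nothing is hard-coded to demolab.local.

```powershell
# Added example: verify the BitLocker/TPM schema objects and the SELF write ACE.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext    # CN=Schema,CN=Configuration,DC=...
$domainNC = [string]$rootDse.defaultNamingContext   # DC=demolab,DC=local in this lab

$expected = @{
    "ms-FVE-KeyPackage"          = "attributeSchema"
    "ms-FVE-RecoveryGuid"        = "attributeSchema"
    "ms-FVE-RecoveryInformation" = "classSchema"
    "ms-FVE-RecoveryPassword"    = "attributeSchema"
    "ms-FVE-VolumeGuid"          = "attributeSchema"
    "ms-TPM-OwnerInformation"    = "attributeSchema"
}

foreach ($cn in ($expected.Keys | Sort-Object)) {
    $path = "LDAP://CN=$cn,$schemaNC"
    if ([ADSI]::Exists($path)) {
        # objectClass lists the whole chain (top, attributeSchema ...); the last value is the concrete class
        $class = ([ADSI]$path).objectClass | Select-Object -Last 1
        $state = if ($class -eq $expected[$cn]) { "OK     " } else { "WRONG  " }
        "$state $cn ($class)"
    } else {
        "MISSING $cn - extend the schema (Windows Server 2003 DCs) before enabling the backup"
    }
}

# The ACE sits on the domain head, inherited to computer objects, and grants
# NT AUTHORITY\SELF write to ms-TPM-OwnerInformation. dsacls prints the trustee and
# the attribute on one line and "WRITE PROPERTY" on the next, so show one line of context.
dsacls $domainNC | Select-String -Pattern "ms-TPM-OwnerInformation" -Context 1,1
```

If the last command prints nothing, the ACE was not added (the script was run in the wrong domain, or without domain admin rights) and the TPM owner password will never reach AD DS even though the Group Policy setting is enabled.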


    Now your domain is ready for the backup. Next we create a GPO for BitLocker and configure the options needed for the backup:

    1. Change "Choose how BitLocker-protected XX drives can be recovered" (we will do this for fixed data drives, operating system drives and removable data drives).


    The configuration is the same for all three drive types.


    2. The next thing is to enable the TPM backup to AD DS: "Turn on TPM backup to Active Directory Domain Services" under Computer Configuration > Administrative Templates > System > Trusted Platform Module Services.


Now, my Windows 7 machines were migrated from Windows XP and have only one partition, so we need the BitLocker Drive Preparation Tool (BdeHdCfg.exe) to create the active system partition for us.

So we run the following (it takes about 5 minutes and reboots the machine):

BdeHdCfg -target default -size 500 -quiet -restart

For the list of parameters see http://technet.microsoft.com/en-us/library/ee732026(WS.10).aspx

This is the end result: a separate active system partition next to the Windows partition.

Now, personally I always like the end user to do it himself in his own time frame; this also means he creates a unique recovery key.

So let's force them to enable BitLocker on both removable drives and fixed drives, as both can be added after we run our script. Back to the BitLocker GPO:

Enable "Deny write access to XX drives not protected by BitLocker". This setting exists for fixed data drives and for removable data drives (there is no such setting for the operating system drive); an unprotected drive is then mounted read-only until the user turns BitLocker on for it.


This is the end result when plugging in a USB drive: Windows prompts to encrypt it before allowing writes.

But for this guide I will be using a WMI script to do it (please note that my test machines do not have a TPM, so I will use a USB drive as the startup key and deactivate the BitLocker enforcement).

So this is an additional step, only needed if you don't have a TPM in your machines:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require Additional Authentication at Startup > Enabled, with "Allow BitLocker without a compatible TPM" checked.
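A quick audit of what those GPOs actually delivered to a client, as an added example of mine (not from TechNet): after gpupdate /force on a Windows 7 machine it reads the policy registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE and ...\TPM that BitLocker consumes, and flags any that differ from the settings configured above (recovery info backed up to AD DS for the three drive types, TPM owner info backed up, deny-write for unprotected fixed and removable drives, and BitLocker allowed without a TPM). The value names are the ones I know these settings write on Windows 7; if your ADMX writes a name differently, treat that row as an assumption and confirm with gpresult /h.

```powershell
# Added example: compare the local BitLocker/TPM policy registry values with this guide's GPO.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$tpm = "HKLM:\SOFTWARE\Policies\Microsoft\TPM"

$checks = @(
    # "Choose how BitLocker-protected XX drives can be recovered" for OS, fixed and removable drives
    @{ Path=$fve; Name="OSActiveDirectoryBackup";        Want=1; Why="OS drive recovery info saved to AD DS" },
    @{ Path=$fve; Name="OSRequireActiveDirectoryBackup"; Want=1; Why="do not turn on BitLocker until the AD DS backup succeeded" },
    @{ Path=$fve; Name="FDVActiveDirectoryBackup";       Want=1; Why="fixed data drive recovery info saved to AD DS" },
    @{ Path=$fve; Name="RDVActiveDirectoryBackup";       Want=1; Why="removable drive recovery info saved to AD DS" },
    # "Turn on TPM backup to Active Directory Domain Services"
    @{ Path=$tpm; Name="ActiveDirectoryBackup";          Want=1; Why="TPM owner password hash saved to AD DS" },
    # "Deny write access to XX drives not protected by BitLocker"
    @{ Path=$fve; Name="FDVDenyWriteAccess";             Want=1; Why="unprotected fixed drives are read-only" },
    @{ Path=$fve; Name="RDVDenyWriteAccess";             Want=1; Why="unprotected removable drives are read-only" },
    # "Require additional authentication at startup" + "Allow BitLocker without a compatible TPM"
    @{ Path=$fve; Name="UseAdvancedStartup";             Want=1; Why="startup authentication policy enabled" },
    @{ Path=$fve; Name="EnableBDEWithNoTPM";             Want=1; Why="USB startup key allowed on machines without a TPM" }
)

$failures = 0
foreach ($c in $checks) {
    # Get-ItemProperty returns $null when the key or value does not exist (policy not applied)
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $shown = if ($value -eq $null) { "unset" } else { $value }
    $state = if ($value -eq $c.Want) { "OK  " } else { $failures++; "FAIL" }
    "{0} {1,-31} = {2,-5} ({3})" -f $state, $c.Name, $shown, $c.Why
}
"$failures setting(s) differ from this guide's GPO"
```

OSRequireActiveDirectoryBackup is the "Do not enable BitLocker until recovery information is stored in AD DS" checkbox of the recovery policy; leaving it off is the most common reason a laptop ends up encrypted with no recovery password in the directory, because the client happily finishes encryption even when the backup write fails.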


You can find the needed scripts at

http://archive.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3205

So the first thing is to run the command line using SCCM or any other tool (you can use a startup script for it, but I don't recommend it).

This sample script is designed to be used for all BitLocker configuration scenarios. It can be run multiple times on a computer. The script automates the following BitLocker configuration settings:

  • Enable and activate the TPM
  • Take ownership of the TPM and generate a random owner password
  • Enable BitLocker protection using TPM only, TPM and PIN, TPM and startup key, or USB only
  • Create an additional recovery key
  • Create a recovery password
  • Specify the encryption method
  • Reset TPM owner information

cscript EnableBitLocker.vbs /on:usb promptuser /l:c:\BL.Log

The results:

Now let's save the recovery key.

Now if we unplug the USB drive, Windows 7 will not start; the startup key is required before the boot can continue.

Now let's launch the recovery environment (WinRE) and take a look.

Select our USB drive, and WinRE unlocks the operating system drive with the startup key.

Now we can read the hard disk fine.

Note: if you receive "ERROR – the ProtectKeyWithExternalKey method failed with the exit code", make sure you have a working TPM, and make sure you have the correct boot order; with docking stations things can get mixed up.

BitLocker Recovery Password Viewer for Active Directory

This tool lets you locate and view BitLocker recovery passwords that are stored in AD DS. You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object’s Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest.

The Recovery Password Viewer is part of Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1); you can download it at

http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d

After installation, enable it.

Now let's register the needed DLL. Run:

regsvr32.exe BdeAducExt.dll

Now we have a tab in each computer object's properties, like this.

See how easy BitLocker is!

One of the most common questions I receive in BitLocker deployments is how to enforce it on all systems with zero touch.

MBAM fixes this issue.

Overview

Microsoft BitLocker Administration and Monitoring (MBAM) builds on BitLocker in Windows 7 and offers you an enterprise solution for BitLocker provisioning, monitoring and key recovery. MBAM will help you simplify BitLocker provisioning and deployment, independently of or as part of your Windows 7 migration, improving BitLocker compliance and reporting and reducing support costs. This document assumes that you already understand BitLocker and group policies in general, and that you want a tool to more easily manage those security features.

Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface to BitLocker drive encryption. MBAM allows you to select BitLocker encryption policy options appropriate to your enterprise, monitor client compliance with those policies, report on the encryption status of the enterprise as well as individual computers, and recover lost encryption keys.

If you feel lost, please review my post regarding BitLocker.

Architecture Overview

The BitLocker Administration and Monitoring client agent performs the following tasks:

  • Uses Group Policy to enforce the BitLocker encryption of client computers in the enterprise
  • Gathers the recovery key for the three BitLocker data drive types: operating system drives, fixed data drives, and removable data drives (that is, USB drives)
  • Gathers compliance data for the computer and passes the data to the reporting system

Administration and Monitoring Server: Hosts the Management Console and monitoring web services. The Management Console is used to determine enterprise compliance status and audit activity, manage Hardware Capability, and access recovery data (for example, BitLocker Recovery Keys).

Compliance and Audit Database: Stores compliance data for BitLocker Administration and Monitoring client computers.

Recovery and Hardware Database: Stores recovery data that is collected from BitLocker Administration and Monitoring client computers.

Compliance and Audit Reports: Uses SQL Server Reporting Services (SRS) to provide BitLocker Administration and Monitoring reports. These reports can be accessed from the Management Console or directly from the SRS server.

Policy Template: The Group Policy template that specifies the BitLocker Administration and Monitoring implementation of BitLocker drive encryption.

Prerequisites

 

Server Operating System Requirements: Windows Server 2008 SP2 or above

 

Prerequisites for Administration and Monitoring Server

The following is a list of the prerequisites for the BitLocker Administration and Monitoring server:

Windows Server Web Server Role, with the following Web Server Role Services:

Common HTTP Features:

  • Static Content
  • Default Document

Application Development:

  • ASP.NET
  • .NET Extensibility
  • ISAPI Extensions
  • ISAPI Filters

Security:

  • Windows Authentication
  • Request Filtering

Windows Server Features:

  • .NET Framework 3.5.1 features
      • .NET Framework 3.5.1
      • WCF Activation
      • HTTP Activation
  • Windows Process Activation Service
      • Process Model
      • .NET Environment
      • Configuration APIs

Prerequisites for the Compliance and Audit Reports Server

The Compliance and Audit Reports prerequisites include the Reporting Services feature from Microsoft SQL Server 2008 R2 Standard, Enterprise, Datacenter or Developer edition.

Prerequisites for the Recovery and Hardware Database Server

The Recovery and Hardware Database prerequisites include the following:

  • Microsoft SQL Server 2008 R2 Standard, Enterprise, Datacenter or Developer edition.
  • SQL Server must have the Database Engine Services and Full-Text Search features installed.

Prerequisites for the Compliance Status Database Server

The Compliance Status Database prerequisites include:

  • Microsoft SQL Server 2008 R2 Standard, Enterprise, Datacenter or Developer edition.
  • SQL Server must have the Database Engine Services and Full-Text Search features installed.

MBAM Client Operating System Requirements

Operating System    Edition              Service Pack    System Architecture
Windows 7           Enterprise Edition   None, SP1       x86 or x64
Windows 7           Ultimate Edition     None, SP1       x86 or x64

Client hardware requirements:

  • Trusted Platform Module (TPM) v1.2 capability
  • The TPM chip must be turned on in the BIOS and be resettable from the operating system. Look in the BIOS documentation for more information.

BitLocker Administration and Monitoring server components can be installed in one of three server configurations.

  • Single-computer configuration: all BitLocker Administration and Monitoring features are installed on a single server. This configuration is supported, but only recommended for testing purposes.
  • Three-computer configuration: server features are installed as follows:
      • Recovery and Hardware Database, Compliance Status Database, and Compliance and Audit Reports features are installed on one server
      • Administration and Monitoring Server feature is installed on a second server
      • Group Policy template is installed on a server or client computer
  • Five-computer configuration: each server feature is installed on a dedicated computer:
      • Recovery and Hardware Database
      • Compliance Status Database
      • Compliance and Audit Reports
      • Administration and Monitoring Server
      • Group Policy Template is installed on a server or client computer

A three- or five-computer configuration is recommended for production environments.

 

Now let's install.

Accept the license agreement.

I will be using one server to hold all roles.

The wizard will make sure that everything it needs is installed.

Of course, in production you will need to encrypt it.

Select the Recovery and Hardware database.

Select the Compliance and Audit database.

Select your reporting server.

Select the website for MBAM.

If you already have a website using the same port, the wizard will not accept it.

Select whether you want updates or not.

Ready to install.

You can set up the features one by one if your setup failed.

Now let's set up the needed user roles:

  • MBAM System Administrators have access to all BitLocker Administration and Monitoring features. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Hardware Users have access to the Hardware Capability features from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Helpdesk Users have access to the Helpdesk features from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Report Users have access to the Compliance and Audit reports from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server, Compliance and Audit Reports Server, and Compliance Status Database Server.
  • MBAM Advanced Helpdesk Users have increased access to the Helpdesk features from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.

MBAM creates all the user groups below.

Now for the configuration.

MBAM integrates with Group Policy, as you see below.

Now test the following to see if it's working or not. Open http://<machinename>:<port>/default.aspx and confirm each of the links for navigation and reports, then open each of the service endpoints:

  • http://<machinename>:<port>/MBAMAdministrationService/AdministrationService.svc
  • http://localhost/MBAMComplianceStatusService/StatusReportingService.svc
  • http://<machinename>:<port>/MBAMRecoveryAndHardwareService/CoreService.svc

The expected results should be:

as you can see you

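To repeat these checks without clicking through a browser on every server, here is an added PowerShell probe (my own example, not part of the MBAM product) that requests the four URLs above with Windows authentication, which the site requires, and for the three .svc endpoints confirms that the WCF service page came back rather than an IIS error page. It assumes PowerShell 2.0, the mbam01:8080 server and port used later in this post, and that the WCF help page is enabled (the default).

```powershell
# Added example: smoke-test the MBAM web site and its three WCF services.
# Assumes the server name and port used later in this post (mbam01:8080); adjust to yours.
function Test-MbamEndpoints {
    param([string]$Server = 'mbam01', [int]$Port = 8080)

    $base  = 'http://{0}:{1}' -f $Server, $Port
    $paths = @(
        '/default.aspx',
        '/MBAMAdministrationService/AdministrationService.svc',
        '/MBAMComplianceStatusService/StatusReportingService.svc',
        '/MBAMRecoveryAndHardwareService/CoreService.svc'
    )

    foreach ($path in $paths) {
        $url  = $base + $path
        $code = -1        # -1 means no HTTP response at all (DNS, firewall, site stopped)
        $body = ''
        try {
            $req = [System.Net.HttpWebRequest]::Create($url)
            $req.UseDefaultCredentials = $true      # site is configured for Windows Authentication
            $req.Timeout = 10000
            $resp   = $req.GetResponse()
            $code   = [int]$resp.StatusCode
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            $body   = $reader.ReadToEnd()
            $reader.Close(); $resp.Close()
        } catch [System.Net.WebException] {
            # 401/403/404/500 still carry a response object; connection failures do not
            if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        }

        # A healthy WCF endpoint answers 200 with its help page ("You have created a service.")
        $ok = if ($path -like '*.svc') { ($code -eq 200) -and ($body -match 'You have created a service') }
              else                     { $code -eq 200 }

        New-Object PSObject -Property @{ Url = $url; HttpStatus = $code; Healthy = $ok }
    }
}

Test-MbamEndpoints | Format-Table Url, HttpStatus, Healthy -AutoSize
```

A 401 on every URL usually means the account running the script is not in any of the MBAM groups created above; a 500 on one .svc with the others healthy usually points at that service's database connection.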

 

Now, to deploy the client, we will deploy it through a GPO (just like any MSI), and the configuration will be received through Group Policy.

So we create a share and place both client packages in it:

  • MBAMClient-32bit.msi
  • MBAMClient-64bit.msi

 

Now, under Software Installation, we add both clients.

Now we rename them and remove the ability to install the x86 package on a 64-bit OS, because we have a dedicated client for x64.

Click Advanced.

Uncheck "make this 32-bit …", etc.

 

After agent installation, you should find the following service up and running.

Now, back in the GPO, let's set the basic configuration.

Under MDOP MBAM, under Data Recovery, enable and configure the MBAM backend services.

The backend URL:

http://mbam01:8080/MBAMRecoveryAndHardwareService/CoreService.svc

Now, under Reports, enable the reporting URL:

http://mbam01:8080/MBAMComplianceStatusService/StatusReportingService.svc

Now let's have an overview of the policy options.

 

Global Policy Definitions

This section describes Global Policy definitions for BitLocker Administration and Monitoring.

Policy Name

Overview and Suggested Policy Setting

Prevent memory overwrite on restart

This policy setting is the same as the BitLocker policy.

Configure this policy to improve restart performance without overwriting BitLocker secrets in memory on restart.

Suggested Configuration: Not configured

When the policy is not configured, BitLocker secrets are removed from memory when the computer restarts.

Validate smart card certificate usage rule

This policy setting is the same as the BitLocker policy.

Configure this policy to use smartcard certificate-based BitLocker protection.

Suggested Configuration: Not configured

When policy is not configured, a default object identifier “1.3.6.1.4.1.311.67.1.1” is used to specify a certificate.

Provide the unique identifier for your organization

This policy setting is the same as the BitLocker policy.

Configure this policy to use a certificate-based data recovery agent or the BitLocker To Go reader.

Suggested Configuration: Not configured

When policy is not configured, the Identification field is not used.

Choose drive encryption method and cipher strength

This policy setting is the same as the BitLocker policy.

Configure this policy to use a specific encryption method and cipher strength.

Suggested Configuration: Not configured

When policy is not configured, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.

Data Recovery Policy Definitions

This section describes MBAM Data Recovery Policy Definitions

Policy Name

Overview and Suggested Policy Setting

Configure key recovery service

This policy setting lets you manage the key recovery service to back up BitLocker recovery information. The setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss because of the lack of key information.

Suggested Configuration: Enabled, with "Key recovery information to back up" set to "Recovery Password and key package".

When this policy setting is enabled, the recovery password and key package will be automatically and silently backed up to the configured key recovery server location.

Operating System Drive Policy Definitions

This section describes MBAM Operating System Drive Policy Definitions.

Policy Name

Overview and Suggested Policy Setting

Operating system drive encryption settings

This policy setting determines whether the operating system drive will be encrypted.

Configure this policy to do the following:

  • Enforce BitLocker protection for the operating system drive.
  • Configure PIN usage to use a TPM PIN for operating system protection.
  • Configure enhanced startup PINs to allow the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces.

If you enable this policy setting, the user will have to secure the operating system drive using BitLocker.

If you do not configure or if you disable the setting, the user will not have to secure the operating system drive with BitLocker.

Suggested configuration: Enabled

When enabled, this policy setting requires that the user secures the operating system by using BitLocker protection, and the drive is encrypted. Based on your encryption requirements, you may select the method of protection for the operating system drive. For higher security requirements, use “TPM + PIN”, allow enhanced PINs, and set the minimum PIN length to 8.

Choose how BitLocker-protected operating system drives can be recovered

This policy setting is the same as the BitLocker policy.
Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).
Suggested Configuration: Not configured
When this policy is not configured, the data recovery agent is allowed, recovery information is not backed up to AD DS, and the recovery options, including the recovery password and recovery key, can be specified by the user.

Configure TPM platform validation profile

This policy setting is the same as the BitLocker policy.

This policy setting lets you configure how the Trusted Platform Module (TPM) security hardware on a computer secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

Suggested Configuration: Not configured

When this policy is not configured, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script.

Fixed Data Drive Policy Definitions

This section describes MBAM Fixed Data Drive Policy definitions.

Policy Name

Overview and Suggested Policy Setting

Fixed data drive encryption settings

This policy setting lets you manage whether the fixed data drive must be encrypted or not.

When enabling this policy, you must not disable the “Configure use of password for fixed data drives” policy.

If the Enable auto-unlock fixed data drive option is checked, the OS volume must be encrypted.

If you enable this policy setting, the user will have to put all fixed data drives under BitLocker protection and the drives will be encrypted.

If you disable this policy setting, then it is not required to put fixed data drive under BitLocker protection.

If you do not configure this policy setting, then it is not required to put fixed data drive under BitLocker protection.

Suggested Configuration: Enabled; and check the Enable auto-unlock fixed data drive option.

Deny write access to fixed drives not protected by BitLocker

This policy setting is the same as the BitLocker policy.

This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.

Suggested Configuration: Not configured

When the policy is not configured, all fixed data drives on the computer will be mounted with read and write access.

Allow access to BitLocker-protected fixed data drive from earlier versions of Windows

This policy setting is the same as the BitLocker policy.

Enable this policy to allow fixed data drives with the FAT file system to be unlocked and viewed on Windows Server 2008 computers.

Suggested configuration: Not configured

When the policy is not configured, fixed data drives formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

Configure use of password for fixed data drives

This policy setting is the same as the BitLocker policy.

Enable this policy to configure password protection on fixed data drives.

Suggested configuration: Not configured

When the policy is not configured, passwords will be supported with the default settings that do not include password complexity requirements and require only 8 characters.

Choose how BitLocker-protected fixed drives can be recovered

This policy setting is the same as the BitLocker policy.

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

Suggested Configuration: Not configured

When policy is not configured, the BitLocker data recovery agent is allowed, the recovery options, including the recovery password and recovery key, can be specified by the user, and recovery information is not backed up to AD DS.

Removable Data Drive Policy Definitions

This section describes MBAM Removable Data Drive Policy definitions.

Policy Name

Overview and Suggested Policy Setting

Control use of BitLocker on removable drives

This policy setting is the same as the BitLocker policy.

This policy controls the use of BitLocker on removable data drives.

Check the Allow users to apply BitLocker protection on removable data drives option to let the user run the BitLocker setup wizard on a removable data drive.

Choose Allow users to suspend and decrypt BitLocker on removable data drives to permit the user to remove BitLocker drive encryption from the drive or suspend the encryption while maintenance is performed.

Suggested configuration: Enabled

Deny write access to removable drives not protected by BitLocker

This policy setting is the same as the BitLocker policy.

Enable this policy to only allow write access to BitLocker protected drives.

Suggested Configuration: Not configured

When this policy is not configured, all removable data drives on the computer will be mounted with read and write access.

Allow access to BitLocker-protected removable data drive from earlier versions of Windows

This policy setting is the same as the BitLocker policy.

Enable this policy to allow removable data drives with the FAT file system to be unlocked and viewed on Windows Server 2008 computers.

Suggested Configuration: Not configured

When this policy is not configured, removable data drives formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

Configure use of password for removable data drives

This policy setting is the same as the BitLocker policy

Enable this policy to configure password protection on removable data drives.

Suggested configuration: Not configured

When this policy is not configured, passwords are supported with the default settings that do not include password complexity requirements and require only 8 characters.

Choose how BitLocker-protected removable drives can be recovered

This policy setting is the same as the BitLocker policy.

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

Suggested Configuration: Not configured

When not configured, the data recovery agent is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

Report Policy Definitions

This section describes the MBAM Report Policy definitions.

Policy Name

Overview and Suggested Policy Setting

Configure status reporting service

This policy setting establishes a location for collecting compliance status reports and sets the time between the generating of reports.

If you enable this policy setting, the status report and updated key recovery information will be automatically and silently sent to the configured report server location.

If you do not configure or disable this policy setting, the status report and updated key recovery information will not be saved.

Suggested Configuration: Enabled

When it is enabled, this policy provides an administrative method of generating a compliance report.

The default is set to every 720 minutes.

Set this frequency based on the requirement set by your company on how frequently to check the compliance status of the computer.

Client Management Policy Definition

This section describes MBAM Client Management Policy definitions.

Policy Name

Overview and Suggested Policy Setting

Configure client checking frequency in minutes

This policy setting manages how frequently the client checks the BitLocker protection policies and status on the client computer.

If you enable this policy setting, the client will check the BitLocker protection policies and status on the client computer at the configured frequency.

If you do not configure or disable this policy setting, the client checks the BitLocker protection policies and status on the client computer every 90 minutes.

Suggested Configuration: Enabled

The default is set to every 90 minutes.

Set this frequency based on the requirement set by your company on how frequently to check the compliance status of the computer.

Allow hardware compatibility checking

This policy setting allows you to manage the checking of hardware compatibility before enabling BitLocker protection on drives of a computer.

When enabling this policy, the administrator has to make sure that the Microsoft BitLocker Administration and Monitoring service is installed with the “Hardware Capability” sub-feature.

When enabling this policy you must enable the “Configure Key Recovery service” policy and have it configured.

If you enable this policy setting, the model of the computer will be validated against the hardware compatibility list before it enables BitLocker protection on drives of a computer to ensure the model is BitLocker-capable

If you disable or do not configure this policy setting, the computer model will not be validated against the hardware compatibility list.

Suggested Configuration: Enabled

Enable this if your enterprise has older computer hardware or computers that do not support TPM. If this is the case, enable Hardware Compatibility checking to make sure that MBAM is only applied to computer models that support it. If all computers in your organization support BitLocker, you do not have to deploy the Hardware Compatibility, and you can set this policy to Not Configured.

Configure user exemption policy

This policy allows configuring a URL, email address, or telephone number that will instruct users how to request exemption from BitLocker protection.

If you enable this policy setting and provide a URL, mailing address, or telephone number, the user will be able to apply for exemption and will see a dialog with instructions on how to apply for exemption from BitLocker protection.

If you disable or do not configure this policy setting, the user will not see a message for instructions on how to apply for an exemption from BitLocker protection. The request exemption form will not be available to the user.

Suggested Configuration: Not Configured

Enable this policy if your organization wants to let a user or computer be exempted from BitLocker protection.

User-Based Group Policy Definitions

This section describes user-based MBAM Group Policy definitions.

Policy Name

Overview and Suggested Policy Settings

Allow the user to be exempted from BitLocker encryption

This policy lets MBAM be configured to exempt a user from BitLocker encryption.

If you enable this policy setting, the specified user is exempted from BitLocker encryption.

If you disable this policy setting, the specified user is denied exemption from BitLocker encryption. Also, the exemption is not available to the user.

If you do not configure this policy setting, the user is not exempted from BitLocker encryption, and the exemption option is not available to the user.

Suggested Configuration: Not configured

 

How to Grant User Exemptions

Microsoft BitLocker Administration and Monitoring (MBAM) can grant two forms of exemption from BitLocker protection, computer exemption and user exemption. Because BitLocker policy is applied to the computer, we recommend that you control BitLocker protection by exempting computers. Your organization can also manage BitLocker protection by exempting users.

To exempt users from BitLocker protection, an exempt user is added to a security group for Group Policy. When members of this security group sign on to a computer, the user Group Policy shows that the user is exempted from BitLocker protection. The user policy overrides the computer policy, and the computer will remain exempt from BitLocker protection. However, if the computer is already BitLocker-protected, the user exemption policy has no effect.

The following table shows how BitLocker protection is applied based on how exemptions are set.

User Status        Computer Not Exempt                                 Computer Exempt
User not exempt    BitLocker protection is enforced on computer        BitLocker protection is not enforced on computer
User exempt        BitLocker protection is not enforced on computer    BitLocker protection is not enforced on computer

List of Log Files for MBAM

The following article describes the locations for the log files used by Microsoft BitLocker Administration and Monitoring (MBAM) during setup and operation.

Setup

In order to get setup log files, you must install BitLocker Administration and Monitoring using the msiexec package with the /L <location> option. Log files will be created in the location specified.

Application and Monitoring

BitLocker uses the IIS logs by default for its websites and services. These are located under %systemdrive%\inetpub\logs\w3svc

Client

For the BitLocker client, the Admin and Operational log files are located in Event Viewer, under Application and Services Logs / Microsoft / Windows / BitLockerManagement.

This is the final look of the console. If you find something missing, make sure you are a member of the relevant MBAM users group.

One of the reports: