Secure your desktop with Bitlocker

Today, mobility means securing your workstations. BitLocker has been integrated into Windows operating systems for many years. It ensures data confidentiality in the event that a computer is lost or stolen.

BitLocker and the Trusted Platform Module (TPM)

It’s strongly recommended to use a Trusted Platform Module (TPM) version 1.2 or later with BitLocker. The TPM is a hardware component present on most recent computers and integrated by the manufacturer. Using BitLocker with the TPM chip ensures the integrity of the operating system boot. If the motherboard is changed, the system must be recovered, because the unlocking key will no longer be present in the TPM chip of the new motherboard. For computers without this chip, a USB key can be used instead of the TPM; the USB key must then be inserted to start the workstation. Note that boot integrity is not verified in this scenario.

Features provided by Windows 10

Windows 10 provides several improvements to BitLocker:

  • XTS-AES encryption: only available on Windows 10, not compatible with older operating systems.
  • Recovery key in Azure AD: if your computer is joined to Azure AD, you can store the recovery key in Azure AD instead of the local Active Directory.
  • New group policy settings: introduced with Windows 10 (message customization in the recovery window, …)

Prerequisites

BitLocker requires the following:

  • A TPM 1.2 chip or higher (strongly recommended) or a USB key
  • A hard disk partitioned with at least two volumes: the operating system drive, formatted in NTFS, and the system drive (recommended size 350 MB; BitLocker does not encrypt this partition).

Configure a GPO to configure BitLocker

To configure BitLocker, a group policy must be created. This GPO specifies the algorithm to use, the encryption type (full, …), the recovery method, … From the domain controller, open the Group Policy Management console.

Create Group Policy on Group Policy Management Console

Right-click Group Policy Objects and select New from the context menu. Enter the name of the new GPO and click OK.

Edit the Group Policy to configure the BitLocker parameters

Right-click the previously created group policy and select Edit. The Group Policy Editor console appears. All parameters to be configured are located under Computer configuration / Policies / Administrative templates / Windows Components / BitLocker Drive Encryption. The examples below are one of the configurations I usually use in my projects. It may be necessary to adapt them to your needs.

Parameters for Operating System Drives

Operating System Drives / Allow Secure Boot for integrity validation : Enabled

Allow Secure Boot for integrity validation

Operating System Drives / Require additional authentication at startup : Enabled

  • Allow BitLocker without a compatible TPM : Disabled
  • Configure TPM startup : Allow TPM
  • Configure TPM startup PIN : Allow startup PIN with TPM

Require additional authentication

Operating System Drives / Configure minimum PIN length for startup : Enabled

  • Minimum characters : 4

Configure minimum PIN length

Operating System Drives / Enforce drive encryption type on operating system drives : Enabled

  • Select the encryption type : Full encryption

Enforce drive encryption type

Operating System Drives / Choose how BitLocker-protected operating system drives can be recovered : Enabled

  • Allow data recovery agent : Enabled
  • Save BitLocker recovery information to AD DS for operating system drives : Enabled
  • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives : Enabled

Choose how BitLocker-protected operating system drives can be recovered

Parameters for Fixed Data Drives

Fixed Data Drives / Deny write access to fixed drives not protected by BitLocker : Enabled

Deny Write access to fixed drives

Fixed Data Drives / Enforce drive encryption type on fixed data drives : Enabled

  • Select the encryption type : Used Space Only encryption

Enforce encryption

Fixed Data Drives / Configure use of passwords for fixed data drives : Enabled

  • Require password for fixed data drive : Enabled
  • Configure password complexity for fixed data drives : Do not allow password complexity
  • Minimum password length for fixed data drive : 8

Configure use of passwords

Fixed Data Drives / Choose how BitLocker-protected fixed drives can be recovered : Enabled

  • Allow data recovery agent : Enabled
  • Save BitLocker recovery information to AD DS for fixed data drives : Enabled
  • Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives : Enabled

Choose how BitLocker-protected fixed drives can be recovered

Root folder BitLocker Drive Encryption / Store BitLocker recovery information in Active Directory Domain Services : Enabled

  • Require BitLocker backup to AD DS : Enabled
  • Select BitLocker recovery information to store : Recovery passwords and key packages

Store BitLocker recovery information

Root folder BitLocker Drive Encryption / Choose how users can recover BitLocker-protected drives : Enabled

  • Configure 48-digit recovery password : Require recovery password
  • Configure 256-bit recovery key : Require recovery key

Choose how users can recover BitLocker-protected drives

Root folder BitLocker Drive Encryption / Disable new DMA devices when this computer is locked : Enabled

Disable new DMA devices

Root folder BitLocker Drive Encryption / Choose drive encryption method and cipher strength : Enabled

  • Select the encryption method : AES 256-bit

Choose drive encryption method

Root folder BitLocker Drive Encryption / Choose drive encryption method and cipher strength (for Windows 10) : Enabled

  • Select the encryption method for operating system drives : XTS-AES 256-bit
  • Select the encryption method for fixed data drives : XTS-AES 256-bit
  • Select the encryption method for removable data drives : XTS-AES 256-bit

Choose drive encryption method (Windows 10)

Root folder BitLocker Drive Encryption / Prevent memory overwrite on restart : Enabled

Note that with this setting enabled, memory is not overwritten when the computer restarts; Microsoft documents it as a trade-off that improves restart performance at the risk of exposing BitLocker secrets left in memory.

Prevent memory overwrite

Run the following commands on the workstation to add the key protectors and activate BitLocker on the operating system partition (replace LetterOfOSPartition with the drive letter and %BitLockerPinCode% with the chosen PIN):

  • %SYSTEMROOT%\system32\manage-bde.exe -protectors -add LetterOfOSPartition: -tp %BitLockerPinCode% -rp
  • %SYSTEMROOT%\system32\manage-bde.exe -on LetterOfOSPartition:

Configure key protectors
Activate BitLocker

Restart the computer and enter the PIN code. After the restart, encryption starts.

PIN code asked on reboot
Encryption of the disk starts

Run the following commands to activate BitLocker on the data partition (replace LetterOfDataPartition with the drive letter):

  • %SYSTEMROOT%\system32\manage-bde.exe -protectors -add LetterOfDataPartition: -recoverypassword
  • %SYSTEMROOT%\system32\manage-bde.exe -on LetterOfDataPartition: -rp -pw -UsedSpaceOnly

Configure BitLocker key protectors for the data partition
Activate BitLocker on the data partition
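To check that a workstation actually ends up in the state the GPO settings and the manage-bde commands above prescribe, here is an added PowerShell verification script (it is not part of the original post). It assumes the drive letters C: and D: and the built-in BitLocker and TrustedPlatformModule modules, and must be run from an elevated prompt.

```powershell
# Added example, not from the original post: verify the BitLocker state a workstation
# should reach after the GPO above is applied. C: and D: are assumed drive letters.
$OsDrive   = 'C:'
$DataDrive = 'D:'

function Test-BitLockerCompliance {
    param([string]$MountPoint, [string]$ExpectedMethod, [string[]]$RequiredProtectors)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectorTypes = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }
    $findings = @()

    # Cipher must match the "Choose drive encryption method" policy (XTS-AES 256-bit)
    if ($vol.EncryptionMethod.ToString() -ne $ExpectedMethod) {
        $findings += "encryption method is $($vol.EncryptionMethod), expected $ExpectedMethod"
    }
    # Protection must be active, not merely encrypted with protectors suspended
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "protection status is $($vol.ProtectionStatus)"
    }
    foreach ($p in $RequiredProtectors) {
        if ($protectorTypes -notcontains $p) { $findings += "missing key protector: $p" }
    }
    [pscustomobject]@{
        MountPoint   = $MountPoint
        VolumeStatus = $vol.VolumeStatus      # FullyEncrypted / EncryptionInProgress / ...
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# TPM present and ready, as "Require additional authentication at startup" assumes
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { Write-Warning 'TPM not present or not ready' }

# Secure Boot on, so "Allow Secure Boot for integrity validation" actually applies
try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is disabled' }
} catch { Write-Warning "Secure Boot state unavailable (legacy BIOS?): $_" }

# OS drive: XTS-AES 256, TPM+PIN protector and recovery password (manage-bde -tp ... -rp)
Test-BitLockerCompliance -MountPoint $OsDrive -ExpectedMethod 'XtsAes256' `
    -RequiredProtectors @('TpmPin', 'RecoveryPassword')

# Data drive: XTS-AES 256, password protector and recovery password (manage-bde -rp -pw)
Test-BitLockerCompliance -MountPoint $DataDrive -ExpectedMethod 'XtsAes256' `
    -RequiredProtectors @('Password', 'RecoveryPassword')
```

A volume whose VolumeStatus is still EncryptionInProgress can report Compliant as true, since protectors are in place as soon as manage-bde -on completes; re-run the check once encryption has finished.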

Recovery Password Viewer

In order to view the recovery keys stored in Active Directory, it’s necessary to add the BitLocker Recovery Password Viewer feature to the domain controller. From the DC, open the Server Manager console and click Add roles and features.
In the Features selection window, select BitLocker Drive Encryption. After installing the feature, restart the server and open the Active Directory Users and Computers console. Double-click the computer account, then open the BitLocker Recovery tab. The recovery key is displayed.

View the BitLocker recovery key in Active Directory
Computer entering recovery mode

The recovery screen shows the Recovery Key ID; the same ID is present in the AD directory.

Recovery key ID

This ID tells us which recovery key to use.

Retrieve the recovery key stored in Active Directory
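The lookup the Recovery Password Viewer performs can also be scripted, which is convenient for a helpdesk matching the Recovery Key ID shown on the recovery screen. The following PowerShell function is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, read access to the msFVE-RecoveryInformation objects, and the constructed sample values WKS-001 and A1B2C3D4.

```powershell
# Added example, not from the original post: find the recovery password stored in AD DS
# for a computer, filtered by the Recovery Key ID displayed on the BitLocker recovery screen.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [string]$KeyIdPrefix = ''   # first characters of the Recovery Key ID, e.g. 'A1B2C3D4'
    )
    $computer = Get-ADComputer -Identity $ComputerName

    # Recovery objects are child objects of the computer account. Their CN has the form
    # "<creation timestamp>{<recovery GUID>}" and the 48-digit password is stored in the
    # msFVE-RecoveryPassword attribute.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
    ForEach-Object {
        $id = $_.Name -replace '^.*\{([^}]+)\}$', '$1'
        [pscustomobject]@{
            Computer         = $ComputerName
            RecoveryKeyId    = $id
            Created          = $_.whenCreated
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    } |
    # The recovery screen shows only the first 8 characters of the GUID; -like is case-insensitive
    Where-Object { $_.RecoveryKeyId -like "$KeyIdPrefix*" } |
    Sort-Object Created -Descending
}

# Constructed sample call: computer WKS-001, Recovery Key ID starting with A1B2C3D4
Get-BitLockerRecoveryPassword -ComputerName 'WKS-001' -KeyIdPrefix 'A1B2C3D4'
```

Several objects are returned when a drive has been re-protected over time; the Created column identifies the current one, and the GPO setting above ensures BitLocker is not enabled until this object exists.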

Store the recovery key in Azure AD

For devices that are not joined to the Active Directory domain, it’s not possible to store the key in AD. Since Windows 10 version 1511, it’s possible to store the key in Azure AD. For that, the computer must be joined to Azure AD.

Azure AD Join on computer

Right-click drive C: and select Turn on BitLocker from the context menu.

Activate BitLocker

A wizard launches; select the Save to your cloud domain account option.

Save the recovery key in Azure AD

Validate the remaining steps of the wizard, then proceed with encryption. The recovery key is now stored in Azure AD. The same operation can be performed for the data partition.

View the recovery key stored in Azure AD