Secure your desktop with BitLocker

Today, mobility means securing your workstations. BitLocker has been integrated into Windows operating systems for many years. This feature ensures the confidentiality of data in the event that a computer is lost or stolen.

BitLocker and the Trusted Platform Module (TPM)

It's strongly recommended to use a Trusted Platform Module (TPM) version 1.2 or later with BitLocker. The TPM is a hardware component present on most recent computers, integrated by the manufacturer. Using BitLocker with the TPM chip ensures the integrity of the operating system boot. If the motherboard is changed, the system must be recovered, because the unlocking key is no longer present in the TPM chip of the new motherboard.

For computers without this chip, a USB key can be used instead of the TPM. The USB key must be inserted in order to start the workstation. Note that the integrity of the boot is not verified in this scenario.

Features provided by Windows 10

Windows 10 provides many improvements to BitLocker:

  • XTS-AES encryption: only for Windows 10; not compatible with older operating systems.
  • Recovery key in Azure AD: if your computer is joined to Azure AD, you can store the recovery key in Azure AD instead of the local Active Directory.
  • New group policy settings: introduced with Windows 10 (message customization in the recovery window, …).

Prerequisites

BitLocker requires the following prerequisites:

  • A TPM 1.2 chip or higher (strongly recommended), or a USB key
  • A hard disk partitioned with at least 2 drives: the operating system drive formatted in NTFS, and the system drive (recommended size 350 MB; BitLocker does not encrypt this partition).

Configure a GPO to configure BitLocker

To configure BitLocker, a group policy must be created. This GPO is used to specify the algorithm to use, the encryption type (full, …), the recovery method, and so on.

From the domain controller, access the Group Policy Management console.

Right-click Group Policy Objects and from the context menu select New. Enter the name of the new GPO and click OK.

Right-click the previously created group policy and select Edit. The Group Policy Editor console appears. All parameters to be configured are present in Computer configuration / Policies / Administrative templates / Windows Components / BitLocker Drive Encryption.

The examples below are the configuration I usually use in my projects. It may be necessary to adapt them to your needs.

Parameters for Operating System Drives

Operating System Drives / Allow Secure Boot for integrity validation : Enabled

Operating System Drives / Require additional authentication at startup : Enabled

  • Allow BitLocker without a compatible TPM : Disabled
  • Configure TPM startup : Allow TPM
  • Configure TPM startup PIN : Allow startup PIN with TPM

Operating System Drives / Configure minimum PIN length for startup : Enabled

  • Minimum characters: 4

Operating System Drives / Enforce drive encryption type on operating system drives : Enabled

  • Select the encryption type : Full encryption

Operating System Drives / Choose how BitLocker-protected operating system drives can be recovered : Enabled

  • Allow data recovery agent : Enabled
  • Save BitLocker recovery information to AD DS for operating system drives : Enabled
  • Do not enable BitLocker until recovery information is stored to AD DS for Operating system drives : Enabled

Parameters for Fixed Data Drives

Fixed Data Drives / Deny write access to fixed drives not protected by BitLocker : Enabled

Fixed Data Drives / Enforce drive encryption type on fixed data drives : Enabled

  • Select the encryption type : Used Space Only encryption

Fixed Data Drives / Configure use of passwords for fixed data drives : Enabled

  • Require password for fixed data drive : Enabled
  • Configure password complexity for fixed data drives : Do not allow password complexity
  • Minimum password length for fixed data drive : 8

Fixed Data Drives / Choose how BitLocker-protected fixed drives can be recovered : Enabled

  • Allow data recovery agent : Enabled
  • Save BitLocker recovery information to AD DS for fixed data drives : Enabled
  • Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives : Enabled

Root folder BitLocker Drive Encryption / Store BitLocker recovery information in Active Directory Domain Services : Enabled

  • Require BitLocker backup to AD DS : Enabled
  • Select BitLocker recovery information to store : Recovery passwords and key packages

Root folder BitLocker Drive Encryption / Choose how users can recover BitLocker-protected drives : Enabled

  • Configure 48-digit recovery password : Require recovery password
  • Configure 256-bit recovery key : Require recovery key

Root folder BitLocker Drive Encryption / Disable new DMA devices when this computer is locked : Enabled

Root folder BitLocker Drive Encryption / Choose drive encryption method and cipher strength : Enabled

  • Select the encryption method : AES 256-bit

Root folder BitLocker Drive Encryption / Choose drive encryption method and cipher strength (for Windows 10) : Enabled

  • Select the encryption method for operating system drives : XTS-AES 256-bit
  • Select the encryption method for fixed data drives : XTS-AES 256-bit
  • Select the encryption method for removable data drives : XTS-AES 256-bit

Root folder BitLocker Drive Encryption / Prevent memory overwrite on restart : Enabled

Apply the group policy to the computers concerned and restart the workstations so that they pick up the settings. After restarting, log in as administrator and run the following commands to activate BitLocker on the system partition (LetterOfOSPartition is the drive letter of the OS partition, %BitLockerPinCode% the startup PIN):

  • %SYSTEMROOT%\system32\manage-bde.exe -protectors -add LetterOfOSPartition: -tp %BitLockerPinCode% -rp
  • %SYSTEMROOT%\system32\Manage-bde -on LetterOfOSPartition:

Restart your computer and enter the PIN code. After the restart, encryption starts.

Run the following commands to activate BitLocker on the data partition:

  • %SYSTEMROOT%\system32\Manage-bde -protectors -add LetterOfDataPartition: -recoverypassword
  • %SYSTEMROOT%\system32\Manage-bde -on LetterOfDataPartition: -rp -pw -UsedSpaceOnly
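The same activation sequence for both partitions, done with the BitLocker PowerShell module and followed by a check of the resulting protectors. This is an added example, not code from the original post; it assumes C: is the OS partition, D: the data partition, and that the GPO described above is already applied (XTS-AES 256, TPM+PIN, recovery information backed up to AD DS).

```powershell
# Added example (not from the original post): activate BitLocker on the OS and
# data partitions as the manage-bde commands above do, then verify the result.
# Assumptions: C: = OS partition, D: = data partition, GPO from this post applied.
$OsDrive   = "C:"
$DataDrive = "D:"

# PIN and password are read as SecureString so they never land in the command history.
$Pin          = Read-Host -AsSecureString -Prompt "Startup PIN (minimum length set by GPO)"
$DataPassword = Read-Host -AsSecureString -Prompt "Password for $DataDrive"

# OS partition: add the recovery password first (the GPO refuses to enable BitLocker
# until it is escrowed in AD DS), then turn BitLocker on with a TPM+PIN protector.
# BitLocker runs its hardware test at the next reboot; encryption starts once the PIN
# has been entered, exactly as with manage-bde -on.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $Pin | Out-Null

# Data partition: recovery password plus a password protector, used-space-only encryption.
Add-BitLockerKeyProtector -MountPoint $DataDrive -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $DataDrive -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $DataPassword -UsedSpaceOnly | Out-Null

# Escrow every recovery password in AD DS explicitly (the GPO already requires it) and
# report each volume's state so the configuration can be checked before rebooting.
foreach ($MountPoint in $OsDrive, $DataDrive) {
    $Volume = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($Protector in $Volume.KeyProtector) {
        if ($Protector.KeyProtectorType -eq "RecoveryPassword") {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $Protector.KeyProtectorId | Out-Null
        }
    }
    [pscustomobject]@{
        Drive            = $MountPoint
        Method           = $Volume.EncryptionMethod       # expect XtsAes256
        Protectors       = ($Volume.KeyProtector.KeyProtectorType -join ", ")
        ProtectionStatus = $Volume.ProtectionStatus
        VolumeStatus     = $Volume.VolumeStatus
    }
}
```

If Method reports anything other than XtsAes256 or the OS volume lacks a TpmPin protector, the GPO has not been applied yet; run gpupdate /force and decrypt before re-running rather than leaving a weaker configuration in place.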

Recovery Password Viewer

In order to view the recovery keys present in Active Directory, it's necessary to add the BitLocker Recovery Password Viewer feature to the domain controller. From the DC, go to the Server Manager console and click Add roles and features. In the Feature Selection window, select BitLocker Drive Encryption. After installing the feature, restart the server and open the Active Directory Users and Computers console. Double-click the computer account, then open the BitLocker Recovery tab. The recovery key is listed there.

The recovery key ID shown on the workstation's recovery screen is the same ID present in the AD directory, so we know which recovery key to use.
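The same lookup from the command line, for helpdesk staff who match the Key ID displayed on the recovery screen against AD DS without the GUI. This is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module, read access to the msFVE-RecoveryInformation objects, and uses a placeholder computer name and Key ID prefix.

```powershell
# Added example (not from the original post): find the BitLocker recovery password
# escrowed in AD DS for a computer, filtered by the Key ID shown on the recovery screen.
# Assumption: recovery objects are stored as msFVE-RecoveryInformation children of the
# computer account, which is what the GPO "Store BitLocker recovery information in
# Active Directory Domain Services" produces.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # First characters of the Key ID displayed on the recovery screen (optional).
        [string]$KeyIdPrefix
    )
    $Computer = Get-ADComputer -Identity $ComputerName

    Get-ADObject -SearchBase $Computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated |
    ForEach-Object {
        # The GUIDs are stored as octet strings; convert them to the textual form
        # BitLocker displays so they can be compared with the recovery screen.
        $KeyId    = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid').Guid.ToUpper()
        $VolumeId = [guid]::new([byte[]]$_.'msFVE-VolumeGuid').Guid.ToUpper()
        [pscustomobject]@{
            Computer         = $ComputerName
            KeyId            = $KeyId
            VolumeId         = $VolumeId
            Created          = $_.whenCreated
            RecoveryPassword = $_.'msFVE-RecoveryPassword'   # the 48-digit password
        }
    } |
    Where-Object { -not $KeyIdPrefix -or $_.KeyId.StartsWith($KeyIdPrefix.ToUpper()) }
}

# Usage (placeholder computer name and Key ID prefix):
# Get-BitLockerRecoveryFromAD -ComputerName PC-PLACEHOLDER -KeyIdPrefix 1A2B3C4D
```

Access to these objects should be delegated to the helpdesk group only, and reads of msFVE-RecoveryPassword are worth auditing, since anyone who can read the attribute can unlock the drive.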

Store the recovery key in Azure AD

For devices that are not joined to Active Directory, it's not possible to store the key in AD. Since Windows 10 version 1511, it's possible to store the key in Azure AD. For that, the computer must be joined to Azure AD.

On drive C, right-click and from the context menu select Turn BitLocker On.

A wizard launches; select the Save to your cloud domain account option.

Validate the various windows of the wizard, then proceed to encryption. The recovery key is now in Azure AD. The same operation can be performed for the data partition.
