Secure your desktop with BitLocker
Today, mobility means securing workstations. BitLocker has been integrated into Windows operating systems for many years. This feature ensures the confidentiality of data if a computer is lost or stolen.
BitLocker and the Trusted Platform Module (TPM)
It’s strongly recommended to use a Trusted Platform Module (TPM) version 1.2 or later with BitLocker. The TPM is a hardware component present on most recent computers, integrated by the manufacturer. Using BitLocker with the TPM chip ensures the integrity of the operating system boot. If the motherboard is replaced, the system must be recovered, because the unlocking key will no longer be present in the TPM chip of the new motherboard. For computers without this chip, a USB key can be used instead of the TPM. The USB key must be inserted to start the workstation. Note that boot integrity is not verified in this scenario.
Features provided by Windows 10
Windows 10 provides several improvements to BitLocker:
- XTS-AES encryption: only for Windows 10, not compatible with older operating systems.
- Recovery key in Azure AD: if your computer is joined to Azure AD, you can store the recovery key in Azure AD instead of the local Active Directory.
- New group policy settings: introduced with Windows 10 (customization of the message in the recovery window, …)
Prerequisites
BitLocker requires the following prerequisites:
- A TPM 1.2 chip or later (strongly recommended) or a USB key
- A hard disk with at least two partitions: the operating system drive, formatted in NTFS, and the system drive (recommended size 350 MB; BitLocker does not encrypt this partition).
Configure a GPO for BitLocker
To configure BitLocker, a group policy must be created. This GPO specifies the algorithm to use, the encryption type (full, used space only, …), the recovery method and so on. From the domain controller, open the Group Policy Management console.
Right-click Group Policy Objects and select New from the context menu. Enter the name of the new GPO and click OK.
Right-click the previously created group policy and select Edit. The Group Policy Editor console appears. All parameters to be configured are present in Computer configuration / Policies / Administrative templates / Windows Components / BitLocker Drive Encryption.
The example below is one of the configurations I usually use in my projects. It may be necessary to adapt it to your needs.
Parameters for Operating System Drives
Operating System Drives / Allow Secure Boot integrity validation : Enabled
Operating System Drives / Require additional authentication at startup : Enabled
- Allow BitLocker without a compatible TPM : Disabled
- Configure TPM startup : Allow TPM
- Configure TPM startup PIN : Allow startup PIN with TPM
Operating System Drives / Configure minimum PIN length for startup : Enabled
- Minimum characters: 4
Operating System Drives / Enforce drive encryption type on operating system drives : Enabled
- Select the encryption type : Full encryption
Operating System Drives / Choose how BitLocker protected operating system drives can be recovered : Enabled
- Allow data recovery agent : Enabled
- Save BitLocker recovery information to AD DS for operating system drives : Enabled
- Do not enable BitLocker until recovery information is stored to AD DS for Operating system drives : Enabled
Parameters for Fixed Data Drives
Fixed Data Drives / Deny write access to fixed drives not protected by BitLocker : Enabled
Fixed Data Drives / Enforce drive encryption type on fixed data drives : Enabled
- Select the encryption type : Used Space Only encryption
Fixed Data Drives / Configure use of passwords for fixed data drives : Enabled
- Require password for fixed data drive : Enabled
- Configure password complexity for fixed data drives : Do not allow password complexity
- Minimum password length for fixed data drive : 8
Fixed Data Drives / Choose how BitLocker protected fixed drives can be recovered : Enabled
- Allow data recovery agent : Enabled
- Save BitLocker recovery information to AD DS for fixed data drives : Enabled
- Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives : Enabled
Root folder BitLocker Drive Encryption / Store BitLocker recovery information in Active Directory Domain Services : Enabled
- Require BitLocker Backup to AD DS : Enabled
- Select BitLocker recovery information to store : Recovery passwords and key packages
Root folder BitLocker Drive Encryption / Choose how users can recover BitLocker protected drives : Enabled
- Configure 48-digit recovery password : Require recovery password
- Configure 256-bit recovery key : Require recovery key
Root folder BitLocker Drive Encryption / Disable new DMA devices when this computer is locked : Enabled
Root folder BitLocker Drive Encryption / Choose drive encryption method and cipher strength : Enabled
- Select the encryption method : AES 256-bit
Root folder BitLocker Drive Encryption / Choose drive encryption method and cipher strength (for Windows 10) : Enabled
- Select the encryption method for operating system drives : XTS-AES 256-bit
- Select the encryption method for fixed data drives : XTS-AES 256-bit
- Select the encryption method for removable data drives : XTS-AES 256-bit
Root folder BitLocker Drive Encryption / Prevent memory overwrite on restart : Enabled
Run the following command to add a TPM+PIN key protector and a recovery password (replace LetterOfOSPartition with the drive letter of the OS partition; %BitLockerPinCode% is an environment variable holding the PIN):
%SYSTEMROOT%\system32\manage-bde.exe -protectors -add LetterOfOSPartition: -tp %BitLockerPinCode% -rp
Run the following command to enable BitLocker on the OS partition:
%SYSTEMROOT%\system32\Manage-bde -on LetterOfOSPartition:
Restart the computer and enter the PIN. Encryption starts after the restart.
Run the following commands to enable BitLocker on the data partition:
%SYSTEMROOT%\system32\Manage-bde -protectors -add LetterOfDataPartition: -recoverypassword
%SYSTEMROOT%\system32\Manage-bde -on LetterOfDataPartition: -rp -pw -UsedSpaceOnly
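The same enrolment as the manage-bde steps above, written as an added example with the BitLocker PowerShell module (this is not code from the original article). It assumes C: is the OS partition, D: the data partition, and that the GPO described earlier applies; it also checks that the recovery password was escrowed to AD DS before protection is turned on, which is what the "Do not enable BitLocker until recovery information is stored to AD DS" setting demands.

```powershell
#Requires -RunAsAdministrator
# Added example: equivalent of the manage-bde commands above using the
# BitLocker module. Assumptions: C: = OS drive, D: = data drive, GPO applied.
$OsDrive   = 'C:'
$DataDrive = 'D:'

# With "Allow BitLocker without a compatible TPM: Disabled", enrolment of the
# OS drive fails without a ready TPM, so stop early with a clear reason.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'No ready TPM found: the OS drive cannot be protected with TPM+PIN.'
}

# Escrow every recovery password protector of a volume in AD DS and fail if
# there is none (on an Azure AD-joined device, BackupToAAD-BitLockerKeyProtector
# is the counterpart of Backup-BitLockerKeyProtector).
function Backup-RecoveryPassword([string]$MountPoint) {
    $rps = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rps) { throw "$MountPoint has no recovery password protector" }
    foreach ($rp in $rps) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    }
}

# PIN and password are read interactively so they never end up in a script,
# a log or a shell history file.
$pin = Read-Host -AsSecureString -Prompt 'Startup PIN (4 characters minimum per GPO)'
$pw  = Read-Host -AsSecureString -Prompt 'Data drive password (8 characters minimum per GPO)'

# OS drive: 48-digit recovery password first (the "-rp" part), escrow it,
# then enable with TPM+PIN (the "-tp" part). Full encryption is the default,
# XTS-AES 256 matches the GPO. As with manage-bde -on, the hardware test
# means encryption only starts after a reboot where the PIN is entered.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
Backup-RecoveryPassword $OsDrive
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin

# Data drive: recovery password, escrow, then password protector with
# used-space-only encryption, as in "-on D: -rp -pw -UsedSpaceOnly".
Add-BitLockerKeyProtector -MountPoint $DataDrive -RecoveryPasswordProtector | Out-Null
Backup-RecoveryPassword $DataDrive
Enable-BitLocker -MountPoint $DataDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly -PasswordProtector -Password $pw

# Show what was configured: method, protection state and protector types.
Get-BitLockerVolume | Select-Object MountPoint, EncryptionMethod, ProtectionStatus, VolumeStatus,
    @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ', ') } }
```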
Recovery Password Viewer
To view the recovery keys stored in Active Directory, the BitLocker Recovery Password Viewer feature must be added to the domain controller. On the DC, open the Server Manager console and click Add roles and features.
In the feature selection window, select the BitLocker Drive Encryption feature (which contains the Recovery Password Viewer). After installing the feature, restart the server and open the Active Directory Users and Computers console. Double-click the computer account, then open the BitLocker Recovery tab. The recovery key is displayed.
The recovery key ID shown on the computer’s recovery screen matches the Password ID stored in the AD directory, which tells you which recovery password to use.
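The same lookup done from PowerShell rather than from the BitLocker Recovery tab, as an added example that is not part of the original article: it finds the recovery password whose ID matches the one shown on the locked computer. It assumes the RSAT ActiveDirectory module is installed and the caller can read the msFVE-RecoveryInformation objects; the computer name and key ID prefix at the end are constructed placeholders.

```powershell
# Added example: find a BitLocker recovery password in AD DS by the
# Recovery key ID displayed on the recovery screen. Requires RSAT
# ActiveDirectory and read rights on msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # The recovery screen shows the key ID (often only its first 8 characters).
        [Parameter(Mandatory)] [string] $KeyIdPrefix
    )
    $computer = Get-ADComputer -Identity $ComputerName
    # Each escrowed recovery password is a child object of the computer
    # account, named "<timestamp>{<recovery key GUID>}".
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                 -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        ForEach-Object {
            if ($_.Name -match '\{([0-9A-Fa-f-]{36})\}') {
                [PSCustomObject]@{
                    Computer = $ComputerName
                    KeyId    = $Matches[1].ToUpper()
                    Created  = $_.whenCreated
                    Password = $_.'msFVE-RecoveryPassword'
                }
            }
        } |
        Where-Object { $_.KeyId.StartsWith($KeyIdPrefix.ToUpper()) } |
        Sort-Object Created -Descending
}

# Constructed placeholders: workstation WS01 whose recovery screen shows
# a key ID starting with 1A2B3C4D. Newest matching password is listed first.
Get-BitLockerRecoveryPassword -ComputerName 'WS01' -KeyIdPrefix '1A2B3C4D' |
    Format-Table KeyId, Created, Password -AutoSize
```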
Store the recovery key in Azure AD
For devices that are not joined to the on-premises Active Directory, it’s not possible to store the key in AD DS. Since Windows 10 version 1511, the key can be stored in Azure AD. For that, the computer must be joined to Azure AD.
Right-click drive C and select Turn BitLocker On from the context menu.
A wizard launches; select the Save to your cloud domain account option.
Validate the remaining windows of the wizard and proceed with encryption. The recovery key is then stored in Azure AD. The same operation can be performed for the data partition.