Bitlocker Drive Encryption Operations Guide

Bit locker is an integral safety function in Windows Vista, S, 2008 and 2008 R2 that helps shield knowledge saved on fastened and detachable knowledge drives and working system drives.
Bit Locker helps be sure that customers can learn the info on the drive and write knowledge to the drive solely once they have both the required password, sensible card credentials, or are utilizing the info drive on a Bit Locker protected pc that has the right keys. bit Locker safety on working system drives helps two-issue authentication through the use of a Trusted Platform Module (TPM) together with a private identification quantity (PIN) or startup key in addition to single-issue authentication by storing a key on a USB flash drive or simply utilizing the TPM.
This choice requires that the pc have a suitable TPM microchip and BIOS. A suitable TPM is outlined as a model B.P TPM.
TPM: TPM is a chip put in on a system that shops cryptographic keys that shield info.
The TPM interacts with BitLocker working system drive safety to assist present safety at system startup. This isn't seen to the consumer, and the consumer logon expertise is unchanged. However, if the startup info has modified, BitLocker will enter restoration mode, and you will have a restoration password or restoration key to regain entry to the info.

To backup recovery keys in Active directory

We can backup restoration and TPM keys of a system in lively listing utilizing group coverage. We want to increase the Active listing schema, set the required permissions for backing up TPM password info and configure group coverage to allow backup of bitlocker and TPM restoration info.

Extending Active directory schema

We want to make use of ldifde command line software to increase the schema on DC that serves because the schema operations grasp. The schema extension file is situated at
“ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=check,dc=internet" -okay -j .”
This command must be entered as one line. The trailing interval (.) is a part of the command.

Set the permission for backing up TPM password information

A shopper pc operating Windows S can again up BitLocker restoration info underneath the pc object's default permission. However, a shopper pc operating Windows S can't again up TPM proprietor info until this extra ACE is added. The script is situated at
This script provides a single ACE to the highest-degree area object. The ACE is an inheritable permission that permits SELF (the pc itself) to put in writing to the ms-TPM-OwnerInformation attribute for pc objects within the area.
Go to the command immediate and sort cscript Add-TPMSelfWriteACE.vbs

Configure group policy to backup bitlocker and TPM recovery information

 To backup restoration keys from computer systems operating Windows 2008 R2 or Windows S:
M.        Go to Group coverage administration, In the console tree underneath Computer ConfigurationPoliciesAdministrative TemplatesWindows Components, click on BitLocker Drive Encryption
P.        In particulars pane, double click on Fixed Data Drives double click on “select how BitLocker-protected fastened drives might be recovered” choose enabled
A.        Make positive Allow knowledge restoration agent, Save bitlocker restoration info to AD DS for fastened knowledge drives and Do not allow BitLocker till restoration info is saved in AD DS for fastened knowledge drives is checked.
A.        Leave different fields as default.
H.        Now we now have to repeat the identical steps for Operating system drives i.e. step three and 4.
S.        In the console tree beneath Computer ConfigurationAdministrative TemplatesSystem, click on Trusted Platform Module Services.
S.        Double-click on Turn on TPM backup to Active Directory Domain Services and Click Enabled.
H.        The Require TPM again to AD DS verify field is chosen by default. When this feature is chosen, the TPM proprietor password can't be set or modified until the pc is related to the area and AD DS backup succeeds.

To backup recovery keys to a shared location:

  1. Go to Group coverage administration, In the console tree beneath Computer ConfigurationPoliciesAdministrative TemplatesWindows Components, click on BitLocker Drive Encryption
  2. Click on “”Choose default folder for restoration password” and allow it. Give the shared location under.
  3. It will backup bitlocker restoration key and TPM proprietor info.

How to Enable BitLocker

We might be utilizing BitLocker with two-issue authentication as all our laptops are operating on home windows S and DC operating on W2k8 R2. Majority of laptops in Cvent have TPM chip put in.
  • First, we have to allow TPM in BIOS. Go to System BIOSàSecurityàTPM SecurityàCheck the field “TPM Security”
  • To allow bitlocker, Go to Control PanelàBitLocker Drive Encryption and switch ON bitlocker for drive as per the requirement.
  • It will ask for restart after checking conditions. After restart, it's going to immediate to press F10 to allow TPM.
  •  It will ask you to save lots of the restoration key. Click on “Save the restoration key to file”
  •  Check Run Bitlocker system examine and restart it.
  •  The entire course of requires M.00 – B.30 Hours

To view recovery keys in Active directory

In order to view bitlocker restoration password in AD console, we have to set up BitLocker password restoration viewer utilizing RSAT in home windows S/home windows 2K8.

Leave a Reply