BitLocker/Active Directory Encryption Procedure Department: Information Security Office Version: 1.0 Last Revised: 09/26/2011



Purpose

To provide a step-by-step procedure for encrypting installed laptop hard drives using BitLocker in ASU's Active Directory environment.

Scope

Laptops running Windows 7, Server 2008, or newer, used to handle or store sensitive data at ASU.

System requirements:
- TPM 1.2-compliant chip
- TCG-compliant BIOS
- Windows 7 Enterprise or Ultimate, or Windows Server 2008 R2
- Joined to an ASU Active Directory domain

Note: The domain connection is required to store the BitLocker recovery key and TPM owner information, not for operation of an encrypted laptop. The laptop does not have to remain connected to the AD domain after the encryption procedure; however, it is recommended to keep the laptop connected until the process has completed.

Audience

Technical support staff responsible for end user equipment.

Procedure

Preparation

1. Required: Verify that the laptop meets the requirements listed above.
2. Strongly recommended: Back up the laptop's hard drive.
3. Required: Update the laptop to the current BIOS firmware (typically available from the computer manufacturer's support/drivers download site).
4. Recommended: Have a USB drive or other removable media on hand.

Activate the TPM Chip

The TPM chip must be activated before beginning the encryption process. On most systems, this is done at the BIOS level. The instructions below apply to most Dell laptops; other systems may not be identical, but should be very similar.

1. Boot the system into BIOS setup.
2. Choose "Security" from the BIOS menu.
3. Set "TPM Activation" to "Activate."
4. Set "TPM Security" to "On."
5. Save the settings, exit, and reboot.

Apply Active Directory Storage Settings

Configure the laptop to enable and require storage of the BitLocker recovery key and TPM owner information in Active Directory. This can be done using any of the following methods:
- Link the ASURITE Group Policy Object EnableBitLockerKeyStorage to the system (or, preferably, to the OU that contains it).
- Create your own GPO using the EnableBitLockerKeyStorage GPO's settings as a base, and apply it to the system or its containing OU.
- Apply the EnableBitLockerKeyStorage GPO's settings to the laptop manually.

The EnableBitLockerKeyStorage GPO's settings and a brief step-by-step guide to creating a Group Policy Object are included as appendices to this document. When this task is complete, reboot the system to apply the settings.

Enable BitLocker

With the Active Directory storage settings applied and the system rebooted, turn on BitLocker for the operating system drive:

1. In the Control Panel, under the System and Security category, choose BitLocker Drive Encryption.
2. Under BitLocker Drive Encryption - Hard Disk Drives, next to the C: drive, click Turn On BitLocker.
3. Check the box to Run BitLocker System Check.
4. Click Restart when prompted.

BitLocker will initialize the TPM chip and/or partition the disk as required, then will begin drive encryption. This process can be paused, and the system can be used while encryption proceeds in the background. Because the GPO settings require the backup to succeed, BitLocker will refuse to turn on if the laptop cannot reach a domain controller at this step; this is intentional, since it prevents encrypting a drive whose recovery key has not been stored in Active Directory.

Note: During the encryption process, the disk will temporarily appear to be full. Once encryption is complete, BitLocker does not noticeably affect free disk space.

Transfer of Ownership

On personnel termination and/or transfer of the laptop to a new user:

1. Use the BitLocker Drive Encryption control panel to disable BitLocker. The disk will be decrypted.
2. Use the Enable BitLocker procedure above to re-enable BitLocker. This will generate and store a new BitLocker recovery key.
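The "Enable BitLocker" and "Transfer of Ownership" steps above are click-through procedures. The following is an added example, not part of the ASU procedure, that drives the same steps from an elevated PowerShell prompt on the laptop using manage-bde.exe (Windows 7 / Server 2008 R2) and the Win32_Tpm WMI class, so that each step (TPM state, protector creation, escrow to AD DS) can be checked rather than trusted. It assumes the TPM has been activated in the BIOS and the EnableBitLockerKeyStorage settings have already been applied; the drive letter and function names are the author's placeholders, and the protector IDs are parsed from manage-bde's text output, which has no object form.

```powershell
# Added example, not part of the ASU procedure. Requires an elevated prompt on the laptop.

function Test-BitLockerPrerequisites {
    # Checks the "Preparation" requirements from inside Windows: a TPM 1.2 or later that is
    # enabled, activated and owned, a Windows edition that ships BitLocker, and AD membership.
    $ok = $true
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) {
        Write-Warning 'No TPM is visible to Windows; activate it in the BIOS first.'
        return $false
    }
    if (-not $tpm.IsEnabled().IsEnabled)     { Write-Warning 'TPM is not enabled.';   $ok = $false }
    if (-not $tpm.IsActivated().IsActivated) { Write-Warning 'TPM is not activated.'; $ok = $false }
    if (-not $tpm.IsOwned().IsOwned) {
        Write-Warning 'TPM is not owned; the BitLocker wizard (or manage-bde -tpm -takeownership) must initialize it first.'
        $ok = $false
    }
    $specMajor = [double](($tpm.SpecVersion -split ',')[0])    # e.g. "1.2, 2, 3" -> 1.2
    if ($specMajor -lt 1.2) { Write-Warning "TPM spec version $($tpm.SpecVersion) is older than 1.2."; $ok = $false }
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if ($os.Caption -notmatch 'Enterprise|Ultimate|Server') {
        Write-Warning "$($os.Caption) does not include BitLocker."; $ok = $false
    }
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning 'Not joined to an AD domain; recovery information cannot be escrowed.'; $ok = $false
    }
    return $ok
}

function Get-RecoveryPasswordProtectorId([string]$Drive = 'C:') {
    # manage-bde prints "ID: {GUID}" under each protector; collect the recovery-password ones.
    $text = (& manage-bde -protectors -get $Drive -type RecoveryPassword 2>&1) | Out-String
    [regex]::Matches($text, 'ID:\s*(\{[0-9A-Fa-f-]+\})') | ForEach-Object { $_.Groups[1].Value }
}

function Backup-RecoveryPasswordToAd([string]$Drive, [string]$ProtectorId) {
    # Explicit escrow of one recovery password to the computer object in AD DS. With the
    # "require backup" policy this is the step that must succeed before encryption starts.
    & manage-bde -protectors -adbackup $Drive -id $ProtectorId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "AD DS backup of protector $ProtectorId failed (exit $LASTEXITCODE)." }
}

function Enable-BitLockerOsDrive([string]$Drive = 'C:') {
    # Equivalent of "Turn On BitLocker" for the OS drive: TPM protector, recovery password,
    # escrow to AD DS, then encryption in the background (manage-bde -status shows progress).
    if (-not (Test-BitLockerPrerequisites)) { throw 'Prerequisites not met; see the warnings above.' }
    & manage-bde -protectors -add $Drive -tpm | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Adding the TPM protector failed (exit $LASTEXITCODE)." }
    & manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Adding the recovery password failed (exit $LASTEXITCODE)." }
    foreach ($id in @(Get-RecoveryPasswordProtectorId $Drive)) { Backup-RecoveryPasswordToAd $Drive $id }
    & manage-bde -on $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive failed (exit $LASTEXITCODE)." }
    & manage-bde -status $Drive
}

function Reset-BitLockerRecoveryPassword([string]$Drive = 'C:') {
    # Transfer of ownership without the decrypt/re-encrypt cycle: a fresh recovery password is
    # created and escrowed before every old one is removed. The volume encryption key itself is
    # unchanged, so this is only adequate when the previous user never held the old recovery
    # password; otherwise follow the full Transfer of Ownership procedure above.
    $old = @(Get-RecoveryPasswordProtectorId $Drive)
    & manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Adding the new recovery password failed (exit $LASTEXITCODE)." }
    $new = @(Get-RecoveryPasswordProtectorId $Drive | Where-Object { $old -notcontains $_ })
    if ($new.Count -ne 1) { throw "Expected exactly one new recovery password protector, found $($new.Count)." }
    Backup-RecoveryPasswordToAd $Drive $new[0]
    foreach ($id in $old) {
        & manage-bde -protectors -delete $Drive -id $id | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Removing old protector $id failed (exit $LASTEXITCODE)." }
    }
    return $new[0]   # the protector ID to look for in AD DS afterwards
}
```

Enable-BitLockerOsDrive stops at the first failed step instead of leaving a half-configured drive, and escrows the recovery password before manage-bde -on is issued, which is the same ordering the "require backup" policy enforces in the wizard. The order in Reset-BitLockerRecoveryPassword matters as well: the new password is confirmed in AD DS before any old one is deleted, so there is never a moment when the laptop has no escrowed recovery path.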

Data Recovery/Key Retrieval

To recover data from a disk encrypted with BitLocker, follow the instructions online at http://support.microsoft.com/kb/928202

Appendix: Creating and/or Applying a Group Policy Object

Preparation

Download and install the Microsoft Remote Server Administration Tools.
Download: http://www.microsoft.com/download/en/details.aspx?id=7887
Documentation: http://technet.microsoft.com/en-us/library/ee449467(ws.10).aspx

Step 1: Start the Group Policy editor.

Run mmc.exe and add the following snap-ins, selecting your target domain when prompted:
o Active Directory Users and Computers
o Group Policy Management

(Note: You can add whatever other snap-ins you like and save this as your own management console. Just answer "yes" when asked whether you want to save the console on closing, and give it a filename. Next time, open the file in MMC to save a few clicks.)

Step 2: Find your OU.

Expand the Group Policy Management snap-in. Expand the Forest, then Domains, then your target domain. Your top-level OU should be visible now (e.g., M.IT). Keep expanding if you are managing a sub-OU (e.g., M.IT.ACIT). Right-click your OU and choose the appropriate option:
o Link an Existing GPO... (step 3a)
o Create a GPO in this domain, and Link it here... (step 3b)

Step 3a: Link an existing GPO.

Select the template from the list of Group Policy Objects and click OK. It will appear under your OU name. Double-click it to view more information. Do not expect to have permission to change the template's settings: that would affect everyone else who links the same template. If you want to apply different settings, either override the template with another GPO of your own or create your own GPO instead of linking the existing one.

Step 3b: Create a GPO and link it.

Give your GPO a name. You can choose an existing GPO as a starting point (the "Source Starter GPO" selection). The Group Policy Management Editor should open in a new window. Choose the settings you want to apply, then exit the editor.

Appendix: EnableBitLockerKeyStorage GPO Settings

Computer Configuration
Policies / Administrative Templates (policy definitions (ADMX files) retrieved from the local machine)

System / Trusted Platform Module Services
  Turn on TPM backup to Active Directory Domain Services: Enabled
    Require TPM backup to AD DS: selected
    If selected, the TPM owner password cannot be set or changed if the backup fails (recommended default). If not selected, the TPM owner password can be set or changed even if the backup fails. The backup is not automatically retried.

Windows Components / BitLocker Drive Encryption
  Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista): Enabled
    Require BitLocker backup to AD DS: selected
    If selected, BitLocker cannot be turned on if the backup fails (recommended default). If not selected, BitLocker can be turned on even if the backup fails. The backup is not automatically retried.
    Select BitLocker recovery information to store: Recovery passwords and key packages
    A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive's BitLocker encryption key secured by one or more recovery passwords; the key package may help perform specialized recovery when the disk is damaged or corrupted.

Windows Components / BitLocker Drive Encryption / Fixed Data Drives
  Choose how BitLocker-protected fixed drives can be recovered: Enabled
    Allow data recovery agent: selected
    Configure user storage of BitLocker recovery information:
      Allow 48-digit recovery password
      Allow 256-bit recovery key
    Omit recovery options from the BitLocker setup wizard: selected
    Save BitLocker recovery information to AD DS for fixed data drives: selected
    Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
    Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: selected

Windows Components / BitLocker Drive Encryption / Operating System Drives
  Choose how BitLocker-protected operating system drives can be recovered: Enabled
    Allow data recovery agent: selected
    Configure user storage of BitLocker recovery information:
      Allow 48-digit recovery password
      Allow 256-bit recovery key
    Omit recovery options from the BitLocker setup wizard: selected
    Save BitLocker recovery information to AD DS for operating system drives: selected
    Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
    Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: selected

User Configuration
  No settings defined.
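The settings in the appendix above, and methods 2 and 3 from "Apply Active Directory Storage Settings", can be handled from PowerShell instead of the GPMC click-through. The following is an added example, not part of the ASU procedure: it expresses the appendix settings as the registry-based policy values behind them, builds and links a GPO with the RSAT GroupPolicy module (method 2), and checks on a laptop that the values have actually reached local policy before BitLocker is turned on. The registry value names and enumeration values are taken from the BitLocker (VolumeEncryption.admx) and TPM (TPM.admx) templates from memory and should be verified against the templates or a GPMC settings report in your own environment; the GPO name and OU distinguished name are placeholders.

```powershell
# Added example, not part of the ASU procedure. Registry value names and enumeration values
# are as found in VolumeEncryption.admx and TPM.admx; verify them against your own ADMX files
# or a GPMC settings report before relying on them.
$TpmPolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\TPM'
$FvePolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'

# One entry per setting in the "EnableBitLockerKeyStorage GPO Settings" appendix.
$BitLockerKeyStoragePolicy = @(
    # System / Trusted Platform Module Services: Turn on TPM backup to AD DS, backup required
    @{ Key = $TpmPolicyKey; Name = 'ActiveDirectoryBackup';        Value = 1 },
    @{ Key = $TpmPolicyKey; Name = 'RequireActiveDirectoryBackup'; Value = 1 },
    # BitLocker Drive Encryption: Store BitLocker recovery information in AD DS (Vista/2008)
    @{ Key = $FvePolicyKey; Name = 'ActiveDirectoryBackup';        Value = 1 },
    @{ Key = $FvePolicyKey; Name = 'RequireActiveDirectoryBackup'; Value = 1 },
    @{ Key = $FvePolicyKey; Name = 'ActiveDirectoryInfoToStore';   Value = 1 }   # 1 = passwords and key packages
)
# The Operating System Drives (OS*) and Fixed Data Drives (FDV*) policies carry the same choices.
foreach ($prefix in 'OS', 'FDV') {
    $BitLockerKeyStoragePolicy += @(
        @{ Key = $FvePolicyKey; Name = "${prefix}Recovery";                     Value = 1 },  # policy Enabled
        @{ Key = $FvePolicyKey; Name = "${prefix}ManageDRA";                    Value = 1 },  # allow data recovery agent
        @{ Key = $FvePolicyKey; Name = "${prefix}RecoveryPassword";             Value = 2 },  # 2 = allow 48-digit password
        @{ Key = $FvePolicyKey; Name = "${prefix}RecoveryKey";                  Value = 2 },  # 2 = allow 256-bit key
        @{ Key = $FvePolicyKey; Name = "${prefix}HideRecoveryPage";             Value = 1 },  # omit options from wizard
        @{ Key = $FvePolicyKey; Name = "${prefix}ActiveDirectoryBackup";        Value = 1 },  # save to AD DS
        @{ Key = $FvePolicyKey; Name = "${prefix}RequireActiveDirectoryBackup"; Value = 1 },  # do not enable until stored
        @{ Key = $FvePolicyKey; Name = "${prefix}ActiveDirectoryInfoToStore";   Value = 1 }   # passwords and key packages
    )
}

function New-BitLockerKeyStorageGpo {
    # Method 2 from "Apply Active Directory Storage Settings": your own GPO with the same
    # settings, linked to the OU that contains the laptops. Names are placeholders.
    param(
        [string]$GpoName  = 'ACIT-EnableBitLockerKeyStorage',
        [string]$TargetOu = 'OU=ACIT,OU=M.IT,DC=example,DC=edu'
    )
    Import-Module GroupPolicy   # RSAT on Windows 7, or Windows Server 2008 R2
    $gpo = New-GPO -Name $GpoName -Comment 'Escrow BitLocker recovery info and TPM owner password to AD DS'
    foreach ($s in $BitLockerKeyStoragePolicy) {
        Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
    }
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    return $gpo
}

function Test-BitLockerKeyStoragePolicy {
    # Run on the laptop after "gpupdate /force" and the reboot, before Turn On BitLocker.
    # A laptop that enables BitLocker without these values encrypts with no key in AD DS.
    $problems = @()
    foreach ($s in $BitLockerKeyStoragePolicy) {
        $drivePath = $s.Key -replace '^HKLM\\', 'HKLM:\'
        $actual = (Get-ItemProperty -Path $drivePath -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($actual -ne $s.Value) {
            $problems += "$($s.Key)\$($s.Name) is '$actual', expected $($s.Value)"
        }
    }
    if ($problems.Count -eq 0) {
        Write-Host 'EnableBitLockerKeyStorage settings are in effect; safe to enable BitLocker.'
        return $true
    }
    Write-Warning ("Policy not applied; enabling BitLocker now would not escrow the recovery key:`n" + ($problems -join "`n"))
    return $false
}
```

Test-BitLockerKeyStoragePolicy is the check worth keeping even if the GPO is built by hand: the failure mode it guards against is silent, since a laptop that never received the policy will happily encrypt and simply not escrow anything, and the gap is only discovered when a recovery is needed.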
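The "Data Recovery/Key Retrieval" section defers to KB 928202, which covers the BitLocker Recovery Password Viewer. The following is an added example, not part of the ASU procedure or of the Microsoft article, that looks the escrowed recovery password up directly in AD DS with plain ADSI, which is what the viewer does behind the scenes. It requires the AD schema that carries the msFVE-RecoveryInformation class and an account delegated read access to the msFVE-RecoveryPassword attribute; the computer name and the Password ID shown on the laptop's recovery screen are placeholders, and the function name is the author's own.

```powershell
# Added example, not part of the ASU procedure. Reads the msFVE-RecoveryInformation objects
# stored beneath a computer account; the caller needs read access to msFVE-RecoveryPassword.

function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,   # e.g. 'LAPTOP-1234' (placeholder)
        [string]$PasswordId = ''                             # Password ID from the recovery screen; a prefix is enough
    )
    # 1. Find the computer account; the recovery objects are its child objects.
    $domainRoot = [ADSI]''      # default naming context of the logged-on user's domain
    $computerSearcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot,
        "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))")
    $computer = $computerSearcher.FindOne()
    if (-not $computer) { throw "Computer account '$ComputerName' not found in AD DS." }

    # 2. Enumerate the escrowed recovery objects one level below it.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry(),
        '(objectClass=msFVE-RecoveryInformation)')
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    foreach ($attr in 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'msFVE-RecoveryPassword', 'whenCreated') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        # Attribute names come back lower-cased; the GUIDs are stored as 16-byte octet strings.
        $props = $result.Properties
        $keyId = (New-Object System.Guid(,[byte[]]$props['msfve-recoveryguid'][0])).ToString().ToUpper()
        if ($PasswordId -and -not $keyId.StartsWith($PasswordId.ToUpper())) { continue }
        # The password attribute is absent unless the caller has been delegated read access to it.
        $password = if ($props['msfve-recoverypassword'].Count -gt 0) { [string]$props['msfve-recoverypassword'][0] } else { $null }
        New-Object PSObject -Property @{
            Computer   = $ComputerName
            PasswordId = $keyId
            VolumeGuid = (New-Object System.Guid(,[byte[]]$props['msfve-volumeguid'][0])).ToString().ToUpper()
            Created    = $props['whencreated'][0]
            Password   = $password
        }
    }
}

# Usage (placeholder values): match the Password ID the laptop displays at the recovery prompt.
# Find-BitLockerRecoveryPassword -ComputerName 'LAPTOP-1234' -PasswordId '4DDB1F39'
```

Several objects per computer are normal: one is written each time BitLocker is enabled or a recovery password is added, so the Password ID from the recovery screen (or the newest Created timestamp) selects the right one. Once a recovery password has been read out and typed in by a technician it should be treated as exposed; the Transfer of Ownership steps give the laptop a fresh one.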