- What is Bitlocker
- Enable and Activate TPM Chip in Task Sequence Configmgr
- Enable Bitlocker in Task Sequence Configmgr
- Prepare AD for Bitlocker
- How to find Recovery Keys in AD
- How to monitor that all client machins are running Encrypted
- Microsoft BitLocker Administration and Monitoring (MBAM)
What is Bitlocker
BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. Encrypting the entire volume protects all of the data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the keys needed to decrypt data remain locked by the TPM, an attacker cannot read the data just by removing your hard disk and installing it in another computer.
During the startup process, the TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier. This verifies the integrity of the Windows startup process. The key is not released if the TPM detects that your Windows installation has been tampered with.
On fixed and removable data drives, users can use smart card certificate or password to unlock BitLocker-protected drive. An administrator that has been designated a BitLocker data recovery agent is also able to use certificate to recover access to a BitLocker-protected drive.
BitLocker and TPM recovery information can also be backup to Active Directory. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users. Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.
More detailed technical documentation and guides can be obtained from this Microsoft Technet site.
More information on BitLocker & TPM Recovery.
You have verified the following on all computers where you intend to enable Bitlocker Drive Encryption:
- The computer has the latest firmware (BIOS)
- The BIOS is configured correctly and the TPM Module is enabled
- That the computer has a compatible Trusted Platform Module (TPM) version 1.2 or later
Enable and Activate TPM Chip in Task Sequence Configmgr
This operation differs from vendor to vendor.
Most vendors require that an Setup/Admin Bios password is set prior to Enable and Activate TPM Chip step. All this is done in the Task Sequence. Then Afterwards the Bios password can be removed.
Create a 300MB partition for Bitlocker.
Update BIOS prior to Enable, Activate and Enable Bitlocker steps.
But remember to have the Power Cable plugged in on Laptops.
Do not Update BIOS at anytime after Bitlocker is enabled, without following the procedure.
Suspend Bitlocker, Update Bios, Reboot, Resume Bitlocker.
Set Boot Order to allways boot HDD first, and do not change this at anytime later.
Otherwise you might be prompted to enter Bitlocker recovery key.
On machines that have the disk encrypted with Bitlocker, when trying to start a Task Sequence within the running OS it will fail.
By adding this step, bitlocker is temporarily disabled, and access to the locked drive will become available, enabling the TS to put WinPE on to the disk.
The Enable BitLocker task fails to run during a ConfigMgr 2007 Task Sequence
more to come... soon