Deploying BitLocker on an enterprise environment?

FD3S

Does anyone have any experience deploying Bitlocker on an enterprise environment?
I've been doing some research, but wanted to hear from your past experience for any pro vs. con. Things to be aware of, sample scripts to kick it off. Any advice will help.

This is on a Windows 7 front end, with a mix of Server 2003/2008 and Exchange 2010.

Thanks.

The only thing I've run into since we deployed it 3 months ago - if you run it on machines that don't have TPM and need a USB start-up key, certain brands of USB flash drives will not work (I'm looking at you, Verbatim). Not sure if it's the manufacturer of the flash chips or the brand's software (Store 'n Go, in this case) that Bitlocker won't work with - but we've had no problems since switching to Kingston USB drives.

One other thing to be aware of is that some enterprises want to have up-to-date information and control on which machines are encrypted, which portable drives are encrypted (if forcing BitLocker onto USB devices), allow help-desk or admin staff to be able to access and provide recovery keys in the event of someone forgetting their TPM PIN or of disk failure, and more targeted enforcement. To give BitLocker real enterprise-grade manageability and address these issues (and more), you also want to think about adding MBAM as your management and key escrow location (in addition to AD). However, as you can see, MBAM requires access to MDOP, which you may or may not have already acquired from Microsoft as part of your volume licensing agreement and Software Assurance. BitLocker + MBAM is really powerful though (and scales to tens or even hundreds of thousands of endpoints quite well), so it is worth it.

Also, one other security caveat is that you generally want to force TPM + PIN (or at least a USB key if a v1.2 TPM isn't available), as well as disabling hybrid sleep. BitLocker only protects data at rest, so if the machine is sleeping (and not hibernated or off), the keys used to unlock the volume are still held in RAM and can be recovered by brute force given enough physical time with the machine in a powered-on (sleep) state, as RAM is not cleared (for obvious reasons - it's sleep! :)). This is true of any volume or disk encryption software, but it still bears repeating, as some admins forget about disabling hybrid sleep when they start encrypting volumes.

I've gone through a couple of installations of BitLocker on a Windows 7 64-bit Enterprise OS.

I had to meet these criteria:
  • Ensure TPM is turned on in the BIOS.
  • Ensure your network domain computer account is made and active, but don't log in to the network yet.
  • Must join your computer name to the network. After joining the domain, restart the computer.
  • Log in as Local Administrator on the laptop: Control Panel, BitLocker, Turn on BitLocker.
  • Save a recovery key on a network or external device, type in a startup key PIN that is universal to your organization.
  • Run the BitLocker system check (check-mark it).
  • Restart when told to restart.
  • Log in as Local Administrator again; at the desktop BitLocker will begin to encrypt automatically.

If you need to re-image the laptop hard drive because...
  • You're locked out of Windows 7 due to a forgotten password... remember you can't crack the Windows password with a bootable CD like Knoppix, because the partitions where your password is kept are encrypted.
  • You then need to re-image your hard drive: enter your BitLocker recovery key.
  • Plug your hard drive into an eSATA reader hooked up to another computer with Windows 7 64-bit. Access Control Panel, Manage BitLocker, Turn off BitLocker, Decrypt drive.
  • Remove the hard drive and put it back into the original laptop.
  • Create a new Windows 7 image, blow a new image from Norton Ghost onto the computer, or perform a new Windows 7 installation from the CD.

If you lost your BitLocker recovery key, you can still image over the encryption, but all data will be lost, effectively destroying the encryption; correct me if I'm wrong please. Hope this helps someone.
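The OP asked for sample scripts, and the two posts above between them cover the TPM check, AD key escrow, TPM+PIN and disabling hybrid sleep. The script below is an added example for this thread, not from any poster: PowerShell 2.0 on Windows 7 driving manage-bde.exe and powercfg from an elevated prompt, assuming the machine is already domain-joined and the "Store BitLocker recovery information in Active Directory Domain Services" policy is applied. The volume letter and the abort-on-failed-escrow behaviour are my choices.

```powershell
# Added example (not from this thread): enable BitLocker on the OS volume on Windows 7
# with TPM+PIN, escrow the recovery password in AD first, and turn off hybrid sleep.
# Run elevated. Assumes domain join and the AD recovery-information GPO are in place.
$Volume = 'C:'

# 1. TPM present, enabled and activated. Win32_Tpm lives in its own WMI namespace.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM found; fall back to a USB startup key instead.' }
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    throw 'TPM is present but not enabled/activated in the BIOS.'
}
Write-Host "TPM spec version: $($tpm.SpecVersion)"

# 2. Hybrid sleep leaves the volume key in RAM. Disable it on AC and battery
#    for the active power scheme, then re-apply the scheme so it takes effect.
powercfg -setacvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
powercfg -setdcvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
powercfg -setactive SCHEME_CURRENT

# 3. Add a numerical recovery password and capture its protector ID from the
#    "ID: {GUID}" line that manage-bde prints.
$out = manage-bde -protectors -add $Volume -RecoveryPassword | Out-String
if ($out -notmatch 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
    throw "Recovery password protector was not created:`n$out"
}
$recoveryId = $Matches[1]

# 4. Escrow that protector in AD before any encryption starts. If escrow fails,
#    stop here rather than encrypting a disk nobody can recover.
manage-bde -protectors -adbackup $Volume -id $recoveryId
if ($LASTEXITCODE -ne 0) { throw 'AD backup of the recovery password failed; aborting.' }

# 5. TPM+PIN protector. manage-bde prompts for the PIN interactively on Win7;
#    pick a per-machine PIN rather than one shared across the organization.
manage-bde -protectors -add $Volume -TPMAndPIN
if ($LASTEXITCODE -ne 0) { throw 'Could not add the TPM+PIN protector.' }

# 6. Start encryption. Omitting -SkipHardwareTest keeps the BitLocker system
#    check, which runs on the next restart before encryption begins.
manage-bde -on $Volume
Write-Host "Restart to complete the system check, then verify with: manage-bde -status $Volume"
```

After the restart, `manage-bde -status C:` should show the TPM+PIN and Numerical Password protectors and a rising "Percentage Encrypted".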

1. BitLocker encryption can be disabled (suspended); you do not need to decrypt the drive.
2. A Windows PE environment that matches the installed version of Windows (if built from real WinPE sources, and not from non-MS sources) can mount and access BitLocker-encrypted volumes on boot. This allows password recovery tools to work (see MSDaRT as an example).

Getting locked out of a BitLocker-encrypted drive does not require decryption or paving of the disk to regain access.
