Deployment Planning for BitLocker Drive Encryption for Windows Vista
Technical Case Study
Published: October 2008
To help protect valuable data, Microsoft Information Technology (Microsoft IT) began the process of deploying Windows® BitLocker™ Drive Encryption throughout Microsoft. The valuable lessons learned from the deployment can help Microsoft customers take full advantage of this integral feature in the Windows Vista® operating system.
Products & Technologies
Protecting high-business-impact data is critical for any organization. Microsoft is no different. Microsoft needed to reduce the likelihood of its intellectual property and personally identifiable information (PII) from being stolen from employees' computers. Additionally, Microsoft wanted to demonstrate for its customers how to protect against these threats.
To increase data security on laptop and desktop computers, the Microsoft IT team is deploying BitLocker Drive Encryption. BitLocker is a hardware-enhanced security feature in the Windows Vista Enterprise and Windows Vista Ultimate operating systems that provides offline data protection.
BitLocker Drive Encryption is a Windows Vista Enterprise and Windows Vista Ultimate feature that helps protect the operating system and the user's data while the operating system is offline. Not only does BitLocker provide full-volume data encryption, which helps protect the user's data even if a person takes over the hard drive after installing it in another computer, but it also helps protect the operating system startup files from tampering. BitLocker works best with a Trusted Platform Module (TPM) chip but supports other authentication options that users can use singly or in combination to provide multifactor authentication.
Microsoft IT knew early that deploying BitLocker was an easy decision that required little financial justification. At Microsoft large numbers of users work with high-business-impact data, and the risk of not securing this data far outweighed the costs of deploying BitLocker.
Deploying to new computers was not a significant challenge. Microsoft IT requires OEMs to deliver new computers ready for BitLocker. This includes using a BitLocker-capable Windows Vista image when imaging the new computer's hard drive.
However, Microsoft IT's BitLocker deployment did present some challenges. One challenge was how to deploy BitLocker to existing computers. Microsoft IT addressed this challenge by running events called installation fairs. Another challenge was how to drive participation in the installation fairs.
This case study describes both challenges and Microsoft IT's solutions. It also describes lessons that Microsoft IT learned about BitLocker deployment and best practices. This case study is for technical decision makers and IT managers.
BitLocker is an integral Windows Vista Enterprise and Windows Vista Ultimate security feature that helps protect the operating system and data while the operating system is offline. By providing full-volume encryption, BitLocker helps ensure that data stored on a computer is not revealed if the computer is tampered with when the installed operating system is offline.
BitLocker provides a seamless end-user experience on computers that have compatible TPM microchips and basic input/output systems (BIOSs). A compatible TPM is a version 1.2 TPM with the appropriate BIOS required to support the Static Root of Trust Measurement, as defined by the Trusted Computing Group (https://www.trustedcomputinggroup.org). The TPM interacts with BitLocker to help protect system startup files.
The concern of loss of data is top of mind when talking to employees, customers, partners, and certainly other CIOs. I am very proud of Microsoft IT's efforts to support the deployment of Windows Vista BitLocker within the company. The use of BitLocker provides us with one more level of security to help protect our valuable assets.
Chief Information Officer
BitLocker also offers the option to lock the normal startup process until users supply personal identification numbers (PINs) or insert universal serial bus (USB) flash drives (or both) that contain startup keys, as Figure 1 shows. In the figure, the startup volume is the unprotected volume from which the computer starts, and the Windows volume is the volume that BitLocker encrypts. These additional security measures provide multifactor authentication and higher assurance that the computer will not start or resume from hibernation until users present the correct PINs or USB flash drives.
Figure 1. BitLocker components
BitLocker enhances data protection by bringing together two major functions: full drive encryption and the integrity checking of early startup components. The following sections describe both functions.
Full-volume encryption helps prevent unauthorized users from breaking the Windows Vista file and system protection on lost or stolen computers. BitLocker achieves this protection by encrypting the entire Windows Vista volume. BitLocker encrypts all user and system files, including the system memory paging and hibernation files. It operates between the Volume Manager and operating system kernel, and it is transparent to applications. Unlike other encryption technologies, such as Encrypting File System (EFS), application testing is not required prior to deployment.
Integrity Check of Early Startup Components
An offline attack is a scenario in which an attacker starts an alternative operating system to gain control of the computer's file system. Integrity checking the early startup components helps protect against offline attacks by verifying that data decryption is performed only if those components appear unmodified and that the encrypted drive is located in the original computer. BitLocker stores measurements of core startup platform components in the TPM chip (PCR values). Every time the computer starts, Windows Vista verifies that the startup components have not been modified. If the files have been modified, Windows Vista alerts the user and refuses to release the key required to access the Windows partition. The system then goes into a recovery mode, prompting the user to provide a recovery password to allow access to the startup volume.
Windows Vista also uses recovery mode if a disk drive is transferred to another computer. Recovery mode requires a recovery password that is generated when BitLocker is enabled, and that password is specific to one computer. As a result, BitLocker is intended for enterprises with a management infrastructure in place to store the recovery passwords, such as Active Directory® Domain Services (AD DS). Otherwise, the potential exists for data loss if a computer enters recovery mode and the recovery password is not in escrow by either the user or the management infrastructure.
Note: Customers can also use BitLocker without a compatible TPM. Using BitLocker without a compatible TPM provides the full-volume encryption but not the added security of integrity checking early startup components. Instead, a USB flash drive provides the storage root key that allows access to the volume encryption key.
Supporting the deployment of Windows Vista BitLocker was an extremely easy decision for our organization. Customer and partner data, and the reputation we have to uphold regarding the security and privacy of their data, is one of our highest priorities within Microsoft. BitLocker is a core, native component of the Windows Vista security architecture, and we know that our customers have the same desire to secure their data as well. BitLocker is a great way for Microsoft, our customers, and our partners to help protect highly valuable resources in a cost-effective manner.
Chief Operating Officer
Microsoft has a large number of users who work with high-business-impact data, and the cost of deploying BitLocker were outweighed by the risks associated with not securing this data. However, deploying BitLocker internally presented challenges, some of which are unique to Microsoft.
For example, before Microsoft released Windows Vista, users were already going through multiple iterations of beta testing. At the release of Windows Vista, more than 60,000 users were already using the operating system on their computers, many of which had pre-release code and service packs installed. This scenario created BitLocker compatibility challenges. Now, Microsoft IT had to deploy BitLocker to these installations, most of which were not ready for BitLocker.
Microsoft IT had three primary challenges to address in a BitLocker deployment:
- Personal presence. The BitLocker policy at Microsoft requires personal presence. That is, users must be present to enable BitLocker by creating their PIN. No enterprise tool exists to automate this process. Although Microsoft IT can and sometimes does pre-provision the PIN, policy requires users to reset it to a private PIN.
- Firmware and BIOS updates. The existing fleet of computers at Microsoft frequently required an update to ensure that the firmware and BIOS were at a level that fully supported BitLocker and TPM. Early versions of TPM were implemented differently and were not always fully compatible with BitLocker. Additionally, existing computers often required a user to manually enable TPM in the BIOS settings, depending on the OEM's firmware implementation.
- Partitioning. BitLocker requires a second partition called the system partition. Microsoft IT initially deployed Windows Vista images that did not include the system partition, though, and the company had to go back and create it on existing computers. Although the BitLocker Drive Preparation Tool can help create the system partition on existing computers, the tool is not foolproof. In many cases, the tool failed because it could not shrink drives due to file-locking issues. The longer the computer had been in service, the higher the odds that a second partition could not be easily created by shrinking the primary partition.
Before developing a deployment plan for company-wide BitLocker adoption, teams across Microsoft IT (including support, client hardware, and infrastructure) completed a pilot to gain experience in using the feature, tools, and hardware. During each phase of the pilot, these teams worked closely with the product group to provide feedback and drive enhancements into the feature.
The final output from the pilot was a well-defined security position that expanded the scope and direction for BitLocker adoption. The position focuses on three deciding factors that are vital to managing security risk and how BitLocker can help remediate the risk:
- Data management. Architecturally, all systems have digital asset value. Applying this policy uniformly releases both users and administrators from the untenable task of trying to maintain classifications on data containers like computers.
- Environment controls. Physical access to the location where a system resides defines the scope of the threat to that device. Whereas locations such as labs and data centers have levels of managed access, offices and open locations have a greater threat to data and devices.
- Provisioning and enforcement. AD DS, Group Policy, Microsoft System Center Configuration Manager, and tools like Windows Deployment Services and Microsoft Deployment Toolkit (MDT) 2008 provide methods for managing and provisioning BitLocker to an environment with varied management systems. Because BitLocker mitigates offline attacks, Microsoft IT drives enforcement by monitoring users and reporting compliance failures to users' managers.
Based on these factors, Microsoft IT chose to prepare BitLocker on all of its corporate computers for security and asset management purposes. Microsoft IT created a data-handling and classification policy to outline the corporate standard for encryption on corporate systems. Microsoft IT actively encourages internal users whose computers are running Windows Vista to adopt BitLocker as their standard platform. Table 1 lists BitLocker policies and configurations at Microsoft.
Table 1. BitLocker Policies and Configurations
BitLocker policy and configuration
Corporate mobile and desktop computers
No persistent, physical security
Open physical access
Computers will use BitLocker encryption with a TPM plus a PIN or USB startup key, depending on hardware compatibility. This will be used to control data exposure and manage asset retirement.
The deployment planning process resulted in the development of a three-year phased adoption plan that coincided with hardware refresh cycles. Aligning the BitLocker deployment to hardware provisioning and procurement will enable Microsoft IT to convert all capable systems to the TPM platform. Table 2 lists the activities in each phase.
Table 2. Phased Adoption Plan
Windows Vista adoption with BitLocker enabled in the installed base
Windows Vista/BitLocker usage
Windows Vista/BitLocker enterprise-wide deployment
Focused on mobile computers that high-risk organizations (such as Human Resources) use
Creation of corporate position and policies requiring disk encryption
BitLocker image available through Windows Deployment Services
Optional adoption of BitLocker
Production BIOS integration
TPM made available by manufacturer
BitLocker supported by the Helpdesk
Require TPM plus PIN on new computers
Installed by default on new computers
Provide targeted user education
Enforced compliance and remediation
Include desktop and mobile computers
Complete hardware refresh cycle
Network Access Protection (NAP) with exceptions
Deployment to New Computers
Microsoft IT has identified a standard TPM platform for all mobile and desktop computers. As of December 2006, all computers purchased through standard Microsoft IT procurement channels are TPM-capable devices. The hardware and software requirements for TPM are as follows:
- The system must have a version 1.2 TPM.
- The hardware platform must be Windows Vista logo certified.
- The TPM device should be turned on by the hardware manufacturer with all features available.
Microsoft IT's strategy for deploying BitLocker on these new computers is straightforward: Provision every new computer for BitLocker from the very beginning. In addition to hardware requirements, Microsoft IT produced a specification that describes how OEMs should prepare new computers. Microsoft IT provides the specification and image (one for x86 and one for x64) to every OEM. The specification includes TPM configuration in the BIOS, partitioning the drive for BitLocker compatibility, and applying a BitLocker-ready image to the drive.
Microsoft IT tests and reviews all new hardware and firmware to make sure they work with BitLocker and TPM. TPM works with the hardware at a very intimate level, so detailed verification is necessary.
Microsoft IT does not enable BitLocker on Windows Vista images. As described earlier, the BitLocker policy at Microsoft requires personal presence. With each new computer, Microsoft IT provides a guide that describes how to enable BitLocker. This guide is a simple set of step-by-step instructions.
Deployment to Existing Computers
For existing computers, Microsoft IT designed and built a Windows Vista image that is prepared for BitLocker, although BitLocker is not enabled on it. Windows Deployment Services hosts this image. When users choose the image and the Windows Preinstallation Environment (PE) starts, a specially designed program prompts to partition and format the drive so that it is compatible with BitLocker. After the program prepares the drive, Windows PE starts the Windows Vista setup program. Microsoft IT chose to use a specialized program instead of Diskpart.exe or an answer file to prepare the drive to provide an enhanced user experience.
Although users can reimage computers themselves, Microsoft IT chose to use events like installation fairs to drive BitLocker adoption internally. Installation fairs occur in locations across Microsoft campuses and events worldwide. Each user schedules a time to drop off his or her computer, and a technician calls the user when the computer is ready. Rather than reimage users' computers, technicians enabled BitLocker by using third-party tools while leaving users applications, data, and settings intact.
When hosting installation fairs, Microsoft IT wanted full attendance. The cost per user decreases as more users participate; thus, full attendance improves return on investment for the event. One of Microsoft IT's major challenges was convincing users to commit to participating in the installation fairs. Users were reluctant to be without their laptop computer for an hour and sometimes a half a day. Microsoft IT used several methods to drive participation:
- Getting endorsements from managers. Microsoft IT worked with users' managers to require people to sign up and then require them to attend. IT reported non-compliance to users' managers and requested support from managers for compliance.
- Automating communications. Microsoft IT built a repeatable communication process that could be used worldwide so that nobody had to send manual communications. These tools automatically send e-mail and track who has and who has not enabled BitLocker.
In addition to installation fairs, Microsoft IT trained support technicians on how to talk users through enabling BitLocker. IT also posted articles to the internal IT Web site that described how to install the new Windows Vista image and enable BitLocker.
Initially, Microsoft IT prioritized BitLocker deployment to existing computers based on risk. Microsoft IT identified organizations that work with sensitive information that Microsoft wanted to protect. Lost and stolen computers were the major risk scenarios in these groups. Then, Microsoft IT prioritized each organization based on the different types of information with which each worked. For example, the Legal, Human Resources, Finance, and Sales departments were high priorities for BitLocker deployment.
Management and Support Strategy
Microsoft IT is enforcing BitLocker compliance through awareness and notification. For example, Microsoft IT can identify through Configuration Manager and network scans who is and who is not using BitLocker. Customers without Configuration Manager can use Windows Management Instrumentation (WMI) scripts to perform network scans or logon scripts to record the information.
When Microsoft IT identifies users who need to enable BitLocker, it notifies them. If the users do not enable BitLocker, Microsoft IT notifies their managers. Microsoft IT does not currently revoke network credentials for non-compliance but plans to do so in the future.
BitLocker Authentication Modes
The Microsoft IT preferred authentication model is TPM plus PIN. In the absence of a TPM-based hardware platform, users can use a startup key that can be stored on a USB flash drive that must be inserted every time the computer starts. Users should consider added protection based on the physical location of the device and device access.
Password and Key Management Policies
Microsoft IT has implemented best practices and policies to manage the recovery information for BitLocker. The policies include:
- Require backup of recovery passwords to AD DS by using Group Policy.
Note: The Microsoft implementation of AD DS automatically removes inactive computer accounts every 45 days, based on the time the computer last changed its password. Removing the account from the directory also removes the recovery password; thus, relying solely on AD DS for keeping recovery passwords is not suitable for mobile computers. Microsoft IT is building a separate tool for storing recovery passwords.
- Require backup of TPM owner information to AD DS.
- Instruct users to not store key material, such as USB startup keys, with the system that it unlocks.
Note: Because of these policies, users must connect their computers to the network in order to enable BitLocker. Because recovery-password backup is required, BitLocker will not allow users to enable BitLocker if it cannot connect to AD DS.
BitLocker and AD DS Integration
BitLocker integrates with AD DS so that administrators can control the user experience in the BitLocker from Control Panel and control the backup of recovery data for each BitLocker-enabled computer. To take advantage of this integration, Microsoft IT extended and configured this schema for BitLocker-specific Group Policy objects.
Microsoft IT has set the following Group Policy settings for BitLocker and TPM configuration in the WW-BDEADBackupSettings-IdM policy:
- Power management. Microsoft IT has not set the power management object specifically for BitLocker; the default Windows Vista settings are in place. As a security best practice, Microsoft IT recommends hibernate mode for any scenario where the computer may leave a user's physical possession. When a computer transitions to sleep mode, open programs and documents persist in memory. When resuming from sleep, BitLocker does not require users to re-authenticate by using a PIN or USB startup key to access encrypted data.
- Partition visibility. BitLocker creates the system partition on the S:\ partition. Microsoft IT can create a custom ADM template to hide this drive with a WMI filter for computers running BitLocker. The template can be deployed via Group Policy, hiding the drive from Explorer view. Users can see the drive via Disk Management snap-in tools. Microsoft IT has chosen not to currently implement this policy to minimize changes in the Microsoft IT environment.
- User interface visibility. To enable users of the TPM-plus-PIN functionality
within BitLocker, Microsoft IT has currently enabled the user interface via Group
Policy. The Group Policy setting enables users to access the interface for TPM-plus-PIN
and non-TPM modes. Microsoft IT has implemented this functionality to address the
transition of its existing population of Windows Vista users to a Windows Vista
with BitLocker platform. Microsoft IT decided to implement the Group Policy setting
- BitLocker on non-TPM computers (USB only): Allow
- BitLocker TPM plus PIN: Allow
- BitLocker TPM plus startup key: Disallow
- BitLocker TPM only: Disallow
Support and Tools
Microsoft currently uses standard support and escalation processes to support BitLocker, although desk-side support has had to create processes that ensure that BitLocker is turned off before the remediation of hardware failures. To help facilitate the deployment, support, and management of BitLocker, Microsoft IT uses the tools listed in Table 3.
Table 3. Tools for Deployment, Support, and Management of BitLocker
BitLocker Drive Preparation Tool
To encrypt drives and to verify startup integrity, BitLocker requires at least two partitions. These two partitions make up a split-load configuration. A split-load configuration separates the main operating system partition from the active system partition from which the computer starts.
The BitLocker Drive Preparation Tool automates the following processes to make the computer ready for BitLocker:
For more information about the BitLocker Drive Preparation Tool, go to http://support.microsoft.com/kb/930063.
BitLocker Repair Tool
The BitLocker Repair Tool helps access encrypted data if a hard disk drive has been severely damaged. This tool can reconstruct critical parts of the drive and salvage recoverable data. A recovery password or recovery key is required to decrypt the data. Helpdesk service technicians use this tool for damaged drives when a drive has failed and needs to be replaced.
For more information about the BitLocker Repair Tool, go to http://support.microsoft.com/kb/928201.
BitLocker Recovery Password Viewer
This tool helps support personnel with delegated permissions locate BitLocker Drive Encryption recovery passwords for Windows Vista– based computers in AD DS.
For more information about the BitLocker Recovery Password Viewer, go to http://support.microsoft.com/kb/928202.
Lessons learned during Microsoft IT's BitLocker deployment include:
- Microsoft IT tried to retrofit the environment with BitLocker. A better approach would have been to move forward with new computers and then upgrade only existing computers that had the highest security risk.
- Microsoft IT thought BitLocker would be easier to deploy than it was. Microsoft IT relied on the BitLocker Preparation Tool to handle all aspects but found during testing that it failed in some situations, primarily due to locked files when trying to shrink the partition.
- Hardware needs rigorous testing at scale. Computers that test well in a lab environment sometimes yield different results in a production environment. In other words, one computer in a lab might look fine but thousands in the production environment have variance, such as differences in the BIOS.
- Recognizing high-business-impact data is a difficult, industry-wide issue. Few tools are available that enable organizations to find the types of high-business-impact data that users have on their computers.
The following are best practices for BitLocker deployment based on Microsoft IT's experience with deploying it:
- Deploy BitLocker as part of the original Windows Vista deployment and not as an afterthought. If BitLocker is not designed in to the initial Windows Vista image, it is unlikely that the computer will be partitioned in a way that is compatible with BitLocker. Deploying Windows Vista with the system partition removes the problem of creating the system partition later.
- Plan early which combination of key protectors (TPM, PIN, and USB flash drive) and key strength to use. Different compliance regulations, corporate policies, and government contracts have different requirements regarding this choice. Some countries (for example, China and Russia) have explicit TPM regulations, so an organization should check with its legal department during development of this policy.
- Keep BitLocker deployment simple. Microsoft IT is doing the absolute minimum to prepare each computer for BitLocker. This effort primarily involves partitioning the disk correctly and ensuring that TPM is enabled.
- Plan early how key escrow is going to work. Will the organization require backup of recovery passwords to AD DS? Should users store recovery passwords in a secure but accessible location? Also, the organization should document the policies and procedures for accessing escrowed keys. Local legal requirements may exist regarding key escrow, so the organization should check with its legal department.
- Enforce a standard for all new computer purchases that is compatible with BitLocker, and instruct OEMs on how to prepare computers for BitLocker prior to shipment. Also, an organization should plan a strategy for updating the firmware and BIOS on existing computers to be compatible.
- Use major events like installation fairs to drive BitLocker adoption. An organization should plan marketing and communications around each to provide a roadmap that helps users successfully enable BitLocker. Communications should raise awareness and drive users to the events. Also, the organization should plan how to measure uptake for installation fairs and create contingency plans for users who do not voluntarily participate. Last, the organization should find a way to soften users' time away from their computers and make the event more exciting, such as snacks and prize drawings.
- To drive adoption, the request must have some power behind it. An organization should involve managers if users do not follow through, for example. Additionally, the organization should consider checking for BitLocker compliance before allowing users on the network.
- If the infrastructure does not enforce adoption, use scripts or monitoring tools to track which users should but have not enabled BitLocker; then, notify employees' managers when they are not in compliance.
BitLocker helps secure users' data and helps protect the integrity of the operating system startup files. Most organizations have employees who work with high-business-impact data, and for Microsoft IT, protecting that data with full-volume encryption was an easy decision to make.
Microsoft IT learned that deploying BitLocker brings challenges, but customers can overcome those challenges by planning for BitLocker early in the deployment process. This planning includes building BitLocker in to the deployment process from the beginning.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:
For more information about deploying BitLocker, see the BitLocker design and deployment guides at:
© 2008 Microsoft Corporation. All rights reserved.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, BitLocker, Windows, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.