What Should You Consider in Your BitLocker Deployment Plan?

Applies To: Windows 7, Windows Server 2008 R2

The following sections discuss additional considerations you should be aware of before starting to deploy BitLocker in your organization.

Using BitLocker with operating system drives

Using BitLocker on operating system drives works best on computers with a compatible version 1.2 Trusted Platform Module (TPM). When using the TPM with BitLocker, the TPM must be enabled, activated, and owned. These TPM processes are automatically completed if necessary during the BitLocker setup process. For more information about working with the TPM, see TPM Management (https://go.microsoft.com/fwlink/?LinkId=157595).

Image configuration

To function correctly on operating system drives, BitLocker requires a specific disk configuration. BitLocker requires at least two NTFS partitions: one for the operating system and one for the system. The system partition should be at least 100 MB for BitLocker and 300 MB if the Windows Recovery Environment (Windows RE) will also be included on the system partition. Additional tools can be placed on the system partition as long as the size of the partition is increased accordingly. The operating system partition must meet the Windows 7 installation requirements. The BitLocker setup wizard will create this partitioning if it does not exist already. The default configuration for a new installation of Windows 7 is to include a separate system partition so that additional disk preparation is not required to turn on BitLocker. It is recommended that standard client computer images be developed that are consistent with this requirement.

Windows RE is an extensible recovery platform that is based on Windows Preinstallation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of the Windows 7 installation. Windows RE also contains the drivers and tools that are needed to unlock a BitLocker-protected drive by providing a recovery key or recovery password. To use Windows RE in conjunction with BitLocker, the Windows RE boot image must reside on a drive that is not protected by BitLocker, such as the system partition. For more information about Windows RE, see the Windows Recovery Technical Reference (https://go.microsoft.com/fwlink/?LinkId=157717).

The following table describes two standard partition configurations when using BitLocker and Windows RE. If your organization does not use Windows RE, you need a system partition of 100 MB and an operating system partition to enable BitLocker.

Disk configuration                               Partition 1         Partition 2   Partition 3
Windows RE and BitLocker on separate partitions  System              Windows RE    Windows 7
                                                 Type 0x7            Type 0x27     Type 0x7
                                                 100 MB (Active)     250 MB
Windows RE and BitLocker on the same partition   Windows RE/System   Windows 7     Not needed
                                                 Type 0x7            Type 0x7
                                                 300 MB (Active)
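The "Windows RE and BitLocker on separate partitions" row of the table, expressed as a diskpart script that an unattended Windows 7 build could run before applying the image. This is an added example, not code from the original documentation; it assumes disk 0 is the blank MBR target disk of the computer being imaged (the script wipes it) and the drive letters S, R and C are arbitrary choices.

```powershell
# Added example: create the 100 MB active system partition, the 250 MB
# Windows RE partition (MBR type 0x27) and the Windows 7 partition from
# the table above. Assumes disk 0 is the blank target disk of a build
# machine; "clean" erases everything on it.
$layout = @"
select disk 0
clean
create partition primary size=100
format quick fs=ntfs label="System"
assign letter=S
active
create partition primary size=250
format quick fs=ntfs label="Windows RE"
set id=27
create partition primary
format quick fs=ntfs label="Windows"
assign letter=C
exit
"@

# diskpart reads its commands from a script file; write it as plain ASCII.
$scriptPath = Join-Path $env:TEMP 'bitlocker-layout.txt'
Set-Content -Path $scriptPath -Value $layout -Encoding ASCII
diskpart /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
```

If Windows RE is not used, drop the second create/format/set block and the remaining layout matches the 100 MB system partition plus operating system partition described above.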

Hardware implementation standards

As part of your planning, determine which hardware will use BitLocker in your organization and whether you will be using automation to create standard images.

Considerations for computers with TPMs

Record which original equipment manufacturer (OEM) built the system and which TPM it includes. Make sure comparable models are available for testing. This will help identify potential BIOS conflicts, firmware updates, and other settings that might need to be configured for BitLocker to be deployed smoothly on those computers.

Identify if physical presence interfaces are available for the TPM. The Trusted Computing Group (TCG) TPM specification requires that an administrator be physically present at the computer to perform some TPM administration functions, such as turning on and turning off the TPM. These TPM functions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. The following are examples of TPM administrative tasks that require physical presence:

  • Activating the TPM

  • Clearing the existing owner information from the TPM without the owner password

  • Deactivating the TPM

  • Temporarily disabling the TPM without the owner password

BitLocker cannot use the TPM until it is in the following state: enabled, activated, and owned. All operations are available only when the TPM is in this state. The state of the TPM exists independent of the computer's operating system. After the TPM is enabled, activated, and owned, the state of the TPM is preserved even if the operating system is reinstalled. For each of the TPM states, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive.

The following table provides descriptions of the TPM states.

State         Description

Enabled       Most features of the TPM are available. The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken.

Disabled      The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and to perform hashing and basic initialization. The TPM may be enabled and disabled multiple times within a boot period.

Activated     Most features of the TPM are available. The TPM may be activated and deactivated only through physical presence, which requires that the computer be restarted.

Deactivated   Similar to disabled, with the exception that ownership can be taken while deactivated and enabled. The TPM may be activated and deactivated only through physical presence, which requires that the computer be restarted.

Owned         Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.

Un-owned      The TPM does not have a storage root key and may or may not have an endorsement key.

For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup. An endorsement key can be created at any time, but it can be created only once for the TPM. If an endorsement key does not exist for the TPM, it must be created before TPM ownership can be taken.

If you have not taken ownership of the TPM before BitLocker is enabled, BitLocker setup will initialize and take ownership of the TPM. The TPM owner password and recovery password will be printed with the BitLocker recovery password and stored to Active Directory Domain Services (AD DS) if you have elected to use Active Directory backup of recovery passwords. For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (https://go.microsoft.com/fwlink/?LinkID=69584).

Considerations for computers without TPM hardware

If you want to use BitLocker on computers without a TPM, consider the following items in your deployment plan:

  • Ensure that the computers meet the minimum hardware requirements for running Windows 7.

  • Verify that the computers can read from a USB device in the preboot environment.

  • Confirm that you have enough USB devices to provide each user with a USB drive for storage of the BitLocker key and that the USB devices are on the same replacement schedule as the computers. CDs or DVDs cannot be used in place of a USB device for storage of the BitLocker key.

  • Record the OEM manufacturers and hardware specifications of the computer that will use BitLocker without a TPM. Obtain comparable computers on which to run the BitLocker system check to identify any compatibility issues.

OEM-specific considerations for automated deployments

If you plan to purchase new computers, obtain the following information from the OEM to simplify the automated deployment plan for BitLocker:

  • Identify the tools provided by the OEM that can automate TPM management.

  • Determine what tools your OEM provides for managing the BIOS configuration of your computers. These tools should be comprehensive enough to manage the state of the TPM and the BIOS administrator password.

  • Identify when the endorsement key for the TPM is generated. The manufacturer can do this during the computer build process, or the computer reseller or the computer owner can do it. It is important to know where or when the endorsement key is applied because this information must be kept secure and tracked for the entire life of the computer. The endorsement key is valid only for the TPM with which it is associated.

Note

You can automate the creation of the endorsement key during your build process, or you can rely on the manufacturer or OEM to apply the endorsement key. If an endorsement key does not exist, you can create the endorsement key and enable BitLocker during your build process by using a Windows Management Instrumentation (WMI) script. If you use the BitLocker setup wizard to turn on BitLocker, an endorsement key is created automatically when BitLocker initializes and takes ownership of the TPM.

  • Identify the standard BIOS configuration for the TPM when it is shipped by the OEM. Computers that are equipped with a TPM and shipped to your organization in a disabled state will require physical presence at some point during your build process to enable the TPM. This physical presence requirement will add a manual step to your deployment. Some OEMs might provide automation tools to override this manual step, but this depends on each OEM's implementation of the TPM technology. The TPM can also be shipped in an enabled state. If you want to automate the activation and ownership process by using the BitLocker WMI providers, you should request that your OEM ships the TPM in the following state:

    1. Enabled

    2. Activated

    3. With the following permanent flag set:

      TPM_PF_OWNERSHIP = TRUE

    4. Ownership not taken

  • Determine if the OEM requires a BIOS administrator password to use the TPM. As a part of the physical presence specification, the OEM might require that a BIOS administrator password be set to enable and activate the TPM. This requirement might also add a manual step to your deployment process. Again, OEMs might provide automation tools to specify the password. You might consider having the OEM ship the computer not only with the TPM enabled but also with a default BIOS administrator password for your organization. You can then change the BIOS password during the build process if the OEM provides the appropriate automation tools.

  • Determine how to specify the boot order on the computer. The boot order can affect your build process if you build your computers from a bootable DVD. If the CD or DVD drive comes before the operating system drive in the boot order, bootable media in that drive is included in the measurement of the boot process that BitLocker performs; BitLocker setup blocks enabling BitLocker in this state, forcing you to eject the CD or DVD and restart the computer. If the boot order is configured so that the hard drive containing the operating system starts before the CD or DVD drive, the CD or DVD is not measured during the system boot process. In this configuration, you still need to remove any bootable CD or DVD before enabling BitLocker, but you do not have to restart the computer, so the build process can programmatically eject the CD or DVD and then continue enabling BitLocker. If you are planning to automate your build process completely, ensure that the boot order of your target computers is configured in a way that supports this type of automation.
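The automated TPM initialization that the note above describes, together with a check for the shipped state requested from the OEM (enabled, activated, ownership permitted, not yet owned), as an added PowerShell script using the Win32_Tpm and Win32_EncryptableVolume WMI providers. This is example code, not code from the original documentation; it assumes the operating system drive is C:, that the build process supplies the TPM owner passphrase in $ownerPassphrase, and that any physical-presence steps were completed by the OEM or a technician, since the script stops rather than trying to script them.

```powershell
# Added example: check the TPM state the build expects (enabled, activated,
# ownership allowed, not yet owned), create the endorsement key if it is
# missing, take ownership, then turn on BitLocker for the OS drive with a
# TPM protector and a numerical recovery password. Run elevated on Windows 7.
$ownerPassphrase = 'BUILD-SUPPLIED-OWNER-PASSPHRASE'   # placeholder, assumed to come from the build process
$osDrive = 'C:'                                        # assumed OS drive letter

$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
if ($tpm -eq $null) { throw 'No TPM found; plan for the startup-key method instead.' }

# Enabling and activating require physical presence, so the script reports
# the state and stops rather than trying to automate those steps.
if (-not $tpm.IsEnabled().IsEnabled)     { throw 'TPM is disabled: enable it in the BIOS.' }
if (-not $tpm.IsActivated().IsActivated) { throw 'TPM is deactivated: activate it in the BIOS.' }
if (-not $tpm.IsOwnershipAllowed().IsOwnershipAllowed) {
    throw 'TPM does not permit ownership (corresponds to TPM_PF_OWNERSHIP not being set).'
}

# An endorsement key must exist before ownership can be taken; it is created only once.
if (-not $tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent) {
    $r = $tpm.CreateEndorsementKeyPair()
    if ($r.ReturnValue -ne 0) { throw "CreateEndorsementKeyPair failed: $($r.ReturnValue)" }
}

if (-not $tpm.IsOwned().IsOwned) {
    $ownerAuth = $tpm.ConvertToOwnerAuth($ownerPassphrase).OwnerAuth
    $r = $tpm.TakeOwnership($ownerAuth)
    if ($r.ReturnValue -ne 0) { throw "TakeOwnership failed: $($r.ReturnValue)" }
}

$vol = Get-WmiObject -Namespace 'root\cimv2\security\microsoftvolumeencryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$osDrive'"

# TPM-only unlock ($null profile = default PCR set) plus a recovery password.
$r = $vol.ProtectKeyWithTPM('TPM', $null)
if ($r.ReturnValue -ne 0) { throw "ProtectKeyWithTPM failed: $($r.ReturnValue)" }
$r = $vol.ProtectKeyWithNumericalPassword('Recovery password', $null)
if ($r.ReturnValue -ne 0) { throw "ProtectKeyWithNumericalPassword failed: $($r.ReturnValue)" }
$recoveryId = $r.VolumeKeyProtectorID

# Escrow the recovery password in AD DS (the matching Group Policy must be set).
$r = $vol.BackupRecoveryInformationToActiveDirectory($recoveryId)
if ($r.ReturnValue -ne 0) { throw "AD DS backup failed: $($r.ReturnValue)" }

# 1 = AES-128 with diffuser (the Windows 7 default); 0 = encrypt the whole volume.
$r = $vol.Encrypt(1, 0)
if ($r.ReturnValue -ne 0) { throw "Encrypt failed: $($r.ReturnValue)" }
```

Each WMI method returns an object whose ReturnValue is 0 on success, which is why the script checks it after every call instead of assuming the step worked.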

Unattended restart

BitLocker can be configured to work with unattended restart for organizations that perform remote updates or have implemented Wake On LAN solutions, such as the one included in Microsoft System Center Configuration Manager 2007. For information about Wake On LAN, see Wake On LAN in Configuration Manager (https://go.microsoft.com/fwlink/?LinkId=157596). The TPM-only unlock method should be used on operating system drives in these situations.

Disable sleep

BitLocker unlock methods for operating system drives—such as TPM integrity checks or requests for a PIN or startup key before allowing access to the drive—are only used when a computer is turned on, is restarted, or comes out of hibernation. If a computer enters sleep mode after a period of inactivity instead of entering hibernation, the drive stays unlocked. Therefore, for added security, it is recommended that sleep mode be disabled by using Group Policy.

Unlocking BitLocker-protected drives on computers running Windows XP or Windows Vista

Using BitLocker with removable drives is known as BitLocker To Go. The BitLocker To Go Reader application allows the contents of the removable drive to be read on computers that are running Windows Vista or Windows XP. By default, when a removable drive formatted with the FAT16, FAT32, or exFAT file system is encrypted, the BitLocker To Go Reader is placed in an unencrypted portion of the drive. This allows users to access content on BitLocker-protected removable drives on computers that you do not manage. If you do not want any portion of the removable drive to be unencrypted, you can use a Group Policy setting to prevent the creation of the unencrypted space and the installation of the BitLocker To Go Reader. In this situation, for the drive to be unlocked, the computer on which the drive is mounted must be running Windows 7 or Windows Server 2008 R2, or must already have the BitLocker To Go Reader installed if it is running Windows Vista or Windows XP. You can download the BitLocker To Go Reader from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkID=151425). Alternatively, you can use Software Restriction Policies to validate the version of the BitLocker To Go Reader that computers running Windows XP or Windows Vista in your organization are allowed to run. This helps to provide a countermeasure against malicious software (malware) being introduced from removable devices.

Note

Software Restriction Policies has been updated in Windows 7 and Windows Server 2008 R2 and has been renamed AppLocker. AppLocker rules cannot be enforced on computers running Windows Vista or Windows XP. AppLocker rules and Software Restriction Policies rules can be run in parallel. For more information, see Using Software Restriction Policies with AppLocker Policies (https://go.microsoft.com/fwlink/?LinkId=166611).

Using Group Policy, you can require that all removable drives use BitLocker To Go so that data does not leave your organization without BitLocker protection.

Using BitLocker with fixed data drives

To protect page files and other temporary files generated on the operating system when content is read from fixed data drives, it is recommended that you also encrypt the operating system drive with BitLocker when using BitLocker on fixed data drives. Use of BitLocker on fixed data drives can be required by configuring the appropriate Group Policy setting. Turning on BitLocker on a fixed data drive requires local administrator credentials.