The BitLocker control panel does not expose everything you can do with BitLocker and data volumes, so you should use the -? option to explore the manage-bde.wsf commands. The manage-bde.wsf syntax is also included in the "Windows BitLocker Drive Encryption Design Guide" and the "Windows BitLocker Deployment Guide," which are available from the Microsoft Download Center at
Customers also wanted to be able to use additional authentication factors with BitLocker. BitLocker uses the TPM chip in your computer to verify the integrity of the platform—in other words, to determine that the early startup components, including the BIOS, have not been tampered with or corrupted. Since the release of Windows Vista, you have also been able to require either a PIN or the presence of a USB flash drive containing a key created when you enabled BitLocker.
With Windows Server 2008 and Windows Vista SP1, you can now combine all three. The TPM continues to verify platform integrity, the USB key represents "something you have," and the PIN represents "something you know." This configuration provides very strong protection against unauthorized users being able to start the computer and unlock BitLocker-protected drives.
As with many things in security, however, this represents a trade-off. When BitLocker is configured this way, a computer cannot restart unattended: someone must be present to enter the PIN and insert the USB key. In the case of a server, for example, you must decide which is more important: a seamless restart or a higher level of protection.
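The commands that produce this configuration, as an added example that is not from the article or from the BitLocker documentation: it runs on a volume where BitLocker is being enabled or is already on, the option names (-RecoveryPassword, -TPMAndPINAndStartupKey, -protectors -get) follow the manage-bde syntax of later Windows releases and are assumed to match the manage-bde.wsf copy on the system, and E:\ is an assumed drive letter for the USB key. Check the options against the script's own -? output, as the article suggests, before running it.

```powershell
# Added example: configure TPM + PIN + USB startup key on the OS volume, with a
# recovery password added first. Option names are assumed to match this system's
# manage-bde.wsf; verify with: cscript manage-bde.wsf -protectors -add -?
$Volume    = 'C:'
$UsbDrive  = 'E:\'   # assumed letter of the removable drive that will hold the .BEK startup key
$ManageBde = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'

function Invoke-ManageBde {
    # Runs manage-bde.wsf, echoes its output to the console, returns the output lines
    # for parsing, and stops the script if the command reports failure.
    param([string[]]$Arguments)
    & cscript.exe //nologo $ManageBde @Arguments | Tee-Object -Variable captured | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    return $captured
}

if (-not (Test-Path $UsbDrive)) { throw "Startup-key drive $UsbDrive is not present" }

# 1. Recovery password first: if the TPM later reports a changed platform, or the PIN
#    or USB key is unavailable, this is the only way back into the volume.
$lines = Invoke-ManageBde @('-protectors', '-add', $Volume, '-RecoveryPassword')
$match = $lines | Select-String -Pattern '\d{6}(-\d{6}){7}' | Select-Object -First 1
if (-not $match) { throw 'manage-bde did not print a 48-digit recovery password' }
$recoveryPassword = $match.Matches[0].Value
# Escrow $recoveryPassword now (AD DS through the Group Policy setting, or a copy kept
# off this computer). It must never be stored only on the volume it unlocks.

# 2. Three-factor startup protector: the PIN is prompted for, the startup key is written
#    to the USB drive. From the next boot, TPM check + PIN + key are all required.
Invoke-ManageBde @('-protectors', '-add', $Volume, '-TPMAndPINAndStartupKey', $UsbDrive) | Out-Null

# 3. Confirm the protector list shows both the recovery password and the
#    TPM+PIN+startup-key protector before relying on the configuration.
Invoke-ManageBde @('-protectors', '-get', $Volume) | Out-Null
```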
With Windows Server 2008 and Windows Vista SP1, support has also been added for computers equipped with a Unified Extensible Firmware Interface (UEFI). UEFI is a specification that represents a modernization of the traditional BIOS used by most computers at startup. For more information about the UEFI specification, please visit
When BitLocker detects that the system has been changed, or if a required PIN or USB key is not available at startup, BitLocker enters recovery mode. In recovery, BitLocker-enabled volumes remain locked and a text-mode dialog called the Recovery Console is presented to the user.
To unlock the drive, the user must enter a recovery password (a 48-digit number) either from the keyboard or from a USB flash drive. (When stored on a USB flash drive, the password is sometimes called a recovery key, because it is a binary, not text, format.)
BitLocker uses the recovery password to decrypt the keys stored in the volume metadata—the Volume Master Key (VMK) and then the Full Volume Encryption Key (FVEK)—to unlock the drive. For recovery to be successful, a copy of the recovery password must be available.
Because of this, in addition to the copy the user keeps (for example, on a USB flash drive), I highly recommend that you also store the recovery password centrally. The operating system includes functionality for storing recovery passwords in Active Directory® Domain Services (ADDS).
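An added check (not from the article) for a recovery password copy retrieved from escrow, before you rely on it in a recovery: it assumes a structural property of the 48-digit format that the article does not state, namely that each six-digit group is a 16-bit value multiplied by 11, so every group must be divisible by 11 and below 720896; the sample passwords are constructed.

```powershell
function Test-BitLockerRecoveryPassword {
    # Returns $true when $Password has the structure of a BitLocker recovery password:
    # 8 groups of 6 digits (hyphens and spaces optional). Assumed property of the
    # format: each group is a 16-bit value times 11, so it must be divisible by 11
    # and less than 65536 * 11 = 720896. A transcription error in any digit breaks
    # the divisibility, which is what this check catches.
    param([Parameter(Mandatory = $true)][string]$Password)
    $digits = $Password -replace '[\s-]', ''
    if ($digits -notmatch '^\d{48}$') {
        Write-Verbose 'Expected exactly 48 digits'
        return $false
    }
    for ($i = 0; $i -lt 8; $i++) {
        $group = [int]$digits.Substring($i * 6, 6)
        if (($group % 11) -ne 0 -or $group -ge 720896) {
            Write-Verbose ("Group {0} ({1:D6}) is not a valid block" -f ($i + 1), $group)
            return $false
        }
    }
    return $true
}

# Constructed samples: a well-formed password and the same one with one digit changed,
# as might happen when a password is copied by hand into a ticket or spreadsheet.
$good = '123453-000011-720885-000000-654291-000022-000033-000044'
$bad  = '123454-000011-720885-000000-654291-000022-000033-000044'
foreach ($candidate in @($good, $bad)) {
    if (Test-BitLockerRecoveryPassword -Password $candidate -Verbose) {
        "$candidate -> well-formed"
    } else {
        "$candidate -> REJECTED: not a valid recovery password, re-check the escrowed copy"
    }
}
```

A well-formed result only means the copy was not damaged in transit; it does not prove the password belongs to the volume you are trying to unlock.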
Secrets stored in the volume metadata, such as the VMK, are encrypted and the integrity of the entire volume metadata is cryptographically protected. If BitLocker detects that the volume metadata has been tampered with, it will refuse to use any of the metadata and it won't unlock any protected volumes. Note that the recovery password alone will not unlock a drive in this state.
It is important to stress that this situation only occurs with a deliberate security attack against the computer. If it happens, there's a good chance your computer is already in the hands of an evil-doer and out of your control. It will not arise from a simple unplanned change to the platform or if you forget your PIN.
To unlock the volume, you will need the following three items:
- The recovery password (as text to type in or on a USB flash drive)
- The binary key package that includes encrypted versions of the FVEK and VMK
- The BitLocker Repair Tool
In short, you need to make sure your enterprise always has access to all of these things.
The recovery password can be backed up manually or automatically. I recommend using the Group Policy setting to automatically back up the recovery password to Active Directory Domain Services.
When you configure this setting, as shown in Figure 3, include the option to back up the binary key package. The binary key package includes encrypted versions of the VMK and FVEK, allowing you to use the BitLocker Repair Tool, if necessary.
Figure 3 Configuring Group Policy to include key packages in recovery information
The BitLocker Repair Tool has been designed to help you recover data from damaged disks that are BitLocker-enabled. Note that this is an advanced tool, meant for use by experienced administrators. For more information on the BitLocker Repair Tool, read the Microsoft Knowledge Base article at
, or watch my webcast, "Microsoft BitLocker in the Enterprise: BitLocker Tools to Make Your Life Easier" (which includes a live demo), at
This is a good place to point out that BitLocker does not replace the need to back up your data. If your disk is damaged or has been deliberately attacked, there is no certainty that the BitLocker Repair Tool will be able to recover any, let alone all, of the data.
Broader TPM Usage
Technically, this isn't a BitLocker change, but it's cool enough to be worth mentioning. Prior to SP1, the only part of the Windows OS that made use of the TPM was BitLocker, but now the TPM is used for other functions as well. For one, when Windows sees that a TPM is available, it uses the TPM as a source of additional entropy when generating random numbers. This improves the quality of all sorts of encryption (and might even make your game play better, too).
However, this also means that not all TPM-related events shown in the Event Viewer are necessarily related to BitLocker. As an IT pro, you want to be aware that other system components—and potentially software from other vendors—can and will make use of the TPM, and therefore will cause events to be logged.
BitLocker in Windows Server 2008
Because of the shared codebase between Windows Vista and Windows Server 2008, the BitLocker changes appearing in SP1 are part and parcel of Windows Server 2008. But why is BitLocker relevant on a server? After all, BitLocker, by design, protects a computer from offline attacks. In other words, BitLocker offers no protection to a running system, and servers, of course, are generally expected to be running all the time.
As it turns out, there are occasions where a server, or a hard disk from a server, could be exposed to an offline attack. Even if that never happens, BitLocker can help greatly when it is time to decommission a server or a hard disk, as we'll see. First, let's look at how to get BitLocker installed and running on a server.
Getting and Installing BitLocker
BitLocker is included in all editions of Windows Server 2008, but it is an optional component, or feature, that must be installed from either Server Manager or the command line. BitLocker is implemented, in part, as an NTFS filter driver, and installing this filter driver requires a restart, so be aware that activating BitLocker on a server will require a reboot. Also, as with Windows Vista, BitLocker requires a split-load configuration, where the active partition used to start the computer remains unencrypted. The BitLocker Drive Preparation Tool is available to help you correctly configure your hard disks to support BitLocker if the server has not come pre-configured from the manufacturer. If you are comfortable with hard drive partitioning, however, you can certainly configure the hard disks manually.
To install BitLocker on Windows Server 2008, you can use the Server Manager graphical interface to select BitLocker from the list of features, as shown in Figure 4, or you can use the Server Manager command-line interface, by issuing the command:
Figure 4 Selecting BitLocker in Server Manager