Scenario 4: Configuring How BitLocker Is Supported on Previous Versions of Windows (Windows 7)

Applies To: Windows 7

This scenario provides procedures to use the Windows 7 Group Policy settings to control the use of BitLocker on computers running Windows Vista or Windows Server 2008.

Before you start

To complete the procedure in this scenario:

  • You must be able to provide administrative credentials.

  • Your computer must be part of a domain.

To configure how BitLocker is supported on previous versions of Windows

  1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Operating System Drives.

  4. To use multifactor authentication methods or to allow BitLocker to be used on computers without a TPM, in the details pane, double-click Require additional authentication at startup (Windows Server 2008 and Windows Vista) to open the policy setting.

  5. Click Enabled, and then select the startup authentication methods that you want to support on computers running Windows Vista and Windows Server 2008 in your organization. This policy setting provides the following authentication methods:

    • Allow BitLocker without a compatible TPM. This check box enables BitLocker to be used on computers that do not have a TPM hardware chip. In this situation, a USB flash drive that stores the encryption key for the drive must be used.

    • Configure TPM startup key. This option can be used to require that a USB key be used in addition to the TPM to protect the drive. To unlock the drive, the USB key must be present. The BIOS of the computer needs to be able to read data from a USB drive before starting the operating system. If you do not want users to be able to use USB keys with BitLocker or if you will require that users type a PIN to unlock BitLocker-protected operating system drives, select Do not allow startup key with TPM.

    • Configure TPM startup PIN. This option can be used to require that a PIN be used in addition to the TPM to protect the drive. To unlock the drive, the PIN must be entered by the user. If you do not want users to be able to use PINs with BitLocker or if you will require that users insert USB keys to unlock BitLocker-protected operating system drives, select Do not allow startup PIN with TPM.

      After you have made your choices, click Apply to apply the settings, and then close the dialog box.

  6. To configure Active Directory recovery options for computers running Windows Vista or Windows Server 2008 in your organization, in the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click BitLocker Drive Encryption to show the global policy settings.

  7. To store recovery information in Active Directory Domain Services (AD DS), in the details pane, double-click the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting, click Enabled, and then select the Require BitLocker backup to AD DS check box. When this check box is selected, BitLocker will verify the presence of a domain controller before encrypting the drive. If the domain controller cannot be found, the user will not be able to turn on BitLocker.

    After making this selection, you must choose the recovery information to back up. You can choose to back up only recovery passwords or you can choose to back up recovery passwords and key packages. Key packages are necessary if you need to recover a drive that has been damaged in such a way that the encryption key is no longer readable by BitLocker recovery.

    After you have made your choices, click Apply to apply the settings, and then close the dialog box.

  8. To configure local computer recovery options for computers running Windows Vista or Windows Server 2008 in your organization, double-click the Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) policy setting, and then click Enabled.

    You can then configure whether the user is allowed to select the BitLocker-generated 48-digit recovery password or the 256-bit recovery key as the recovery method when they turn on BitLocker. By default, both options are allowed when this setting is disabled or not configured. The recovery information is saved as a recovery key when written to a USB drive, and as a recovery password when saved to a file or printed. Enable this policy setting if you want to require the use of one recovery method and prevent the use of the other. If you want recovery to be performed only by administrators who can read the recovery password from AD DS, you can disallow both of these methods after you have configured the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting.

    After you have made your choices, click Apply to apply the settings, and then close the dialog box.

  9. To control whether computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) can access removable drives protected by the Windows 7 version of BitLocker, in the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data Drives, and then in the details pane, double-click the Allow access to BitLocker-protected removable data drives from earlier versions of Windows policy setting.

    By default, when a removable drive is protected with BitLocker, the BitLocker To Go Reader is copied to the drive, providing read-only access when the drive is accessed from computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, provided the user has the required password to unlock the drive. To require that the computer opening the drive either be running Windows 7 or already have the BitLocker To Go Reader installed, click Enabled, and then select the Do not install BitLocker To Go Reader on FAT formatted removable drives check box. If you do not want computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2 to be able to read BitLocker-protected, FAT-formatted removable drives at all, click Disabled.

    After you have made your choices, click Apply to apply the settings, and then close the dialog box.

Note

A similar policy setting is available for use with fixed data drives.

  10. Close the Local Group Policy Editor.

  11. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.

By completing this procedure, you have set policy to control the use of BitLocker on computers running Windows Vista or Windows Server 2008 in your organization.
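The procedure above is carried out entirely in the Local Group Policy Editor, so there is nothing on the page that verifies the settings actually landed or that recovery information reached AD DS. The following PowerShell audit script is an added example written for this scenario; it is not part of the original TechNet page and not Microsoft's code. It reads the BitLocker policy registry key that Group Policy writes, compares a few values with an intended configuration, lists the key protectors on the operating system drive with manage-bde.exe, and looks for the msFVE-RecoveryInformation objects that step 7 causes to be created under the computer account. The registry value names in $Expected are this example's assumptions about what the "(Windows Server 2008 and Windows Vista)" policy settings write and should be confirmed against the ADMX files in your environment; the AD DS check assumes the ActiveDirectory module from RSAT is installed and the script runs from an elevated prompt on a domain-joined Windows 7 computer.

```powershell
# Added example: BitLocker policy and AD DS recovery-information audit.
# Not part of the original TechNet scenario; see lead-in for assumptions.
# Run from an elevated PowerShell prompt on a domain-joined Windows 7 client.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Intended configuration for this example: TPM required (no TPM-less
# BitLocker), backup to AD DS required, both recovery passwords and key
# packages stored. ASSUMPTION: these value names are taken from the
# BitLocker ADMX as understood by the author of this example.
$Expected = @{
    'EnableNonTPM'                 = 0  # "Allow BitLocker without a compatible TPM" cleared
    'ActiveDirectoryBackup'        = 1  # "Store BitLocker recovery information in AD DS" enabled
    'RequireActiveDirectoryBackup' = 1  # "Require BitLocker backup to AD DS" checked
    'ActiveDirectoryInfoToStore'   = 2  # 1 = recovery passwords only, 2 = passwords and key packages
}

function Test-BitLockerPolicy {
    # Emits one object per expected value with a Status of OK, MISMATCH or
    # NOT SET. A value that is NOT SET behaves as "Not Configured", which for
    # the AD DS backup settings means recovery information is not escrowed.
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "Policy key $PolicyKey is missing; run gpupdate.exe /force and retry."
        return
    }
    $actual = Get-ItemProperty -Path $PolicyKey
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $value = $actual.$name
        $status = if ($null -eq $value) { 'NOT SET' }
                  elseif ($value -eq $Expected[$name]) { 'OK' }
                  else { 'MISMATCH' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $value
            Status   = $status
        }
    }
}

function Get-OsDriveProtectors {
    # manage-bde.exe ships with Windows 7. Its output shows whether the OS
    # drive is protected by TPM, TPM and PIN, or a startup key, and lists the
    # ID of each numerical-password (recovery password) protector, which is
    # the value that should also appear in AD DS after step 7 is applied.
    param([string]$Drive = $env:SystemDrive)
    & manage-bde.exe -protectors -get $Drive
}

function Get-AdRecoveryInformation {
    # Recovery passwords escrowed under step 7 are stored as
    # msFVE-RecoveryInformation child objects of the computer account.
    # Only the object name and creation time are returned; the script
    # deliberately does not read the msFVE-RecoveryPassword attribute.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName `
                 -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties whenCreated |
        Select-Object Name, whenCreated
}

# Usage: run all three checks and read the results together.
Test-BitLockerPolicy      | Format-Table -AutoSize
Get-OsDriveProtectors
Get-AdRecoveryInformation | Format-Table -AutoSize
```

An empty result from Get-AdRecoveryInformation on a drive that is already encrypted is expected: the "Require BitLocker backup to AD DS" check box only affects drives encrypted after the policy is in place. For a drive encrypted earlier, manage-bde.exe -protectors -adbackup C: -id {protector ID} pushes an existing recovery password to AD DS, using the numerical-password ID shown by Get-OsDriveProtectors. A MISMATCH on EnableNonTPM is the finding to act on first, because it means the domain still permits BitLocker to be turned on with only a USB startup key and no TPM.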