Planning to Deploy Windows 7 BitLocker Drive Encryption

Applies To: Windows 7

Before deploying BitLocker Drive Encryption in your organization, create a deployment plan that covers the supporting infrastructure BitLocker depends on: TPM-capable hardware, a way to back up and retrieve recovery information, and a chosen enablement method. Having this infrastructure in place helps users be more confident in their use of BitLocker on their removable drives, desktop computers, and mobile computers, because they will understand why BitLocker protects their computers, how to enable it, and that drives protected by BitLocker can still be unlocked through administrative recovery methods if a problem occurs.

Use the information in the following tasks and their reference notes to help you create your deployment plan.

Each task is followed by its reference notes.

Task: Verify that the BIOS is configured correctly on all computers in the deployment that will have BitLocker-protected operating system drives.

Reference: To use BitLocker to protect the operating system drive, a computer must have a BIOS that is compatible with Trusted Platform Module (TPM) version 1.2 or later, with the TPM enabled and activated in the BIOS, or a BIOS that can read from USB flash drives during startup so that a startup key can be read before the operating system loads.

Task: Identify which computers in the BitLocker-protected operating system drive deployment have a TPM version 1.2 chip. If you will use BitLocker to protect the operating system drives of computers without TPMs, make sure that the users of those computers have a USB flash drive on which to save the startup key (without a TPM, that startup key is the only way the drive is unlocked at startup), that the BIOS can read from USB drives before the operating system is started, and that the Group Policy setting "Require additional authentication at startup" is configured with "Allow BitLocker without a compatible TPM" enabled.

Reference: To determine whether a computer includes a TPM chip, click Start, type tpm.msc in the Search programs and files box, and then press ENTER. The TPM Management snap-in opens and shows whether the computer has a TPM, its specification version, and whether the TPM is enabled, activated, and owned. A TPM that is present but disabled or deactivated in the BIOS cannot be used by BitLocker until that is corrected.

Task: If you will back up recovery information to Active Directory Domain Services (AD DS), make sure that all computers will be able to connect to the domain when they enable BitLocker, and that the Group Policy settings that store recovery information in AD DS (including the option not to enable BitLocker until the information has been stored) are applied before BitLocker is turned on. Storage of BitLocker recovery information in AD DS is supported by an AD DS schema extension that provides the attributes and classes required to store BitLocker and TPM recovery keys and packages. Windows Server® 2008 and Windows Server® 2008 R2 domain controllers include the BitLocker schema extension by default. If you are running Windows Server® 2003 with Service Pack 1 or Service Pack 2, you need to install the BitLocker schema extension to back up recovery information in AD DS.

Reference: To verify that a computer is connected to a domain, click Start, type cmd in the Search programs and files box, and then press ENTER to open the command prompt. At the command prompt, type ipconfig /displaydns to see the current DNS cache for the computer. Note that the DNS cache only shows names the computer has recently resolved and does not prove that a domain controller is reachable; a stronger check is nltest /sc_query:<domain name>, which tests the secure channel to a domain controller, or nltest /dsgetdc:<domain name>, which locates one.

If you require the schema extension, see Backing Up BitLocker and TPM Recovery Information to AD DS.
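The two checks above (TPM presence and state, and domain connectivity for AD DS backup) can be gathered in one pass per computer. The following is an added example, not a script from the TechNet page or from Microsoft: it is assumed to run in an elevated PowerShell 2.0 session on Windows 7, that the Win32_Tpm WMI class is present when a TPM is enabled in the BIOS, and that the Test-ComputerSecureChannel cmdlet (PowerShell 2.0) is available.

```powershell
# Added example (not from the TechNet page): BitLocker readiness check for one
# computer. Run in an elevated PowerShell 2.0 session on Windows 7.
# Assumptions: Win32_Tpm (root\cimv2\Security\MicrosoftTpm) is present only when
# a TPM is enabled in the BIOS; Test-ComputerSecureChannel exists (PowerShell 2.0).

$result = New-Object PSObject -Property @{
    ComputerName      = $env:COMPUTERNAME
    HasTpm            = $false
    TpmSpecVersion    = $null
    TpmEnabled        = $false
    TpmActivated      = $false
    TpmOwned          = $false
    OsDriveUnlockPath = 'USB startup key (no usable TPM)'
    DomainJoined      = $false
    DomainName        = $null
    SecureChannelOk   = $false
}

# 1. TPM presence and state. A missing Win32_Tpm instance is itself a finding:
#    either there is no TPM or it is turned off in the BIOS.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    $result.HasTpm         = $true
    $result.TpmSpecVersion = $tpm.SpecVersion              # e.g. "1.2, 2, 3"
    $result.TpmEnabled     = [bool]$tpm.IsEnabled().IsEnabled
    $result.TpmActivated   = [bool]$tpm.IsActivated().IsActivated
    $result.TpmOwned       = [bool]$tpm.IsOwned().IsOwned
    if ($result.TpmEnabled -and $result.TpmActivated) { $result.OsDriveUnlockPath = 'TPM' }
}

# 2. Domain membership, needed if recovery passwords will be backed up to AD DS.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$result.DomainJoined = [bool]$cs.PartOfDomain
if ($cs.PartOfDomain) {
    $result.DomainName = $cs.Domain
    # 3. Is a domain controller reachable right now? This validates the machine
    #    account's secure channel, which a cached DNS entry cannot prove.
    $result.SecureChannelOk = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)
}

$result | Format-List ComputerName, HasTpm, TpmSpecVersion, TpmEnabled, TpmActivated, TpmOwned, `
                      OsDriveUnlockPath, DomainJoined, DomainName, SecureChannelOk

# Blockers the deployment plan has to resolve before BitLocker is enabled here.
if (-not $result.HasTpm) {
    Write-Warning 'No TPM: the OS drive needs a USB startup key and the "Allow BitLocker without a compatible TPM" policy.'
} elseif (-not ($result.TpmEnabled -and $result.TpmActivated)) {
    Write-Warning 'TPM present but not enabled and activated in the BIOS.'
}
if (-not $result.SecureChannelOk) {
    Write-Warning 'No working domain connection: AD DS backup of recovery information would fail.'
}
```

Reading Win32_Tpm requires an elevated session; in a non-elevated one the class query fails and the script would wrongly report no TPM, which is why the example insists on elevation.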

Task: Determine the deployment method for BitLocker. It can be enabled during the image build process, administratively after deployment, or through scripting with the Manage-bde command-line tool or the BitLocker WMI provider (the Win32_EncryptableVolume class).

Reference: Review the topics on administrative installation methods: Enabling BitLocker by Using a WMI Script and Enabling BitLocker by Using the Command Line.
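For the administrative and scripted method, the point a plan has to get right is the order of operations: add the key protectors, back the recovery password up to AD DS, and only then start encrypting, so that recovery is possible from the first reboot. The following is an added example, not a script from the TechNet page or from Microsoft. It assumes the operating system drive is C:, that the computer has an enabled and activated TPM 1.2 and is domain joined, that the AD DS schema already carries the BitLocker attributes, and that it is run from an elevated PowerShell prompt on Windows 7; the Invoke-Bde wrapper is a local helper, not part of manage-bde.

```powershell
# Added example (not the TechNet page's own script): scripted enablement of
# BitLocker on the Windows 7 OS drive with manage-bde, with the recovery
# password backed up to AD DS before encryption starts.
# Assumptions: OS drive is C:, TPM 1.2 enabled/activated, domain joined,
# BitLocker schema present in AD DS, elevated PowerShell prompt.

$drive = 'C:'

function Invoke-Bde([string[]]$BdeArgs) {
    # Local helper: stop on any manage-bde failure instead of leaving a
    # half-configured drive behind.
    $out = & manage-bde @BdeArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("manage-bde {0} failed ({1}): {2}" -f ($BdeArgs -join ' '), $LASTEXITCODE, ($out -join "`n"))
    }
    $out
}

# 1. Key protectors. The TPM protector unlocks the drive at boot; the numerical
#    (recovery) password is what an administrator uses when the TPM cannot.
Invoke-Bde @('-protectors', '-add', $drive, '-tpm') | Out-Null
$addOut = Invoke-Bde @('-protectors', '-add', $drive, '-recoverypassword')

# manage-bde prints the new protector's ID in braces and the 48-digit password.
# The ID is needed for the AD DS backup below.
$text        = $addOut -join "`n"
$protectorId = ([regex]'\{[0-9A-Fa-f-]{36}\}').Match($text).Value
$recoveryPwd = ([regex]'(\d{6}-){7}\d{6}').Match($text).Value
if (-not $protectorId -or -not $recoveryPwd) {
    throw 'Could not parse the recovery password protector from manage-bde output.'
}

# 2. Back the recovery password up to AD DS before turning encryption on.
Invoke-Bde @('-protectors', '-adbackup', $drive, '-id', $protectorId) | Out-Null

# 3. Start encryption. -SkipHardwareTest skips the TPM reboot test; omit it on
#    hardware models you have not validated yet so the test still runs.
Invoke-Bde @('-on', $drive, '-SkipHardwareTest') | Out-Null

# Do not write $recoveryPwd to any log that is less protected than AD DS.
Write-Host "BitLocker enabled on $drive; recovery password protector $protectorId backed up to AD DS."
Invoke-Bde @('-status', $drive)
```

If the AD DS backup step fails (for example because the computer cannot reach a domain controller, or the schema extension is missing on a Windows Server 2003 domain), the script stops before encryption starts, which is the behaviour the "do not enable BitLocker until recovery information is stored in AD DS" policy enforces for the wizard.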

Task: Prepare an upgrade migration plan so that users who have BitLocker enabled on the previous version of Windows can transition to Windows 7 without decrypting their drives.

Reference: When upgrading a computer running Windows Vista that has BitLocker enabled on the operating system drive, the drive does not need to be decrypted. You only need to suspend (disable) BitLocker protection before starting the upgrade. Suspending leaves the data encrypted but stores the volume key in the clear on the drive, so the changes the upgrade makes to the boot environment do not force TPM recovery at the next startup; until protection is resumed, the drive is therefore not protected. After the upgrade to Windows 7 is complete, resume protection by right-clicking the drive in Windows Explorer.

When a BitLocker-protected drive is part of an operating system upgrade, the drive's BitLocker version (the on-disk metadata format) is not updated. If you plan to use new Windows 7 BitLocker features such as identification fields and data recovery agents as part of your BitLocker deployment, you will need to run the Manage-bde command-line tool with the -upgrade parameter to upgrade the BitLocker version. To use Manage-bde, you must be logged on with an account that has administrative privileges and open an elevated command prompt. For more information, see the Manage-bde.exe Parameter Reference.

For data drives migrated from a computer running Windows Vista to a computer running Windows 7, users will be prompted to upgrade the BitLocker version if a Windows 7 unlock method is added to the drive. The upgrade is one-way: after the BitLocker version is upgraded, the drive can no longer be unlocked on a computer running Windows Vista, so plan it carefully for removable drives that move between computers running both versions.
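The post-upgrade steps of this migration (resume protection, check the BitLocker version, upgrade it only when Windows 7 features are needed) are shown below as an added example, not a script from the TechNet page or from Microsoft. It assumes the operating system drive is C:, that it is run from an elevated PowerShell prompt on the upgraded Windows 7 computer, and that the Version value returned by the Win32_EncryptableVolume GetVersion method follows its documentation (1 for the Windows Vista format, 2 for the Windows 7 format); the pre-upgrade suspend step on Windows Vista appears only as a comment.

```powershell
# Added example (not from the TechNet page): Vista -> Windows 7 BitLocker
# migration, post-upgrade steps, run from an elevated PowerShell prompt.
# Assumptions: OS drive is C:; Win32_EncryptableVolume.GetVersion() returns
# 1 for the Windows Vista metadata format and 2 for the Windows 7 format.

$drive = 'C:'

# Before the upgrade, on Windows Vista, suspend protection instead of decrypting:
#   cscript %SystemRoot%\System32\manage-bde.wsf -protectors -disable C:
# (or Control Panel > BitLocker Drive Encryption > Turn Off BitLocker > Disable).
# Data stays encrypted, but a clear key is stored so the upgraded boot files
# do not trigger TPM recovery on first boot.

function Get-BdeVolume([string]$DriveLetter) {
    Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
}

function Get-BdeVersion([string]$DriveLetter) {
    $r = (Get-BdeVolume $DriveLetter).GetVersion()
    if ($r.ReturnValue -ne 0) { throw ("GetVersion failed: 0x{0:X8}" -f $r.ReturnValue) }
    $r.Version
}

# Step 1: resume protection (same as right-clicking the drive in Windows
# Explorer and choosing Resume Protection) and confirm the clear key is gone.
& manage-bde -protectors -enable $drive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -enable failed with $LASTEXITCODE" }
$status = (Get-BdeVolume $drive).GetProtectionStatus()
if ($status.ProtectionStatus -ne 1) {
    throw "Protection is still off on $drive (status $($status.ProtectionStatus))"
}

# Step 2: the upgrade leaves the metadata in the Vista format. Upgrade it only
# when identification fields or data recovery agents are needed; for data
# drives that also visit Vista computers this is a one-way change.
$before = Get-BdeVersion $drive
Write-Host "BitLocker metadata version on ${drive} before upgrade: $before"
if ($before -eq 1) {
    & manage-bde -upgrade $drive
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -upgrade failed with $LASTEXITCODE" }
    $after = Get-BdeVersion $drive
    Write-Host "BitLocker metadata version on ${drive} after upgrade: $after"
    if ($after -ne 2) { throw "Version did not change; inspect 'manage-bde -status $drive'" }
}

# Step 3: record the final state for the migration log.
& manage-bde -status $drive
```

The protection-status check after step 1 is the part worth keeping in any migration script: a drive left with protectors disabled is still encrypted on disk, but anyone who boots it gets in without a key.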

For more information on planning a BitLocker deployment, see the BitLocker Drive Encryption Design Guide for Windows 7.