Deployment of BitLocker on large scale
Hi all,
Don't know if this is the right place for this question, but let me try it here :)
I am wondering if someone could give me some information on what the user experience will be when enabling BitLocker on a large scale. I have read on Microsoft TechNet that I have to use a WMI script for enabling BitLocker on a large scale, but if that's done, what will the user notice? Will they get a message that a reboot is needed to set up BitLocker for the first time?
Thanks for the answer.
February 15th, 2011 9:52am
You cannot just enable BitLocker on a large scale on systems that you already deployed with Windows 7.
First you have to make sure that the TPM is enabled in the BIOS and ready to receive the key material needed for BitLocker.
When you have run the script to enable BitLocker (using manage-bde.exe), users will receive a message that they need to reboot in order to start the encryption process. After the reboot your users will experience reduced performance during the initial encryption process. This can take several hours, depending on the hardware in use. After the encryption process has finished, user performance will get back to normal.
Before you start the mass encryption, make sure that you have the policies in place to store the BitLocker recovery keys. If you store those in AD, you also should make sure that the systems are connected to the corporate network at the time that you enable BitLocker.
Ray - Author of Windows 7 for XP Professionals
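The pre-flight checks Ray lists (TPM enabled and activated in the BIOS, recovery-key escrow reachable) can be verified before the enablement script is pushed out. The following is an added example, not code from this thread or from Microsoft; it uses the Windows 7 WMI providers (Win32_Tpm and Win32_EncryptableVolume) rather than the later Get-Tpm / Get-BitLockerVolume cmdlets, and assumes it runs elevated on the target machine with the OS volume on C:.

```powershell
# Added example (not from the thread): report whether a Windows 7 machine is ready
# for BitLocker enablement, so the deployment only targets machines that will succeed.
# Assumptions: elevated session, PowerShell 2.0, OS volume is C:.

function Get-TpmState {
    # Win32_Tpm is absent when the machine has no TPM driver loaded.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        return New-Object PSObject -Property @{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    New-Object PSObject -Property @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled       # turned on in the BIOS
        Activated = [bool]$tpm.IsActivated().IsActivated   # cleared/activated (takes effect after a POST)
        Owned     = [bool]$tpm.IsOwned().IsOwned           # owner password already set
    }
}

function Get-OsVolumeState {
    param([string]$DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    $conv = $vol.GetConversionStatus()
    $prot = $vol.GetProtectionStatus()
    $ids  = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = all protector types
    $count = 0
    if ($ids -ne $null) { $count = @($ids).Count }
    New-Object PSObject -Property @{
        Drive             = $DriveLetter
        ProtectionStatus  = $prot.ProtectionStatus      # 0 = off, 1 = on, 2 = unknown
        ConversionStatus  = $conv.ConversionStatus      # 0 = decrypted, 1 = encrypted, 2 = encrypting, 3 = decrypting
        EncryptionPercent = $conv.EncryptionPercentage
        ProtectorCount    = $count
    }
}

function Test-DomainReachable {
    # Recovery passwords can only be escrowed in AD if the secure channel to a DC works.
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) } catch { return $false }
}

function Test-BitLockerReadiness {
    $tpm = Get-TpmState
    $vol = Get-OsVolumeState
    $reasons = @()
    if (-not $tpm.Present)   { $reasons += 'No TPM found (driver missing or no TPM on board)' }
    if (-not $tpm.Enabled)   { $reasons += 'TPM is turned off in the BIOS' }
    if (-not $tpm.Activated) { $reasons += 'TPM is not activated; clear/activate and reboot through POST' }
    if ($vol.ConversionStatus -ne 0) { $reasons += "OS volume already encrypting/encrypted ($($vol.EncryptionPercent)%)" }
    if (-not (Test-DomainReachable)) { $reasons += 'Domain not reachable; recovery key cannot be stored in AD' }
    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Ready     = ($reasons.Count -eq 0)
        TpmOwned  = $tpm.Owned
        Reasons   = $reasons
    }
}

Test-BitLockerReadiness | Format-List
```

Run from a collection-wide script and collect the `Ready` / `Reasons` output centrally; the machines reporting "TPM is turned off in the BIOS" are the ones that need the manual BIOS visit (or a vendor tool) Ray refers to, and the rest can receive the enablement job.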
February 15th, 2011 5:24pm
Hi Ray,
thanks for your response.
Why do I need to make sure TPM is already enabled? From the Microsoft website I read the following:
The EnableBitLocker.vbs script automates the BitLocker configuration settings to:
Enable and activate the TPM.
Take ownership of the TPM and generate a random owner password.
Enable BitLocker protection by using any of the following authentication modes:
So the script enables and activates TPM.
All devices will be equipped with TPM version 1.2.
I was also wondering how or when the user has to enter a self-made PIN code. But I downloaded the script from the Microsoft website and in there there is some information that tells me the user will get a pop-up screen to enter a PIN code.
So if I'm right, policies should be all taken care of. The WMI script will be deployed with SCCM in this case. The user gets a message that BitLocker will be turned on and has to provide a PIN code. After this the disk will be encrypted and recovery information is saved in AD. This all with the user connected to the domain.
Please could you give any remarks on this?
Thanks in advance.
André
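The sequence André describes (take ownership of the TPM with a random owner password, add a TPM+PIN protector, add a recovery password and escrow it in AD, then turn encryption on) can be expressed with the manage-bde.exe commands Ray mentions. This is an added example, not Microsoft's EnableBitLocker.vbs and not code from the thread. It assumes an elevated interactive session on a machine whose TPM is already enabled and activated, an OS drive of C:, and that the Group Policy for storing recovery information in AD DS is already applied (the `-adbackup` step fails otherwise); the PIN prompt is manage-bde's own console prompt, which an SCCM job running as SYSTEM would have to replace with a user-facing dialog as the Microsoft script does.

```powershell
# Added example (not from the thread): Windows 7 OS-drive enablement via manage-bde.exe.
# Assumptions: elevated interactive session, TPM enabled+activated, OS drive C:,
# AD DS recovery-information backup policy in place.

function New-RandomOwnerPassword {
    # 24 CSPRNG bytes, base64-encoded: the "random owner password" for the TPM.
    # Escrow it (e.g. via the TPM owner information GPO); never hard-code or log it.
    $bytes = New-Object byte[] 24
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function Invoke-ManageBde {
    param([string[]]$Arguments)
    # Capture output for parsing and stop at the first failing step.
    $output = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    $output
}

function Enable-OsDriveBitLocker {
    param([string]$Drive = 'C:')

    # 1. Take ownership of the TPM with a freshly generated owner password.
    $ownerPassword = New-RandomOwnerPassword
    Invoke-ManageBde @('-tpm', '-takeownership', $ownerPassword) | Out-Null

    # 2. TPM + PIN protector. Run uncaptured so the user actually sees manage-bde's
    #    PIN prompt on the console (capturing stdout would hide it).
    & manage-bde.exe -protectors -add $Drive -tpmandpin
    if ($LASTEXITCODE -ne 0) { throw "Adding the TPM+PIN protector failed (exit $LASTEXITCODE)" }

    # 3. Numerical recovery password; its ID is needed for the AD backup.
    $out = Invoke-ManageBde @('-protectors', '-add', $Drive, '-recoverypassword')
    $match = $out | Select-String -Pattern '\{[0-9A-Fa-f-]{36}\}' | Select-Object -First 1
    if (-not $match) { throw 'Recovery password protector ID not found in manage-bde output' }
    $recoveryId = $match.Matches[0].Value

    # 4. Escrow the recovery password in AD DS *before* encryption starts, so the
    #    only copy is never on the machine being encrypted.
    Invoke-ManageBde @('-protectors', '-adbackup', $Drive, '-id', $recoveryId) | Out-Null

    # 5. Turn encryption on. With a TPM protector, manage-bde requires a restart to run
    #    its hardware test first; this is the reboot message users will see.
    Invoke-ManageBde @('-on', $Drive) | Out-Null

    New-Object PSObject -Property @{ Drive = $Drive; RecoveryProtectorId = $recoveryId }
}

Enable-OsDriveBitLocker -Drive 'C:'
Invoke-ManageBde @('-status', 'C:')
```

The final `manage-bde -status C:` call shows "Encryption in Progress" with a percentage after the reboot, which is the slow, hours-long phase Ray describes. Escrowing the recovery password (step 4) before `-on` (step 5) is deliberate: if the job is interrupted between the two, the volume is still decrypted and the key is already in AD, rather than the reverse.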
February 17th, 2011 12:09pm
Hi André,
That is correct
Most manufacturers have the TPM module turned off by default. This is configured in the BIOS setup.
When the TPM is turned on, it must be cleared and activated. Clearing and activation can be initiated in Windows but will be executed during the post BIOS at startup.
Some manufacturers have tools available to turn on the TPM from the OS. If you don't have such a tool available, then this is a manual operation.
Ray - Author of Windows 7 for XP Professionals
February 17th, 2011 7:06pm
Hi Ray,
Thanks again for your response.
I have one more question, which I hope you would like to answer.
When only using a PKI (data recovery agent) for recovery, is the way to recover an OS drive only possible by placing that disk as a data disk in another computer?
I could imagine that the recovery password/key is nowhere available, and the DRA can only unlock that OS disk when it's inserted as a DATA drive in another PC, where the DRA certificate is installed. But are there any tricks? We don't want the user to save the recovery information on, for example, a USB disk or something like that.
Thanks for your response.
February 18th, 2011 6:17am