Complete Guide to Deploying BitLocker Drive Encryption
The 2018 GDPR continues to be at the forefront of many IT Managers’ minds and these days there are few excuses for not encrypting your IT assets. We’ve spent much of the past 18 months rolling out BitLocker encryption to our clients and in this article, I’m going to cover some of the common issues and foibles we’ve run across. Hopefully it will assist you in your roll out of the technology!
1. Windows 7 vs Windows 10
BitLocker was first introduced in Windows 7 but requires the Ultimate edition and is not as feature rich as the Windows 10 version (which only requires a Professional license). Windows 7 is also less willing to accept a PIN/password as the primary method of unlocking and without a compatible TPM chip you are forced to use a USB pen drive to unlock the machine which is not ideal if you have a lot of assets to encrypt.
All things considered we recommend to our clients that their environments should be upgraded to Windows 10 before rolling out BitLocker. Personally, I would recommend that any Windows 7 PC should be upgraded as a matter of course anyway (Microsoft is ending Windows 7 support soon) so this project can be a good excuse to bring your older machines up-to-date.
2. TPM or not to TPM
BitLocker is designed to work alongside a TPM chip and the performance will be a lot better if the assets you are encrypting have a TPM 2.0 (or later) installed. That said, it is possible to still encrypt the drive without a compatible TPM and that is often the case where the business has employed a lot of “home” PCs (e.g. bought from PC World or Amazon) or where older hardware is still in use.
In order to enable BitLocker without a TPM you need to edit the Group Policy on the machine/domain to “allow the use of BitLocker without a compatible TPM”. The settings for this can be found under:
Local Computer Policy > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
If your computer does have a TPM then you will need to both enable it and prepare it before you can enable BitLocker. There is a “TPM Administration” tool (available through a link on the BitLocker configuration page) where you can do this. Note that in some cases you will have to enter your PC’s BIOS settings to clear/enable the TPM (though don’t clear it when you already have an encrypted drive!).
Also note that in some cases we have had to upgrade the firmware of the TPM chip before BitLocker could be successfully enabled. If you are having trouble with the TPM then we would recommend that you visit the manufacturer’s support page and search for any available BIOS or TPM firmware updates.
3. IMPORTANT! Before you Begin
Before commencing with the BitLocker setup, we STRONGLY recommend that you commit any pending Windows updates and fully reboot the machine.
We have had a handful of machines completely bricked where the drive thinks that it is encrypted but the password AND the recovery key will not unlock it. Usually in this scenario the actual data is still accessible on the disk and can be recovered but what is usually a 5-minute job becomes a 5-hour job when you have to manually recover their data from the disk and completely rebuild the machine.
When you have 50 odd machines to encrypt it can be tempting to skip this step but I can’t stress enough how important it is, take the extra time, reboot the machine and save yourself a million headaches.
4. Enabling BitLocker Step One: System Check / Preparation
Whilst you can use the ‘manage-bde’ command-line utility to enable Bit Locker, I’d recommend sticking to the GUI / wizard where possible to avoid mistakes. Manage-bde must be run from an elevated command prompt and gives more control over the process but you need an in-depth knowledge of BitLocker to really make the most of it and unless you’re putting some kind of deployment script together it’s not worth the hassle.
Always make sure you run the BitLocker system check. There’s never any reason not to do this and you want to make sure it’s all going to work.
The first stage of the GUI is to scan and prepare your computer for Bit Locker and this is where you’ll encounter most of your problems:
TPM Related Errors
If your computer has a TPM chip and it’s not been properly enabled or cleared then this will often cause a TPM related error. The solution is to go back to step 2: Check your BIOS, try and update the firmware, go through the TPM administration tools, and then try again. If all fails you can use the Group Policy to explicitly disable the use of the TPM.
‘Drive Could not be configured’ / drive or partition errors
The layout and size of the partitions on the drive can cause this step to fail. This seems to be a particular issue where manufacturers have done odd things with recovery partitions or where the partitions absolutely max out the disk and there is no free space. Don’t quote me on this but from what I’ve read BitLocker requires about 100 MB of raw space at the beginning or end of the target partition to store its own inner workings and so you might have to move, delete or shrink some of your partitions to free up space. Partition Magic is a great tool for this but there are loads of free tools available. Note that the wizard will try to automatically adjust your partitions to make things work but where it fails, you’ll have to do it manually. BE VERY CAREFUL here as deleting or damaging your partition might lead to data loss and may leave your PC inoperable.
Unknown errors / “could not enable BL” errors
Boot entries and a lack of secure UEFI booting can also cause problems. If you use any boot loaders or have installed any applications that have their own boot entries then you might find that these conflict with BitLocker. Again, don’t quote me but from what I’ve read Bit Locker needs the Windows boot loader to be the default entry and it also seems to be happier if UEFI boot is enabled (there are often issues if you try to enable Bit Locker with Legacy boot mode). If you have problems here then I’d recommend converting your Windows installation to use UEFI boot and also use the msconfig tool to check your boot entries. BE VERY CAREFUL with this because mistakes here will damage your boot records and you might not be able to get into your PC.
The boot order in the BIOS can also play a factor and sometimes Bit Locker will fail if the primary operating system partition is not the first item in the boot order. This can be a particular issue for servers where you have network booting and RAID controllers thrown into the mix so you will have to have a tinker around in there and try to disable any devices that are attempting to boot ahead of the primary drive.
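The checks from sections 2 to 4 (TPM state, the no-TPM Group Policy, pending reboots, UEFI/Secure Boot and the default boot entry) can be scripted as a single pre-flight before you open the wizard. This is an added example, not code from the original article; it reads the local policy from the registry key that the Group Policy setting writes to (HKLM\SOFTWARE\Policies\Microsoft\FVE), assumes Windows 10 Pro with the TrustedPlatformModule and BitLocker modules present, and must run from an elevated PowerShell prompt.

```powershell
# Pre-flight readiness check before running the BitLocker wizard (added example).
function Test-BitLockerReadiness {
    param([string]$MountPoint = 'C:')
    $findings = @()

    # Section 2: is the TPM present, enabled and prepared? (Get-Tpm needs elevation)
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings += 'No TPM: allow BitLocker without a compatible TPM in Group Policy, or plan on USB key unlock.'
    } elseif (-not ($tpm.TpmEnabled -and $tpm.TpmReady)) {
        $findings += 'TPM present but not enabled/ready: enable it in the BIOS and prepare it via TPM Administration.'
    }

    # Section 2: the "allow BitLocker without a compatible TPM" policy lands in this registry value.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if (-not $tpm.TpmPresent -and $fve.EnableBDEWithNoTPM -ne 1) {
        $findings += 'EnableBDEWithNoTPM is not 1 under HKLM\SOFTWARE\Policies\Microsoft\FVE.'
    }

    # Section 3: these keys exist only while Windows Update / servicing has a reboot outstanding.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    if ($rebootKeys | Where-Object { Test-Path $_ }) {
        $findings += 'Reboot pending: install outstanding updates and reboot fully before enabling BitLocker.'
    }

    # Section 4: UEFI rather than Legacy boot, with Secure Boot on.
    if ($env:firmware_type -ne 'UEFI') {
        $findings += "Firmware type is '$($env:firmware_type)': convert the installation to UEFI boot first."
    } else {
        try { if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is off.' } }
        catch { $findings += 'Secure Boot state could not be read.' }
    }

    # Section 4: the default BCD entry should be the Windows boot loader.
    if ((bcdedit /enum '{default}' | Out-String) -notmatch 'Windows Boot Loader') {
        $findings += 'Default boot entry is not the Windows boot loader; check it with msconfig or bcdedit.'
    }

    # Never clear the TPM on a drive that is already (partly) encrypted.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        $findings += "$MountPoint is already $($vol.VolumeStatus): do not clear the TPM."
    }
    return $findings
}

$issues = Test-BitLockerReadiness
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Ready for the BitLocker wizard.' }
```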
5. Enabling Bit Locker Step Two: Settings
This step actually occurs both before and after the previous step but I thought it simpler to group all these together.
The first thing you select when enabling BitLocker is how you would like to secure the drive (TPM, USB key, PIN). If you can’t find the option you want here then you will usually need to go back and make changes to the Group Policy or prepare the TPM as per step 2. Occasionally you will be unable to enter a PIN whatever you do but don’t worry, just enable BitLocker with the TPM and you can use manage-bde to add a PIN later on.
Once you’ve run through the system check (see previous step) you will then need to configure it:
- Either enter your PIN or load a blank USB key for securing the system. If you are using the TPM only then you won’t need to do either.
- You will need to save your recovery key to a safe place or print it. If you lose this, you’re completely stuffed so keep your recovery key very very safe however you choose to store it. We preferred to store all of ours in secure cloud storage with offline backups. It goes without saying that you should not save it to a drive you are planning to encrypt (!).
- We always enable “new encryption mode” as the technology is better and more secure. There are only a handful of very niche situations where you would want to select the older method of encryption so I’d always select new here.
- Finally, we prefer to encrypt the whole drive including empty space but there are arguments for both methods here so choose whatever you prefer.
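For a deployment script (the case the author allows for in step 4), the same settings map onto the BitLocker PowerShell cmdlets: TPM + PIN unlock, the “new encryption mode” (XTS-AES 256), whole-drive rather than used-space-only encryption, and a recovery key written somewhere other than the drive being encrypted before encryption starts. This is an added example, not the article’s own code; `\\fileserver\bitlocker-keys$` is an assumed path to your secure storage, and the Group Policy “Require additional authentication at startup” must already permit TPM + PIN. Run from an elevated prompt.

```powershell
# Enable BitLocker with the article's preferred settings (added example).
function Enable-BitLockerWithRecovery {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][SecureString]$Pin,
        [Parameter(Mandatory)][string]$RecoveryShare   # assumed: a UNC path, never the target drive
    )
    if ($RecoveryShare -like "$MountPoint*") {
        throw 'The recovery key must not be saved on the drive being encrypted.'
    }

    # 1. Add a recovery password protector and store it BEFORE anything is encrypted.
    $vol  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $file = Join-Path $RecoveryShare "$($env:COMPUTERNAME)-$($rp.KeyProtectorId).txt"
    "Computer: $env:COMPUTERNAME`nKey ID: $($rp.KeyProtectorId)`nRecovery key: $($rp.RecoveryPassword)" |
        Set-Content -Path $file
    if (-not (Test-Path $file)) { throw "Recovery key was not written to $file; aborting before encryption." }

    # 2. Turn encryption on: TPM+PIN, XTS-AES 256 ("new encryption mode"), whole drive
    #    (no -UsedSpaceOnly) and the hardware/system check kept (no -SkipHardwareTest).
    #    Windows will ask for the reboot the article says to do straight away.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $Pin
    return Get-BitLockerVolume -MountPoint $MountPoint
}

$pin = Read-Host -Prompt 'Enter the BitLocker PIN' -AsSecureString
Enable-BitLockerWithRecovery -Pin $pin -RecoveryShare '\\fileserver\bitlocker-keys$'
```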
6. Has it worked?
Once you’ve run through the wizard, Bit Locker will prompt you to reboot. I’d recommend you do this immediately as the system is in an unstable state and you don’t want to risk doing anything which could cock up the initialisation and brick your PC.
If you have chosen to enter a PIN to unlock the drive then you should be prompted for this after the reboot. If you’re not prompted then that is the first indication that things have gone wrong.
If you chose to use a USB stick then you must ensure this remains plugged in for the first reboot. If you unplug the USB after completing the setup wizard then Bit Locker assumes that something has gone wrong and aborts. Once the first reboot has happened and Bit Locker starts encrypting the drive you are safe to remove it.
The TPM only option doesn’t give you any warning either way so you’ll just have to see where you are when Windows loads.
If all has gone well then you should get the Bit Locker icon appearing in the taskbar and clicking on it will give you a percentage showing how much of the disk is encrypted. Note that you need Administrator permissions to view this and if you click the icon with a standard user account it will not show you the percentage.
If things have not gone well then you will need to go back to step 2 and start working back through the list of possible problems:
- TPM issues?
- Group Policy issues?
- Pending Windows Updates?
- Partition / Drive issues?
- Boot issues?
- UEFI not enabled?
- Took out the USB key too soon?
Remember that the data is not actually encrypted until the percentage reaches 100% so be patient and leave the PC on until it’s done. Sometimes Bit Locker will stall or fail before it reaches 100% and we’ll cover this in the next section.
7. Post-Setup Blues
In a handful of cases the BitLocker encryption will stall out before it reaches 100%. This can usually be fixed by booting into the Windows RE (using a Windows 10 recovery / boot disk) and then allowing BitLocker to complete from there. The manage-bde utility can be used from the command prompt to check on the progress of BitLocker while you are in Windows RE. I’d guess this is caused by the OS or a core application (like an Anti-Virus) locking out sectors on the disk while Windows is running.
Sometimes due to oddness with the TPM or Group Policy, Windows will flat out refuse to let you enter a PIN code. Once Bit Locker has finished encrypting the drive you can usually add this manually using the manage-bde utility with the -AddProtectors flag. If there are problems which are preventing you from enabling the PIN you will usually get a more useful error message here which can help you troubleshoot the problem.
Finally, there will be occasions where BitLocker stalls at 99%. We’ve had this occur on a couple of servers and from what I’ve read the issue seems to be related to one of the points already listed previously (likely boot order or issues with the partitions). In this case you just have to work your way through the steps and try to figure out where it’s stalling.
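The two post-setup tasks above (watching for a stall short of 100%, then adding the PIN that the wizard refused) can be scripted as well. This is an added example, not the article’s own code; the manage-bde syntax for the “-AddProtectors” step is `-protectors -add`, and the stall threshold (ten polls with no change) is an assumed value. Run from an elevated prompt.

```powershell
# Post-setup: poll encryption progress, then add a TPM+PIN protector (added example).
function Wait-BitLockerEncryption {
    param([string]$MountPoint = 'C:', [int]$PollSeconds = 60, [int]$StallPolls = 10)
    $last = -1; $stalled = 0
    while ($true) {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $pct = $vol.EncryptionPercentage
        Write-Host ("{0} {1} {2}%" -f (Get-Date -Format 'HH:mm:ss'), $vol.VolumeStatus, $pct)
        if ($vol.VolumeStatus -eq 'FullyEncrypted') { return $true }
        # The article's failure mode: the percentage stops moving (often at 99%).
        if ($pct -eq $last) { $stalled++ } else { $stalled = 0; $last = $pct }
        if ($stalled -ge $StallPolls) {
            Write-Warning "No progress for $($StallPolls * $PollSeconds)s at $pct%: finish from Windows RE (manage-bde -status / manage-bde -resume $MountPoint)."
            return $false
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

function Add-TpmPinProtector {
    param([string]$MountPoint = 'C:')
    # Do not touch protectors while encryption is still in flight.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { throw "$MountPoint is $($vol.VolumeStatus); wait for 100%." }
    if ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin') { return 'TPM+PIN protector already present.' }
    # manage-bde prompts for the PIN; its error text is usually more specific than the wizard's.
    manage-bde -protectors -add $MountPoint -TPMAndPIN
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed (exit $LASTEXITCODE); check the FVE Group Policy (UseTPMPIN)." }
    manage-bde -protectors -get $MountPoint
}

if (Wait-BitLockerEncryption) { Add-TpmPinProtector }
```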
I hope this guide helps you get up and running with BitLocker. If you have any other points to add please mention them in the comments below.
If your business needs help rolling out BitLocker or if you would like a consultation please don’t hesitate to get in touch.