Tech Talk Live Blog

Enabling BitLocker and the Trusted Platform Module (TPM) in an Enterprise Environment

Dave Light

With an increasing focus on security, one of the quick and easy wins for an organization is to implement full-disk encryption.  For organizations running Microsoft Windows and Active Directory, this is even easier with BitLocker: it is easy to turn on, can be enabled remotely, recovery keys are stored in Active Directory (AD), and with a TPM it can be transparent to the user.

Benefits of BitLocker:

  • Encrypts the whole volume at the sector level, including the page and hibernation files
  • 128- or 256-bit AES (Advanced Encryption Standard)
  • Integrates with a TPM chip, which holds the volume key and releases it only when the measured boot components match
  • Validates the boot components, so tampering with them (for example by a bootkit or rootkit) forces recovery mode instead of silently unlocking the drive
  • BitLocker To Go encrypts USB drives for portable drive encryption

Things to consider before the policy can be fully enabled:

  • The Active Directory schema may need to be updated to support BitLocker.  Windows Server 2008 or later domain controllers already include the BitLocker and TPM schema classes.  A Windows Server 2003 domain needs its schema extended so the recovery information can be stored.  See Extend the schema (Windows Server 2003 domain controllers only).
  • Computer objects need the SELF permission to write the ‘ms-TPM-OwnerInformation’ attribute (LDAP display name msTPM-OwnerInformation) so each computer can store its own TPM owner information.  This can be granted through the Delegate Control wizard in Active Directory Users and Computers on the OU that contains the computer objects.
  • Requires Windows Vista or Windows 7 Ultimate or Enterprise, or Windows 8 Pro or Enterprise.

Enforcing BitLocker settings through Group Policy:  This must be done before enabling BitLocker on machines, because the recovery information is written to AD at the moment the recovery password protector is created.  Keys created before the policy applies are not escrowed retroactively and would have to be pushed later with ‘manage-bde -protectors -adbackup’.

Group Policy Object location:  Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption

Under Operating System Drives the available settings can be configured as needed.  The one that matters for AD escrow on Windows 7 and later clients is ‘Choose how BitLocker-protected operating system drives can be recovered’: enable it, check ‘Save BitLocker recovery information to AD DS for operating system drives’, and consider also checking ‘Do not enable BitLocker until recovery information is stored to AD DS for operating system drives’ so encryption cannot start while no domain controller is reachable.  Windows Vista clients use the older ‘Turn on BitLocker backup to Active Directory Domain Services’ setting one level up, directly under BitLocker Drive Encryption.

Next, we will configure Group Policy to ‘Turn on TPM backup to Active Directory Domain Services’.

This setting can be found in Computer Configuration > Policies > Administrative Templates > System > Trusted Platform Module Services within Group Policy.

The TPM in Lenovo laptops can be enabled from within Windows with the following command and script, which use Lenovo’s BIOS WMI interface (the Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings classes in root\wmi).  This can be done during provisioning of the laptop or after the fact through an application package in SCCM.  Two caveats: the change only takes effect after the next reboot, and if a BIOS supervisor password is set, Lenovo’s interface requires it to be supplied along with the request (see Lenovo’s BIOS setup deployment guide for the exact form), otherwise the call returns an error instead of Success.

cscript.exe SetConfig.vbs SecurityChip Active

' SetConfig.vbs - set one Lenovo BIOS setting through the Lenovo BIOS WMI classes
' Usage: cscript.exe SetConfig.vbs [setting] [value]
' Note: "On Error Resume Next" suppresses script errors, so rely on the strReturn
' values echoed below (expected "Success") rather than on the absence of an error.
On Error Resume Next

Dim colItems, objWMIService, objItem, strRequest, strReturn, strComputer

If WScript.Arguments.Count <> 2 Then
    WScript.Echo "SetConfig.vbs [setting] [value]"
    WScript.Quit 1
End If

' Lenovo expects the request as "Setting,Value;"
strRequest = WScript.Arguments(0) & "," & WScript.Arguments(1) & ";"

strComputer = "LOCALHOST"     ' Change as needed.

Set objWMIService = GetObject("WinMgmts:" _
    & "{ImpersonationLevel=Impersonate}!\\" & strComputer & "\root\wmi")

' Stage the new value
Set colItems = objWMIService.ExecQuery("Select * from Lenovo_SetBiosSetting")
For Each objItem In colItems
    objItem.SetBiosSetting strRequest, strReturn
Next

WScript.Echo strRequest
WScript.Echo " SetBiosSetting: " & strReturn

' Do not commit anything if staging the value failed
If strReturn <> "Success" Then
    WScript.Quit 1
End If

' Commit the staged value to BIOS; it takes effect on the next reboot
Set colItems = objWMIService.ExecQuery("Select * from Lenovo_SaveBiosSettings")
strReturn = "error"
For Each objItem In colItems
    objItem.SaveBiosSettings ";", strReturn
Next

WScript.Echo strRequest
WScript.Echo " SaveBiosSettings: " & strReturn

Once the options are configured in Group Policy and the TPM is enabled on the laptops, BitLocker can be enabled on domain-joined computers.  This can be done either manually on each laptop through the BitLocker control panel or from the command line with manage-bde.exe.

A simple example of this would be running ‘manage-bde -on C: -tsk -RecoveryPassword’.  This will turn on BitLocker for the C: drive.  The –tsk (–TPMAndStartupKey) switch adds a TPM-plus-startup-key protector; note that it takes the path of a removable drive on which the startup key is written, and that drive must be present at every boot, so this is not the transparent experience described above.  For TPM-only unlock, add the TPM protector instead with ‘manage-bde -protectors -add C: -tpm’ before turning BitLocker on.  The –RecoveryPassword switch generates a 48-digit recovery password automatically; with the Group Policy settings above in place it is written to the computer object in AD when it is created, and you can review it later with ‘manage-bde -protectors -get C:’.

Once encryption has been started on a computer, a user can continue working while it runs in the background.
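The whole client-side procedure as one script, given here as an added example in PowerShell (it is not code from the original post): it checks that the TPM is usable and that the two AD backup policies above have applied, adds a TPM protector and a recovery password, turns BitLocker on, pushes the recovery password to AD explicitly, and then confirms from AD’s side that an msFVE-RecoveryInformation object now exists under the computer account.  Assumptions, all mine: the OS drive is C:, the registry value names read in Test-AdBackupPolicy are the ones those two policies write (confirm with gpresult /h on your clients), and manage-bde prints its protector list in English so the ‘ID: {GUID}’ line can be parsed.

```powershell
# Added example (not from the original post): enable BitLocker with a TPM protector
# plus an escrowed recovery password, then confirm the escrow in AD.
# Run elevated on a domain-joined Windows 7/8 client after the policies have applied.
# Assumptions: OS drive is C:; the registry value names in Test-AdBackupPolicy are the
# ones written by the two Group Policy settings discussed above.
#Requires -RunAsAdministrator
param([string]$Drive = 'C:')

function Test-TpmReady {
    # Win32_Tpm lives in its own WMI namespace; it is absent when the BIOS has the chip disabled.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM visible to Windows; enable it in BIOS first (e.g. SetConfig.vbs SecurityChip Active).' }
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    if (-not ($enabled -and $activated)) {
        throw "TPM present but not usable (enabled=$enabled, activated=$activated); reboot after the BIOS change."
    }
}

function Test-AdBackupPolicy {
    # Assumption: OSActiveDirectoryBackup is written by 'Choose how BitLocker-protected operating
    # system drives can be recovered' and TPM\ActiveDirectoryBackup by 'Turn on TPM backup to
    # Active Directory Domain Services'. Verify with gpresult /h if your environment differs.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $tpm = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
    if ($fve.OSActiveDirectoryBackup -ne 1 -or $tpm.ActiveDirectoryBackup -ne 1) {
        throw 'AD backup policy has not applied; enabling BitLocker now would leave keys unescrowed. Run gpupdate /force and retry.'
    }
}

function Invoke-ManageBde {
    # Thin wrapper so a non-zero exit code stops the script instead of being silently ignored.
    param([string[]]$Arguments)
    $out = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($Arguments -join ' ') failed:`n$($out -join "`n")" }
    return $out
}

function Enable-OsDriveBitLocker {
    param([string]$Drive)
    # TPM protector = transparent unlock at boot; recovery password = the 48-digit fallback AD will hold.
    Invoke-ManageBde @('-protectors', '-add', $Drive, '-TPM') | Out-Null
    Invoke-ManageBde @('-protectors', '-add', $Drive, '-RecoveryPassword') | Out-Null
    # Start encryption in the background; -SkipHardwareTest avoids the extra reboot for the hardware test.
    Invoke-ManageBde @('-on', $Drive, '-SkipHardwareTest') | Out-Null
    # Find the recovery password protector's ID and push it to AD explicitly. Policy already escrows it
    # at creation time; doing it again is harmless and makes a failure (no DC, missing rights) loud.
    $get   = Invoke-ManageBde @('-protectors', '-get', $Drive, '-Type', 'RecoveryPassword')
    $match = $get | Select-String -Pattern 'ID:\s*(\{[0-9A-Fa-f\-]{36}\})' | Select-Object -First 1
    if (-not $match) { throw 'No recovery password protector found on the drive.' }
    $id = $match.Matches[0].Groups[1].Value
    Invoke-ManageBde @('-protectors', '-adbackup', $Drive, '-id', $id) | Out-Null
    return $id
}

function Get-EscrowedRecoveryInfo {
    # Look for msFVE-RecoveryInformation child objects under this computer's AD object.
    # Uses ADSI so no RSAT module is needed; counting the objects needs only default read rights,
    # while reading msFVE-RecoveryPassword itself requires the delegated recovery role.
    $acct     = "$env:COMPUTERNAME`$"
    $computer = ([ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$acct))").FindOne()
    if (-not $computer) { throw "Computer object for $env:COMPUTERNAME not found in AD." }
    $dn = $computer.Properties['distinguishedname'][0]
    $searcher = [ADSISearcher]'(objectClass=msFVE-RecoveryInformation)'
    $searcher.SearchRoot  = [ADSI]"LDAP://$dn"
    $searcher.SearchScope = 'OneLevel'
    return @($searcher.FindAll())
}

Test-TpmReady
Test-AdBackupPolicy
$id       = Enable-OsDriveBitLocker -Drive $Drive
$escrowed = Get-EscrowedRecoveryInfo
if ($escrowed.Count -eq 0) {
    throw "Protector $id exists locally but no recovery object is in AD; fix escrow before deploying further."
}
Write-Host "BitLocker enabled on $Drive; recovery protector $id escrowed ($($escrowed.Count) object(s) in AD)."
& manage-bde.exe -status $Drive
```

The policy check runs before any protector is created on purpose: once a recovery password exists without having been escrowed, the only evidence is a later ‘manage-bde -protectors -adbackup’ failure, whereas refusing to start while the policy is missing costs nothing.  The final AD lookup is the check to keep in a deployment report, since it proves the key is recoverable from the domain rather than only present on the laptop.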
