This last part in the series gives you some valuable tips for running BitLocker in an Active Directory environment.
Like any other new technology, BitLocker involves a lot of trial and error. Here are the things I’ve learned using BitLocker that will hopefully help you out:
Test, test, test
I think I encrypted my two test systems about 20 times each before I got comfortable with BitLocker. You may also want to consider making the IT staff that will be supporting BitLocker encrypt their own laptops as part of your pilot. The quickest way to identify issues is to use the technology yourself on a daily basis.
Backup, backup, backup!!!
Always, always, always make sure you have a backup of a drive before you encrypt it with BitLocker. Always, always, always make sure you keep a backup of the data that resides on BitLocker-encrypted drives. If you’re not using Folder Redirection and Offline Files or running some kind of third-party backup software on your clients, now is the time to investigate before encrypting your data. If you’ve got mobile users, you’re hopefully doing this already.
Like I said before, I highly advise “dogfooding” the technology. If you’re going to support the technology, you need to know it inside and out. What better way to get to know the product than by eating your own dog food? In addition, you’ll need to make sure that the process for giving a 48-digit recovery password to an end user is documented for your Help Desk or normal support staff. If you have a user on the road who needs a recovery password, they are already potentially going to be in a bad mood. The last thing you want is for the person answering the phone not to know the procedure to get that user the recovery password they need.
Not only is this something new for you, but it will definitely be new for your users. With BitLocker, especially if you’re using the Microsoft Best Practices, end users are going to need some additional training. Someone on your IT staff will need to take the time to sit down with each user that will be receiving a BitLocker encrypted system to explain why their device is being encrypted, how to enter their PIN, and why they shouldn’t write down their PIN anywhere near their encrypted system. You’ll also need to make sure that your users know what process they need to use to receive a recovery key should their system require it. If you don’t already, you may want to consider putting contact information for your Help Desk or IT group either on a label on your computers or on a card in users’ laptop bags.
Securely Document user PINs
If you think you have users who won’t be able to remember their PINs, document each PIN when the laptop goes out the door with BitLocker enabled. You’ll thank me later when you can give them just their PIN over the phone instead of the 48-digit recovery password.
When should you encrypt?
In a perfect world, right after the system is imaged and before it is assigned to the user. Both SCCM (System Center Configuration Manager) and MDT (Microsoft Deployment Toolkit) support encrypting a system with BitLocker as part of the OS deployment process. On an SSD, data written before encryption may remain readable in cells the wear-leveling algorithm has retired, but I can’t say that I’ve seen this used out in the real world.
What should you encrypt?
Well, what is your company’s liability if you lose a device? Which employees have access to your company’s sensitive data? How do you know if an employee is storing sensitive data? Ask these kinds of questions of your organization’s leadership and you’ll have the answer to what you need to encrypt. My advice: if you’re not sure, encrypt it… Better safe than sorry.
If you’re going to encrypt the OS drive of laptops with BitLocker, make sure you know whether or not the laptop will be using a docking station. Make sure that the laptop is configured to use just the local hard drive as a boot device both with the dock and without the dock. If the boot order changes on the laptop (for example when the user undocks it), your user will be prompted for the 48-digit recovery password at boot. Setting the boot order to local hard drive only for both docked and undocked will resolve this issue. Also consider password protecting the BIOS on systems with docking stations if you believe that the startup options might be tampered with.
System configuration changes
Suspend BitLocker before making major system configuration changes. If you need to update the BIOS, modify the boot order, or make any other major change, suspend BitLocker first or you may be prompted for the 48-digit recovery password.
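The suspend-before-change step above, as an added PowerShell example that is not from the original post. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later), an elevated session, and that Group Policy permits backing up recovery passwords to Active Directory; it escrows the recovery password first, then suspends protection for exactly one reboot so it resumes on its own after the BIOS or boot-order change.

```powershell
# Added example (not from the original post): suspend BitLocker on the OS drive
# before a BIOS update or boot-order change, so the changed TPM measurements at
# the next boot do not trigger a 48-digit recovery password prompt.
# Assumes: BitLocker PowerShell module present and the session runs elevated.

$osDrive = $env:SystemDrive          # typically "C:"
$vol = Get-BitLockerVolume -MountPoint $osDrive

if ($vol.ProtectionStatus -ne 'On') {
    Write-Host "BitLocker protection on $osDrive is already $($vol.ProtectionStatus); nothing to suspend."
    return
}

# Escrow the recovery password to Active Directory before touching the boot path,
# so the Help Desk can still recover the drive if the suspension is lost.
# (Assumes the AD backup policy for OS drives is enabled via GPO.)
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId | Out-Null
    Write-Host "Recovery password protector $($kp.KeyProtectorId) backed up to AD."
}

# Suspend for exactly one reboot: protection resumes automatically after the
# firmware update or boot-order change has been applied and the machine restarts.
Suspend-BitLocker -MountPoint $osDrive -RebootCount 1 | Out-Null

$after = Get-BitLockerVolume -MountPoint $osDrive
Write-Host "Protection status is now: $($after.ProtectionStatus) (Off until the next reboot)."
```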
Error message: A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found. Please contact your system administrator to enable BitLocker.
[Screenshot: A TPM was not found]
This is caused by either the system not having a TPM or the TPM not being enabled. Refer to your system’s documentation on how to enable the TPM.
Error Message: This computer requires a startup option that isn’t supported by BitLocker Setup. Please contact your system administrator to enable BitLocker.
[Screenshot: Startup option that isn’t supported by BitLocker setup]
If you see this one, it is usually caused by having more than one Required startup option in the additional authentication settings for the OS drive.
You can’t require more than one startup type. In your GPO, go to Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating system drives, Require additional authentication at startup. Set it to Enabled and require the use of a startup PIN with a Trusted Platform Module (TPM).
[Screenshot: Require additional authentication at startup]
Error Message: The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.
[Screenshot: Group Policy settings for BitLocker startup options are in conflict and cannot be applied]
Like the previous error, this is usually caused by incorrect settings in the Require additional authentication at startup option. The error can be caused by having no required or allowed startup options:
[Screenshot: No required or allowed startup options]
Or, by having a Required startup option and an Allowed startup option:
[Screenshot: Required startup option and an Allowed startup option]
To resolve the issue, go to Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating system drives, Require additional authentication at startup. Set it to Enabled and require the use of a startup PIN with a Trusted Platform Module (TPM).
[Screenshot: Require additional authentication at startup and require the use of a startup PIN with a Trusted Platform Module (TPM)]
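An added PowerShell check (not from the original post) that audits the applied “Require additional authentication at startup” policy for the three misconfigurations described in the two errors above: more than one Required option, no Required or Allowed option, and a Required option alongside an Allowed one. It assumes the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE as the DWORDs UseAdvancedStartup, UseTPM, UseTPMPIN, UseTPMKey and UseTPMKeyPIN with 0 = Do not allow, 1 = Require, 2 = Allow, as in the BitLocker ADMX template; confirm the value names against your own template version.

```powershell
# Added example (not from the original post): audit the locally applied
# "Require additional authentication at startup" policy for the conflicts that
# produce the two BitLocker setup errors above. Assumed registry encoding (from the
# BitLocker ADMX): 0 = Do not allow, 1 = Require, 2 = Allow. Run on a domain member
# after "gpupdate /force".
$fvePolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$startupValues = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
$meaning       = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Test-BitLockerStartupPolicy {
    param([string]$PolicyPath = $fvePolicy)

    if (-not (Test-Path $PolicyPath)) {
        return 'No BitLocker policy is applied on this machine (registry key absent).'
    }
    $pol = Get-ItemProperty -Path $PolicyPath
    if ($pol.UseAdvancedStartup -ne 1) {
        return '"Require additional authentication at startup" is not Enabled.'
    }

    $required = @(); $allowed = @()
    foreach ($name in $startupValues) {
        $v = $pol.$name
        if ($null -eq $v) { $v = 0 }          # absent value behaves as "Do not allow"
        Write-Host ("{0,-13} {1}" -f $name, $meaning[[int]$v])
        if ($v -eq 1)     { $required += $name }
        elseif ($v -eq 2) { $allowed  += $name }
    }

    if ($required.Count -gt 1) {
        return "CONFLICT: more than one startup option is Required ($($required -join ', ')); expect 'startup option that isn't supported by BitLocker Setup'."
    }
    if ($required.Count -eq 0 -and $allowed.Count -eq 0) {
        return "CONFLICT: no startup option is Required or Allowed; expect 'Group Policy settings ... are in conflict'."
    }
    if ($required.Count -eq 1 -and $allowed.Count -gt 0) {
        return "CONFLICT: $($required[0]) is Required while $($allowed -join ', ') is Allowed; expect 'Group Policy settings ... are in conflict'."
    }
    return "OK: startup options are consistent (Required: $($required -join ', '); Allowed: $($allowed -join ', '))."
}

Test-BitLockerStartupPolicy
```

For the configuration this post recommends (startup PIN with TPM required), the check reports OK only when UseTPMPIN is 1 and the other three values are 0.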
Do you have other tips when running BitLocker in an Active Directory environment? Please leave a comment!