Windows Server 2008 Inside Out- P11

CHAPTER 15
TPM and BitLocker Drive Encryption

Working with Trusted Platforms . . . 467
Managing TPM . . . 469
Introducing BitLocker Drive Encryption . . . 477
Deploying BitLocker Drive Encryption . . . 478
Setting Up and Managing BitLocker Drive Encryption . . . 481

Many of the security features built into the Windows operating system are designed to protect a computer from attacks by individuals accessing the computer over the network or from the Internet. But what about when individuals have direct physical access to a computer? When someone has direct physical access to a computer, many of the Windows security safeguards don’t apply. For example, if someone can boot a computer—even if it is to another operating system they’ve installed—he or she could gain access to any data stored on the computer, perhaps even your organization’s most sensitive data. To protect a computer from individuals who have direct access to a computer, Windows Vista and Windows Server 2008 include the Trusted Platform Module Services architecture and BitLocker Drive Encryption. Together these features help protect a computer from many types of attacks by individuals who have direct access to a computer.

Working with Trusted Platforms

Windows Vista and Windows Server 2008 include the Encrypting File System (EFS) for encrypting files and folders. Using EFS, users can protect sensitive data so that it can only be accessed using their public key certificate. Encryption certificates are stored as part of the data in a user’s profile. As long as users have access to their profiles and the encryption keys they contain, they can access their encrypted files.

Although EFS offers excellent protection for your data, it doesn’t safeguard the computer from attack by someone who has direct physical access. In a situation where a user loses a computer, a computer has been stolen, or the attacker is logging on to a computer, EFS might not protect the data because the attacker might be able to gain access to the computer before it boots. He could then access the computer from another operating system and change the computer’s configuration. He might then be able to hack into a logon account on the original operating system so that he can log on as the user or configure the computer so that he can log on as a local administrator. Either way, the attacker could eventually gain full access to a computer and its data.

To seal a computer from physical attack and wrap it in an additional layer of protection, Windows Vista and Windows Server 2008 include the Trusted Platform Module (TPM) Services architecture. TPM Services protect a computer using a dedicated hardware component called a TPM. A TPM is a microchip that is usually installed on the motherboard of a computer where it communicates with the rest of the system using a hardware bus. Computers running Windows Vista or Windows Server 2008 can use a TPM to provide enhanced protection for data, to ensure early validation of the boot file’s integrity, and to guarantee that a disk has not been tampered with while the operating system was offline.
A TPM has the ability to create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, referred to as wrapping or binding, protects the key from disclosure. A TPM has a master “wrapping” key called the Storage Root Key (SRK). The SRK is stored within the TPM itself to ensure that the private portion of the key is secure.

Computers that have TPM can create a key that has not only been wrapped but also sealed. The process of sealing the key ensures that the key is tied to specific platform measurements and can only be unwrapped when those platform measurements have the same values that they had when the key was created. This is what gives TPM-equipped computers increased resistance to attack.

Because TPM stores private portions of key pairs separately from memory controlled by the operating system, keys can be sealed to the TPM to provide absolute assurances about the state of a system and its trustworthiness. TPM keys are only unsealed when the integrity of the system is intact. Further, because the TPM uses its own internal firmware and logical circuits for processing instructions, it does not rely upon the operating system and is not subject to external software vulnerabilities.

The TPM can also be used to seal and unseal data that is generated outside of the TPM, and this is where the true power of the TPM lies. In Windows Vista and Windows Server 2008, the feature that accesses the TPM and uses it to seal a computer is called BitLocker Drive Encryption. Although BitLocker Drive Encryption can be used in both TPM and non-TPM configurations, the most secure method is to use TPM.

When you use BitLocker Drive Encryption and a TPM to seal the boot manager and boot files of a computer, the boot manager and boot files can be unsealed only if they are unchanged since they were last sealed. This means you can use the TPM to validate a computer’s boot files in the pre–operating system environment. When you seal a hard disk using TPM, the hard disk can only be unsealed if the data on the disk is unchanged since it was last sealed. This guarantees that a disk has not been tampered with while the operating system was offline.

When you use BitLocker Drive Encryption and do not use a TPM to seal the boot manager and boot files of a computer, TPM cannot be used to validate a computer’s boot files in the pre–operating system environment. This means there is no way to guarantee the integrity of the boot manager and boot files of a computer.

Managing TPM

A computer running Windows Server 2008 must be equipped with a compatible TPM and compatible firmware to take advantage of TPM. Both Windows Vista and Windows Server 2008 support TPM version 1.2 and require Trusted Computing Group (TCG)–compliant firmware. Firmware that is TCG-compliant is firmware that supports the Static Root of Trust Measurement as defined by the Trusted Computing Group. In some configurations of TPM and BitLocker Drive Encryption, you’ll also need to make sure the firmware supports reading USB flash drives at startup.
Understanding TPM States and Tools

The TPM Services architecture in Windows Vista and Windows Server 2008 provides the basic features required to configure and deploy TPM-equipped computers. This architecture can be extended with a feature called BitLocker Drive Encryption, which is discussed in “Introducing BitLocker Drive Encryption” on page 477.

Before you can use TPM, you must turn on TPM in firmware and initialize the TPM for first use in software. As part of the initialization process, you’ll set the owner password on the TPM. After TPM is enabled, you can manage the TPM configuration.

In some cases, computers that have TPM might ship with TPM turned on. However, in most cases, you’ll find TPM is not turned on by default. You turn on TPM in firmware. With my servers, I needed to:

1. Start the computer. Press F2 during startup to access the firmware. In the firmware, I accessed the Advanced screen and then the Peripheral Configuration screen.
2. On the Peripheral Configuration screen, Trusted Platform Module was listed as an option. After scrolling down to highlight this option, I pressed Enter to display an options menu. On the options menu, I selected Enable and then pressed Enter.
3. To save the setting change and exit the firmware, I then pressed F10. When prompted to confirm that I wanted to exit, I pressed Y and the computer then rebooted.

Windows Vista and Windows Server 2008 provide several tools for working with TPM, including:

• Trusted Platform Module Management: An MMC console for configuring and managing TPM. You can access this tool by clicking Start, typing tpm.msc in the Search box, and then pressing Enter.
• Initialize The TPM Security Hardware: A wizard for creating the required TPM owner password. You can access this tool by clicking Start, typing tpminit in the Search box, and then pressing Enter.

When you are working with Trusted Platform Module Management, you’ll be able to determine the exact state of the TPM. If you try to start Trusted Platform Module Management without turning on TPM, you’ll see an error like the one shown in the following screen:

Similarly, if you try to run Initialize The TPM Security Hardware without turning on TPM, you’ll see an error like the one shown in the following screen.

Only when you’ve turned on TPM in firmware will you be able to access and work with the TPM tools. When you are working with the Trusted Platform Module Management console, shown in Figure 15-1, you should note the TPM status and the TPM manufacturer information. The TPM status indicates the exact state of the TPM (see Table 15-1). The TPM manufacturer information shows that the TPM supports specification version 1.2. Support for TPM version 1.2 or later is required.

Table 15-1 TPM Status Indicators and Their Meanings

Status Indicator                                   Meaning
The TPM is on and ownership has not been taken     The TPM is turned on in firmware but hasn’t been initialized yet.
The TPM is on and ownership has been taken         The TPM is turned on in firmware and has been initialized.
The TPM is off and ownership has not been taken    The TPM is turned off in software but hasn’t been initialized yet.
Figure 15-1 Use the Trusted Platform Module Management console to initialize and manage TPM.

Initializing a TPM for First Use

Initializing a TPM configures it for use on a computer. The initialization process involves turning on the TPM and then setting ownership of the TPM. By setting ownership of the TPM, you are assigning a password that helps ensure that only the authorized TPM owner can access and manage the TPM. The TPM password is required to turn off the TPM if you no longer want to use it and to clear the TPM if the computer is to be recycled. In an Active Directory domain, you can configure Group Policy to save TPM passwords.

To initialize the TPM and create the owner password, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Initialize TPM to start the Initialize The TPM Security Hardware wizard.

Note
If the Initialize The TPM Security Hardware wizard detects firmware that does not meet Windows requirements or no TPM is found, you will not be able to continue and should ensure that the TPM has been turned on in firmware. Otherwise, you’ll see the Create The TPM Owner Password page.

2. On the Create The TPM Owner Password page, shown in Figure 15-2, click Automatically Create The Password (Recommended).

Figure 15-2 Initialize the TPM.

3. On the Save Your TPM Owner Password page, shown in Figure 15-3, note the 48-character TPM owner password. Click Save The Password.

Figure 15-3 Note the 48-character TPM owner password.

4. In the Save As dialog box, shown in Figure 15-4, select a location to save the password backup file and then click Save. By default, the password backup file is saved as ComputerName.tpm. Ideally, you’ll save the TPM ownership password to removable media, such as a USB flash drive.

Figure 15-4 Save the TPM owner password.

5. On the Save Your TPM Owner Password page, click Print The Password if you want to print a hard copy of the password. Be sure to save the printout containing the password in a secure location, such as a safe or locked file cabinet.
6. Click Initialize. The initialization process may take several minutes to complete. When initialization is complete, click Close. In the TPM Management console, the status should be listed as “The TPM is on and ownership has been taken,” as shown in Figure 15-5.

Figure 15-5 The status of an initialized TPM shows ownership has been taken.
Turning an Initialized TPM On or Off

Computers that have TPM might ship with TPM turned on. If you decide not to use TPM, you should turn off and clear the TPM. If you want to reconfigure or recycle a computer, you should also turn off and clear the TPM.

To turn off TPM, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Turn TPM Off. This starts the Manage The TPM Security Hardware wizard.
2. On the Turn Off The TPM Security Hardware page, shown in Figure 15-6, use one of the following methods for entering the current password and turning off the TPM:
   • If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Turn TPM Off.
   • If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter the TPM password (including dashes) and then click Turn TPM Off.
   • If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and then follow the instructions provided to turn off the TPM without entering the password. Because you are logged on locally to the computer, you will be able to turn off the TPM.
3. In the TPM Management console, the status should be listed as “The TPM is off and ownership has been taken.” Do not discard the TPM owner password file or printout. You will need this information if you want to turn the TPM back on.

Figure 15-6 Click an option for turning off the TPM.

After you’ve used the previously listed procedure to turn off the TPM in software, you can turn on the TPM in software by following these steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Turn TPM On. This starts the Manage The TPM Security Hardware wizard.
2. On the Turn On The TPM Security Hardware page, use one of the following methods for entering the current TPM password and turning on the TPM:
   • If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Turn TPM On.
   • If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter the TPM password (including dashes) and then click Turn TPM On.
   • If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and then follow the instructions provided to turn on the TPM without entering the password. Because you are logged on locally to the computer, you will be able to turn on the TPM.
3. In the TPM Management console, the status should be listed as “The TPM is on and ownership has been taken.” Do not discard the TPM owner password file or printout. You will need this information if you want to manage the TPM.
Clearing the TPM

Clearing the TPM cancels the TPM ownership and finalizes the shutdown of the TPM. You should only clear the TPM when a TPM-equipped computer is to be recycled.

CAUTION
Clearing the TPM resets it to factory defaults and finalizes its shutdown. As a result, you will lose all created keys and data protected by those keys.

To clear the TPM, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Clear TPM. This starts the Manage The TPM Security Hardware wizard.
2. On the Clear The TPM Security Hardware page, select a method for entering the current password and clearing the TPM:
   • If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Clear TPM.
   • If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter your password (including dashes) and then click Clear TPM.
   • If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and follow the instructions provided to clear the TPM without entering the password. Because you are logged on locally to the computer, you will be able to clear the TPM.
Changing the TPM Owner Password

You can change the TPM password at any time. To change the TPM owner password, complete the following steps:

1. Start the Trusted Platform Module Management console. On the Action menu, choose Change Owner Password. This starts the Manage The TPM Security Hardware wizard.
2. On the Change TPM Owner Password page, select a method for entering the current password:
   • If you have the removable media onto which you saved your TPM owner password, insert it and click I Have A Backup File With The TPM Owner Password. On the Select Backup File With The TPM Owner Password page, click Browse and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Create New Password.
   • If you do not have the removable media onto which you saved your password, click I Want To Type The TPM Owner Password. On the Type Your TPM Owner Password page, enter your password (including dashes) and then click Create New Password.
3. On the Create The TPM Owner Password page, select Automatically Create The Password (Recommended) and then click Next.
4. On the Save Your TPM Owner Password page, note the 48-character TPM owner password. Click Save The Password. In the Save As dialog box, select a location to save the password backup file and then click Save. If you are saving the password backup file to the same location and name, click Yes when prompted to replace the existing file.
5. On the Save Your TPM Owner Password page, click Print The Password if you want to print a hard copy of the password. Be sure to save the printout containing the password in a secure location, such as a safe or locked file cabinet.
6. To complete the process, click Change Password.

Introducing BitLocker Drive Encryption

BitLocker Drive Encryption, a feature included in all editions of Windows Server 2008 and in the Ultimate and Enterprise editions of Windows Vista, is designed to protect the data on lost, stolen, or inappropriately decommissioned computers. Without BitLocker Drive Encryption, there are a variety of ways a user with direct physical access to a computer could gain full control and then access the computer’s data whether that data was encrypted with EFS or not. For example, a user could use a boot disk to boot the computer and reset the administrator password. A user could also install and then boot to a different operating system, and then use this operating system to unlock the other installation.

BitLocker Drive Encryption prevents all access to a computer’s drives except by authorized personnel by wrapping entire drives in tamper-proof encryption. If a user tries to access a BitLocker encrypted drive, the encryption prevents them from viewing or manipulating the data in any way. This dramatically reduces the risk of an unauthorized person gaining access to confidential data using offline attacks.

CAUTION
BitLocker Drive Encryption reduces disk throughput. Because of this, it should be used on an enterprise server only if the server is not in a physically secure location and requires additional protection.

BitLocker Drive Encryption can use a TPM to validate the integrity of a computer’s boot manager and boot files at startup, and to guarantee that a computer’s hard disk has not been tampered with while the operating system was offline. BitLocker Drive Encryption also stores measurements of core operating system files in the TPM.

Every time the computer is started, Windows validates the boot files, the operating system files, and any encrypted volumes to ensure that they have not been modified while the computer was offline. If the files have been modified, Windows alerts the user and refuses to release the key required to access Windows. The computer then goes into Recovery mode, prompting the user to provide a recovery key before allowing access to the boot volume. The Recovery mode is also used if a BitLocker encrypted disk drive is transferred to another system.

BitLocker Drive Encryption can be used in both TPM and non-TPM computers. If a computer has a TPM, BitLocker Drive Encryption uses the TPM to provide enhanced protection for your data and to ensure early boot file integrity. These features together help prevent unauthorized viewing and accessing of data by encrypting the entire Windows volume and by safeguarding the boot files from tampering. If a computer doesn’t have a TPM or its TPM isn’t compatible with Windows, BitLocker Drive Encryption can be used to encrypt entire volumes and in this way protect the volumes from tampering. This configuration, however, doesn’t allow the added security of early boot file integrity validation.
On computers with a compatible TPM that is initialized, BitLocker Drive Encryption can use one of three TPM modes:

• TPM-Only: In this mode, only TPM is used for validation. When the computer boots, TPM is used to validate the boot files, the operating system files, and any encrypted volumes. As the user doesn’t need to provide an additional startup key, this mode is transparent to the user and the user logon experience is unchanged. However, if the TPM is missing or the integrity of files or volumes has changed, BitLocker will enter Recovery mode and require a recovery key or password to regain access to the boot volume.
• TPM and PIN: In this mode, both TPM and a user-entered numeric key are used for validation. When the computer boots, TPM is used to validate the boot files, the operating system files, and any encrypted volumes. The user must enter a PIN when prompted to continue startup. If the user doesn’t have the PIN or is unable to provide the correct PIN, BitLocker will enter Recovery mode instead of booting to the operating system. As before, BitLocker will also enter Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.
• TPM and Startup Key: In this mode, both TPM and a startup key are used for validation. When the computer boots, TPM is used to validate the boot files, the operating system files, and any encrypted volumes. The user must have a USB flash drive with a startup key to log on to the computer. If the user doesn’t have the startup key or is unable to provide the correct startup key, BitLocker will enter Recovery mode. As before, BitLocker will also enter Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.

On computers without a TPM or on computers that have incompatible TPMs, BitLocker Drive Encryption uses Startup Key Only mode. As the name implies, this mode requires a USB flash drive containing a startup key. The user inserts a USB flash drive in the computer before turning it on. The key stored on the flash drive unlocks the computer. If the user doesn’t have the startup key or is unable to provide the correct startup key, BitLocker will enter Recovery mode. BitLocker will also enter Recovery mode if the integrity of encrypted volumes has changed.
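The sealing described under “Working with Trusted Platforms,” the boot validation and Recovery mode described above, and the TPM-Only and TPM and PIN modes can be seen working together in the following Python model. It is an added example written for this edition, not code from the book, from Windows, or from a real TPM: the TPM, the PCR numbers, the boot file contents and the protector format are constructed stand-ins, and the real set of PCRs is chosen by the “Configure TPM Platform Validation Profile” policy the chapter lists later.

```python
import hashlib
import hmac
import os


def _wrap(key: bytes, secret: bytes) -> dict:
    """Toy authenticated wrap: XOR pad derived from the key, plus an HMAC tag."""
    assert len(secret) <= 32
    pad = hashlib.sha256(key + b"pad").digest()
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    return {"ct": ct, "tag": hmac.new(key, ct, hashlib.sha256).digest()}


def _unwrap(key: bytes, blob: dict):
    """Returns the secret, or None when the key (so the platform state or PIN) is wrong."""
    tag = hmac.new(key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    pad = hashlib.sha256(key + b"pad").digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))


class SimulatedTpm:
    """Extend-only PCRs plus a Storage Root Key (SRK) that never leaves the chip (constructed)."""

    def __init__(self):
        self._srk = os.urandom(32)          # stands in for the private part of the SRK
        self.power_on()

    def power_on(self):
        self.pcrs = [bytes(20)] * 24        # TPM 1.2: 24 SHA-1 PCRs, zeroed at reset

    def extend(self, index: int, data: bytes):
        # TPM 1.2 extend rule: PCR[i] = SHA-1(PCR[i] || SHA-1(data)); PCRs cannot be written
        digest = hashlib.sha1(data).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()

    def _platform_key(self, indices, pin: bytes) -> bytes:
        # Usable only on this TPM, with these PCR values, and (if set) this PIN.
        composite = b"".join(self.pcrs[i] for i in indices) + hashlib.sha256(pin).digest()
        return hmac.new(self._srk, composite, hashlib.sha256).digest()

    def seal(self, secret: bytes, indices, pin: bytes = b"") -> dict:
        indices = tuple(sorted(indices))
        blob = _wrap(self._platform_key(indices, pin), secret)
        blob["indices"] = indices
        return blob

    def unseal(self, blob: dict, pin: bytes = b""):
        return _unwrap(self._platform_key(blob["indices"], pin), blob)


# Constructed PCR assignment for this model; on a real system the Group Policy
# setting "Configure TPM Platform Validation Profile" selects the PCRs.
PCR_BOOTMGR, PCR_OSLOADER = 4, 8
VALIDATION_PCRS = (PCR_BOOTMGR, PCR_OSLOADER)


def measured_boot(tpm: SimulatedTpm, boot_files: dict):
    """Pre-OS phase: each stage is measured into a PCR before it is allowed to run."""
    tpm.power_on()
    tpm.extend(PCR_BOOTMGR, boot_files["bootmgr"])
    tpm.extend(PCR_OSLOADER, boot_files["winload.exe"])


def enable_bitlocker(tpm: SimulatedTpm, boot_files: dict, pin: bytes = b"") -> dict:
    """Setup: create a volume master key (VMK), seal it to the TPM (TPM-Only or TPM and PIN)
    and wrap a second copy under a recovery key the user keeps elsewhere."""
    measured_boot(tpm, boot_files)
    vmk, recovery_key = os.urandom(32), os.urandom(32)
    return {"tpm_protector": tpm.seal(vmk, VALIDATION_PCRS, pin),
            "recovery_protector": _wrap(recovery_key, vmk),
            "recovery_key": recovery_key, "vmk": vmk}   # kept only so the demo can use them


def boot(tpm: SimulatedTpm, boot_files: dict, prot: dict, pin: bytes = b"", recovery_key=None):
    """Returns ('unlocked', vmk) when the TPM releases the key, else ('recovery', vmk or None)."""
    measured_boot(tpm, boot_files)
    vmk = tpm.unseal(prot["tpm_protector"], pin)
    if vmk is not None:
        return "unlocked", vmk                   # boot files unchanged (and PIN correct)
    if recovery_key is None:
        return "recovery", None                  # Recovery mode: Windows prompts for the key
    return "recovery", _unwrap(recovery_key, prot["recovery_protector"])


GOOD_BOOT = {"bootmgr": b"bootmgr build 6001", "winload.exe": b"winload build 6001"}  # constructed
TAMPERED_BOOT = dict(GOOD_BOOT, bootmgr=GOOD_BOOT["bootmgr"] + b" (modified)")        # constructed


def demo() -> tuple:
    """Four boots: clean, modified boot manager, same with recovery key, disk moved to another TPM."""
    tpm = SimulatedTpm()
    prot = enable_bitlocker(tpm, GOOD_BOOT)
    clean = boot(tpm, GOOD_BOOT, prot)[0]
    tampered = boot(tpm, TAMPERED_BOOT, prot)[0]
    recovered = boot(tpm, TAMPERED_BOOT, prot, recovery_key=prot["recovery_key"])[1] == prot["vmk"]
    moved = boot(SimulatedTpm(), GOOD_BOOT, prot)[0]
    return clean, tampered, recovered, moved     # ('unlocked', 'recovery', True, 'recovery')


def demo_pin() -> tuple:
    """TPM and PIN mode: an unmodified boot still fails without the correct PIN."""
    tpm = SimulatedTpm()
    prot = enable_bitlocker(tpm, GOOD_BOOT, pin=b"1234")
    return boot(tpm, GOOD_BOOT, prot, pin=b"1234")[0], boot(tpm, GOOD_BOOT, prot, pin=b"0000")[0]
```

The model deliberately treats a moved disk like a modified boot manager: the sealed blob is bound to one TPM’s SRK, so only the recovery key can unlock it elsewhere.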
Deploying BitLocker Drive Encryption

Deploying BitLocker Drive Encryption in an enterprise changes the way both administrators and users work with computers. A computer with BitLocker Drive Encryption requires user intervention to boot to the operating system—a user must either enter a PIN or insert a USB flash drive containing a startup key. Because of this, after you’ve deployed BitLocker Drive Encryption, you can no longer be assured that you can perform remote administration that requires a computer to be restarted without having physical access to the computer—someone will need to be available to type in the required PIN or insert the USB flash drive with the startup key.

Before you use BitLocker Drive Encryption, you should perform a thorough evaluation of your organization’s computers. You will need to develop plans and procedures for:

• Evaluating the various BitLocker authentication methods and applying them as appropriate
• Determining whether computers support TPM and thus whether you must use TPM or non-TPM BitLocker configurations
• Storing, using, and periodically changing encryption keys, recovery passwords, and other validators used with BitLocker

You will need to develop new procedures for:

• Working with BitLocker encrypted drives
• Supporting BitLocker encrypted drives
• Recovering computers with BitLocker encrypted drives

These procedures will need to take into account the way BitLocker encryption works and the requirements to have PINs, startup keys, and recovery keys available whenever you work with BitLocker encrypted computers. After you’ve evaluated your organization’s computers and developed basic plans and procedures, you’ll need to develop a configuration plan for implementing BitLocker Drive Encryption.

Note
Two implementations of BitLocker Drive Encryption are available: the original BitLocker Drive Encryption as released with Windows Vista and the updated BitLocker Drive Encryption as released with Windows Server 2008. With the updated implementation, you can use BitLocker encryption on both system and data volumes. Because Windows Vista and Windows Server 2008 share the same core kernel and architecture, the updated BitLocker Drive Encryption should also become available in Windows Vista.

BitLocker Drive Encryption requires a specific disk configuration. On a computer with a compatible TPM, you must create or make available a BitLocker Drive Encryption partition on your hard drive and then initialize the TPM as discussed previously under “Initializing a TPM for First Use” on page 471. On a computer without a compatible TPM, you only need to create or make available a BitLocker Drive Encryption partition on your hard drive.

The way you create the BitLocker Drive Encryption partition depends on whether the computer has an operating system installed. If the computer doesn’t have an operating system installed, follow the procedure discussed under “Creating the BitLocker Drive Encryption Partition for a Computer with No Operating System” on page 482. If the computer has an operating system installed, follow the procedure discussed under “Creating the BitLocker Drive Encryption Partition for a Computer with an Operating System” on page 482.
You can use Local Group Policy and Active Directory Group Policy to help you manage and maintain TPM and BitLocker configurations. TPM Services Group Policy settings are found in Computer Configuration\Administrative Templates\System\Trusted Platform Module Services and include:

• Turn On TPM Backup To Active Directory Domain Services
• Configure The List Of Blocked TPM Commands
• Ignore The Default List Of Blocked TPM Commands
• Ignore The Local List Of Blocked TPM Commands

BitLocker Group Policy settings are found in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption and include:

• Turn On BitLocker Backup To Active Directory Domain Services
• Control Panel Setup: Configure Recovery Folder
• Control Panel Setup: Configure Recovery Options
• Control Panel Setup: Enable Advanced Startup Options
• Configure Encryption Method
• Prevent Memory Overwrite On Restart
• Configure TPM Platform Validation Profile

BitLocker policy settings apply to both Windows Vista and Windows Server 2008.

Unlike Active Directory Domain Services for Windows Server 2003, Active Directory Domain Services for Windows Server 2008 includes the TPM and BitLocker recovery extensions for Computer objects. For TPM, the extensions define a single property of the Computer object called ms-TPM-OwnerInformation. When the TPM is initialized or when the owner password is changed, the hash of the TPM ownership password can be stored as a value of the ms-TPM-OwnerInformation attribute on the related Computer object. For BitLocker, these extensions define Recovery objects as child objects of Computer objects and are used to store recovery passwords and associate them with specific BitLocker encrypted volumes.

SIDE OUT
Using TPM, BitLocker, and FIPS with AD DS
To ensure that TPM and BitLocker recovery information is always available, you should configure Group Policy to require its backup. With Turn On TPM Backup To Active Directory Domain Services, enable the policy and then use the setting Require TPM Backup To AD DS. With Turn On BitLocker Backup To Active Directory Domain Services, enable the policy and then use the setting Require BitLocker Backup To AD DS.
For Federal Information Processing Standard (FIPS) compliance, you cannot create or save a BitLocker recovery password. Instead, you'll need to configure Windows to create recovery keys. The FIPS setting is located in the Security Policy Editor at Local Policies\Security Options\System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing. To enable it, enable the security option System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing in Local Group Policy or Active Directory Group Policy as appropriate. With this setting enabled, users can save a recovery key only to a USB flash drive. Users will not be able to save a recovery password to AD DS, local folders, or network folders, and will not be able to use the BitLocker Drive Encryption wizard or any other method to create a recovery password. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, Windows will display an error if AD DS backup is required by Group Policy.
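Requiring the backup in policy is only half the job; you also want to confirm that the Computer object really holds the TPM owner information and the BitLocker Recovery objects described above. The following PowerShell audit script is an added example, not code from the book or from Microsoft. It assumes you run it from a domain-joined computer with read access to the objects, and it assumes the schema LDAP display names msTPM-OwnerInformation (the book's ms-TPM-OwnerInformation property) and msFVE-RecoveryInformation (the book's Recovery objects). It only counts recovery objects and never reads recovery passwords.

```powershell
# Added audit script (not from the book). Reports whether AD DS holds the TPM
# owner information and BitLocker recovery objects for one computer, which is
# what the "Require ... Backup To AD DS" policies are meant to guarantee.
# Assumptions: domain-joined machine, read access to the objects, and the LDAP
# display names msTPM-OwnerInformation and msFVE-RecoveryInformation from the
# AD schema. Recovery passwords are deliberately not read.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext

# Locate the Computer object (computer account names end with '$')
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("msTPM-OwnerInformation")
$computer = $searcher.FindOne()
if ($null -eq $computer) { throw "Computer object '$ComputerName' not found under $domainDn" }

$computerDn = $computer.Properties["distinguishedname"][0]
# The attribute is confidential in the schema: a missing value can mean either
# "never backed up" or "no read permission", so report it rather than assume.
$tpmInfoPresent = $computer.Properties.Contains("mstpm-ownerinformation") -and
                  ($computer.Properties["mstpm-ownerinformation"].Count -gt 0)

# BitLocker recovery objects are child objects of the Computer object
$childSearcher = New-Object System.DirectoryServices.DirectorySearcher
$childSearcher.SearchRoot  = [ADSI]"LDAP://$computerDn"
$childSearcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$childSearcher.Filter      = "(objectClass=msFVE-RecoveryInformation)"
[void]$childSearcher.PropertiesToLoad.Add("whenCreated")
$recoveryObjects = $childSearcher.FindAll()

# Newest recovery object tells you whether the last key change was backed up
$newest = $null
foreach ($r in $recoveryObjects) {
    $created = $r.Properties["whencreated"][0]
    if ($null -eq $newest -or $created -gt $newest) { $newest = $created }
}

New-Object -TypeName PSObject -Property @{
    Computer             = $ComputerName
    ComputerDN           = $computerDn
    TpmOwnerInfoBackedUp = $tpmInfoPresent
    RecoveryObjectCount  = $recoveryObjects.Count
    NewestRecoveryObject = $newest
}
```

A computer with BitLocker turned on but a RecoveryObjectCount of 0 is the case the required-backup policy is supposed to prevent, and is worth investigating before relying on AD DS for recovery.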
Setting Up and Managing BitLocker Drive Encryption
With Windows Server 2008, you can configure and enable BitLocker Drive Encryption on both system volumes and data volumes. However, if you want to encrypt a server's data volumes you must first encrypt its system volume. When you use encrypted data volumes, the operating system mounts BitLocker data volumes as it would any other volume.
The encryption key for a protected data volume is created and stored independently from the system volume and all other protected data volumes. To allow the operating system to mount encrypted volumes, the key chain protecting the data volume is stored encrypted on the operating system volume. If the operating system enters Recovery mode, the data volumes are not unlocked until the operating system is out of Recovery mode.
Setting up BitLocker Drive Encryption is a multistep process that involves:
1. Partitioning a computer's hard disks appropriately and installing the operating system, if you are configuring a new computer.
2. Initializing and configuring a computer's TPM (if applicable).
3. Installing the BitLocker Drive Encryption feature (as necessary).
4. Checking firmware to ensure that the computer is set to first start from the disk containing the system partition and the BitLocker partition, not the USB or CD/DVD drives.
5. Turning on and configuring BitLocker Drive Encryption.
After you've turned on and configured BitLocker encryption, there are several techniques you can use to maintain the environment and perform recovery.
Creating the BitLocker Drive Encryption Partition for a Computer with No Operating System
BitLocker Drive Encryption requires two NTFS drive partitions, one for the system volume and one for the operating system volume. The system volume partition must be at least 1.5 gigabytes (GB) and set as the active partition.
On new hardware, you create the BitLocker Drive Encryption partition on a computer
with no operating system. To do this, you start the computer from the installation
media and then create two partitions on the computer’s primary disk:

• The first partition is the partition for BitLocker Drive Encryption. This partition holds the files required to start the operating system and is not encrypted.
• The second is the primary partition for the operating system and your data. This partition is encrypted when you turn on BitLocker.
You can partition a drive with no operating system for BitLocker Drive Encryption by following these steps:
1. Insert the Windows Installation disc for the hardware architecture and then boot from the installation disc by pressing a key when prompted. If the server does not allow you to boot from the installation disc, you might need to change firmware options to allow booting from a CD/DVD-ROM drive.

2. If Windows Setup doesn't start automatically, select Windows Setup (EMS Enabled) on the Windows Boot Manager menu to start Windows Setup.
3. On the Install Windows page, select the language, time, and keyboard layout options that you want to use. Click Next.
4. On the next Setup page, you have several options:
   • If a Repair Your Computer link is available in the lower-left corner of the Install Windows page, click this option to start the System Recovery Options wizard. On the System Recovery Options page, click Command Prompt to access the MIN-WINPC environment.
   • If a Repair Your Computer link is not available (such as when there is no current Windows Server 2008 or later operating system already installed), click Install Now. Proceed through the installation process until you get to the Where Do You Want To Install Windows page. At this point, press Shift+F10 to access a command prompt.
5. In the Command Prompt window, type diskpart and press Enter.
6. Select the hard disk to use by typing select disk 0.
7. Erase the existing partition table by typing clean. This destroys all data on the disk.
8. Create the BitLocker partition by typing create partition primary size=1500.
9. Designate the partition as S: by typing assign letter=s.
10. Make the partition the active partition by typing active.
11. Format the partition using NTFS as the file system by typing format fs=ntfs.
12. Create the operating system partition using the rest of the available disk space by typing create partition primary.
13. Designate the partition as C: by typing assign letter=c.
14. Format the partition using NTFS as the file system by typing format fs=ntfs.
15. Quit the DiskPart application by typing exit.
16. Quit the command prompt by typing exit.
17. Return to the main installation screen by clicking Close. Proceed with the installation process. Install Windows Server 2008 on drive C.
18. If the computer has a TPM, you will need to initialize it as discussed under "Initializing a TPM for First Use" on page 471. While you are working with firmware, you should also ensure that the computer is set to first start from the disk containing the system partition and the BitLocker partition, not the USB or CD/DVD drives.
Creating the BitLocker Drive Encryption Partition for a Computer with an Operating System
BitLocker Drive Encryption requires two NTFS drive partitions, one for the system volume and one for the operating system volume. The system volume partition must be at least 1.5 GB and set as the active partition.
On a computer running Windows Server 2008, Windows configures an available partition as the necessary BitLocker Drive Encryption partition during the BitLocker configuration process. As long as the server has at least two partitions on one or more disks, Windows will configure one partition as the boot partition and another partition as the active, system partition. The boot partition is the one containing the operating system files. The active, system partition is the one containing the boot manager and other files needed by BitLocker during startup. Because you will not be able to encrypt the active, system partition used by BitLocker, it is a recommended best practice that you size the first partition on the first available disk (typically disk 0) with BitLocker in mind.
Specifically, this partition should be at least 1.5 GB in size and should not be used for other purposes, such as storing server data.
On a computer running Windows Vista Ultimate or Windows Vista Enterprise, you can, in most cases, create the required BitLocker Drive Encryption partition without having to reinstall the operating system. To do this, use the BitLocker Drive Preparation Tool (BdeHdCfg.exe), which you'll find in the %ProgramFiles%\BitLocker folder. If the tool is not available, you should be able to download it from the Microsoft Download Web site. See Microsoft Knowledge Base article 930063 for more information
(
The BitLocker Drive Preparation Tool automates the process of creating the BitLocker partition, moving the required files to this partition, and setting the partition as the active volume. There are many caveats to using this tool:

• The drive must be formatted as a basic disk with simple volumes. Although hardware RAID configurations can be implemented, no software spanning, mirroring, or other RAID configurations are supported.
• The partition must be a primary partition. Extended partitions and logical drives are not supported.
• The partition must be formatted as NTFS and the file system must not be compressed.
• The partition cluster size must be less than or equal to 4 KB in size.
You can perform four general operations with the BitLocker Drive Preparation Tool:
• Query Disk: When you want to determine the current disk configuration, type bdehdcfg -driveinfo at the command prompt. The output shows the drive letter, total size, maximum free space, and partition type of the Windows Recovery Environment, operating system, and unallocated partitions.
• Create Partition: When a disk has an area of unallocated space at least 1.5 GB in size, you can use this operation to automatically create the BitLocker partition, move the required files to this partition, and set the partition as the active volume. In the following example, you create a new S: partition in 1.5 GB of unallocated space:
bdehdcfg -target unallocated -newdriveletter s: -size 1500 -quiet -restart

• Split Partition: When a disk has a large operating system partition that you want to split to create the required BitLocker partition, you can perform a split operation. For a split operation, at least 10 percent of the operating system partition must remain free after the partition is reduced by 1.5 GB to create the BitLocker partition. In the following example, you create a new S: partition by splitting the C: partition and using 1.5 GB of previously unallocated space on this partition:
bdehdcfg -target c: shrink -newdriveletter s: -size 1500 -quiet -restart
• Merge Partition: When a disk has a separate partition (one that is not being used as the operating system partition), you can merge the required boot files into the partition and set the partition as the active partition for BitLocker using a merge operation. For a merge operation, the partition must have a total capacity of at least 1.5 GB and at least 800 MB of free disk space. In the following example, you merge the BitLocker required files and settings into the existing D: partition:
bdehdcfg -target d: merge -size 1500 -quiet -restart
If the computer has a TPM, you will need to initialize it as discussed under “Initializing
a TPM for First Use” on page 471.
Configuring and Enabling BitLocker Drive Encryption
As discussed previously, BitLocker Drive Encryption can be used in a TPM or non-TPM configuration. Both configurations require some preliminary work before you can turn on and configure BitLocker Drive Encryption.
With Windows Vista Ultimate and Enterprise, BitLocker should be installed by default. With Windows Server 2008, you can install the BitLocker Drive Encryption feature using the Add Features Wizard. Alternatively, on a server, you can install BitLocker Drive Encryption by entering the following command at an elevated command prompt: servermanagercmd -install bitlocker. Either way, you will need to restart the computer to complete the installation process.
After you've installed BitLocker, you can determine the readiness status of a computer by accessing the BitLocker Drive Encryption console. Click Start, Control Panel, Security, and then BitLocker Drive Encryption. If the system isn't properly configured yet, you'll see a message similar to the one shown in the following screen.
If you see this message on a computer with a compatible TPM, refer to "Understanding TPM States and Tools" on page 469 to learn more about TPM states and enabling TPM in firmware. If you see this message on a computer with an incompatible TPM or no TPM, you'll need to change the computer's Group Policy settings so that you can turn on BitLocker Drive Encryption without a TPM.
You can configure policy settings for BitLocker encryption in Local Group Policy or in Active Directory Group Policy. For local policy, you apply the desired settings to the computer's Local Group Policy object. For domain policy, you apply the desired settings to a Group Policy object processed by the computer. While you are working with domain policy, you can also specify requirements for computers with a TPM.
To configure the way BitLocker can be used with or without a TPM, follow these steps:
1. Open the appropriate Group Policy object for editing in the Group Policy Object Editor or the Group Policy Management Editor.
2. Double-click the setting Control Panel Setup: Enable Advanced Startup Options in the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption folder.
3. In the Control Panel Setup: Enable Advanced Startup Options Properties dialog box, shown in Figure 15-7, define the policy setting by selecting Enabled.
Figure 15-7 Choose an option for turning off the TPM.
4. If you want to allow BitLocker to be used without a compatible TPM, select the Allow BitLocker Without A Compatible TPM check box. This changes the policy setting so that you can use BitLocker encryption with a startup key on a computer without a TPM.
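Because the Allow BitLocker Without A Compatible TPM setting weakens the startup protection to a startup key alone, and because the FIPS option interacts badly with a required AD DS backup, it helps to read back what Group Policy actually applied on a member computer. The PowerShell check below is an added example, not code from the book or from Microsoft. It assumes these policies are written to the registry values named in the comments under HKLM\SOFTWARE\Policies\Microsoft\FVE and ...\TPM, and that the FIPS security option is reflected in the Lsa\FipsAlgorithmPolicy key; confirm the names against gpresult on your own systems if they differ.

```powershell
# Added example (not from the book): report the effective BitLocker, TPM backup
# and FIPS policy state on the local computer after Group Policy refresh.
# Assumption: the policy settings named in the book map to the registry values
# read below (FVE = BitLocker policies, TPM = TPM policies).
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value not set by policy
    return $item.$Name
}

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

$state = New-Object -TypeName PSObject -Property @{
    # Control Panel Setup: Enable Advanced Startup Options
    AdvancedStartupEnabled    = ((Get-PolicyValue $fve 'UseAdvancedStartup') -eq 1)
    # Allow BitLocker Without A Compatible TPM check box (startup key only)
    BitLockerWithoutTpm       = ((Get-PolicyValue $fve 'EnableBDEWithNoTPM') -eq 1)
    # Turn On BitLocker Backup To AD DS / Require BitLocker Backup To AD DS
    BitLockerAdBackup         = ((Get-PolicyValue $fve 'ActiveDirectoryBackup') -eq 1)
    BitLockerAdBackupRequired = ((Get-PolicyValue $fve 'RequireActiveDirectoryBackup') -eq 1)
    # Turn On TPM Backup To AD DS / Require TPM Backup To AD DS
    TpmAdBackup               = ((Get-PolicyValue $tpm 'ActiveDirectoryBackup') -eq 1)
    TpmAdBackupRequired       = ((Get-PolicyValue $tpm 'RequireActiveDirectoryBackup') -eq 1)
    # System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing
    FipsEnabled               = ((Get-PolicyValue $lsa 'Enabled') -eq 1)
}
$state

# The book's caveat: with FIPS on, recovery passwords cannot be created, so a
# policy that requires AD DS backup of them makes BitLocker setup fail.
if ($state.FipsEnabled -and $state.BitLockerAdBackupRequired) {
    Write-Warning 'FIPS is enabled and AD DS backup is required: recovery passwords cannot be saved to AD DS; plan on recovery keys saved to USB flash drives.'
}
if ($state.BitLockerWithoutTpm) {
    Write-Warning 'BitLocker is allowed without a compatible TPM (startup key only); confirm this is intended for this computer.'
}
if ($state.BitLockerAdBackup -and -not $state.BitLockerAdBackupRequired) {
    Write-Warning 'AD DS backup is turned on but not required; BitLocker can be enabled even when the backup fails.'
}
```

Run the script in an elevated PowerShell session after gpupdate /force so that the values reflect the Group Policy object you just edited rather than a stale refresh.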