
Windows 8 : Managing BitLocker and other policy-based mobility tools (part 3) - Managing BitLocker at the command line

6/21/2014 9:36:46 PM

Using BitLocker on computers without TPM

Although the Trusted Platform Module (TPM) is present on an increasing number of devices to aid with security, there are still devices in use today that do not use TPM technology. Because Windows 8 can operate on hardware that might have been provisioned for earlier versions of Windows, organizations might not purchase new laptops or, if they do purchase new laptops, they might be smaller, more portable units that do not support TPM.

In these cases, it is still possible to use BitLocker encryption to keep the information stored on mobile devices secure. The encryption key for a BitLocker-encrypted drive is instead stored on a startup key device.

Startup key storage is a storage device, usually a USB flash device, that stores the encryption key for the BitLocker configuration on a device. When the computer starts, the process asks for the USB key containing the BitLocker encryption key. After the key is provided, the computer continues to start.

To enable BitLocker on a computer without TPM, complete the following steps:

  1. Launch the Local Group Policy Editor by searching for gpedit.msc on the Start screen or typing gpedit.msc in the Run dialog box (Windows logo key+R).

  2. Expand the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption path.

  3. Select Operating System Drives.

  4. Press and hold or right-click Require Additional Authentication At Startup.

  5. Select Enabled.

  6. Select Allow BitLocker Without A Compatible TPM.

  7. Tap or click OK to save the changes.
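The steps above set the policy through the Local Group Policy Editor. As an added example (not code from the original article), the following PowerShell script audits that policy from the registry, checks whether the machine actually lacks a ready TPM, and then performs the command-line equivalent of turning BitLocker on with a USB startup key. It assumes Windows 8 or later with the BitLocker and TrustedPlatformModule modules, an elevated prompt, and that the registry values UseAdvancedStartup and EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE back the "Require Additional Authentication At Startup" policy; the function and parameter names are the example's own.

```powershell
# Added example, not part of the original article.
# Assumes Windows 8+ with the BitLocker and TrustedPlatformModule modules, run elevated.

function Get-BitLockerNoTpmPolicy {
    # Registry view of "Require additional authentication at startup".
    # UseAdvancedStartup = 1 means the policy is Enabled;
    # EnableBDEWithNoTPM = 1 means "Allow BitLocker without a compatible TPM" is ticked.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyEnabled     = ([int]$policy.UseAdvancedStartup -eq 1)
        AllowedWithoutTpm = ([int]$policy.EnableBDEWithNoTPM -eq 1)
    }
}

function Get-TpmState {
    # Get-Tpm fails outright on hardware with no TPM driver; treat that as "absent".
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{ Present = [bool]$tpm.TpmPresent; Ready = [bool]$tpm.TpmReady }
    } catch {
        [pscustomobject]@{ Present = $false; Ready = $false }
    }
}

function Enable-OsDriveWithStartupKey {
    # Hypothetical helper name; wraps the real Enable-BitLocker / Add-BitLockerKeyProtector cmdlets.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][string]$StartupKeyPath   # root of the USB device, e.g. 'E:\'
    )
    $policy = Get-BitLockerNoTpmPolicy
    $tpm    = Get-TpmState

    if ($tpm.Present -and $tpm.Ready) {
        Write-Warning 'A ready TPM is present; a TPM-based protector is the better choice here.'
    }
    if (-not ($policy.PolicyEnabled -and $policy.AllowedWithoutTpm)) {
        throw 'Policy does not allow BitLocker without a TPM (UseAdvancedStartup / EnableBDEWithNoTPM). Configure it first.'
    }
    if (-not (Test-Path -Path $StartupKeyPath)) {
        throw "Startup key path '$StartupKeyPath' is not available."
    }
    # A startup key on its own gives no recovery path if the USB device is lost,
    # so a recovery password is created first and must be kept off that device.
    if ($PSCmdlet.ShouldProcess($MountPoint, "Enable BitLocker with startup key on $StartupKeyPath")) {
        Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector
        Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $StartupKeyPath
    }
}

# Usage: show what would happen without changing anything, then run for real.
#   Enable-OsDriveWithStartupKey -StartupKeyPath 'E:\' -WhatIf
#   Enable-OsDriveWithStartupKey -StartupKeyPath 'E:\'
# manage-bde equivalent of the two cmdlet calls:
#   manage-bde -on C: -RecoveryPassword -StartupKey E:\
```

Running the audit before enabling encryption avoids the usual failure mode on such machines: Enable-BitLocker refusing a startup key protector because the policy was never changed, or a drive ending up with a startup key as its only protector and no recovery password.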

Important

DOCUMENT THE CHANGES

When modifying policies such as BitLocker, it is helpful to add a comment about what has been done and the reason for the change. Since the release of Windows 7, comments have been visible when searching for policy objects. A short description can be helpful when looking for objects that have been modified.

After the settings in local Group Policy have been adjusted to allow the use of a startup key, computers without the option of TPM will be able to encrypt drives. When the policy is configured, the default options for the Group Policy Object (GPO) also enable the use of TPM, as shown in Figure 2. The settings do not disable it; they just allow the encryption key to be stored elsewhere.

Figure 2. Configuring BitLocker to run on a device without TPM

Using BitLocker on removable media (BitLocker To Go)

Just as BitLocker for built-in drives enables data to be encrypted, BitLocker To Go focuses on removable media and encrypting data stored there. When BitLocker To Go is enabled, the entire volume is encrypted, and one key is stored on the removable media. The other portion of the pair is a password known to whoever encrypted the drive. When the drive is inserted in a computer that supports BitLocker, a password prompt appears to allow the drive to be unlocked.

Windows 8 includes the following policy settings for BitLocker for removable drives:

  • Control Use Of BitLocker On Removable Drives

  • Configure Use Of Smart Cards On Removable Data Drives

  • Deny Write Access To Removable Drives Not Protected By BitLocker

  • Configure Use Of Hardware-Based Encryption For Removable Media

  • Enforce Drive Encryption Type On Removable Data Drives

  • Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows

  • Configure Use Of Passwords For Removable Data Drives

  • Choose How BitLocker-Protected Removable Drives Can Be Recovered

To configure the policy objects for BitLocker on removable media, complete the following steps:

  1. Launch the Local Group Policy Editor by searching for gpedit.msc on the Start screen or typing gpedit.msc in the Run dialog box (Windows logo key+R).

  2. Expand the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives path.

  3. Double-tap or double-click the policy object you want to work with.

  4. Select Enabled.

  5. Configure other options, if available, as needed for your organization.

  6. Document the changes within the object’s comments dialog box.

  7. Tap or click OK to save the changes.

Important

DO NOT ENCRYPT STARTUP KEY DEVICES BY USING BITLOCKER

Using BitLocker to encrypt a removable drive that serves as the startup key for a computer without TPM is not supported. The computer needs the key from the USB drive before Windows can start, but a BitLocker-encrypted USB drive can only be unlocked once Windows is running, so such a device cannot be used to start the computer.
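The removable-drive policy settings listed above and the caveat in this note can both be checked from the command line. As an added example (not code from the original article), the PowerShell script below reads the removable-drive policy from the registry, reports the BitLocker To Go state of every removable volume, and flags a volume that holds a startup key file (a .BEK file in its root) while itself being BitLocker-protected, which is the unsupported combination described above. It assumes Windows 8 or later with the BitLocker and Storage modules and an elevated prompt. RDVDenyWriteAccess is the registry value behind "Deny Write Access To Removable Drives Not Protected By BitLocker"; the RDVConfigureBDE and RDVAllowBDE value names are taken from the policy template and are assumptions to verify against your ADMX files. Function names are the example's own.

```powershell
# Added example, not part of the original article.
# Assumes Windows 8+ with the BitLocker and Storage modules, run elevated.

function Get-RemovableDrivePolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # "Deny write access to removable drives not protected by BitLocker"
        DenyWriteUnprotected = ([int]$p.RDVDenyWriteAccess -eq 1)
        # "Control use of BitLocker on removable drives" (value names assumed from the ADMX)
        ControlEnabled       = ([int]$p.RDVConfigureBDE -eq 1)
        UsersMayEnable       = ([int]$p.RDVAllowBDE -eq 1)
    }
}

function Get-BitLockerToGoStatus {
    # One row per removable volume with a drive letter: protection state,
    # key protector types, and whether a startup key file (*.BEK) sits in its root.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        $protected = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
        $protectors = ''
        if ($bl) {
            $protectors = ($bl.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
        # The .BEK check only works while the volume is unlocked; a locked
        # protected volume reads as having no startup key.
        $hasBek = [bool](Get-ChildItem -Path "$mount\" -Filter '*.BEK' -Force -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            MountPoint      = $mount
            Protected       = $protected
            Protectors      = $protectors
            HoldsStartupKey = $hasBek
            # Unsupported: the PC needs the .BEK before Windows runs, but the
            # volume cannot be unlocked until Windows runs.
            Misconfigured   = ($protected -and $hasBek)
        }
    }
}

Get-RemovableDrivePolicy
Get-BitLockerToGoStatus | Format-Table -AutoSize

# Command-line equivalents for a single removable drive:
#   manage-bde -status E:
#   manage-bde -on E: -Password
```

A row with Misconfigured set to True identifies a USB device that will stop booting the computer it was created for as soon as the machine is restarted; the fix is to keep the startup key on an unencrypted device and use BitLocker To Go only for drives that carry data.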
