Deploying and Designing Bitlocker

Do you want to enable bitlocker drive encryption using Altiris?

  • How to do?
  • What to consider?
  • enablebitlocker.vbs does not work on Windows 7?

Okay, let's start from the beginning. I bet some of the recent press coverage of users losing laptops with valuable and confidential data has caught your attention; everyone now knows how confidential data in the wrong hands can destroy the reputation of any modern company.

Let's guess: your CEO probably raised the security issue, and now you have to come up with some way to keep your users' data secure at all times? For this, BitLocker is simple, easy to use, and great..!

About Bitlocker: (source: wikipedia)

BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Microsoft's Windows Vista and Windows 7 desktop operating systems, as well as the Windows Server 2008 and Windows Server 2008 R2 server platforms. It is designed to protect data by providing encryption for entire volumes. By default it uses the AES encryption algorithm in CBC mode with a 128 bit key, combined with the Elephant diffuser for additional disk encryption specific security not provided by AES.[1][2]

Designing Bitlocker:

Microsoft published in August 2007 a great Design Guide, covering most of the various aspects of planning for deploying Bitlocker. Link

This guide provides a systematic approach when planning for BitLocker deployment and highlights the main decision points. This guide is intended for use by an infrastructure specialist or system architect. It assumes that you have a good understanding of how BitLocker and TPM work on a functional level.

Remember:

  • If your users are local administrators, they have the rights to decrypt and disable BitLocker encryption.
  • Hibernation and standby can be a security risk.
  • The deployment process of every machine takes longer; don't hand out machines to users while they are encrypting the volume for the first time, as this slows down the machine significantly and gives your users a bad first experience.
  • Even if you encrypt all your laptops, always remember that the biggest security risk is your users: weak login passwords, unencrypted removable media, etc.

Deployment Steps:

Create the necessary GPO settings that enable BitLocker, select the encryption method (128 or 256 bit encryption), and remember to select the option to store the recovery keys in your AD DS.

You should run the BitLocker steps in the final part of the task sequence of your image deployment. First you have to prepare the disk by creating an extra 300 MB unencrypted partition. You can use bdehdcfg.exe to do that:

bdehdcfg.exe -target c: shrink -quiet

This creates a 300 MB partition by shrinking your C: drive, without requesting any input from the user.

Reboot the machine after that one.

Use the enablebitlocker.vbs script created by Microsoft to enable BitLocker. Assuming that the TPM chip is active and enabled in the BIOS, this script lets us deploy BitLocker.

enablebitlocker.vbs /on:tpm /l:c:\bitlocker.log

This command starts the encryption of the disk. Remember to move the log file to another secure location, as it includes the hashed value needed to remove ownership of the TPM chip.

I found out (the hard way) that the enablebitlocker.vbs supplied by Microsoft doesn't work when your Windows 7 language is different from English. In my case the enablebitlocker.vbs script was checking by a boolean if the TPM chip was active:

If bIsEnabled = "True" and bIsActivated = "True" and bIsOwned = "True" Then
objlog.writeline "TPM is in a ready state to enable BitLocker."

On a Danish Windows 7, the true value is rendered in Danish as "Sand" and false as "Falsk". This makes the VBS script stop for no apparent reason, with no error in the log file!

To deal with this language failure, I simply added this extra step to Function 4: Function GetTPMStatus()

nRC = objTpm.IsEnabled(bIsEnabled)

' Map the Danish string form of the Boolean back to the English form the script compares against
If bIsEnabled = "Sand" Then
bIsEnabled = "True"
End If

If bIsEnabled = "Falsk" Then
bIsEnabled = "False"
End If

and

nRC = objTpm.IsActivated(bIsActivated)

' Same mapping for the activated state
If bIsActivated = "Sand" Then
bIsActivated = "True"
End If

If bIsActivated = "Falsk" Then
bIsActivated = "False"
End If

and

nRC = objTpm.IsOwned(bIsOwned)

' Same mapping for the owned state
If bIsOwned = "Sand" Then
bIsOwned = "True"
End If

If bIsOwned = "Falsk" Then
bIsOwned = "False"
End If

and in Function 9: Function OwnTPM

intRC = objTpm.IsEndorsementKeyPairPresent(strEK)

' Same mapping for the endorsement key check
If strEK = "Sand" Then
strEK = "True"
End If

If strEK = "Falsk" Then
strEK = "False"
End If

After this change, enablebitlocker.vbs runs successfully on a Danish Windows 7, and BitLocker is automatically deployed from Altiris by running the following:

  1. bdehdcfg.exe -target c: shrink -quiet
  2. reboot
  3. enablebitlocker.vbs /on:tpm /l:c:\bitlocker.log
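As an added example (not code from Microsoft's enablebitlocker.vbs or from the patch above), here is a locale-independent version of the TPM readiness check: it tests the Boolean out-parameters of Win32_Tpm directly instead of comparing them with the string "True", so it behaves the same on Danish and English Windows 7. The function name TpmReady is an assumption; the log path is the one used on this page.

```vbscript
' Added example: locale-independent TPM readiness check. This is not code from
' Microsoft's enablebitlocker.vbs; the function name TpmReady is an assumption.
Option Explicit

' Returns True only when the TPM is enabled, activated and owned.
' Win32_Tpm reports each state through a Boolean out-parameter. Testing that
' Boolean directly avoids the locale-dependent Boolean-to-string conversion
' ("True"/"False" on English Windows, "Sand"/"Falsk" on Danish) that breaks
' comparisons such as  If bIsEnabled = "True".
Function TpmReady(objLog)
    Dim objTpm, nRC, bIsEnabled, bIsActivated, bIsOwned
    TpmReady = False

    On Error Resume Next
    Set objTpm = GetObject("winmgmts:{impersonationLevel=impersonate," & _
        "authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftTpm:Win32_Tpm=@")
    If Err.Number <> 0 Then
        objLog.WriteLine "No TPM found or WMI access denied: " & Err.Description
        Exit Function
    End If
    On Error GoTo 0

    nRC = objTpm.IsEnabled(bIsEnabled)
    If nRC <> 0 Then objLog.WriteLine "IsEnabled failed, rc=0x" & Hex(nRC)
    nRC = objTpm.IsActivated(bIsActivated)
    If nRC <> 0 Then objLog.WriteLine "IsActivated failed, rc=0x" & Hex(nRC)
    nRC = objTpm.IsOwned(bIsOwned)
    If nRC <> 0 Then objLog.WriteLine "IsOwned failed, rc=0x" & Hex(nRC)

    ' CBool yields a real Boolean whatever the display language is.
    If CBool(bIsEnabled) And CBool(bIsActivated) And CBool(bIsOwned) Then
        objLog.WriteLine "TPM is in a ready state to enable BitLocker."
        TpmReady = True
    Else
        ' CStr output is locale-dependent, which is fine for an informational line.
        objLog.WriteLine "TPM not ready: enabled=" & CStr(bIsEnabled) & _
            " activated=" & CStr(bIsActivated) & " owned=" & CStr(bIsOwned)
    End If
End Function

' Usage: append to c:\bitlocker.log and exit 1 when not ready, so an Altiris job stops early.
Dim fso, logFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set logFile = fso.OpenTextFile("c:\bitlocker.log", 8, True)
If Not TpmReady(logFile) Then
    logFile.Close
    WScript.Quit 1
End If
logFile.Close
```

Run it with cscript before step 3 of the list above; a non-zero exit code tells the job not to call enablebitlocker.vbs on a machine whose TPM is not ready.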


Written by Clemen
