I had to work recently on Bitlocker to encrypt the Operating System volume both on Windows 7 and 8.1 computers.

We choose a basic deployment scenario and decide to stick to the following best practice that you can find in the BitLocker Frequently Asked Questions (FAQ)

What is the best practice for using BitLocker on an operating system drive? The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or 2.0 and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.

Prerequisites:

Have a laptop or tablet equiped with a TPM

Check Active Directory requirements in the FAQ Does BitLocker require a schema extension to store recovery information in AD DS?

Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 For these servers the schema already includes the required attributes.

Step 1: the group policy

The first step was to create a group policy that would cover our needs. One of the key point is the recovery process and we wanted to make sure no machine gets (bit)locked before its recovery key is stored in Active Directory. By the way, here is the BitLocker Recovery Guide



That group policy is linked to an OU where we have moved our Windows 7 and Windows 8.1 computers.

Step 2: Enable the TPM

…using the built-in manage-bde.exe on Windows 7

manage-bde.exe -tpm -TurnOn

…using built-in cmdlets on Windows 8.1

Initialize-Tpm -AllowPhysicalPresence -AllowClear

…using WMI

$tpm = (Get-WmiObject -Namespace root/cimv2/Security/MicrosoftTPM -Class Win32_TPM) $tpm.SetPhysicalPresenceRequest(10)

After this step, you need to restart the computer and press a key to confirm that you want to enable and activate the TPM.

On Surface 1, I had to press Fn+F12 and a the HP laptop I had to press F1.





Step 3: Own the TPM

…using the built-in manage-bde.exe on Windows 7

manage-bde.exe -tpm -TakeOwnership MyPassPhrase

…using built-in cmdlets on Windows 8.1

$HT =@{ OwnerAuthorization = (Get-Tpm).OwnerAuth ; NewOwnerAuthorization = (ConvertTo-TpmOwnerAuth -PassPhrase "MyPassPhrase") ; } Set-TpmOwnerAuth @HT

…using WMI

$tpm = (Get-WmiObject -Namespace root/cimv2/Security/MicrosoftTPM -Class Win32_TPM) $ownerauth = $tpm.ConvertToOwnerAuth("MyPassPhrase").OwnerAuth $tpm.TakeOwnership($ownerauth)

Step 4: Add a PIN

…using the built-in manage-bde.exe on Windows 7

manage-bde.exe -protectors -add C: -tpmandpin 12345678

…using built-in cmdlets on Windows 8.1

$SecureString = ConvertTo-SecureString "12345678" -AsPlainText -Force Add-BitLockerKeyProtector -MountPoint "C:" -Pin $SecureString -TPMandPinProtector

…using WMI

(Get-WmiObject -Namespace root/cimv2/Security/MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -Filter 'DriveLetter = "C:"').ProtectKeyWithTPMAndPIN($null,$null,"12345678")

Step 5: Add a recovery password

…using the built-in manage-bde.exe on Windows 7

manage-bde -protectors -add C: -RecoveryPassword

…using built-in cmdlets on Windows 8.1

Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector

…using WMI

(Get-WmiObject -Namespace root/cimv2/Security/MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -Filter 'DriveLetter = "C:"').ProtectKeyWithNumericalPassword()

Step 6: Backup the recovery password into Active Directory

…using the built-in manage-bde.exe on Windows 7

for /f "tokens=1-2 delims=: " %i in ('manage-bde -protectors -get C: -Type recoverypassword ^| findstr /i /c:"ID: "') do @ set _ID=%j manage-bde.exe -protectors -adbackup c: -ID "%_ID%"

…using built-in cmdlets on Windows 8.1

Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId ( (Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where KeyProtectorType -eq RecoveryPassword ).KeyProtectorId

…using WMI

# Either create the random 48-digit recovery password $res = (Get-WmiObject -Namespace root/cimv2/Security/MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -Filter 'DriveLetter = "C:"').ProtectKeyWithNumericalPassword() # and get the volume protector ID returned $VolumeKeyProtectorID = $res.VolumeKeyProtectorID # ...or retrieve it afterwards like this $VolumeKeyProtectorID = (Get-WmiObject -Namespace root/cimv2/Security/MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -Filter 'DriveLetter = "C:"').GetKeyProtectors(3) | Select -Expand VolumeKeyProtectorID # Backup (Get-WmiObject -Namespace root/cimv2/Security/MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -Filter 'DriveLetter = "C:"').BackupRecoveryInformationToActiveDirectory($VolumeKeyProtectorID)

Step 7: Encrypt the volume

…using the built-in manage-bde.exe on Windows 7

manage-bde.exe -on C: -SkipHardwareTest

…using built-in cmdlets on Windows 8.1

Enable-BitLocker -MountPoint C: -EncryptionMethod Aes128 -RecoveryPasswordProtector -SkipHardwareTest

…using WMI

(Get-WmiObject -Namespace root/cimv2/Security/MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -Filter 'DriveLetter = "C:"').Encrypt(1)

Bonus: Get the recovery password stored in AD

Get-ADObject -SearchBase (Get-ADComputer MyComputerName).DistinguishedName -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' -Properties Name,msFVE-RecoveryPassword | ForEach-Object { $reco = @(([regex]'(?<date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+\d{2}\:\d{2})(?<GUID>\{[A-Za-z0-9]{4}([A-Za-z0-9]{4}\-){4}[A-Za-z0-9]{12}\})').Matches($_.Name) | Select -Expand Groups | Select -Last 2) New-Object -TypeName PSObject -Property @{ Date = (Get-Date -Date $reco[0].Value) PasswordID = $reco[1].Value RecoveryKey = $_.'msFVE-RecoveryPassword' } } | Sort -Property Date -Descending:$false | Select -Last 1 -ExpandProperty RecoveryKey

NB: Domain Admin credentials are required to read this info by default.