Servicing a BitLocker-Protected Computer


Group Policy Options

As you've read a few times, BitLocker and the TPM Base Services can be configured by using Group Policy. There are two nodes in Group Policy to be aware of:

  • BitLocker Group Policy settings are found in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\

  • TPM Services Group Policy settings are found in Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\

The following list offers brief explanations of the BitLocker settings. For more details, check out the product help or the "explain text" in the Group Policy object editor.

Turn on BitLocker backup to Active Directory Domain Services As described above, this setting allows BitLocker to back up recovery information to Active Directory Domain Services.

You can also make two additional selections within this setting. The first, "Require BitLocker backup to AD DS," configures BitLocker so that if it cannot connect to a DC and successfully back up the recovery information, it will not allow BitLocker to be enabled. This is a useful setting to ensure recoverability, but it also means that the client computer must be connected to the domain to turn on BitLocker (in other words, no enabling BitLocker while flying to your next conference).

The second subsetting, "Select BitLocker Information to store," determines how much information is stored. If you store a full key package, a copy of the FVEK is encrypted with a key derived from the recovery password and then stored in AD DS. This is similar, in essence, to creating another copy of the key information kept in the volume metadata.

There is some increased risk of key exposure when the key package is stored in AD DS, but having it available may make it possible to recover data from a corrupted disk. If the key package is stored in AD DS, you must establish your decommissioning procedures accordingly.

Configure encryption method This setting allows you to specify the encryption to be used:

  • AES 128 bit with Diffuser (default)

  • AES 256 bit with Diffuser

  • AES 128 bit

  • AES 256 bit

Configure TPM platform validation profile Use this setting to choose which PCRs are examined during pre-OS component validation. If you have already enabled BitLocker, you must disable it and reenable it for the change to take effect, so carefully plan before changing this setting.

Control Panel Setup: Enable advanced startup options This setting controls whether a user setting up BitLocker from the Windows Vista control panel is given choices about creating key protectors.

You have these options:

  • Allow BitLocker without a compatible TPM

  • Settings for computers with a TPM:

    • Configure TPM startup key option:

      • Allow user to create or skip (default)

      • Require startup key

      • Disallow startup key

    • Configure TPM startup PIN option:

      • Allow user to create or skip (default)

      • Require startup PIN

      • Disallow startup PIN

Remember that you can't have both a PIN and a startup key, so if one is set to "require," the other must be set to "disallow."

Control Panel Setup: Configure recovery options Use this setting to allow users to have a choice about which recovery options are available in the setup wizard.

Control Panel Setup: Configure recovery folder This allows you to specify a default folder where the recovery password will be stored, and it would normally be a fully qualified path (\\server\share\path). Note that this is only a default; the user can still choose to store it elsewhere.

Prevent memory overwrite on restart You can configure your computer so that memory is not wiped when the computer is "warm booted." While this may shorten the restart time, it leaves open a risk that BitLocker secrets could remain in memory. The default is to make sure that memory is overwritten so that BitLocker secrets are removed.

The following list offers brief explanations of the Trusted Platform Module Services settings.

Turn on TPM backup to Active Directory Domain Services This setting controls whether the TPM owner password is backed up to AD DS, and, like the equivalent BitLocker setting, allows you to choose whether or not the backup is required. If it is required, you cannot change the owner password (which is usually part of enabling BitLocker for the first time) unless connected to the network and able to back up the new password.

Configure the list of blocked TPM commands, Ignore the default list of blocked TPM commands, and Ignore the local list of blocked TPM commands As part of TPM Base Services, you can manipulate these three settings to control which TPM commands are disallowed. For BitLocker, you should leave these settings alone.
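As an added example (not code from the book or from Microsoft), the following PowerShell script audits what these BitLocker and TPM Services policies have actually written on a client: it reads the policy registry keys under HKLM\SOFTWARE\Policies\Microsoft\FVE and HKLM\SOFTWARE\Policies\Microsoft\TPM and reports each of the settings discussed above, flagging the key-package-in-AD DS choice, the prevent-memory-overwrite setting, and a startup key and startup PIN both set to "require." The registry value names (ActiveDirectoryBackup, RequireActiveDirectoryBackup, ActiveDirectoryInfoToStore, EncryptionMethod, EnableBDEWithNoTPM, UseTPMKey, UseTPMPIN, DefaultRecoveryFolder, MorBehavior) and their numeric encodings are assumptions taken from the BitLocker and TPM ADMX policy definitions; confirm them against the explain text in your own Group Policy object editor.

```powershell
# Added example, not from the book: audit the registry values that the BitLocker
# and TPM Group Policy settings discussed above write on a client computer.
# ASSUMPTION: value names and DWORD encodings follow the BitLocker/TPM ADMX
# definitions as this example's author understands them; confirm them against
# the "explain text" in your own Group Policy editor before relying on the output.
# Run from an elevated PowerShell prompt on the client being checked.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$TpmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# Human-readable names for the encodings used by the settings above.
$EncryptionMethodNames = @{
    1 = 'AES 128 bit with Diffuser'; 2 = 'AES 256 bit with Diffuser'
    3 = 'AES 128 bit';               4 = 'AES 256 bit'
}
$ProtectorChoiceNames = @{ 0 = 'Disallow'; 1 = 'Require'; 2 = 'Allow user to create or skip' }
$AdInfoNames          = @{ 1 = 'Recovery passwords and key packages'; 2 = 'Recovery passwords only' }

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A setting left "Not Configured" writes no value at all, so return $null.
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-SettingName($Value, [hashtable]$Names, [string]$Default) {
    if ($null -eq $Value)                { return "Not configured (default: $Default)" }
    if ($Names.ContainsKey([int]$Value)) { return $Names[[int]$Value] }
    return "Unknown value $Value"
}

function New-AuditRow([string]$Setting, [string]$Value, [string]$Note = '') {
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Note = $Note }
}

function Get-BitLockerPolicyAudit {
    $rows = New-Object System.Collections.Generic.List[object]

    # Turn on BitLocker backup to AD DS, plus its two sub-settings.
    $adBackup   = Get-PolicyValue $FvePolicy 'ActiveDirectoryBackup'
    $adRequired = Get-PolicyValue $FvePolicy 'RequireActiveDirectoryBackup'
    $adInfo     = Get-PolicyValue $FvePolicy 'ActiveDirectoryInfoToStore'
    $requireNote = if ($adRequired -eq 1) { 'BitLocker cannot be turned on while off the domain network' } else { '' }
    # Storing the key package puts an encrypted FVEK copy in AD DS (the default when enabled).
    $infoNote = if ($adBackup -eq 1 -and $adInfo -ne 2) { 'Key package in AD DS: cover it in decommissioning procedures' } else { '' }
    $rows.Add((New-AuditRow 'BitLocker backup to AD DS' $(if ($adBackup -eq 1) { 'Enabled' } else { 'Not enabled' })))
    $rows.Add((New-AuditRow 'Require BitLocker backup to AD DS' $(if ($adRequired -eq 1) { 'Required' } else { 'Not required' }) $requireNote))
    $rows.Add((New-AuditRow 'BitLocker information to store' (Get-SettingName $adInfo $AdInfoNames 'Recovery passwords and key packages') $infoNote))

    # Configure encryption method.
    $method = Get-PolicyValue $FvePolicy 'EncryptionMethod'
    $rows.Add((New-AuditRow 'Encryption method' (Get-SettingName $method $EncryptionMethodNames 'AES 128 bit with Diffuser')))

    # Control Panel Setup: Enable advanced startup options and its sub-settings.
    $noTpm = Get-PolicyValue $FvePolicy 'EnableBDEWithNoTPM'
    $key   = Get-PolicyValue $FvePolicy 'UseTPMKey'
    $pin   = Get-PolicyValue $FvePolicy 'UseTPMPIN'
    $rows.Add((New-AuditRow 'Allow BitLocker without a compatible TPM' $(if ($noTpm -eq 1) { 'Allowed' } else { 'Not allowed' })))
    $rows.Add((New-AuditRow 'TPM startup key option' (Get-SettingName $key $ProtectorChoiceNames 'Allow user to create or skip')))
    $rows.Add((New-AuditRow 'TPM startup PIN option' (Get-SettingName $pin $ProtectorChoiceNames 'Allow user to create or skip')))
    if ($key -eq 1 -and $pin -eq 1) {
        # A PIN and a startup key cannot both be required; one must be set to Disallow.
        $rows.Add((New-AuditRow 'CONFLICT' 'Startup key and startup PIN both set to Require' 'Set one of them to Disallow'))
    }

    # Control Panel Setup: Configure recovery folder (a default only; users may pick another path).
    $folder = Get-PolicyValue $FvePolicy 'DefaultRecoveryFolder'
    $rows.Add((New-AuditRow 'Default recovery folder' $(if ($folder) { $folder } else { 'Not configured' }) 'Default only; the user can choose elsewhere'))

    # Prevent memory overwrite on restart: enabling it leaves BitLocker secrets in RAM across a warm boot.
    $mor = Get-PolicyValue $FvePolicy 'MorBehavior'
    $morNote = if ($mor -eq 1) { 'RISK: BitLocker secrets may survive a warm boot in memory' } else { '' }
    $rows.Add((New-AuditRow 'Prevent memory overwrite on restart' $(if ($mor -eq 1) { 'Enabled' } else { 'Not enabled (memory is overwritten)' }) $morNote))

    # Turn on TPM backup to AD DS (the TPM owner password).
    $tpmBackup   = Get-PolicyValue $TpmPolicy 'ActiveDirectoryBackup'
    $tpmRequired = Get-PolicyValue $TpmPolicy 'RequireActiveDirectoryBackup'
    $tpmNote = if ($tpmRequired -eq 1) { 'Owner password cannot be changed while off the domain network' } else { '' }
    $rows.Add((New-AuditRow 'TPM owner password backup to AD DS' $(if ($tpmBackup -eq 1) { 'Enabled' } else { 'Not enabled' })))
    $rows.Add((New-AuditRow 'Require TPM backup to AD DS' $(if ($tpmRequired -eq 1) { 'Required' } else { 'Not required' }) $tpmNote))

    return $rows
}

Get-BitLockerPolicyAudit | Format-Table -AutoSize -Wrap
```

The script reads only the policy keys, so it reports what Group Policy has pushed to the machine rather than what a particular volume is currently using; a value of "Not configured" means the setting falls back to the default named in the book's list above.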




Administering Windows Vista Security: The Big Surprises
ISBN: 0470108320
Year: 2004
Pages: 101
