BitLocker™ Drive Encryption Team Blog

Access Denied Error 0x80070005 message when initializing TPM for Bitlocker

Tanner S — Tue, 14 Sep 2010 21:14:21 GMT

Hello, my name is Manoj Sehgal. I am a Senior Support Engineer in the Windows group and today’s blog will cover How to initialize TPM successfully when you enable Bitlocker in Windows 7.

A common problem we have seen since the release of Windows 7 has been to initialize TPM successfully so that you can successfully turn ON Bitlocker. This is most likely due to incorrect permissions for the SELF account in AD for ms-TPMOwnerInformation attribute.

When you try to turn on Bitlocker on Windows 7 Operating System Drive, you may get the Access Denied Error message while initializing TPM.

Additionally, when you open the TPM Management Console and you try to initialize TPM you get error message 0x80070005.

NOTE: If you are using SCCM to build Windows 7 machines and using Bitlocker Task Sequencer you may see the following error message(s) logged in smsts.log for OSDbitlocker.

pTpm->TakeOwnership( sOwnerAuth ), HRESULT=80070005 e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,480)OSDBitLocker 3032 (0x0BD8)
Failed to take ownership of TPM. Ensure that Active Directory permissions are properly configured.
Access is denied. (Error: 80070005; Source: Windows) OSDBitLocker 3032 (0x0BD8)

Resolution:

To set correct permissions, follow the instruction below:

1. Open Active Directory Users and Computers.

2. Select the OU where you have all computers which will have Bitlocker turned ON.

3. Right Click on the OU and click Delegate Control.

4. Click Next and then click Add.

5. Type SELF as the Object Name.

6. Select create a custom task to delegate.

7. From the object in the folder, select Computer Objects.

8. Under show these permissions, select all 3 checkbox.

9. Scroll down in permissions and select the attribute Write msTPM-OwnerInformation.

10. Click Finish.

After you have done the above steps, you should be able to initialize TPM successfully.

More Information:

Backing Up BitLocker and TPM Recovery Information to AD DS

http://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx

Author:

Manoj Sehgal
Senior Support Engineer
Microsoft Corporation

How to backup recovery information in AD after Bitlocker is turned ON in Windows 7

Tanner S — Tue, 14 Sep 2010 21:12:38 GMT

Hello, my name is Manoj Sehgal. I am a Senior Support Engineer in the Windows group and today’s blog will cover “How to backup recovery information in AD after Bitlocker is turned ON in Windows 7.”

A common question we are asked is how do I save the recovery information for a Windows 7 machine which has Bitlocker turned ON.

This situation can arise when any of the following conditions are true, but is also not limited to this list:

a)    The machine is Bitlocker’ed prior to joining the Domain.
b)    The machine is not physically connected to the Network when enabling Bitlocker.
c)    When the GPO for Saving Recovery Information for Bitlocker is not setup correctly.

So when we open Active Directory Users and Computers portion of server manager you do not see msFVE-RecoveryInformation for the machine which was encrypted.

In this situation we can use manage-bde command from the client machine to save the recovery information in AD, instead of decrypting and encrypting the Operating system drive again for storing recovery information in AD.
First verify that the client machine is in the correct OU in AD where the Bitlocker group policies are applied and then follow the below steps:

Open elevated command prompt on the client computer and run the below command.

Note: You require local admin rights to run manage-bde commands.

c:> manage-bde -protectors -get c:

Example:

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume C: [Old Win7]
All Key Protectors
    External Key:
      ID: {F12ADB2E-22D5-4420-980C-851407E9EB30}
      External Key File Name:
        F12ADB2E-22D5-4420-980C-851407E9EB30.BEK

    Numerical Password:
      ID: {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}
      Password:
        224631-534171-438834-445973-130867-430507-680922-709896

TPM And PIN:
ID: {EBAFC4D6-D044-4AFB-84E3-26E435067AA5}

If you see results above you should see ID and Password for Numerical Password.

Now run the below command, replace id for ID of Numerical Password.

c:> manage-bde -protectors -adbackup c: -id {DFB478E6-8B3F-4DCA-9576-C1905B49C71E}

Bitlocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Recovery information was successfully backed up to Active Directory.

Now if you go to AD, and check the client computer you should see msFVE-RecoveryInformation for this client computer.

For more information on Group Policies for Bitlocker, see my blog below.
http://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx

Manoj Sehgal
Senior Support Engineer
Microsoft Enterprise Platforms Support

Bitlocker Policies for Windows 7 on Windows Server 2003 or Windows Server 2008

Tanner S — Tue, 14 Sep 2010 21:11:18 GMT

Hello, my name is Manoj Sehgal. I am a Support Escalation Engineer in the Windows group and today’s blog will cover “How to get the bitlocker policies for windows 7 for on Windows Server 2003 as domain functional level”

If you open Group Policy Management Editor from a Windows Server 2008 Server you will only see policies for bitlocker for Windows Vista Only and not for Windows 7.

Microsoft included the bitlocker admx and adml files for Windows 7 in windows server 2008 R2.

Windows Server 2003 reads only adm files and not admx and adml files. So on Windows Server 2003, you cannot configure admx and adml files.

Resolution:

You will have to configure the bitlocker policies from Windows 7 Client machine.

1. First install RSAT tools for Windows 7 on a windows 7 client machine which is already join to your domain.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

2. Then open Group Policy Management Console and create a new policy for bitlocker.

3. Edit the bitlocker policy which will open group policy management editor.

4. Now you can see the Bitlocker Drive encryption Policies for Windows 7 Operating System.

NOTE: Windows 7 machine would need to be used to configure the bitlocker policies for Windows Vista and Windows 7 client machines.

5. Configure the bitlocker policies and now you can save recovery information in AD.

6. If you have Windows Server 2008 and you want to have Bitlocker policies for windows 7, then you need to copy the corresponding admx and adml file for bitlocker.

7. Go to c:\windows\policydefinition folder on Windows Server 2008 R2 machine and then copy the volumeencryption.admx file and corresponding volumeencryption.adml from c:\windows\policydefinition\en-US folder respectively.

8. Go to Windows Server 2008 and then Copy and Replace the existing volumeencryption.admx located at c:\windows\policydefinition folder and volumeencryption.adml located at c:\windows\policydefinition\en-US folder.

For more information on Group Policies for Bitlocker, see my blog below.
http://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx
Windows 7, Windows Server 2008 R2 and the Group Policy Central Store
http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx

Manoj Sehgal
Support Escalation Engineer
Microsoft Enterprise Platforms Support

How to use Hash of TPM from AD to reset your TPM password

Tanner S — Tue, 14 Sep 2010 21:09:54 GMT

Hello, my name is Manoj Sehgal. I am a Support Escalation Engineer in the Windows group and today’s blog will cover “How to use Hash of TPM from AD to reset your TPM password”.

As per Best Practices for Bitlocker we configure a Group Policy for TPM to backup information in AD DS.

Note: See links at the end to configure the Group Policy for TPM and Bitlocker.

By design, we save hash of the TPM password in AD and not the actual TPM password.

Consider the below scenarios:

Scenario 1:

Customer rolls out machines using SCCM. SCCM creates a random password for “TPM Owner Password” as part of enabling bitlocker (MDT does this also).

Scenario 2:

If the user enabled Bitlocker and specified a “TPM Owner password”. In this instance you could see scenario where you fired that person and need to give the laptop to his replacement. If you do not have the TPM password, you will only able to clear the TPM to factory defaults and then when you restart your computer, it will prompt you for 48 digit bitlocker recovery key.
This password is saved in AD (msTPM-OwnerInformation) attribute as hash value. By default only domain admins can read this attribute.

At some point the domain admin needs to make a change in TPM.MSC. In order to do this you must supply the TPM “Owner password” otherwise the TPM chip is cleared so you would lose all data on the TPM chip.

Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.

In order to reset the TPM Owner Password, follow the below steps:

Resolution:

1. Open notepad and copy the below information.

<?xml version="1.0" encoding="UTF-8"?>

<ownerAuth>JLi2ycvjzYgYaDq5zQ094U/FxAs=</ownerAuth>

2. Get the hash information from ms-TPMOwnerInformation attribute and replace the hash information between the <ownerAuth>……</ownerAuth>

3. Save the file as whatevername.tpm.

4. Open TPM Administration Console (tpm.msc) and Click on Change Owner Password.

5. Select “I have the Owner Password File” and point it to .tpm file which you got in Step 2.

6. Now you can successfully change the TPM password.

For more information on Group Policies for Bitlocker, see my blog below.
http://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx

Bitlocker Policies for Windows 7 on Windows Server 2003 or Windows Server 2008

http://blogs.technet.com/b/askcore/archive/2010/07/02/bitlocker-policies-for-windows-7-on-windows-server-2003-or-windows-server-2008.aspx

Manoj Sehgal
Support Escalation Engineer
Microsoft Enterprise Platforms Support

Issues Resulting in Bitlocker Recovery Mode and Their Resolution

Tanner S — Tue, 14 Sep 2010 21:08:08 GMT

My name is Tanner Slayton and I am a Sr. Support Escalation Engineer for Microsoft on the Windows Core Team. I am writing today to shed some light on a common Bitlocker problem that we see.

* While you can accomplish most tasks via the Bitlocker Control Panel Applet, I am going to be using the manage-bde commands from an elevated command prompt.

Specific operations or actions will cause Bitlocker to go into Recovery Mode and ask you to enter the 48-digit Recovery Key. This can be caused by several things, and a complete list can be viewed here , but today I am going to go over the most common issues.

Scenario # 1: When you are using a Laptop or Desktop computer and do not have the BIOS Boot order with the OS HDD listed as the first boot device. The reason for this is the boot device makes up part of the system measurement used by Bitlocker and this must remain consistent to validate the system status and unlock BitLocker. (I.e. if you have the DVD-ROM drive listed first and had a bootable media inserted, this can cause the system measurement to change.) Some firmware will also treat PXE network boot as a change in boot order – even when the user does not choose network boot. Changing from a wireless to wired network can trigger a recovery event. Putting the HDD first in boot order generally eliminates these issues.

Resolution:

o Suspend Bitlocker drive encryption by typing "manage-bde -protectors -disable c:” from an elevated command prompt.

o Go into the BIOS and change the Boot Order so the OS HDD is first in the list.

o By default from most hardware vendors, the HDD is not the first boot device.

o If you have a laptop with a docking station, make sure that it is plugged into the docking station, in order to make sure that the external devices presented by the docking station are present in BIOS.

o Boot into the Operating System and run "manage-bde -protectors -enable c:"

Scenario # 2: When you are either deploying a new system or encrypting the drive for the first time. You might pause the Bitlocker encryption process, in order to speed up the performance or while performing other tasks, so that encryption can run later or you need more than the 6 GB worth of free space to continue deploying the system. When you run "manage-bde -pause c:" you are pausing the drive encryption of C:, but not the Bitlocker protectors on the system.

You might say to yourself, if I run "manage-bde -status c:" I see that the protection is off on that drive. The reason you see this is that the protection for the drive is not yet completed, but the clear text key still exists.

Volume C: []
[OS Volume]
    Size:                 37.17 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Encryption Paused
    Percentage Encrypted: 3%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection Off <--- Where it shows "Protection Off"
    Lock Status:          Unlocked
    Identification Field: None

Resolution:

o When you need to pause the encryption, whether for performance or drive space reasons, you need to run "manage-bde -pause c:"

o After encryption has been paused, you will want to run "manage-bde -protectors -disable c:"

o Once you have completed your tasks and wish to start the encryption process again you can run "manage-bde -resume c:"

o Once the encryption is complete, or if you have completed your tasks, you will then want to run "manage-bde -protectors -enable c:"

Scenario # 3: The BIOS / TPM firmware are out of date on the systems.

Resolution:

o Suspend Bitlocker drive encryption “manage-bde –protectors –disable c:”

o Update the BIOS on the system

o If there is a TPM Firmware update, please follow the vendor installation instructions.

o Reboot the Operating System and run “manage-bde –protectors –enable c:”

Scenario # 4: When you are installing additional language packs onto the system, and selecting the option to apply the language settings to all users and system accounts. This causes a locale change in the BCD (Boot Configuration Database), which Bitlocker with TPM interprets as a boot attack.

Resolution:

o Suspend Bitlocker drive encryption “manage-bde –protectors –disable c:”

o Add language packs to the system and make any language settings.

o Resume Bitlocker drive encryption “manage-bde –protectors –enable c:”

Scenario # 5: When you create or modify any of the partitions that reside on the O/S drive.

Resolution:

o Suspend Bitlocker drive encryption “manage-bde –protectors –disable c:”

o Shrink, expand, or create any partitions on the drive.

o Resume Bitlocker drive encryption “manage-bde –protectors –enable c:”

Scenario # 6: The TPM chip has been turned off in BIOS.

Resolution:

o Go into BIOS and make sure the the TPM Security is enabled and on

Tanner Slayton
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

BitLocker & Application Compatibility

Tanner S — Tue, 14 Sep 2010 20:57:46 GMT

Recently I received an interesting question around BitLocker & Application Compatibility. In other words will an application, which works on a machine without BitLocker also work on a machine with BitLocker enabled? I believe it sounds as simple a question as important it is.

Quick answer is that the BitLocker Drivers are at a very low level in the software system stack; below the file system. So BitLocker is transparent to applications and it shouldn’t cause any incompatibility for most applications that runs in normal Windows environment.

However, considering how important could this topic could be in Enterprise situations I thought of going beyond what I know or expect and finding some real world data around it. I contacted several Enterprise & Medium businesses who had BitLocker deployed for some time and asked their experience. Here are some facts & findings:

· Will an application which works on a machine without BitLocker also work on a machine with BitLocker enabled?

For almost all case, yes. In this case, I could just say “Yes” but the reason I’m saying “almost all” is because I recommend that Enterprise Administrators evaluate which application interact with the disk via file system & which do not. For applications that do not use file system and interact directly with the raw data on disk, Application owners or IT administrators may want to perform a sanity check for those application with & without enabling BitLocker.

· Which applications are known to have incompatibilities due to BitLocker enablement?

In the study I performed, few back-up applications that operate the disk at sector level were heard to have compatibilities raised after enabling BitLocker. Similarly some system internal utilities that access the drive at the block level may have incompatibilities. Some disk partitioning tools trying to manipulate BitLocker encrypted partition may also have issues with partitions that are BitLocker encrypted – however such issues were found to be intuitive to detect & troubleshoot. I didn’t hear any desktop application that did not work with BitLocker.

· Did we find any evidence of application compatibility issues after enabling BitLocker?

For any desktop application, so far no application compatibility issues were found.

· On which Operating System BitLocker was enabled by these customers?

Windows Vista & Windows7.

· For how long those BitLocker deployments were in place?

From 2 to 3 years, including pilot & production deployments both.

Other things to know

Other than the application specific incompatibilities as you would expect, in some scenarios like patch update, OS upgrade or automated deployments you may need to suspend/pause (or in rare cases decrypt) BitLocker on one or more partitions. Best practices, scripts & other information on this topic is already covered in many of the BitLocker documents e.g. BitLocker FAQ.

Hope this helps! If you had a different experience, do post a comment here or send me a message.

-Tanu Mutreja

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Also found at: http://blogs.technet.com/b/wincat/archive/2010/09/02/bitlocker-amp-application-compatibility.aspx

Top 10 Reasons for Deploying BitLocker on Branch Office Servers

Tanner S — Tue, 14 Sep 2010 20:55:54 GMT

Top 10 Reasons for Deploying BitLocker on Branch Office Servers

1. Information Loss is Costly

Information is the key asset of IT industry. Losing this asset or getting it in wrong hands can be equally damaging for all businesses small, medium or large. In 2004, the U.S. Department of Justice estimated that intellectual property theft cost enterprises $250 billion. Whether it’s Personal Identifiable Information (PII), individual health or financial records, employee HR records, organization’s operational data or other intellectual property, losing information can cause lot of damage to an organization. The more sensitive data your organization store the higher the risk. It can cause not only loss of revenue, loss of market credibility, competitive disadvantage but also the non-compliance penalties.

2. Governance & Regulations

Regulations around data protection as in Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and European Data Protection Supervisor (EDPS) are increasing around the globe and non-compliance penalties can be significant. Irrespective of the business sizes, locales or activities regulatory conditions are getting stricter for protecting data at all stages including data at rest, data in transit, hardware transportation and safe hardware disposal. Implications of non-compliance can get severe with the sensitivity of data a business keeps.

3. Equipment theft or loss isn’t limited to laptops or mobile devices

While mobility of a device makes the device much more prone to theft or loss, mobility isn’t the only factor adding to data loss risk. There have been number of incidents reported where theft of IT equipment was committed during a physical break‐into a business premise especially for server systems. This is particularly a concern for small and medium businesses and branch office servers. In these businesses, due to the nature of business and IT infrastructure not every server and storage media is enclosed in iron walls. Think of desktops and servers around you and it won’t be hard to realize the potential vulnerabilities in case of physical break-in.

4. Physical protection is not enough

Even when servers are in iron cages and there are resources physically guarding the data, data in clear text remains at risk. Studies have shown that despite the high level of physical protection like in secure data centers, thousands of data drives leave data center on daily basis. While some drives go out for reasons like repair, return or re-provision, others are stolen or lost. In other cases data cloning (e.g. for maintenance or outsourcing) adds to the risk of data loss without the data leaving its secure physical boundary. Essentially data remains vulnerable until the data itself has a protection via encryption or other such techniques.

5. Safe decommissioning or re-provisioning of disks

Decommission or re-provisioning of a server or its hard drives is part of hardware lifecycle in a business. Ensuring safe decommissioning or re-provisioning is becoming a critical consideration for organizations. This requirement has led organizations to adopt a variety of mechanisms with most being cumbersome. By providing the capability to destroy Volume Encryption Keys, BitLocker provides a reliable and easy way for safe disposal of data. This simple and secure method can save multiple hours of data reclamation efforts and can significantly help in retaining and proving compliance.

6. Safe transportation of pre-configured systems or disks

Transportation of provisioned systems or data drives is a common Branch Office and Enterprise scenario. People carrying their data drives along or sending data drives for repair aren’t uncommon either. In all such scenarios, it’s important to protect the data on the disks so an errant disk doesn’t end up in information loss or theft. BitLocker is the one reliable way to enable Branch Offices and Enterprises to reduce the risk and transport data drives around with higher confidence. With BitLocker data can be protected with a PIN at one end and can then be accessed by authorized personnel at other end.

7. Retain boot integrity and enable multi-factor authentication via TPM

BitLocker has capability to provide authentication for different needs and different security levels needed. It uses TPM (Trusted Platform Module v1.2) to validate boot integrity of the system. BitLocker can also use TPM with PIN or with startup key or with PIN and startup key both. On the other hand, where server systems happen to be headless i.e. no keyboard, mouse and video display, or no USB port or inaccessible, TPM authentication can help avoid the requirements of manual intervention for PIN or startup key.

8. Smooth integration with Active Directory and policy based controls

BitLocker inherently integrates with Active Directory for supporting a number of scenarios like automated backup of certain BitLocker parameters like recovery password. With the use of granular Group Policies, BitLocker deployment can be highly customized for a deployment environment. Fact that Active Directory is mature and well understood technology makes BitLocker integration with Active Directory cause minimal impact to existing ecosystem and helps in reduced learning curve and faster deployments. Familiarity with Active Directory also helps BitLocker deployment professionals in exploring and leveraging information stored in AD for variety of purposes like enhanced logging and auditing.

9. BitLocker is already in the Operating System

With Windows Server 2008 or Windows Server 2008 R2, BitLocker is available as a user-installable feature in all x64 editions. Protection of your data at rest with no additional cost is just a few mouse clicks away.

10. Drive encryption is a one-time task

Enabling BitLocker on a disk volume is a one-time task. Initially when BitLocker is enabled on a disk volume, for the first time BitLocker encrypts the whole volume & later no specific efforts are required for keeping the data encrypted. Depending on the quality of hard-drive the initial encryption time could vary but the benefits simply outweigh this one-time effort.

Useful references:

· BitLocker Drive Encryption in Windows7 - Frequently Asked Questions

· System Integrity Blog for understanding BitLocker knowhow.

Still have questions, feel free to submit here or send my way(tmutrej@online.microsoft.com - after removing online from this address).

Also found at: http://blogs.technet.com/b/wincat/archive/2010/03/20/top-10-reasons-for-deploying-bitlocker-on-branch-office-servers.aspx

BitLocker Makeover

BitLocker Team — Mon, 04 Sep 2006 03:26:00 GMT

The Windows Vista RC1 release is quickly approaching and I know many of you are eager to hear the latest and greatest news about BitLocker. Well, wait no more my fervent comrades!

Anyone who is familiar with previous builds may recall walking through separate wizards for the TPM and BitLocker functionalities – and thinking, “wait, didn’t I just do this?” We realized this was a bit confusing, so in RC1 the TPM initialization wizard functionalities have been integrated directly into the BitLocker setup wizard (on TPM machines). You now only need to run the single BitLocker setup wizard, although the TPM MMC snap-in can still be used separately. No muss, no fuss!

But wait, there’s more! Below you will find additional simplifications that have been made to the BitLocker wizard, which should provide for a straightforward setup experience. So download now, and get your copy of RC1 today!

TPM by Default

In response to customer feedback, we have made some simplifications to the default user interface for BitLocker. By default, the BitLocker setup wizard will not run without a compatible TPM; and on those with a compatible TPM, the interface no longer displays the advanced options to create a startup PIN or USB startup key.

But for those who still want these features – don’t fret! To restore access to the advanced options in the BitLocker setup wizard, just click the following link to review the BitLocker Step-by-Step Guide for RC1. Note that this document will be updated concurrent to the RC1 release.

System Check Option

The purpose of the BitLocker System Check is to verify that the hardware and BIOS is compatible with BitLocker, and that access to the encryption and recovery keys is possible. This check is now an explicit option in the setup wizard when turning on BitLocker.

To prevent a setup failure and resolve hardware issues, BitLocker can complete the system check during BitLocker setup. Choosing this option requires a restart but ensures that encryption is only started if the computer passes the system check.

To access the system check in the BitLocker setup wizard, follow the instructions below:

1) Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.

2) If the User Account Control dialog box appears, verify that the proposed action is what you requested, and then click Continue.

3) From the BitLocker Drive Encryption page, click Turn On BitLocker for the OS volume.

If your TPM is not initialized, you will see the Initialize TPM Security Hardware wizard. Follow the directions to turn on the TPM and restart your computer. After the restart, the BDE wizard will launch itself to continue the setup.

4) Choose the preferred recovery password storage method from the Save the recovery password page. After saving the password to the desired location, click Next.

5) From the Encrypt the selected disk volume page, check the Run BitLocker system check box, and click Continue.

6) Insert the recovery password USB flash drive (if you saved the password on a USB drive), and click Restart Now. The computer restarts and BitLocker checks to make sure that the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem and no encryption is applied to the OS volume.

For a related music selection:

David Bowie – “Changes” from the album “Changesonebowie” (1976)

- Valerie Bays

Open Sesame: BitLocker Recovery Passwords

BitLocker Team — Tue, 22 Aug 2006 02:40:00 GMT

Anyone who has tried enabling BitLocker will have been greeted with a friendly dialog box insisting that you create a recovery password. I remember the first time I saw this, I found myself asking, “what is this recovery password, and what am I supposed to do with it?”

Let’s first take a look at the BitLocker system. BitLocker has two major features: 1) it encrypts the hard drive to prevent offline attacks against lost or stolen laptops and, 2) it takes measurements of the boot process to ensure the integrity of the system at start-up. These measurements detect attacks that try to get into your system before the OS loads.

If the measurements taken during start-up match the measurements taken when BitLocker was enabled, the system will boot into Vista as expected. If the measurements change, however, BitLocker will enter recovery mode. There are several scenarios that can cause these measurements to change. Some scenarios are harmless, like moving a BitLocker-protected drive into a new computer, while others are malicious, like a rootkit attack. For a more complete discussion of recovery scenarios, check out the BitLocker Technical Overview.

In recovery mode, encrypted data will not be unlocked unless you can present the recovery password, either by inserting a USB flash drive containing the recovery password or typing it in manually. Start-up PINs and keys will not work in recovery mode.

This leads to two critical points:

· If you lose the recovery password and the system goes into recovery mode, the data is irretrievable.

· If an adversary gets your recovery password, he can make changes to your system and bypass BitLocker. This is equivalent to a thief learning your Windows XP administrator password or mothers’ maiden name.

So this leads to an interesting dichotomy: you want to preserve your recovery password, but not leave it accessible to an attacker. Taping your recovery password to your laptop is a bad idea. But what other backup options are available? Well, we have a few ideas:

· Save your recovery password on a USB drive, and put it on your key chain (or in a safe).

· Print out the recovery password and hide it away in a file folder.

· Burn the recovery password onto a CD (or floppy) and store that away in some safe place.

· BitLocker also supports automatic backup to Active Directory servers. This will be the recommended method for backing up recovery passwords in business scenarios.

Two things you should always remember about the BitLocker recovery password: back it up and keep it safe.

For a related music selection:

‘N Sync – “I Want You Back” from the album “’N Sync” (1998)

- Jonathan Rhodes

Keys to the Kingdom

BitLocker Team — Tue, 01 Aug 2006 23:36:00 GMT

Every wonder about all those keys in BitLocker? Here's the scoop on the ones you need to care about....(read more)

BitLocker and unallocated space

BitLocker Team — Sun, 09 Jul 2006 09:50:00 GMT

I often see two questions related to free (a.k.a. “unallocated”) disk space when people talk about Windows BitLocker™ Drive Encryption on various forums:

Q: What happens to unallocated space when I enable BitLocker on my volume? Does it get encrypted?

Q: I enabled BitLocker on my volume and – poof! – all my free space is gone! What’s wrong? More importantly, how do I get it back?

Good news: nothing is wrong and the only thing that you have to do to get it back is wait. Here’s a high level explanation (some intricate technical details have been omitted for brevity).

In the IT world “delete” usually means “remove from plain view” rather than “obliterate out of existence”. Unallocated disk space is prone to contain interesting data: rotting skeletons of compensation spreadsheets, “deleted” text files with passwords and credit card numbers, discarded autosave copies of top secret presentations. Hence, BitLocker cannot just ignore free space when the volume is being encrypted.

On the other hand, encrypting (or, to be exact, “reading, encrypting, and writing back”) free space is a real waste on a typical volume that is usually less than twenty percent full. As a performance optimization, BitLocker simply overwrites unallocated space with noise, thereby avoiding redundant reads. As expected, wiping free space is about two times faster than encrypting data, but it still takes considerable time on large volumes.

Now, free space tends to be very fluid. Unallocated chunks of disk space appear and disappear all over the place, all the time. Determining whether a given sector needs to be encrypted or wiped at a particular moment of time is a considerable technical challenge. BitLocker solves this problem by creating a huge file that takes most of the available disk space (leaving 6 GB for short-term system needs) and wiping disk sectors that belong to the file. Everything else (including ~6 GB of free space not occupied by the wipe file) is encrypted. When encryption of the volume is paused or completed, the wipe file is deleted and the amount of available free space reverts to normal.

(Note: if you have a Beta 2 build, you may have noticed that volume conversion leaves only 2 GB of free space, not 6 GB as described here. Increasing the amount of free space available during conversion from 2 GB to 6 GB was a recent change that is aimed to avoid ‘disk full’ errors in some common scenarios, such as installation of large software packages or writing a full memory dump on systems with 2+ GB of RAM.)

When BitLocker is turned off and the volume is decrypted, the wipe file is created in a similar way, and everything except the wipe file is decrypted. There is no need to decrypt sectors that are occupied by the wipe file, since no useful data is contained therein. Wiping unallocated space is not necessary either, as the whole volume is reverted to clear text anyway. As such, sectors occupied by the wipe file are skipped during decryption; consequently, decryption of a volume is typically much faster than encryption. As in the case of encryption, the wipe file is deleted when decryption is paused or completed.

And finally, a bit of trivia: the noise that is used to overwrite free space is generated by encrypting a buffer filled with 0x57 (‘W’ in ASCII code). So, if you ever opened an encrypted volume in a disk viewer and wondered what those vast spaces filled with W’s are – that’s most probably unallocated space that has been wiped during encryption.

— Bulat Shelepov

Doing our part for BitLocker™ Drive Encryption: Particular requirements around partitioning

BitLocker Team — Fri, 09 Jun 2006 21:37:00 GMT

On May 23-25, members of the BitLocker team participated in the Windows Hardware Engineering Conference (WinHEC) in Seattle. It was a successful event for us, and we even got some mentions in keynote speeches. Everyone we talked to understood the importance of encrypting the entire disk volume, and there was a great deal of excitement that this feature will be available in Windows Vista and Windows Server "Longhorn".

Anticipation aside, we know that the true test of a product is in customers using it. Based on WinHEC and other recent feedback, we want to highlight a detour you might encounter on your way to better data protection with BitLocker.

With a newly-installed Windows Vista Beta 2 build, don’t despair if you see that you need to "reconfigure" your hard disk before you can turn on BitLocker. It’s not your fault!

The fact is, you need two partitions set up on your disk before you can turn on BitLocker.

The first partition, called the system volume, contains the boot information in an unencrypted space. This partition must be at least 1.5 GB in size and should not be used as a spare place to store files. BitLocker requires this partition because of architectural constraints and the need to be compatible with existing technologies.
The second partition, called the operating system volume, contains Windows and user data and can be fully encrypted by BitLocker.

To partition your computer, Vista Beta 2 requires that you reinstall Vista from the product DVD and set up the necessary partitioning during the installation. We, too, quite dislike the burden these steps place on you.

Will you need to reinstall and run “diskpart” when Windows Vista is a finished product? Not if we have anything to say about it. Here's what were a trying to do:

We are working closely with computer manufacturers to have these two partitions configured by default in new computers.

We are working with enterprise customers to make sure they can set up their Vista deployment processes appropriately (enterprise customers use automated processes that can seamlessly set up the partitioning).

We are working on a partitioning tool that takes care of the repartitioning so you won’t have to reinstall and type the “diskpart” commands needed in the Windows Vista Beta 2 release. In effect this tool "converts" a disk to a more BitLocker-friendly state.

For now, if you’re a beta tester for Windows Vista Ultimate edition or an employee evaluating the feature for your enterprise, we’d really appreciate it if you can step through this detour, enable BitLocker, and let us know what you think about the data protection capabilities it offers.

For more information on partitioning your computer for BitLocker:

BitLocker Step by Step Guide

For a related music selection:

P!nk – “Get the Party Started” from the album “M!ssundaztood” (2001)

- Xian Ke, on behalf of the BitLocker team

Why you need to own your Trusted Platform Module (TPM)

BitLocker Team — Tue, 06 Jun 2006 23:43:00 GMT

You might think that having your TPM security hardware be “owned” may not be a good thing. If you’re well-versed in slang, you’re excused. However, to own or “take ownership” of your computer’s TPM is actually desirable for both functionality and security.

Taking ownership of the TPM allows you to make full use of TPM capabilities and prevents any other user or software from usurping your ownership title. You are a TPM’s owner if you’re able to set the TPM owner password. Only one owner password exists per TPM, and anyone who knows that password effectively acts as the TPM owner.

So what’s the difference in functionality between a TPM which has a set owner and one which does not? Given that a TPM has an owner, what can the TPM owner do that a non-owner cannot? The first question is answered by documentation in the IsOwned method of the Vista TPM Windows Management Instrumentation (WMI) interface. This same WMI interface allows TPM owners to remotely configure a computer’s TPM. The WMI method ConvertToOwnerAuth takes as input the owner password and derives the 20-byte value that the TPM actually uses to authorize owner-restricted TPM functionality. You can then use the 20-byte owner authorization value to run WMI methods to Enable, Disable, and Clear a TPM. Of course, remotely configuring the TPM is not exactly the most interesting owner-only functionality that a TPM supports. Consult the “Owner Permission Settings” section of the Trusted Computing Group’s Structures of the TPM specification to list the TPM commands that are available only to a TPM owner.

For more information on setting a TPM owner:

TPM Step by Step Guide

For a related terminology trivia:

“Initialize” – a catch-all term to indicate all the steps that must be done to use the TPM with BitLocker or other security applications, including to turn on and take ownership of the TPM.

— Xian Ke

“Is anyone out there?” — Using physical presence to turn on the Trusted Platform Module (TPM)

BitLocker Team — Sat, 13 May 2006 03:51:00 GMT

Malicious software can lurk in the most humorous of dancing baby videos and cause havoc on your computer. To help protect against malware taking control of your computer's Trusted Platform Module (TPM) security hardware, computer manufacturers should follow recommendations from the Trusted Computing Group (TCG) to ship TPMs in the "off" state and require users to establish "physical presence" before turning on the TPM for the first time.

So what exactly does "physical presence" mean? Before Windows Vista appeared on the scene, computer manufacturers fleshed out this ghostly requirement by considering the ability to enter and navigate pre-boot (BIOS) setup menus as proof of physical presence. This approach guards against malware since it's harder to fool us into entering a BIOS setup menu than it is to have us click on a dancing baby video. Unfortunately, finding TPM settings in the BIOS isn't intuitive and in fact, varies widely with each computer model. Not knowing how to help you with this task, Vista's TPM Initialization Wizard would need to display a dialog that says something along the lines of, "Please refer to the BIOS section of your motherboard manual to enable and activate the TPM."

I wanted to resolve this dilemma. I felt strongly that understanding the BIOS should not be a prerequisite for using the TPM, and just as strongly that we must have a choice to turn on the TPM or not. With the help of others on the BitLocker team, I collaborated with industry partners to specify an interoperable BIOS firmware interface that simplifies establishing physical presence. With this firmware interface, you can configure the TPM using Vista wizards without knowing about the BIOS. When an action requires physical presence, Vista will set up the BIOS to automatically ask you to confirm your requested change on the next computer restart. As a result, you can quickly use your mere presence to turn on the TPM, but dancing babies cannot (unless, of course, you permit them to do so).

For more information on using physical presence to turn on the TPM:

TPM Step by Step Guide

For a related music selection:

Level 42 – “Turn It On” from the album “A Physical Presence (Live)” (1985)

— Xian Ke

P.S. Large enterprise customers that desire no-touch deployment—and who have a controlled deployment environment—can work with their preferred computer manufacturer to purchase computers that do not require an extra touch. For example, having the TPM already on removes the need to establish physical presence during an enterprise BitLocker deployment.

BitLocker™ Technical Overview — Now Available

BitLocker Team — Sat, 29 Apr 2006 02:58:00 GMT

It’s been a while since WinHEC 2005, and it was time for a meaningful refresh of our BitLocker docs. In an effort to crystallize the product functionality in one relatively short, yet technical document, I have updated the BitLocker Technical Overview available on http://www.microsoft.com/technet/windowsvista/security/bittech.mspx.

This document is intended for IT administrators and advanced users to help them understand the different authentication scenarios offered. The document includes the following:

The different requirements for installing BitLocker Drive Encryption
An architectural overview
A section on servers
A section on data volumes
Information about the product’s lifecycle—from install to retirement
Information about the different authentication scenarios offered (what is TPM-only and what is TPM+StartupKey)
Information about the different recovery mechanisms available in case something goes wrong

-- Tony Ureche

BitLocker™ and FIPS

BitLocker Team — Sat, 15 Apr 2006 01:25:00 GMT

Because we have many government customers who will want to run FIPS-compliant software, Microsoft will certify BitLocker™ to the FIPS 140-2 standard. This is a long process, but if all goes well we should be in good shape within a few months after shipping.

The process involves following specific requirements to add self-tests (such as integrity checking, known-answer-tests, and so on) to our crypto modules, getting these modules validated by an independent third party, and then getting the actual certification from NIST (the National Institute of Standards and Technology) and CSE (Communications Security Establishment, NIST’s Canadian equivalent).

After several design drill-downs, the BitLocker team determined that we need to implement additional changes beyond self-tests, such as offering choices to opt-in and opt-out of FIPS-compliance through group policy.

In addition to satisfying government customers’ requirements, another good thing about the validation and certification processes is that it allows an independent set of eyes to look at our crypto algorithms, not only for correct implementation and compliance with the standard, but also for potential weaknesses or avenues of attack.

-- Tony Ureche, Ph.D.

Welcome

BitLocker Team — Sat, 15 Apr 2006 00:51:00 GMT

Welcome to the BitLocker™ Drive Encryption Team blog!

The focus of this blog is to post technical content on a range of topics, but especially how you, our customers, can use BitLocker. Posts will include things like:

Announcements of new documents, articles or updates

Explanations of key BitLocker concepts

BitLocker Tips and tricks
Deployment "gotchas" and how to avoid them
Common issues and lessons learned
How-To's
And other things that you tell you'd like to see. To suggest topics, send us an E-mail at bdebidea@microsoft.com.

We plan to update the blog bi-weekly.

Posts are written by team members who work on different areas of the BitLocker feature. BitLocker is part of the System Integrity group in Windows Security. Logistics are managed by Purna Gathani and Byron Hynes.