Welcome to the US SMB&D TS2 Team Blog

Helping partners understand the value of Microsoft solutions.

What are the Top Issues for Bitlocker?

Rob Waggoner


Q: (from Anthony)

I want to know the top issues (problems) in BitLocker and their solutions.  What should I be aware of from an architectural perspective as well?

 

A:

I’ve spent a lot of time with BitLocker and I think it has addressed a big need in our industry.  With that said, of course BitLocker requires planning, and it has some unique concerns we need to be aware of. 

From an architectural perspective, there are a few things we need to consider, and a few past articles set the stage for the value of BitLocker. Instead of duplicating all of that here, I’ve listed the key articles you should review.

  1. How do I use Active Directory for backup of BitLocker Drive Encryption recovery information?
  2. Windows Trusted Platform Module Management Step-by-Step Guide
  3. How can I tell if my BIOS supports BitLocker Drive Encryption?
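As an added example (not part of the original post or of any Microsoft tool), here is a readiness check that answers the TPM and BIOS questions from the list above before you plan a rollout: is this an edition that ships BitLocker, and is a TPM present, enabled, activated and owned? It reads the Win32_Tpm WMI class, which lives in the MicrosoftTpm namespace on Windows Vista and later and needs an elevated prompt. The edition match is scoped to the Windows Vista / 7 / Server 2008 generation this post covers; later client releases also include BitLocker in Pro.

```powershell
# Added example, not from the original post: BitLocker readiness check.
# Requires an elevated PowerShell prompt (the TPM WMI provider refuses
# non-administrators). Edition logic is for the Vista/7/2008 generation.
function Get-BitLockerReadiness {
    $os = Get-WmiObject Win32_OperatingSystem
    # Client: only Ultimate and Enterprise ship BitLocker in this generation.
    # Server: every edition has it as an installable feature.
    $editionOk = [bool]($os.Caption -match 'Ultimate|Enterprise|Server')

    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue

    $report = New-Object PSObject -Property @{
        OperatingSystem          = $os.Caption
        EditionSupportsBitLocker = $editionOk
        TpmPresent               = ($tpm -ne $null)
        TpmSpecVersion           = $null
        TpmEnabled               = $false
        TpmActivated             = $false
        TpmOwned                 = $false
        ReadyForTpmProtector     = $false
    }

    if ($tpm) {
        # Each Win32_Tpm query method returns an object carrying a boolean
        # property of the same name (IsEnabled().IsEnabled and so on).
        $report.TpmSpecVersion = $tpm.SpecVersion
        $report.TpmEnabled     = [bool]$tpm.IsEnabled().IsEnabled
        $report.TpmActivated   = [bool]$tpm.IsActivated().IsActivated
        $report.TpmOwned       = [bool]$tpm.IsOwned().IsOwned
        # Present but disabled or deactivated is a BIOS/UEFI setting, not a
        # Windows one: that is the "does my BIOS support BitLocker" question.
        # Ownership is not required here; BitLocker setup takes ownership itself.
        $report.ReadyForTpmProtector = $editionOk -and $report.TpmEnabled -and $report.TpmActivated
    }
    # No TPM at all is not fatal: the policy "Require additional authentication
    # at startup" allows a USB startup key instead of a TPM protector.
    return $report
}

Get-BitLockerReadiness | Format-List OperatingSystem, EditionSupportsBitLocker, TpmPresent, `
    TpmSpecVersion, TpmEnabled, TpmActivated, TpmOwned, ReadyForTpmProtector
```

If TpmPresent is true but TpmEnabled or TpmActivated is false, the fix is in firmware setup, not in Windows; the TPM management guide linked above walks through clearing and initializing it once the BIOS has turned it on.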

 

As far as problems with BitLocker go, the biggest one I’ve seen in past issues is that the recovery key is not properly archived.  Without that key, your data is lost in the event of a failure.  With the recovery key, BitLocker will not hinder the recovery of data from a hard drive, because the volume can be unlocked on another computer and then treated like any other disk.  If your computer is a member of Active Directory, archiving the key is straightforward: configure the Group Policy that stores BitLocker recovery information in AD DS before you enable BitLocker, and make sure the domain supports it (Windows Server 2008 domain controllers do; Windows Server 2003 needs the schema extension described in the first article above).  If your computer is not part of AD, you need to take some additional steps: either 1) print the recovery key(s) and store them in a safe place, or 2) save the recovery key to a USB thumb drive and store the thumb drive in a safe place.  In both cases, keep the printout or drive somewhere other than the laptop bag it travels in.

We also have the BitLocker Repair Tool (repair-bde), and instructions for it are linked from the documentation.  The Repair Tool is included with Windows 7 and Windows Server 2008 R2; for Windows Vista and Windows Server 2008 it is a separate download.  Take note that the Repair Tool will not recover a recovery key from a failed drive: it needs the recovery key or recovery password to reconstruct data from a damaged volume.

 

I found a great article on the BitLocker architecture:

http://technet.microsoft.com/en-us/library/cc732774(WS.10).aspx#BKMK_SystemDesign

It’s part of the overall BitLocker Drive Encryption Technical Overview, located here.

 

Here is a great FAQ on BitLocker, I think this article will address the majority of your concerns.

BitLocker Drive Encryption in Windows 7: Frequently Asked Questions

While all of this information is very useful as you architect your BitLocker solution, please pay special attention to these questions and responses in the FAQ:

Is the BitLocker recovery information stored in plaintext in AD DS?

Yes, the recovery information is stored unencrypted in AD DS, but the entries have access control lists (ACLs) that limit access to only domain administrators.

What if BitLocker is enabled on a computer before the computer has joined the domain?

If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. (read on: this can be mitigated by backing up the recovery information manually once the computer has joined the domain)…

Is Microsoft pursuing any security certification for BitLocker?

BitLocker Drive Encryption in Windows Vista has Federal Information Processing Standard (FIPS) 140-2 certification. BitLocker is included in the Common Criteria (EAL4+) certification process for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?

Yes, if the drive is a data drive, you can unlock it from the BitLocker Drive Encryption Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. If it is an operating system drive mounted on another computer running Windows 7, the encrypted hard disk can be unlocked by a data recovery agent if one was configured or it can be unlocked by using the recovery key.

If I lose my recovery information, will the BitLocker-protected data be unrecoverable?

BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. Therefore, we highly recommend that you store the recovery information in AD DS or in another safe location.

When it comes to recovering a hard drive after some type of hardware failure…  Simply put, if you don’t have your recovery key, all you have left is a hard drive ready to be reformatted!
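As an added example (not part of the original post or of any Microsoft tool), the following script turns the archiving advice above and the FAQ’s "enabled before the domain join" mitigation into a repeatable procedure: it makes sure the volume has a numerical recovery password protector, archives it to AD DS on a domain-joined machine (or to a file on removable media on a workgroup machine), and then reads the archived object back out of AD to prove the backup landed. It drives manage-bde.exe (Windows 7 / Server 2008 R2 and later) and plain ADSI, so no RSAT module is needed. Assumptions, all of them parameters rather than facts from the post: C: is the BitLocker volume, F:\ is a USB stick that will go into a safe, and the domain already supports the msFVE-RecoveryInformation objects described in the first article above.

```powershell
# Added example, not from the original post: ensure, archive and verify a
# BitLocker recovery password. Run from an elevated PowerShell prompt.
param(
    [string]$Volume = 'C:',      # assumption: the BitLocker OS volume
    [string]$ExportPath = 'F:\'  # assumption: removable media kept in a safe
)

function Invoke-ManageBde {
    # Runs manage-bde with the given arguments and fails loudly on a non-zero exit code.
    param([string[]]$Arguments)
    $output = & "$env:SystemRoot\System32\manage-bde.exe" @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ('manage-bde {0} failed: {1}' -f ($Arguments -join ' '), ($output -join ' '))
    }
    return $output
}

function Get-RecoveryPasswordProtectors {
    # Parses 'manage-bde -protectors -get'. Every protector prints an 'ID: {GUID}'
    # line; a numerical password protector then prints the 48-digit password on a
    # line of its own, so the most recently seen ID belongs to that password.
    param([string]$Volume)
    $protectors = @()
    $lastId = $null
    foreach ($line in (Invoke-ManageBde @('-protectors', '-get', $Volume))) {
        if ($line -match '^\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})') { $lastId = $Matches[1]; continue }
        if ($line -match '^\s*(\d{6}(?:-\d{6}){7})\s*$') {
            $protectors += New-Object PSObject -Property @{ Id = $lastId; Password = $Matches[1] }
        }
    }
    return $protectors
}

function Get-ArchivedRecoveryPasswords {
    # Reads the msFVE-RecoveryInformation children of this computer's AD object.
    # The FAQ is right that they are stored in the clear: this read only succeeds
    # for a domain admin or a principal explicitly delegated read access to them.
    $filter = '(&(objectClass=computer)(sAMAccountName={0}$))' -f $env:COMPUTERNAME
    $computer = ([ADSISearcher]$filter).FindOne()
    if (-not $computer) { throw "No computer object for $env:COMPUTERNAME found in AD DS" }
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = $computer.GetDirectoryEntry()
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    [void]$searcher.PropertiesToLoad.Add('msFVE-RecoveryPassword')
    return @($searcher.FindAll() | ForEach-Object { $_.Properties['msfve-recoverypassword'][0] })
}

# 1. Ensure at least one recovery password protector exists on the volume.
$existing = @(Get-RecoveryPasswordProtectors $Volume)
if ($existing.Count -eq 0) {
    [void](Invoke-ManageBde @('-protectors', '-add', $Volume, '-RecoveryPassword'))
    $existing = @(Get-RecoveryPasswordProtectors $Volume)
}

# 2. Archive it. -adbackup performs the same write Group Policy does automatically,
#    which is why it also fixes the "enabled before the domain join" case.
$domainJoined = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
foreach ($p in $existing) {
    if ($domainJoined) {
        [void](Invoke-ManageBde @('-protectors', '-adbackup', $Volume, '-id', $p.Id))
    } else {
        $file = Join-Path $ExportPath ('BitLocker Recovery Key {0}.txt' -f ($p.Id -replace '[{}]', ''))
        @("Identifier: $($p.Id)", "Recovery password: $($p.Password)") | Set-Content -Path $file
        Write-Host "Recovery password $($p.Id) written to $file; store that media in a safe."
    }
}

# 3. Verify: every local recovery password must now be readable back from AD DS.
if ($domainJoined) {
    $archived = Get-ArchivedRecoveryPasswords
    $missing = @($existing | Where-Object { $archived -notcontains $_.Password })
    if ($missing.Count -gt 0) {
        throw ('Not archived in AD DS: ' + (($missing | ForEach-Object { $_.Id }) -join ', '))
    }
    Write-Host ('{0} recovery password(s) for {1} confirmed in AD DS' -f $existing.Count, $Volume)
}
```

The verification step is deliberately a read from the directory rather than trusting manage-bde’s exit code: a failure there, on a machine where the backup command succeeded, means either the caller is not in the domain-admin ACL the FAQ describes or the write went to an object the caller cannot see, and both are worth knowing before a disk fails.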

We also have a newer tool, Microsoft BitLocker Administration and Monitoring (MBAM), part of the Microsoft Desktop Optimization Pack, which simplifies the provisioning and deployment of BitLocker, escrows recovery keys centrally and reports on encryption compliance.

http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx

 

I hope this helps.

Until next time,
Rob

 

Comments
  • Sir, I need your help.

    My external hard disk drive is locked with BitLocker Drive Encryption; I lost my password and recovery key too. My HDD contains lots of important data which is necessary for me; I do not want to delete the data. Kindly help me with unlocking the HDD.

    Please, please.

    Please mail me if there is any solution to this problem.

    My email id: karanraj6342@gmail.com

  • I had the password and recovery key, but while decrypting I shut down my laptop; now it's not working. Please help.

  • One of the biggest issues with BL is the horror of BitLocking an HDD which in turn has a hardware failure... completely screwed.

  • Dear Sir,

    I do not have BitLocker in Windows 7 Professional. Please tell me its solution.

    My email id: mtahir_tahir62@yahoo.com

  • John the Ripper is the solution. Google that, nuff said.

  • What about when I copied (not pushed) just one file (archive.pst) through the network to another PC? I have the recovery key but cannot encrypt only one file with it?

  • Sir, I forgot my BitLocker password and unfortunately formatted the C drive where the recovery key was stored.

    Though I found my recovery key through cmd, I am not able to type or paste the alphabetical letters in the recovery key panel.
    I require your help with some effective solutions, please.

    Regards,
    Mayank Mukul Joshi
    Email: mayankjoshi40@gmail.com

  • Kutta
