Bitlocker

strawgate edited this page May 3, 2016 · 2 revisions
Clone this wiki locally

Overview

Bitlocker is the encryption technology developed by Microsoft and embedded in every recent enterprise release of the Windows Operating System.

To implement Bitlocker using C3 Protect you must follow the following steps:

  • Enable the TPM Analyses
  • Enable and own the Trusted Platform Module
  • Enable Bitlocker Probes Policy Action
  • Push Bitlocker Encryption to Endpoints

C3-Protect Implementation Caveats

  • Bitlocker with only the TPM + Recovery Key is not the most secure implementation of BitLocker. Though it is the most user friendly implementation. Consider implementing other key protectors for privileged workstations (pin, fob, etc).
  • A personal recovery key will be used to enable encryption on the endpoint. The personal key will be stored on the encrypted disk. This key is trivially available via both Powershell and WMI so the key existing in n system/admin only directory on an encrypted disk is not of concern given that any administrator of the endpoint can dump the recovery key.

Implementation

Enable the TPM Analyses

The following analyses in the C3 Protect site should be enabled:

  • TPM - Ownership Authorization - Windows

The following analyses in the C3 Inventory site should be enabled:

  • TPM - Windows

Enable and own the Trusted Platform Module

Enabling the TPM often requires entering the system bios. The C3 inventory site provides automated tools to perform this action for Dell hardware. For hardware from other vendors you may have to enable it on an individual basis. Once the TPM is enabled in hardware we can enable it in software with Fixlet: Invoke - Provision Trusted Platform Module - Windows.

For Dell Hardware you can enable the TPM using Fixlet: Config - Dell Command | Configure Trusted Platform Module - Activate if Dell Command | Configure is installed.

Enable Bitlocker Probes Policy Action

Action the following Fixlets as policy actions:

  • Invoke - Bitlocker Recovery Password Probe - Windows
  • Invoke - Bitlocker Configuration Probe - Windows

These should be actioned to reapply whenever relevant waiting whatever time span you consider to be an acceptable age of the data regarding Bitlocker. The system impact for these fixlets is minimal so applying daily is fine.

You can also apply them more frequently for newly provisioned machines and less frequently for existing machines (a machines encryption status is most likely to change within the first couple of days of being provisioned)

Push Bitlocker Encryption to Endpoints

Once the pre-requisites are met (TPM is enabled in Hardware and Software) you can enable Bitlocker on the endpoint by actioning Fixlet: Invoke - Bitlocker Encrypt System Volume - Windows against endpoints you wish to encrypt.

Once encryption has started, and after the Recovery Password Probe has run again, the recovery key will be available to BigFix administrators.

Warnings

A small number of warning fixlets are available in the C3-Protect site for potential configuration issues. If you see these relevant in your environment please carefully consider the description of the fixlet and take appropriate action.