In previous versions of BitLocker (Windows Vista and Windows 7), BitLocker provisioning (system and data volumes) was completed after installation, using the BitLocker utility. BitLocker provisioning was done through either the command-line interface (CLI) or Control Panel. In the Windows 8+/Windows Server 2022 version of BitLocker, you can choose to provision BitLocker before the operating system is even installed.
You can enable BitLocker prior to the operating system deployment from the Windows Preinstallation Environment (WinPE). BitLocker is applied to the formatted volume, and BitLocker encrypts the volume prior to running the Windows setup process.
If you want to check the status of BitLocker on a particular volume, you can view the status of the drive either in the BitLocker Control Panel applet or in Windows Explorer.
Used Disk Space–Only Encryption
Windows 7 BitLocker requires that all data and free space on the drive must be encrypted.
Because of this requirement, the encryption process can take a long time on larger volumes. In Windows 10+ BitLocker, you have the ability to encrypt either the entire volume or just the space being used. When you choose the Used Disk Space Only option, only the section of the drive that contains data will be encrypted. Because of this, encryption is completed much faster.
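The following script is an added example, not taken from the book, that turns on used-space-only encryption for a data volume with the BitLocker PowerShell module and then reports the same status the Control Panel applet shows. It assumes the BitLocker feature is installed, the session is elevated, and that D: (a placeholder) is a formatted, still-unencrypted volume; the Get-BitLockerSummary helper is this example's own.

```powershell
# Added example (not the book's code): used-space-only BitLocker on a data volume.
# Assumes an elevated session with the BitLocker feature installed; D: is a placeholder.
# In WinPE, where this module is not available, the same pre-provisioning step is
#   manage-bde -on C: -UsedSpaceOnly
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'D:'
)

Import-Module BitLocker

function Get-BitLockerSummary {
    # Helper defined for this example: one-line view of a volume's BitLocker state.
    param([string]$MountPoint)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint           = $v.MountPoint
        VolumeStatus         = $v.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        EncryptionPercentage = $v.EncryptionPercentage
        EncryptionMethod     = $v.EncryptionMethod
        ProtectionStatus     = $v.ProtectionStatus    # Off until a key protector is active
        KeyProtectors        = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

$before = Get-BitLockerSummary -MountPoint $MountPoint
if ($before.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is already $($before.VolumeStatus); nothing to do."
}

# -UsedSpaceOnly encrypts only allocated clusters, so a mostly empty volume finishes
# in minutes rather than hours. A recovery password protector is created in the same
# call so the volume is never locked without a way back in.
Enable-BitLocker -MountPoint $MountPoint `
    -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly `
    -RecoveryPasswordProtector | Out-Null

# Escrow the recovery password in AD DS (needs a domain-joined machine and the
# matching backup GPO) and record which protector went there.
$rp = Get-BitLockerVolume -MountPoint $MountPoint |
      Select-Object -ExpandProperty KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
Write-Host "Recovery password ID $($rp.KeyProtectorId) backed up to AD DS."

# Poll until encryption completes, then print the finished state.
do {
    Start-Sleep -Seconds 10
    $now = Get-BitLockerSummary -MountPoint $MountPoint
    Write-Host ("{0}: {1}% ({2})" -f $now.MountPoint, $now.EncryptionPercentage, $now.VolumeStatus)
} while ($now.VolumeStatus -eq 'EncryptionInProgress')

$now | Format-List
```

Used-space-only encryption leaves previously deleted data in unallocated clusters unencrypted, so it is the right choice for a freshly formatted volume (the WinPE pre-provisioning case) and the wrong one for a drive that already held sensitive files; for the latter, omit -UsedSpaceOnly and accept the longer run.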
Standard User PIN and Password Change
One issue that BitLocker has had in the past is that you need to be an administrator to configure BitLocker on operating system drives. This could become an issue in a large organization because deploying TPM + PIN to a large number of computers can be challenging.
Even with the new operating system changes, administrative privileges are still needed to configure BitLocker, but now your users have the ability to change the BitLocker PIN for the operating system or change the password on the data volumes.
When a user gets to choose their own PIN and password, they normally choose something that has meaning to them and something that is easy to remember. That is a good and a bad thing at the same time. It’s a good thing because when your users choose their own PIN and password, they normally don’t need to write it down—they just know it. It’s a bad thing because if anyone knows the user well, they can have an easier time figuring out the person’s PIN and password. Even when you allow your users to choose their own PIN and password, make sure you set a GPO to require password complexity.
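As an added example (not from the book), the script below audits the policy values behind the self-service PIN scenario and the complexity requirement just mentioned, and then shows the command a standard user runs to change the startup PIN. It reads the registry values that the BitLocker policy template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE; the value names (MinimumPIN, UseEnhancedPin, DisallowStandardUserPINReset, FDVPassphraseComplexity, FDVPassphraseLength), the assumed meaning of FDVPassphraseComplexity = 1 as "require complexity", and the thresholds chosen are this example's assumptions, to be checked against the VolumeEncryption.admx shipped with your build.

```powershell
# Added example (not the book's code): audit BitLocker PIN/password policy and show
# the standard-user PIN change. Registry names and the "1 = require complexity"
# mapping are assumptions; confirm them against your build's VolumeEncryption.admx.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyValue {
    # Returns the policy value, or $null when the setting is "Not configured".
    param([string]$Name)
    try { (Get-ItemProperty -Path $fve -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-BitLockerPinPolicy {
    $findings = @()

    # "Configure minimum PIN length for startup": 4..20; this example treats < 6 as weak.
    $minPin = Get-PolicyValue 'MinimumPIN'
    if ($null -eq $minPin -or $minPin -lt 6) {
        $shown = if ($null -eq $minPin) { 'not configured' } else { $minPin }
        $findings += "MinimumPIN is $shown; set it to 6 or more."
    }

    # "Allow enhanced PINs for startup": lets users pick letters and symbols, not only digits.
    if ((Get-PolicyValue 'UseEnhancedPin') -ne 1) {
        $findings += 'UseEnhancedPin is not enabled; PINs are limited to digits.'
    }

    # "Disallow standard users from changing the PIN or password": when set, only
    # administrators can change PINs, which defeats the self-service scenario.
    if ((Get-PolicyValue 'DisallowStandardUserPINReset') -eq 1) {
        $findings += 'DisallowStandardUserPINReset is 1; standard users cannot change their PIN.'
    }

    # "Configure use of passwords for fixed data drives": complexity and length.
    $complexity = Get-PolicyValue 'FDVPassphraseComplexity'
    $length     = Get-PolicyValue 'FDVPassphraseLength'
    if ($complexity -ne 1) {
        $findings += 'FDVPassphraseComplexity is not 1; data-drive passwords need not be complex.'
    }
    if ($null -eq $length -or $length -lt 8) {
        $shown = if ($null -eq $length) { 'not configured' } else { $length }
        $findings += "FDVPassphraseLength is $shown; require 8 or more."
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-BitLockerPinPolicy | Format-List

# What the end user runs once policy allows it (no elevation needed); manage-bde
# prompts for the current PIN and the new one interactively:
#   manage-bde -changepin C:
# The equivalent for a password-protected data volume:
#   manage-bde -changepassword D:
```

The policy values are only meaningful for the data volumes and startup PINs they govern; run the audit on a machine that has received the GPO, since a workgroup machine will report everything as not configured.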
Network Unlock
One of the features of BitLocker is Network Unlock. Network Unlock allows you to easily manage desktops and servers that are configured to use BitLocker. Network Unlock allows you to configure BitLocker to automatically unlock an encrypted hard drive during a system reboot when that hard drive is connected to your trusted corporate environment. For this to function properly on a machine, there has to be a DHCP driver implementation in the system’s firmware.
If your operating system volume is also protected by TPM + PIN, you still have to enter the PIN at the time of the reboot. That protection can make Network Unlock harder to use, but the two can be used in combination.
Support for Encrypted Hard Drives for Windows
One of the new advantages of using BitLocker is Full Volume Encryption (FVE). BitLocker provides built-in encryption for Windows data files and Windows operating system files. The advantage of this type of encryption is that encrypted hard drives that use Full Disk Encryption (FDE) get each block of the physical disk space encrypted. Because each physical block gets encrypted, it offers much better encryption. The only downside is that because each physical block is encrypted, it degrades the hard drive speed somewhat. So, as an administrator, you have to decide whether you want better speed or better security on your hard disk.
In Exercise 11.12, you will enable BitLocker on the Windows Server 2022 system.
EXERCISE 11.12
Enabling BitLocker in Windows Server 2022
- Open Server Manager by clicking the Server Manager icon or running servermanager.exe.
- Select Add Roles And Features from the dashboard.
- Select Next in the Before You Begin pane (if shown).
- Select role-based or feature-based installation and click Next to continue.
- Select the Select A Server From The Server Pool option and click Next.
- At the Select Server Roles screen, click Next.
- At the Select Features screen, click the BitLocker Drive Encryption check box. When the Add Roles and Features dialog box appears, click the Add Features button. Then click Next.
- Click the Install button in the Confirmation pane of the Add Roles And Features Wizard to begin BitLocker feature installation. The BitLocker feature requires a restart to complete. Selecting the Restart The Destination Server Automatically If Required option in the Confirmation pane will force a restart of the computer after installation is complete.
- If the Restart The Destination Server Automatically If Required option is not selected, the Results pane of the Add Roles And Features Wizard will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
You also can install BitLocker by using the Windows PowerShell utility. To install BitLocker, use the following PowerShell commands:
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
Using EFS Drive Encryption
If you have been in the computer industry long enough, you may remember the days when only servers used NTFS. Years ago, most client systems used FAT or FAT32, but NTFS had some key benefits over FAT/FAT32. The main advantages were NTFS security, quotas, compression, and encryption. Encryption is available on a system because you are using a file structure (for example, NTFS) that allows encryption. Windows Server 2022 NTFS allows you to use these four advantages, including encryption.
Encrypting File System (EFS) allows a user or administrator to secure files or folders by using encryption. Encryption employs the user’s security identifier (SID) to secure the file or folder. Encryption is the strongest protection that Windows provides to help you keep your information secure. Some key features of EFS are as follows:
■ Encrypting is simple; just select a check box in the file or folder’s properties to turn it on.
■ You have control over who can read the files.
■ Files are encrypted when you close them but are automatically ready to use when you open them.
■ If you change your mind about encrypting a file, clear the check box in the file’s properties.
To implement encryption, open the Advanced Attributes dialog box for a folder and check the Encrypt Contents To Secure Data option.
If files are encrypted using EFS and you have to unencrypt the files, there are two ways you can do this. You can log in using the user’s account (the account that encrypted the files) and unencrypt the files using the cipher command. Alternatively, you can become a recovery agent and manually unencrypt the files.
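The script below is an added example, not the book's, that walks through the EFS steps described above from the command line: it encrypts a folder (the equivalent of ticking Encrypt Contents To Secure Data), verifies the Encrypted attribute, lists the certificates that can decrypt a file, decrypts as the owning user with cipher, and finally generates a recovery-agent certificate with cipher /r for the recovery-agent path. The EfsDemo folder, the sample file and the Test-EfsEncrypted helper are constructed for this example; run it as the user who owns the data, on an NTFS volume.

```powershell
# Added example (not the book's code): EFS encrypt / verify / inspect / decrypt with
# cipher.exe, then create a recovery agent key pair. Paths and the sample file are
# constructed placeholders; requires NTFS and a user with an EFS certificate.
$folder = Join-Path $env:USERPROFILE 'EfsDemo'
$file   = Join-Path $folder 'secret.txt'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample content'

function Test-EfsEncrypted {
    # Helper for this example: EFS sets the Encrypted attribute on every file it
    # encrypts (and on folders, where it means "encrypt new files created here").
    param([string]$Path)
    (Get-Item -Path $Path -Force).Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)
}

# Same effect as the Advanced Attributes check box: /e encrypts, /s: recurses into
# the directory, /a applies to files as well as directories.
cipher.exe /e "/s:$folder" /a | Out-Null
if (-not (Test-EfsEncrypted $file)) {
    throw 'EFS encryption did not take effect (non-NTFS volume, or EFS disabled by policy?)'
}

# Who can open the file: the encrypting user's EFS certificate, plus any data
# recovery agent (DRA) certificate pushed by Group Policy. /c reads the file's
# EFS metadata and prints the thumbprints.
cipher.exe /c $file

# Decrypt as the user who encrypted it (/d). A recovery agent runs the same command
# while logged on with the DRA private key available.
cipher.exe /d "/s:$folder" /a | Out-Null
Write-Host "Encrypted attribute still set after /d: $(Test-EfsEncrypted $file)"

# Recovery agent setup: /r: writes EfsRecovery.cer and EfsRecovery.pfx next to the
# given path and prompts for a password to protect the .pfx. Import the .cer into
# the domain GPO under Public Key Policies > Encrypting File System as a DRA; keep
# the .pfx offline. Files encrypted before the DRA was published only pick it up
# after "cipher /u" (update) runs on them.
cipher.exe "/r:$(Join-Path $env:USERPROFILE 'EfsRecovery')"
```

The Encrypted attribute check is what to script across a fleet: a file whose attribute is set but whose cipher /c output lists no recovery agent is one that only the user's own certificate can open, which is exactly the case the recovery-agent path exists to prevent.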