IT Channel.com
Securing Windows Server 2008: Installing and turning on BitLocker
By null
Service provider takeaway:This section of the chapter excerpt titled "Microsoft Windows Server 2008: Data Protection" is taken from the book Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization. The chapter excerpt provides a step-by-step approach for installing, configuring and turning on BitLocker.
Download the .pdf of the "Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization" chapter here.
Installing BitLocker on Windows Server 2008
As we already mentioned, BitLocker is a Feature of Windows Server 2008 and is not installed by default. To install BitLocker you use Server Manager as you would with all other roles and features. Be aware that a restart is required after installation. You can also install BitLocker from the command line by typing ServerManagerCmd -install BitLocker --restart.
Here are the steps to follow to install Bitlocker on Windows Server 2008.
1. Log on as an administrator.
2. Click Start | Administrative Tools | Server Manager.
3. Scroll down to Feature Summary; click Add Features.
4. On the Select Features page, choose BitLocker Drive Encryption and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. When installation is complete, click Close.
7. In the Do you want to restart Window click Yes.
Turning on and Configuring BitLocker
After installing the BitLocker Feature on your Server and rebooting the system, you need to turn on BitLocker via a Control Panel applet. Make sure you are logged on as an administrator on the system and you have decided where to store the recovery password. In case your computer does not have a Trusted Platform Module (TPM) or the TPM is not supported, you will receive a warning.
Here are the steps to follow for turning on BitLocker.
1. Log on as an administrator.
2. Click Start, click Control Panel, and then click BitLocker Drive Encryption.
3. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.
4. On the BitLocker Drive Encryption Platform Check dialog box click Continue with BitLocker Drive Encryption.
5. If your TPM is not initialized already, you will see the Initialize TPM Security Hardware screen.
6. On the Save the recovery password page, click Save the password on a USB drive.
7. On the Save a Recovery Password to a USB Drive box, select your USB drive and click Save.
8. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check checkbox is selected, and then click Continue.
9. Confirm that you want to reboot.
During the reboot phase, BitLocker verifies the system and makes sure it is ready for encryption. After rebooting the system, you should log back on to the system and verify that the Encryption in Progress status bar is displayed in the BitLocker Control Panel applet. In case your system cannot be enabled for BitLocker, an error message pops up during logon.
Turning on Bitlocker for Data Volumes
Now we'll show you how to turn on BitLocker for data volumes.
1. Log on as an administrator.
2. Click Start, click All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt type manage-bde --on
4. At the command prompt type manage-bde --autounlock --enable
Configuring BitLocker for TPM-Less Operation
The following steps configure your computer's Group Policy settings to turn on BitLocker on systems without a TPM.
1. Logon as an administrator.
2. Click Start, click Run, type gpedit.msc in the open box, and then click OK.
3. In the Local Group Policy Editor console tree, click Local Computer Policy, click Administrative Templates, click Windows Components, and then click BitLocker Drive Encryption.
4. Double-click the setting Control Panel Setup: Enable Advanced Startup Options.
5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and then click OK.
Turning on BitLocker on Systems without a TPM
Turning on BitLocker on systems without a TPM is similar to the normal activation process. Make sure you have a USB flash drive available to store the startup key.
1. Log on as an administrator.
2. Click Start, click Control Panel, and then click BitLocker Drive Encryption.
3. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.
4. On the BitLocker Drive Encryption Platform Check dialog box click Continue with BitLocker Drive Encryption.
5. On the Set BitLocker startup preferences page select Require Startup USB key at every startup.
6. On the Save your Startup Key page select your USB drive from the list and click Next.
7. On the Save the recovery password page, click Save the password on a USB drive.
8. On the Save a Recovery Password to a USB Drive Box, select your USB drive and click Save.
9. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check checkbox is selected, and then click Continue.
10. Confirm that you want to reboot.
About the book
"Securing Windows Server 2008: Prevent Attack from Outside and Inside Your Organization" will teach you how to configure Windows Server 2008 to secure your network, how to use Windows Server 2008 hand-in-hand with Active Directory and Vista and how to understand Server Core. This book also focuses on public key infrastructure management, virtualization, terminal services, Active Directory Domain security changes and certificate management.
Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "Securing Windows Server 2008" by Aaron Tiensivu. For more information about this title and other similar books, please visit Elsevier.
Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization
Securing Windows Server 2008: BitLocker data protection basics
Securing Windows Server 2008: BitLocker authentication and configuration
Securing Windows Server 2008: Installing and turning on BitLocker
Securing Windows Server 2008: BitLocker information storage and administration
18 Aug 2008