BitLocker Enhancements in Windows Server 2012 and Windows 8 (Part 2) - Cluster Share Volume Support
If you would like to read the other parts in this series please go to
In Part 1 of this series, we started a review of the new features and functionalities that Microsoft has added to BitLocker Drive Encryption in Windows Server 2012 and the Windows 8 client, which make BitLocker an even more useful security mechanism for protecting enterprise servers, as well as desktops and mobile devices running Windows 8 Pro. We've already discussed support for self-encrypting hard drives and the new Network Unlock feature. In Part 2, we'll take a look at two more important new features: used disk space only mode and preprovisioning of BitLocker.
Used disk space only encryption
In previous versions of BitLocker, if you wanted to implement BitLocker on a volume, you had to encrypt all the data and all the free space on that volume. That's the most secure option (since any data that might have been on the disk and then deleted is still there and could be recovered by the proper forensics tools). However, with a large volume, this makes the encryption process take a very long time, and if the drive is a new one with no pre-existing data, it's not necessary.
In Windows 8 and Server 2012, there is an additional option to encrypt only the "used space" (the part of the volume on which accessible data is stored). That speeds up the process significantly on drives that have a large amount of empty space. You can also still choose to encrypt the entire volume (this selection is called "full encryption") and should choose that option if there is deleted data on the drive that might be sensitive.
When you set up BitLocker using the BitLocker setup wizard, you are given the option to select either full encryption or used disk space only encryption, on the "Choose how much of your drive to encrypt" page, as shown in Figure 1.
BitLocker will encrypt the volume in the background while you work.
Using Manage-bde to set the encryption type
If you prefer to use the command line interface, you can also select the encryption type when you use the Manage-bde tool to encrypt a volume with BitLocker. The default is full encryption so if you use the manage-bde –on <drive letter>: command to turn BitLocker on, it will encrypt the entire volume.
To encrypt used disk space only, use the following command:
manage-bde –on –used <drive letter>:
If you are encrypting an operating system on a computer that has a TPM chip, the TPM-only protector will be added automatically. If the system doesn't have a TPM, you need to tell BitLocker what type of protector to use. The protector is the method used to protect the encryption, such as a password, PIN or USB startup key. You can add one of the following parameters to the command:
If the volume you're encrypting is a data volume, you need to specify the appropriate protector before the volume will be protected. You can check the status with Manage-bde using the following command:
Manage-bde –status <drive letter>:
This shows the size of the volume, the version of BitLocker being used, the conversion status (full or used space only encrypted), the percentage of the drive that is encrypted, the encryption method (e.g., AES 128), whether automatic unlock is enabled or disabled, the key protectors (e.g., password), and the protection status (off or on).
When you encrypt a data volume, Manage-bde will show the status as "protection off" until you add a protector, and in the BitLocker control panel, it will be shown as "waiting for activation." In this case, to add a protector, use the command:
Manage-bde –protectors –add –pw <drive letter>:
This adds a password protector for the data volume.
You can also set the encryption type using PowerShell if you prefer that interface. You'll need to use the Enable-BitLocker cmdlet with the –UsedSpaceOnly parameter. And as with Manage-bde, you'll need to add protectors, using the Add-BitLockerKeyProtector cmdlet.
New Group Policy settings to force type of encryption
In the enterprise environment, administrators may want to force one type of encryption or the other. More often, you would want to force full encryption to prevent leakage of data that had been previously deleted, but you can also force used disk space only encryption to ensure the process always completes as quickly as possible.
To force an encryption type through Group Policy, navigate in the Group Policy Editor for the appropriate GPO (domain computer policy) to
Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption
Select the folder for the type of drive on which you want to enforce the encryption type policy: fixed data drives, operating system drives, or removable data drives. Then in the right pane, scroll down to find the policy Enforce drive encryption type on <type of drive> as shown in Figure 2.
When you enable this policy, you can set it to one of the following options:
Allow the user to choose (which is default if the policy is not configured)
Used disk space only
The policy will be applied subsequently when BitLocker is enabled on a volume. The policy will not have any effect on volumes that are already encrypted with BitLocker. If you force full encryption or used disk space only encryption, then when the BitLocker setup wizard is run, the option to choose an encryption type will not be available.
Here's another new BitLocker feature that is aimed at the enterprise: the ability to preprovision BitLocker – to provision it prior to the installation of the operating system. Windows 7 already brought us the ability to prepare the drive partitions for BitLocker during installation, and Windows 8/Server 2012 allows you to go a step further.
You enable BitLocker prior to the OS installation from the Windows Pre-installation Environment (WinPE). One way to do this is with the Manage-bde tool. You would use the same command that you use when provisioning BitLocker via the command line after the OS is installed:
manage-bde –on <drive letter>:
The problem with this is that by default, WinPE doesn't include the Manage-bde utility, nor does it have WMI objects used by Manage-bde, so you'll need to create a custom WinPE image and add the WinPE-WMI and WinPE-SecureStartup elements. For instructions on how to do that, see the TechNet article titled Building a Windows PE Image with Optional Components.
It's a good idea to use the Used Disk Space only encryption option, which will speed up the entire process, assuming the disk is empty in preparation for OS installation. A clear key protector will be randomly generated and the volume will be encrypted prior to the Windows setup procedure. As you might guess from the term "clear," this key is stored on the disk in a less-than-secure state. You'll need to activate BitLocker (via the BitLocker control panel in the GUI, using PowerShell or using Manage-bde) and specify an unlock method in order to protect the key for the volume that was preprovisioned. The unlock method can be TPM only, TPM + PIN, TPM + Startup key, TPM + PIN + Startup key, Startup key only, password, smart card or automatic unlock, depending on the type of volume (operating system or data) and the configuration of the computer (with or without a TPM chip). The first five unlock options are applicable to OS volumes, and the last three are applicable to data drives.
Preprovisioning with SCCM
You can also use System Center Configuration Manager 2012 SP1 to preprovision BitLocker in WinPE 4. You'll need to make sure Active Directory is prepared for BitLocker beforehand. Assuming you're running Windows Server 2003 SP1 or above, you will be able to save the BitLocker recovery key in Active Directory Domain Services. To do this, you use AdsiEdit. Then you create a BitLocker Policies GPO on the Active Directory domain controller (you will need to be logged in as a domain admin to do this). Finally, you create the new deploy task sequence with BitLocker enabled on the SCCM server. You can find the step by step directions for doing this, with screenshots, at this link.
This creates a step called "preprovision BitLocker" but the task will not run by default if the computer doesn't have a TPM chip, or if the TPM has not been enabled. After you install Windows 8, you'll need to activate BitLocker. Until you do so, the status will be displayed in the BitLocker control panel as "waiting for activation."
Two important new features for BitLocker in Windows 8 and Server 2012 are the ability to encrypt used disk space only, instead of the entire volume, and the ability to preprovision BitLocker on a computer before the operating system is installed. This article took a closer look at each of these features. In Part 3, we'll discuss cluster shared volume support and the ability of standard users to change their PINs.