Solved

BitLocker on Windows 8, Windows Server 2008 & 2012, SBS2011

Posted on 2014-03-13
Last Modified: 2014-03-27
Hi,
 I successfully enabled BitLocker on Windows 7 Ultimate OS.
 Now I'd like to do the same on Windows 8, Windows Server 2008 & 2012, SBS2011.
 Before I do that, are there things that I should be aware of?
 For example, does only the Windows 8 Professional version come with the BitLocker feature?

 When I tried to enable BitLocker on Windows 2008 Server Std. with one drive/partition yesterday, it said that I had to have two partitions to enable BitLocker. So apparently I need a separate OS partition on top of the data partition even if there is only one hard disk?

 Having seen that message, I just wanted to get some heads-up before attempting to do this on other server operating systems that I manage.
0
Question by:sglee
10 Comments
 
LVL 55

Accepted Solution

by:
McKnife earned 340 total points
ID: 39926699
Hi.

You would not do this without having backups, would you?
Win8 does not feature BitLocker; Win8 Pro and 8 Enterprise do.

When encrypting, an extra partition will get created unless there already is one. On 2008, there was not. On 2008 R2/2012/2012R2/Win8, there already is.

Biggest caveat: please think about what happens after encrypting the servers. How are the keys provided if the servers reboot after nightly updates or eventual crashes? Who provides the key?
0
 

Author Comment

by:sglee
ID: 39926743
@McKnife
Thanks for the information. I understand why I saw that message on W2008 Server now.
I am glad to hear that on 2008 R2/2012/2012R2/Win8, an extra partition will be created as BitLocker is turned on.
Now on "Biggest caveat", it makes total sense. If I leave the USB flash drive that has the recovery key plugged into the servers and if they get stolen, it defeats the purpose of encrypting. On the other hand, if the user takes the USB flash drive out of the server and takes it home, then what happens when the server restarts after the reboot....
It is definitely something to think about...
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 340 total points
ID: 39926762
I have this solved like this:

Possibility A: virtualize the server and encrypt the whole VM machine or, if not possible:
B: put the sensitive data on an extra partition and encrypt it, set the server to auto-unlock itself using a script (using manage-bde.exe, the BitLocker command line tool). That script of course lies on another, physically secured server. So if the server gets stolen: no access to that script, so no data access at all.
0
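One way option B above could look as a boot-time scheduled task, given here as an added example that is not part of the original thread. The share `\\keyserver\bdekeys$`, the key file name, the `D:` drive letter and the log path are assumptions, and the task is assumed to run as SYSTEM with the share readable only by this server's computer account.

```powershell
# Added illustration: unlock a BitLocker data volume with an external key
# that lives only on a separate, physically secured server.
$Volume   = 'D:'                                   # assumed data volume
$KeyShare = '\\keyserver\bdekeys$'                 # hypothetical share on the secured server
$KeyFile  = Join-Path $KeyShare 'datavolume.bek'   # placeholder key file name
$Log      = Join-Path $env:SystemRoot 'Temp\bde-unlock.log'

function Write-Log([string]$Message) {
    Add-Content -Path $Log -Value ("{0}  {1}" -f (Get-Date -Format s), $Message)
}

function Get-LockStatus([string]$DriveLetter) {
    # Win32_EncryptableVolume.GetLockStatus: 0 = unlocked, 1 = locked
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No encryptable volume found for $DriveLetter" }
    return $vol.GetLockStatus().LockStatus
}

try {
    if ((Get-LockStatus $Volume) -eq 0) {
        Write-Log "$Volume is already unlocked"
        exit 0
    }

    # The network may not be up yet at boot, so retry for a while.
    $found = $false
    foreach ($attempt in 1..10) {
        if (Test-Path -LiteralPath $KeyFile) { $found = $true; break }
        Start-Sleep -Seconds 15
    }
    if (-not $found) {
        # Fail closed: without the key server the data volume stays locked.
        Write-Log "Key file not reachable on $KeyShare; $Volume stays locked"
        exit 2
    }

    # The key is read from the share at unlock time and never copied to local disk.
    & manage-bde.exe -unlock $Volume -RecoveryKey $KeyFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or (Get-LockStatus $Volume) -ne 0) {
        Write-Log "manage-bde -unlock failed (exit code $LASTEXITCODE)"
        exit 1
    }
    Write-Log "$Volume unlocked with key read from $KeyShare"
} catch {
    Write-Log "Error: $_"
    exit 1
}
```

Services that depend on the data volume need to start only after this task has completed, and the log on the key server side shows each boot that fetched the key.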

Author Comment

by:sglee
ID: 39926965
@McKnife
Sounds complicated, particularly since I am not familiar with the process.

If the server gets stolen, first, they are protected by the Windows admin password. Secondly, even if the thief takes the hard disks out, they won't be useful because they are part of a disk array in a RAID system. So I don't have to worry too much about the servers ...
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39926990
> So I don't have to worry too much about the servers ...
Sorry, but you don't know what you are talking about. If the thieves have no understanding of Windows, yes, then you won't have to worry. Otherwise... it's very easy to get at the data in minutes. I would stick in a Windows 8.1 To Go and after maybe 5 minutes, I have your data.

The process is not complicated, please feel free to ask for details.
0
 
LVL 30

Expert Comment

by:serialband
ID: 39927622
Physical access is access.
That's why everyone is starting to focus on encryption now.

You can recreate a RAID array.  I've done it before to recover data.
0
 

Author Comment

by:sglee
ID: 39932734
I'd like to try your method as mentioned in ID: 39926762.
Please tell me what OS I need to set up for testing - W2008, W2008R2, W2012.
I will do RAID 1 on a test server.
Would you kindly post detailed steps?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39932760
Ok, I will.

But first you have to decide on A or B, as I mentioned 2 completely different approaches.
0
 

Author Comment

by:sglee
ID: 39932859
How about trying A first?
Do you want me to set up Hyper-V on W2012 Server or VMware ESX V5.1?
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 340 total points
ID: 39933147
If virtualization is possible with that server, why not?
Please be aware that BitLocker is not supported on virtual machines, but it works. Possibly, the reason for the lack of support is that Microsoft developed BL primarily for devices with a TPM chip and until now, a TPM cannot be virtualized. Again: but no problems will arise.

The process is described here for Win7, but is the same on Server 2012: http://blogs.msdn.com/b/mszcool/archive/2010/02/03/bitlocker-in-a-windows-7-guest-running-on-a-hyper-v-r2-environment-or-any-environment-without-a-tpm.aspx

Please note that the floppy file needs to be put to a share of another server that is indeed physically secured, otherwise, what would be the point :)
0
