Get Ready to Deploy BitLocker in Your Organization the Right Way

BitLocker Drive Encryption (BDE, or BitLocker) offers volume-level encryption for data stored on Windows clients and servers. BitLocker protects the data while the Windows system is offline, i.e. when the OS is shut down, and so helps prevent data breaches such as the theft of confidential data on laptop computers. It does not protect data on a running, unlocked system: once a volume is unlocked, every process with access to the drive reads cleartext.

In the first version of BitLocker, which shipped with Windows Vista, only a single volume, the OS drive, could be protected. Microsoft added support for protecting other volumes, including local data volumes, in Vista SP1, and Windows Server 2008 had that support built in at release to manufacturing (RTM). In Windows 7 and Windows Server 2008 R2, Microsoft added BitLocker support for removable data volumes such as memory sticks and external data drives; Microsoft refers to this feature as BitLocker To Go (BTG).

BitLocker is a valuable security add-on to the Windows OS: it saves organizations money because they don't need to invest in third-party disk encryption software. But organizations are often reluctant to implement new security features, primarily because the features lack a proven track record. New cryptographic solutions also bring a certain administrative fear factor for administrators and operators. To give you more BitLocker confidence, this article highlights three critical steps that you must pay special attention to if you are considering deploying BitLocker in your Windows environment.

BitLocker is available in the Ultimate and Enterprise editions of Vista and Windows 7, and in all Server 2008 and Server 2008 R2 editions with the exception of the Itanium editions.

Choose the Right Unlock Method

The strength of the protection BitLocker offers depends to a large extent on the authentication mechanism it uses for unlocking access to a BitLocker-protected drive. In BitLocker terminology, this mechanism is called the unlock method. Before a drive is unlocked, BitLocker validates identification data supplied by the user, by hardware, or by the OS that authorizes it to release the volume key. BitLocker supports unlock methods based on user knowledge of a secret, the presence of a hardware component, software keys, or a combination of these. You select the unlock method when you set up BitLocker.

The available unlock methods differ for OS drives and for fixed or removable data drives. For example, only an OS drive can be protected using a Trusted Platform Module (TPM), a security chip that is part of most of today's PC motherboards. On an OS drive, you can choose one of the following unlock methods:

- TPM only
- startup key only
- TPM + PIN
- TPM + startup key
- TPM + PIN + startup key

The last three offer the best protection, because they combine something the platform has (the TPM) with something the user knows or carries. TPM-only authenticates the platform, not the user: the drive unlocks without any user interaction at boot, so protection then rests entirely on the Windows logon and on the boot integrity checks described below. Unlock methods involving a PIN require the user to enter the PIN at system startup. When a startup key is involved, the user must insert a USB token holding the startup key at startup time.

On a fixed or removable data drive, you can choose one of three unlock methods: password, smart card + PIN, or automatic unlock. For data drives, smart card + PIN offers the strongest protection.

When you use a TPM-based unlock method to protect your OS drive, BitLocker provides, in addition to data encryption, integrity checks of the early boot components at boot time: the TPM releases the key only if the measured boot components match those recorded when BitLocker was set up. On the other hand, using a TPM adds setup and management complexity and overhead. For example, the TPM must be enabled in the BIOS; on most systems, this can only be done after you have defined a BIOS password. The TPM architecture also requires that an owner password be defined before the TPM can be used. The owner password allows clearing and disabling of the TPM and is typically held by a system administrator.

When you consider deploying BitLocker with a TPM, make sure that your computers have a TPM version 1.2 chip and a BIOS that is compatible with TPM version 1.2. To check whether a computer includes an operational TPM chip that can be used for BitLocker, open the TPM Management snap-in (tpm.msc).

Because many organizations still have older computers without a TPM, and you cannot simply add a TPM to a computer, Microsoft included the startup-key-only unlock method for OS drives. To use this unlock method, your users need a USB drive, the computer BIOS must support reading USB devices during startup, and the Group Policy setting "Require additional authentication at startup" must have "Allow BitLocker without a compatible TPM" enabled, otherwise BitLocker refuses to enable this method. For more information on how to set up BitLocker without a TPM, read "Using BitLocker Without a Trusted Platform Module".

When you plan to unlock BitLocker-protected data drives with a smart card, make sure that your users have BitLocker-compatible certificates loaded on their smart cards. To generate these certificates, you can use a certification authority (CA), create self-signed certificates, or configure an existing EFS certificate for use with BitLocker. When using smart cards, it is also recommended to have smart card management software in place; you can, for example, use the smart card management functionality offered by Microsoft Forefront Identity Manager (FIM). If you consider using smart cards, I would advise you to carefully read the "Using certificates with BitLocker" and "Using smart cards with BitLocker" articles on Microsoft TechNet.
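As an added example (not code from the original article), the following PowerShell script performs the TPM pre-flight check described above and then configures an OS-drive unlock method through manage-bde.exe, Microsoft's BitLocker command-line tool on Windows 7 and Server 2008 R2. It queries the Win32_Tpm WMI class for the same state tpm.msc shows (present, enabled, activated, owned, spec version), refuses any TPM-based method when the TPM is not usable, and always adds a recovery password and recovery key before the primary protector. Function and parameter names, the default drive letters and the PS 2.0-compatible object construction are this example's own assumptions; run it from an elevated prompt.

```powershell
# Added example, not code from the original article: TPM pre-flight check and
# OS-drive protector setup for Windows 7 / Server 2008 R2 via manage-bde.exe and
# the Win32_Tpm WMI class. Function and parameter names are this example's own.
# Written for PowerShell 2.0 (the Windows 7 default); run elevated.

function Get-TpmReadiness {
    # Win32_Tpm is absent on machines with no TPM. IsEnabled/IsActivated/IsOwned
    # are WMI methods; each returns an object whose same-named property is the boolean.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false
            Owned = $false; SpecVersion = $null; Usable = $false }
    }
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned
    # SpecVersion reads like "1.2, 2, 3"; BitLocker on Windows 7 requires 1.2.
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()
    New-Object PSObject -Property @{
        Present = $true; Enabled = $enabled; Activated = $activated
        Owned = $owned; SpecVersion = $spec
        Usable = ($enabled -and $activated -and $owned -and ($spec -eq '1.2')) }
}

function Add-OsDriveProtectors {
    param(
        [string]$Drive = 'C:',
        [ValidateSet('TPM','TPMAndPIN','TPMAndStartupKey','TPMAndPINAndStartupKey','StartupKey')]
        [string]$Method = 'TPMAndPIN',
        [string]$StartupKeyPath = 'E:\',   # assumed removable drive that receives the startup key
        [string]$RecoveryKeyPath = 'E:\'   # assumed location for the 256-bit recovery key
    )
    $tpm = Get-TpmReadiness
    if ($Method -ne 'StartupKey' -and -not $tpm.Usable) {
        throw ("'$Method' needs a TPM 1.2 that is enabled, activated and owned. Found: " +
               "present=$($tpm.Present) enabled=$($tpm.Enabled) activated=$($tpm.Activated) " +
               "owned=$($tpm.Owned) spec=$($tpm.SpecVersion)")
    }
    if ($Method -eq 'StartupKey') {
        # Startup-key-only also needs the "Allow BitLocker without a compatible TPM"
        # option of the "Require additional authentication at startup" policy.
        Write-Warning 'Startup-key-only unlock requires the "Allow BitLocker without a compatible TPM" policy.'
    }
    # Recovery protectors go in first, so a failed primary protector never leaves the drive unrecoverable.
    & manage-bde.exe -protectors -add $Drive -RecoveryPassword
    & manage-bde.exe -protectors -add $Drive -RecoveryKey $RecoveryKeyPath
    switch ($Method) {
        'TPM'                    { & manage-bde.exe -protectors -add $Drive -TPM }
        'TPMAndPIN'              { & manage-bde.exe -protectors -add $Drive -TPMAndPIN }   # prompts for the PIN
        'TPMAndStartupKey'       { & manage-bde.exe -protectors -add $Drive -TPMAndStartupKey $StartupKeyPath }
        'TPMAndPINAndStartupKey' { & manage-bde.exe -protectors -add $Drive -TPMAndPINAndStartupKey $StartupKeyPath }
        'StartupKey'             { & manage-bde.exe -protectors -add $Drive -StartupKey $StartupKeyPath }
    }
    # Start encryption, then list the protectors: record the recovery password ID it prints.
    & manage-bde.exe -on $Drive
    & manage-bde.exe -protectors -get $Drive
}

# Usage:
#   Get-TpmReadiness
#   Add-OsDriveProtectors -Drive 'C:' -Method 'TPMAndPIN' -RecoveryKeyPath 'E:\'
```

The ordering matters: if the TPM + PIN protector is added and encryption started before any recovery protector exists, a mistyped PIN or a later boot-measurement change leaves you with no way back in, which is why the script adds both recovery protectors unconditionally.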
Create a Solid Recovery Strategy

An encryption tool like BitLocker requires a solid recovery strategy, and BitLocker forces you to define a recovery method during setup. A recovery method lets you regain access to the data on an encrypted drive when the drive cannot be unlocked, i.e. when the unlock methods discussed in the previous section fail. On an OS drive, you need a recovery method when a user forgets the PIN or loses the USB token that holds the startup key, or when the TPM detects integrity changes to the boot components. For data drives, you need a recovery method when a user forgets the password or loses the smart card. Also, if a protected data drive is configured for automatic unlocking, you need a recovery method if the auto-unlock key stored on the computer is lost, for example after a hard disk failure or a reinstallation.

BitLocker supports three recovery methods: a recovery password, a recovery key, and a data recovery agent (DRA).

A recovery password is a 48-digit numerical password generated during BitLocker setup. You can save it to a file, which you then preferably store on a removable drive; you can also print it, or have it automatically saved in Active Directory (AD). If you want recovery passwords stored in AD automatically, make sure that all computers can reach AD at the moment they enable BitLocker, and consider the Group Policy option that refuses to enable BitLocker until the recovery information has been written to AD DS, so that no drive is ever encrypted with an unbacked-up password. Because a recovery password unlocks the drive on its own, restrict who can read the recovery information in AD and treat a printed copy like a password. Storage of BitLocker recovery information in AD relies on an AD schema extension that adds the attributes and the msFVE-RecoveryInformation object class used to attach recovery information to AD computer objects. Server 2008 and Server 2008 R2 domain controllers (DCs) include this extension by default. On Windows Server 2003 DCs, you must first install the BitLocker-specific schema extension.

To make viewing and retrieving BitLocker recovery passwords from AD easier, Microsoft provides an AD Users and Computers (ADUC) MMC snap-in extension. It adds a BitLocker Recovery tab to the properties of the AD computer object; the tab shows all BitLocker recovery passwords associated with that computer object. For Server 2008 R2, the BitLocker Active Directory Recovery Password Viewer is an optional feature included in the Remote Server Administration Tools (RSAT). For Server 2008.

The second recovery method uses a 256-bit recovery key that is saved to a USB token or another location. Similar to a recovery password, a recovery key lets users regain access to their protected drive without administrator intervention. When using a recovery key, users must insert the USB token or provide a pointer to the other key location during recovery.

The third recovery method, based on a data recovery agent (DRA), always requires the intervention of a member of the IT department. It leverages a special certificate issued to a dedicated DRA administrator in your organization. The DRA certificate's thumbprint is distributed to all BitLocker
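As an added example (not code from the original article), the following PowerShell script covers the recovery-password path described above end to end on Windows 7 / Server 2008 R2: it backs up the OS drive's numerical-password protector to AD with manage-bde, reads the stored msFVE-RecoveryInformation objects back from the computer object through System.DirectoryServices (so it works without RSAT or the Recovery Password Viewer), and sanity-checks a 48-digit password before anyone types it at the recovery screen. Function names, the output parsing of manage-bde, and the sample computer name are this example's own assumptions; it assumes a domain-joined machine, a DC whose schema carries the BitLocker extension, and an account permitted to read the recovery attributes.

```powershell
# Added example, not code from the original article: AD backup and retrieval of
# BitLocker recovery passwords on Windows 7 / Server 2008 R2, plus a format check
# for the 48-digit password. Function names are this example's own; PowerShell 2.0.

function Get-NumericalPasswordIds {
    param([string]$Drive = 'C:')
    # "manage-bde -protectors -get" prints each protector as a header line
    # ("Numerical Password:") followed by an "ID: {GUID}" line.
    $ids = @()
    $inNumerical = $false
    foreach ($line in (& manage-bde.exe -protectors -get $Drive)) {
        if ($line -match '^\s*Numerical Password:') { $inNumerical = $true; continue }
        if ($inNumerical -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $ids += $Matches[1]
            $inNumerical = $false
        }
    }
    return $ids
}

function Backup-RecoveryPasswordToAd {
    param([string]$Drive = 'C:')
    foreach ($id in Get-NumericalPasswordIds -Drive $Drive) {
        # Writes the protector under the computer object, as the Group Policy backup does.
        & manage-bde.exe -protectors -adbackup $Drive -id $id
    }
}

function Get-AdRecoveryPassword {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $search = New-Object System.DirectoryServices.DirectorySearcher
    $search.SearchRoot = [ADSI]"LDAP://$domainDn"
    $search.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $search.FindOne()
    if ($computer -eq $null) { throw "Computer object '$ComputerName' not found" }
    # Recovery information lives in child objects of the computer object, one per password.
    $child = New-Object System.DirectoryServices.DirectorySearcher
    $child.SearchRoot = $computer.GetDirectoryEntry()
    $child.SearchScope = 'OneLevel'
    $child.Filter = '(objectClass=msFVE-RecoveryInformation)'
    foreach ($r in $child.FindAll()) {
        $guidBytes = [byte[]]$r.Properties['msfve-recoveryguid'][0]
        New-Object PSObject -Property @{
            Computer     = $ComputerName
            Created      = $r.Properties['whencreated'][0]
            # Same GUID manage-bde prints as the protector ID; the recovery screen shows its first 8 characters.
            RecoveryGuid = (New-Object System.Guid -ArgumentList (,$guidBytes)).ToString('B').ToUpper()
            Password     = [string]$r.Properties['msfve-recoverypassword'][0]
        }
    }
}

function Test-RecoveryPasswordFormat {
    param([string]$Password)
    # Eight 6-digit groups. Each group is a 16-bit value multiplied by 11, so it must be
    # divisible by 11 and no larger than 65535 * 11 = 720885; this catches transcription
    # errors from printed copies before a recovery attempt.
    $groups = $Password.Trim() -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $v = [int]$g
        if (($v % 11) -ne 0 -or $v -gt 720885) { return $false }
    }
    return $true
}

# Usage (LAPTOP01 is a placeholder computer name):
#   Backup-RecoveryPasswordToAd -Drive 'C:'
#   Get-AdRecoveryPassword -ComputerName 'LAPTOP01' |
#       Where-Object { Test-RecoveryPasswordFormat $_.Password }
```

Running Get-AdRecoveryPassword right after Backup-RecoveryPasswordToAd is the cheapest way to confirm that the AD path actually works for a given DC and account before you roll the policy out; matching the RecoveryGuid it returns against the ID printed by manage-bde tells you which stored password belongs to which protector when a computer has several.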
November 2017