BitLocker performs a number of functions depending on the hardware support of the system on which Windows Server 2008 is running. At the most basic level, BitLocker encrypts entire disk volumes so that the operating system files and user data contained on a disk drive cannot be accessed if the computer and/or drive are lost or stolen. In addition, a key is written to a USB flash drive during the BitLocker configuration process. This flash drive must be inserted into a USB port on the computer at system startup in order to gain access to the system.
When used in conjunction with a computer system that has a Trusted Platform Module (TPM) together with a Trusted Computing Group (TCG) compatible BIOS, BitLocker also provides additional features, including verifying the integrity of the boot files prior to system startup. In addition, TPM support provides the option to specify a PIN that must be entered at system startup in addition to the flash drive containing the key.
This chapter of [[Windows Server 2008 Essentials]] provides a detailed overview of the steps necessary to configure BitLocker Drive Encryption.
== Enabling BitLocker Drive Encryption ==
The first step in configuring BitLocker Drive Encryption involves enabling this particular feature within Windows Server 2008. This is achieved using the Server Manager. To access the Server Manager either open the ''Start'' menu and select ''Server Manager'' or click on the Server Manager icon in the task bar. In the tree hierarchy located in the left hand panel of the Server Manager select the ''Features'' option. Once selected, the Server Manager will display the status of current feature configurations and provide options to add and remove features. The following figure illustrates the Server Manager in ''Features'' mode with no features currently installed:
Once the tool has been downloaded and installed it should appear in ''Start->Accessories->System Tools->BitLocker->BitLocker Drive Preparation Tool''. The tool itself is installed as the executable ''%ProgramFiles%\BitLocker\BdeHdCfg.exe''. The tool may either be run as a graphical tool or run from a command prompt with a variety of command-line options to perform the required task.
To obtain a list of the command-line options available, run the tool with the ''-?'' command-line option:
<pre>
</pre>
If the system has a TPM check in the system BIOS to verify that it is enabled. Also ensure that TPM is enabled in the Trusted Platform Module Management Console. If the system does not have a TPM it is, despite the message above, possible to use BitLocker, but it will be necessary to change group policy to enable BitLocker support in the absence of a TPM.
== Changing Group Policy for BitLocker ==
The group policy settings for BitLocker can be set either in Local Group Policy or Active Directory Group Policy. The policy settings allow BitLocker to be used without a TPM. In addition, settings are available to change BitLocker configuration for systems that do have a TPM.
To access the BitLocker policy settings for the Local Computer Policy, open the Local Group Policy Editor by opening the ''Start'' menu, typing ''gpedit.msc'' in the ''Search'' text box and pressing Enter. When the Local Group Policy Editor has started, select ''Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption''. When the BitLocker settings are displayed, double click on ''Control Panel Setup: Enable Advanced startup options'' to launch the appropriate properties dialog:
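The following PowerShell script is an added example, not part of the original chapter, that reports the two preconditions described above before BitLocker is enabled: whether a TPM is present, enabled and activated, and whether the local policy permits BitLocker on a system without a TPM. It assumes the ''Win32_Tpm'' WMI class and the ''HKLM\SOFTWARE\Policies\Microsoft\FVE'' registry values (''UseAdvancedStartup'', ''EnableBDEWithNoTPM'') that the advanced startup policy setting writes, and PowerShell 2.0 or later.

```powershell
# Added example (not from the original chapter). Reports TPM state and whether
# local BitLocker policy allows operation without a TPM, so an administrator can
# see in advance why enabling BitLocker would be refused.

function Get-TpmState {
    # Win32_Tpm lives in the MicrosoftTpm WMI namespace; absent class means no TPM driver.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        return New-Object PSObject -Property @{ Present = $false; Enabled = $false; Activated = $false }
    }
    # IsEnabled()/IsActivated() return objects whose IsEnabled/IsActivated members hold the result.
    New-Object PSObject -Property @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
    }
}

function Test-BitLockerNoTpmPolicy {
    # Registry values assumed to be written by the advanced startup policy setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return (($p.UseAdvancedStartup -eq 1) -and ($p.EnableBDEWithNoTPM -eq 1))
}

function Get-BitLockerReadiness {
    $tpm = Get-TpmState
    $noTpmAllowed = Test-BitLockerNoTpmPolicy
    $ready = ($tpm.Present -and $tpm.Enabled -and $tpm.Activated) -or $noTpmAllowed
    New-Object PSObject -Property @{
        TpmPresent        = $tpm.Present
        TpmEnabled        = $tpm.Enabled
        TpmActivated      = $tpm.Activated
        PolicyAllowsNoTpm = $noTpmAllowed
        CanEnableBitLocker = $ready
    }
}

$r = Get-BitLockerReadiness
$r | Format-List
if ($r.TpmPresent -and -not ($r.TpmEnabled -and $r.TpmActivated)) {
    Write-Warning 'TPM found but not enabled/activated: check the BIOS and the TPM Management Console.'
}
if (-not $r.CanEnableBitLocker) {
    Write-Warning 'No usable TPM and policy does not allow BitLocker without a TPM: enable the advanced startup policy.'
}
```

Run the script from an elevated PowerShell prompt, since reading the TPM class and the policy key requires administrative rights.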
== Disabling BitLocker Drive Encryption ==
BitLocker Drive Encryption may be disabled on either a temporary or permanent basis. To temporarily turn off encryption, open the BitLocker control panel (''Start -> Control Panel -> Security -> BitLocker Drive Encryption''), select ''Turn off BitLocker Drive Encryption'' under the desired volume, and then select ''Disable BitLocker Drive Encryption'' in the resulting screen.
To turn off BitLocker and decrypt a system volume repeat the above steps, selecting ''Decrypt the volume'' when asked to specify the level of decryption.