BitLocker: How to deploy on Windows Server 2012 and later

This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server to install.

Installing BitLocker

To install BitLocker using Server Manager

1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe.
2. Select Manage from the Server Manager navigation bar and select Add Roles and Features to start the Add Roles and Features Wizard.
3. With the Add Roles and Features Wizard open, select Next on the Before you begin pane (if shown).
4. Select Role-based or feature-based installation on the Installation pane of the Add Roles and Features Wizard and select Next to continue.
5. Select the Select a server from the server pool option in the Server Selection pane and confirm the server for the BitLocker feature install.
6. Server roles and features install using the same wizard in Server Manager. Select Next on the Server Roles pane of the Add Roles and Features Wizard to proceed to the Features pane.
7. Select the check box next to BitLocker Drive Encryption within the Features pane of the Add Roles and Features Wizard. The wizard will show the additional management features available for BitLocker. If you do not want to install these features, deselect the Include management tools option and select Add Features. Once optional feature selection is complete, select Next to proceed in the wizard.

Note: The Enhanced Storage feature is a required feature for enabling BitLocker. This feature enables support for Encrypted Hard Drives on capable systems.

8. Select Install on the Confirmation pane of the Add Roles and Features Wizard to begin BitLocker feature installation. The BitLocker feature requires a restart to complete.
Selecting the Restart the destination server automatically if required option in the Confirmation pane will force a restart of the computer after installation is complete. If the Restart the destination server automatically if required check box is not selected, the Results pane of the Add Roles and Features Wizard will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.

To install BitLocker using Windows PowerShell

Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the servermanager or dism module; however, the servermanager and dism modules do not always share feature name parity. Because of this, it is advisable to confirm the feature or role name prior to installation.

Note: You must restart the server to complete the installation of BitLocker.

Using the servermanager module to install BitLocker

The servermanager Windows PowerShell module can use either the Install-WindowsFeature or the Add-WindowsFeature cmdlet to install the BitLocker feature. The Add-WindowsFeature cmdlet is merely a stub for Install-WindowsFeature. This example uses the Install-WindowsFeature cmdlet. The feature name for BitLocker in the servermanager module is BitLocker. By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install. This can be seen using the -WhatIf option in Windows PowerShell. The results of this command show that only the BitLocker Drive Encryption feature installs using this command.
To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command:

The result of this command displays the following list of all the administration tools for BitLocker that would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS):

- BitLocker Drive Encryption
- BitLocker Drive Encryption Tools
- BitLocker Drive Encryption Administration Utilities
- BitLocker Recovery Password Viewer
- AD DS Snap-Ins and Command-Line Tools
- AD DS Tools
- AD DS and AD LDS Tools

The command to complete a full installation of the BitLocker feature with all available features and then reboot the server at completion is:

Important: Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.

Using the dism module to install BitLocker

The dism Windows PowerShell module uses the Enable-WindowsOptionalFeature cmdlet to install features. The feature name for BitLocker in the dism module is BitLocker. The dism module does not support wildcards when searching for feature names. To list feature names for the dism module, use the Get-WindowsOptionalFeature cmdlet. The following command will list all of the optional features in an online (running) operating system. From this output, we can see that there are three BitLocker-related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items. To install BitLocker using the dism module, use the following command:

This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer.
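As an added example (my own script, not a command from the Microsoft topic), the following elevated session confirms the BitLocker feature names in both modules before installing, performs the full servermanager install with management tools and Enhanced Storage, and lists the equivalent dism commands. The EnhancedStorage feature name, -NoRestart and -All are used as I know them to exist; the page itself only names the BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock features.

```powershell
# Added example, not from the original topic: confirm the BitLocker feature names
# in both PowerShell modules before installing, since the two modules do not share
# feature names. Run from an elevated session on Windows Server 2012 or later.
#Requires -RunAsAdministrator

# --- servermanager module (supports wildcards in -Name) ---
Import-Module ServerManager
Get-WindowsFeature -Name 'BitLocker*', 'EnhancedStorage' |
    Select-Object Name, DisplayName, InstallState |
    Format-Table -AutoSize

# Preview the full install; -WhatIf changes nothing, it only lists what would be added.
Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf

# Full install with management tools. Enhanced Storage (needed for Encrypted Hard
# Drives) is not pulled in by the PowerShell path, so it is named explicitly.
$result = Install-WindowsFeature -Name BitLocker, EnhancedStorage `
    -IncludeAllSubFeature -IncludeManagementTools
if (-not $result.Success) {
    throw "Feature installation failed with exit code $($result.ExitCode)"
}
$result.FeatureResult | Select-Object Name, Success, RestartNeeded | Format-Table -AutoSize

# Install-WindowsFeature can reboot for you with -Restart; here the reboot is left
# to the operator so the result can be reviewed first.
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A restart is required to finish the BitLocker installation.'
    # Restart-Computer -Confirm
}

# --- dism module (no wildcard support: list everything and filter locally) ---
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'BitLocker*' |
    Select-Object FeatureName, State

# Equivalent dism installs. -NoRestart suppresses the reboot prompt; the cmdlet
# cannot force a reboot itself, so schedule one afterwards.
# Minimal (BitLocker plus BitLocker-Utilities only):
#   Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -NoRestart
# Complete, including management tools:
#   Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All -NoRestart
```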
This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:

A beginner's guide to BitLocker, Windows' built-in encryption tool

The creators of TrueCrypt shocked the computer security world in 2014 when they ended development of the popular open-source encryption tool. Even more surprising, the creators said TrueCrypt could be insecure and that Windows users should migrate to Microsoft's BitLocker. Conspiracy theories immediately began to swirl around the surprise announcement.

What is BitLocker?

BitLocker is Microsoft's easy-to-use, proprietary encryption program for Windows that can encrypt your entire drive as well as protect against unauthorized changes to your system such as firmware-level malware. BitLocker is available to anyone who has a machine running Windows Vista or 7 Ultimate, Windows Vista or 7 Enterprise, Windows 8.1 Pro, Windows 8.1 Enterprise, or Windows 10 Pro. If you're running an Enterprise edition, chances are your PC belongs to a large company, so you must discuss enabling BitLocker encryption with your company's IT department.

Most of us buy PCs with the standard version of Windows, which doesn't include BitLocker encryption. But if you upgraded to Windows 8 during the initial rollout of Microsoft's dual-interface OS, then you probably have Windows 8 or 8.1 Pro. During the early days of Windows 8, Microsoft was selling cheap Windows 8 Pro upgrade licenses to anyone eligible for an upgrade. That Pro upgrade also carried over if you moved from 8.1 to Windows 10.

BitLocker system requirements

To run BitLocker you'll need a Windows PC running one of the OS flavors mentioned above, plus a storage drive with at least two partitions and a Trusted Platform Module (TPM). A TPM is a special chip that runs an authentication check on your hardware, software, and firmware. If the TPM detects an unauthorized change, your PC will boot in a restricted mode to deter potential attackers.
If you don't know whether your computer has a TPM or multiple partitions, don't sweat it. BitLocker will run a system check when you start it up to see if your PC can use BitLocker. If it turns out you don't have a TPM, it's still possible to run BitLocker if you tinker with the Group Policy Editor. Check out How-To Geek's tutorial for how to use Microsoft's encryption program without a TPM.

Who should use BitLocker?

Here's the thing about BitLocker: it's a closed-source program. That's problematic for extremely privacy-minded folks, since users have no way of knowing whether Microsoft was coerced into putting some kind of backdoor into the program under pressure from the United States government. The company says there are no backdoors, but how can we be certain? We can't. Sure, if BitLocker were open-source, most of us wouldn't be able to read the code to find vulnerabilities, but somebody out there would be able to do so.

So with BitLocker's closed-source nature in mind, I wouldn't expect this encryption program to defend your data against a government actor such as border agents or intelligence services. But if you're looking to protect your data in the event your PC is stolen or otherwise messed with, then BitLocker should be just fine.

How to set up BitLocker

Here's how I got BitLocker running on a Windows 8.1 Pro machine. I've also added some Windows 10-specific instructions.

1. Open Windows' Control Panel, type BitLocker into the search box in the upper-right corner, and press Enter.
2. Next, click Manage BitLocker, and on the next screen click Turn on BitLocker.
3. Now BitLocker will check your PC's configuration to make sure your device supports Microsoft's encryption method. BitLocker checks for the required Trusted Platform Module. If you're approved for BitLocker, Windows will show you a message like this one (see screenshot at left). If your TPM module is off, Windows will turn it on automatically for you, and then it will encrypt your drive.
To activate your TPM security hardware, Windows has to shut down completely. Then you'll have to manually restart your PC. Before you do, make sure any flash drives, CDs, or DVDs are ejected from your PC. Then hit Shutdown. Once you restart your PC, you may see a warning that your system was changed. In my case I had to hit F10 to confirm the change or press Esc to cancel. After that, your computer should reboot, and once you log in again you'll see the BitLocker window.

Recovery key and encryption

We've rebooted and the TPM is now active. After a few minutes, you should see a window with a green check mark next to Turn on the TPM security hardware. We're almost at the point where we'll encrypt the drive! When you're ready, click Next.

Before you encrypt your drive, however, you will be asked to enter a password that must be entered every time you turn on your PC, before you even get to the Windows login screen. Windows gives you a choice of either entering the password manually or inserting a USB key. Choose whichever method you prefer, but I recommend sticking with the manual password so you aren't depending on a single USB key for authentication.

Next, you have to save a recovery key just in case you have problems unlocking your PC. Windows gives you three choices for saving this key in Windows 8.1 and Windows 10: save the file to your Microsoft account, save to a file, save to a flash drive (Windows 10), or print the recovery key. You are able to choose as many of these options as you'd like, and you should choose at least two. In my case, I chose to save the file to a USB key and print the key on paper. I decided against saving the file to my Microsoft account, because I don't know who has access to the company's servers. That said, saving your key to Microsoft's servers will make it possible to decrypt your files if you ever lose the flash drive or paper containing your recovery key code. Once you've created two different instances of the recovery key and removed any USB drives, click Next.
Choose whichever option best describes your PC. On the following screen, you have to decide whether to encrypt only the disk space used so far, or encrypt your PC's entire drive. If you're encrypting a brand-new PC without any files, then the option to encrypt only the used disk space is best for you, because new files will be encrypted as they're added. If you have an older PC with a few more miles on the hard drive, you should choose to encrypt the entire drive. Once you've chosen your encryption scheme, click Next. We're almost there.

Windows 10 only: If you're running Windows 10 build 1511 or later, you'll be asked to choose your encryption mode: new or compatible. If you're encrypting your onboard storage drive, then choose new. The compatible mode is mostly for removable drives that will be used with older versions of Windows that do not have the "new" encryption mode.

Make sure the box next to Run BitLocker system check is checked so that Windows will run a system check before encrypting your drive. Once the box is checked, click Continue... and nothing happens. You have to manually reboot your PC to start BitLocker's encryption process. You'll see an alert balloon in the system tray telling you that encryption will begin after you restart the PC. Restart your PC, and you'll be asked to enter your BitLocker password or insert the USB key you created earlier. After you log in this final time, you should see another system tray alert telling you that the encryption is in progress.

Whew! We made it to the encryption phase. You can continue to work on your PC during the encryption phase, but things may be running a little more slowly than usual. Consider holding back on anything that might tax your system during initial encryption, such as graphics-intensive programs. After all those clicks, that's it! Just leave Windows to do its thing, and in a few hours you'll have a BitLocker-encrypted drive.
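As an added example (my own script, not part of the original article), here is the same walkthrough driven from an elevated PowerShell prompt on Windows 10 Pro or Enterprise, with the wizard's TPM check, the pre-boot PIN, the "new" (XTS-AES) mode, used-space-only encryption and the recovery-key copies made explicit. The $Drive and $RecoveryKeyPath values, the E: removable drive and the cmdlet parameters used are my assumptions, not taken from the article.

```powershell
# Added example, not from the original article: the same setup from an elevated
# PowerShell session on Windows 10 Pro/Enterprise. $RecoveryKeyPath is an assumed
# location on a removable drive; never store the key on the drive being encrypted.
#Requires -RunAsAdministrator
$Drive           = 'C:'
$RecoveryKeyPath = 'E:\BitLocker-Recovery-C.txt'

# 1. The wizard's TPM check. Without a TPM the OS drive needs a Group Policy change
#    and a USB startup key instead (see the How-To Geek tutorial referenced above).
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw 'No TPM present on this machine.' }
if (-not $tpm.TpmReady)   { throw 'TPM present but not ready; initialise it (tpm.msc or firmware) first.' }

# 2. Skip volumes that are already protected.
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$Drive is already protected ($($vol.VolumeStatus))."
    return
}

# 3. The pre-boot password: a TPM+PIN protector, asked for before the Windows sign-in.
$pin = Read-Host -Prompt 'Choose a BitLocker startup PIN' -AsSecureString

# 4. Encrypt. XTS-AES is the "new" mode; used-space-only suits a fresh install.
#    The hardware test (the wizard's "Run BitLocker system check") stays on, so
#    encryption begins after the next restart, exactly as in the wizard.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmAndPinProtector -Pin $pin

# 5. Recovery key: add a 48-digit recovery password and keep at least two copies.
$vol = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
@"
BitLocker recovery key for $Drive on $env:COMPUTERNAME
Identifier: $($rp.KeyProtectorId)
Recovery password: $($rp.RecoveryPassword)
"@ | Out-File -FilePath $RecoveryKeyPath -Encoding ascii
# Second copy for domain-joined machines (escrow in Active Directory):
#   Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId

# 6. Encryption starts after the reboot; the PIN is requested at the next boot.
Restart-Computer -Confirm
```

After the restart, `Get-BitLockerVolume -MountPoint C: | Select-Object VolumeStatus, EncryptionPercentage` shows the same progress the system tray alert reports.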
The length of time it takes BitLocker to fully encrypt your files depends on the size of your drive, or how much data you're encrypting if you're only encrypting existing data on a new PC.

Ian is an independent writer based in Israel who has never met a tech subject he didn't like. He primarily covers Windows, PC and gaming hardware, video and music streaming services, social networks, and browsers. When he's not covering the news he's working on how-to tips for PC users, or tuning his eGPU setup.

BitLocker Overview and Requirements FAQ

You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.

How BitLocker works with fixed and removable data drives

You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.

Does BitLocker support multifactor authentication?

Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.

What are the BitLocker hardware and software requirements?

Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system drive will always be displayed in the Control Panel, regardless of whether it is a dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker.

Why are two partitions required? Why does the system drive have to be so large?
Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.

Which Trusted Platform Modules (TPMs) does BitLocker support?

BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device. TPM 2.0 is not supported in Legacy and CSM modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature. An operating system installed on hardware in legacy mode will stop booting when the BIOS mode is changed to UEFI. Use the MBR2GPT tool before changing the BIOS mode; it will prepare the OS and the disk to support UEFI.

How can I tell if a TPM is on my computer?

Beginning with Windows 10, version 1803, you can check TPM status in Windows Defender Security Center > Device Security > Security processor details. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the Status heading.

Can I use BitLocker on an operating system drive without a TPM?

Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.

How do I obtain BIOS support for the TPM on my computer?

Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:

- It is compliant with the TCG standards for a client computer.
- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.

What credentials are required to use BitLocker?

To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local Administrators group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.

What is the recommended boot order for computers that are going to be BitLocker-protected?

You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker, and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.

Downloading files during BitLocker encryption

I have 4 internal and 2 external SSD drives. I had been using BitLocker on each, which I encrypted all at the same time, and retained the encryption key.
Decided to turn off on all after a year. No problems on 5 of the drives (4 internal and 1 external), but on the last external drive it failed to decrypt 3 directories and the subdirectories and files in them; there were no interruptions during the decryption process and no errors noted.

1. I can't rerun BitLocker as it states it is off on the drive(s).
2. I show under security Full access to the drive and all directories.
3. If I try and run any of the manage-bde commands to verify status and such, they return an error as:

BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

ERROR: An attempt to access a required resource was denied.
Check that you have administrative rights on the computer.

4. I do have administrator rights on the entire computer/drives.
5. I still have my BitLocker Recovery Keys.

Any and all help is appreciated as the directories contain 50 GB of videos, photos of a deceased relative.

BitLocker on Windows 10 Home edition

I would like to use BitLocker to encrypt my hard drive, but I have the standard 8.1 version, which will become Windows 10 Home version when I upgrade. Neither of those editions come with BitLocker. Do I have to upgrade to the Pro version to get it? If yes, what would be the best thing to do? Upgrade to 8.1 Pro, then upgrade to 10 Pro? Or upgrade to 10 Pro after installing 10 Home? Isn't there any way to use BitLocker on a standard Windows version? At the time of writing, Windows 10 will be rolled out tomorrow! It will be free to download for one year, so I don't need to hurry, right?

Yours sincerely, HdeVries.

> I would like to use BitLocker to encrypt my hard drive, but I have the standard 8.1 version, which will become Windows 10 Home version when I upgrade.
> Neither of those editions come with BitLocker. Do I have to upgrade to the Pro version to get it?

Yes, only Pro and Enterprise editions have BitLocker.

> If yes, what would be the best thing to do? Upgrade to 8.1 Pro, then upgrade to 10 Pro? Or upgrade to 10 Pro after installing 10 Home?

I would take the free offer and upgrade Windows 8.1 to Windows 10 Home, then purchase a Windows 10 Pro Pack for $99 and perform an Easy Upgrade to Windows 10 Pro: How to Perform an Easy Upgrade in Windows 10.

> Isn't there any way to use BitLocker on a standard Windows version?

You can use third-party alternatives such as TrueCrypt, but you will have to determine if they are compatible with Windows 10.

> At the time of writing, Windows 10 will be rolled out tomorrow! It will be free to download for one year, so I don't need to hurry, right?

That is correct, you have until July 28th 2016 to take advantage of the free upgrade.

> Yours sincerely, HdeVries.