Showing posts with label MS BitLocker.

Sunday 9 April 2017

System startup script to auto unlock BitLocker encrypted drive

Or, Auto unlock BitLocker encrypted drive without login in windows
Or, BitLocker encrypted drive auto unlock at system reboot
Or, How to setup system startup script in windows machines

Description: If the OS disk is encrypted with BitLocker, a TPM PIN or password is prompted at the startup screen, and once you enter the required authentication details you are in. The problem is when you have another data drive encrypted with BitLocker and have set a password on it.

Every time the system reboots, you have to enter the BitLocker password for that drive manually, or, if you have enabled auto unlock, the drive gets unlocked as soon as you log in with your Windows credentials.

Imagine the situation where you have enabled BitLocker encryption for the data drive on some servers and those servers get rebooted due to failures or any other reason. Friends, even if you have enabled Auto unlock on that drive, it will not unlock, because for auto unlock to work, someone has to log in to Windows.

Scenario: I have a Windows Server 2012 R2 server with two drives (C:\ OS disk and D:\ data disk). The data disk is encrypted with BitLocker (with a password) and the Auto unlock option is enabled on this disk.

Whenever there is a system reboot, I have to log in to the server to make sure the drive is auto unlocked and the data is accessible. This auto unlock feature is user based: a user for whom auto unlock is not enabled on this drive has to enter the BitLocker password manually to unlock the drive after logging in to Windows.

Problem: Whenever there is a system failure and no one is available to log in to the server, the encrypted data drive will not be unlocked, and the encrypted data will remain inaccessible until someone logs in to the server.

Solution/Workaround: We can use the manage-bde command in a system startup script to auto unlock the encrypted data drives at system startup. Even if no one logs in to the server, the drives will be unlocked at startup, whether the reboot was expected or unexpected.

Prerequisites:
BitLocker Recovery Key (exported at the time of encryption)
Administrative access on the server to edit the local system policy (gpedit.msc)
Basic knowledge of local group policy and .bat scripts.

Steps: Setting up Data drive auto unlock at system startup

Open the BitLocker Recovery Key file and copy the 48-digit Recovery Key.
Prepare a small .bat script using the command example below:

@echo off
rem Unlock the D: data volume with its 48-digit numerical recovery password
manage-bde -unlock D: -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

Copy and paste the above command into a Notepad file and save it with the .bat file extension. Replace the xxxxxx placeholders with your encrypted data drive's 48-digit recovery key.
In my case, the script file name is test.bat

Now, on the local server, go to Run and open gpedit.msc

Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Click on Startup

From the Startup properties, Click on Show Files…

This will take you to the path where startup scripts are kept. Paste your .bat file here. In my case, it's test.bat.

Now again go to the Startup Properties > Click on Add

Click Browse

Select the .bat script file > Click on Open > Click OK

Click on Apply > Click on OK

That's it, you are done with setting up auto unlocking of the BitLocker encrypted data drive.
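The same startup unlock as an added PowerShell example (my own code, not the blog's test.bat). It keeps the recovery password out of the script itself, because anyone who can read the startup script can unlock the drive, and only attempts the unlock when the volume is actually locked, logging the outcome to the Application event log so a failed unlock is visible after an unattended reboot. Assumptions, all constructed for this example: the data volume is D:, the recovery password sits in C:\ProgramData\BitLockerUnlock\D.rpw with an ACL allowing only SYSTEM and Administrators, and the OS volume is itself BitLocker-protected so that file is encrypted at rest.

```powershell
# Added example: startup script that unlocks a BitLocker data volume only when it is locked.
# Assumed paths and names (constructed for this example, not from the original post).
$MountPoint = 'D:'
$KeyFile    = 'C:\ProgramData\BitLockerUnlock\D.rpw'   # one line: the 48-digit recovery password
$LogSource  = 'BitLockerStartupUnlock'

if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

function Write-UnlockLog([string]$Message, [string]$Type = 'Information', [int]$Id = 1000) {
    Write-EventLog -LogName Application -Source $LogSource -EntryType $Type -EventId $Id -Message $Message
}

# Get-BitLockerVolume / Unlock-BitLocker come with the BitLocker feature's PowerShell module.
$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
if (-not $vol) {
    Write-UnlockLog "Volume $MountPoint not found or BitLocker module unavailable." 'Error' 1001
    exit 1
}
if ($vol.LockStatus -eq 'Unlocked') {
    Write-UnlockLog "Volume $MountPoint is already unlocked; nothing to do."
    exit 0
}

# Read the recovery password and check its shape (8 groups of 6 digits) before using it.
$rp = (Get-Content -Path $KeyFile -ErrorAction Stop | Select-Object -First 1).Trim()
if ($rp -notmatch '^(\d{6}-){7}\d{6}$') {
    Write-UnlockLog "Recovery password in $KeyFile is not in 8x6-digit form." 'Error' 1002
    exit 1
}

try {
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $rp -ErrorAction Stop | Out-Null
    Write-UnlockLog "Volume $MountPoint unlocked at startup."
    exit 0
} catch {
    Write-UnlockLog "Unlock of $MountPoint failed: $($_.Exception.Message)" 'Error' 1003
    exit 1
}
```

Register it on the "PowerShell Scripts" tab of the same Startup properties dialog rather than the "Scripts" tab used for the .bat file; startup scripts run as SYSTEM, which is why the key file's ACL matters.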

Updated: 07/05/2017
IMP Note: Even though BitLocker is not supported on the bootable OS disk of virtual machines, you can still encrypt the bootable drives of VMs if you wish to. The startup password prompt and drive unlocking work the same as on hardware-based computers.

Cheers, please write me back if you have any query or feedback on this.

Tuesday 2 August 2016

How to disable TPM in BIOS (Acer TMP 257 M-521)?

Or, Error while enabling BitLocker in Windows 10 Acer laptop “the Bitlocker encryption key cannot be obtained from the trusted platform module (tpm)”.
Or, Enable Trusted Platform Module (TPM) option is grayed out in BIOS – Acer TMP 257-M-521.
Or, BitLocker encryption asking for PIN instead of password while enabling BitLocker Encryption.
Or, How to force BitLocker to use Password instead of PIN?

Error Message Details:
Bitlocker could not be enabled 
The Bitlocker encryption key cannot be obtained. Verify that the Trusted Platform Module (TPM) is enabled and ownership has been taken. If this computer does not have a TPM, verify that the USB drive is inserted and available.
C: was not encrypted.

Descriptions:
Some of the articles suggested going to tpm.msc > Action > Turn off TPM from there, and the most frustrating thing was, there was no option available to turn TPM off or on from this Action menu. Tried everything like gpedit.msc to bypass TPM, Clear TPM, Change Owner Password from the TPM management page etc.; nothing worked.

One thing more: this was the culprit forcing me to enter a TPM PIN instead of the BitLocker startup password while enabling BitLocker on my laptop with Windows 10 OS.

What Worked well?
If you want to disable TPM completely for your computer, you should do it from the BIOS. In my case, I am using an Acer TMP 257.

To disable TPM from the BIOS of an "Acer TMP 257" laptop, please follow the steps below.

Steps: Reboot your PC > On the boot screen, press F2 to enter the BIOS > Go to the Security tab > Set Supervisor Password

Now Go to Change TPM (TCM) State: > Hit Enter > Select Disable

Again go to "Set Supervisor Password" > Hit Enter > Enter your current password > Leave the other fields blank and hit Enter > Reboot your laptop and you are done with disabling TPM from the BIOS of your Acer laptop.

Now you can proceed with enabling BitLocker with password configurations.

Monday 4 July 2016

How to recover BitLocker encrypted drive using MBAM Server?

Or, MS BitLocker recovery process using the MBAM (Microsoft BitLocker Administration and Monitoring) server console.
Or, MBAM BitLocker recovery process.

Steps (On Client Side):
1. When you are on the BitLocker recovery screen, note down the 8-digit code shown as Key ID.

Steps (Server Side):
1. Go to the drive recovery option.

2. Enter all the required details, e.g. User ID, Domain Name, the 8-digit Key ID that you noted in step 1, and the reason for recovery > Click on the Submit button

3. Now you have the Drive Recovery Key > Enter this drive recovery key in the key box on the client screen that appeared in step 1 (client side) and you are done with recovery.

Cheers. Please write me back if you have any query or feedback on this.

Monday 27 June 2016

Enabling BitLocker on MS Windows Server 2012 or 2012 R2.

Or, How to enable BitLocker drive encryption on Windows Server 2012 or 2012 R2 Virtual Machines?
Or, How to Install BitLocker Drive encryption feature in Windows Server 2012 or 2012 R2?
Or, Enabling BitLocker Drive Encryption on Other than OS Disk of Windows Servers 2012 or 2012 R2.

Description:
The most important thing to know before enabling BitLocker on a Windows Server virtual machine: Microsoft does not support BitLocker encryption on the bootable drive of a virtual machine. See the VMware reference KB below for more information.

As you know, almost every additional feature and role is installed through Server Manager's Add Roles and Features wizard; in the same way, before enabling drive encryption on Windows Server 2012 or 2012 R2, you need to install the BitLocker Drive Encryption feature.

Steps (1): Installing BitLocker Drive Encryption Feature

Steps (2): Enabling BitLocker Drive Encryption on Other than OS Disk

Please refer to my other article, linked below, to learn "How to enable BitLocker drive encryption"; you have to perform the same steps on the disk drive you want encrypted.
http://www.techiessphere.com/2016/06/how-to-enable-bitlocker-drive.html

Following that article, select the D:\ or E:\ drive instead of the C:\ drive.

Decrypting BitLocker encrypted drive.

Or, How to Decrypt BitLocker encrypted drive?
Or, BitLocker Drive Decryption Process.

Steps:
Go to Control Panel > Open the BitLocker Drive Encryption console > Locate the C:\ drive > Click on "Turn off BitLocker".

Follow the process as shown in the screenshots below, sequentially (for your reference):

Hardware tab is missing from MBAM admin console.

Or, How to enable Hardware tab in MBAM admin console?
Or, Hardware Tab (missing) in MBAM Console.

Descriptions:
Most likely it's because you have not integrated SCCM with the MBAM server. Once you have the SCCM server integrated with the MBAM server, you will be able to see the Hardware tab in the MBAM admin console.

This is how the MBAM console looks if you don't have the MBAM server integrated with the SCCM server.

If you have SCCM integrated with your MBAM server and still cannot see the Hardware tab in the MBAM admin console, either you are accessing the wrong console or there is something wrong with your MBAM configuration and deployment.

Please refer to the TechNet KB given below (thanks to the MS TechNet Forum):

Still have any query, please write me back… 

Sunday 26 June 2016

How to change BitLocker AES 128Bit encryption method to AES 256Bit encryption method?

Or, How to change Default algorithm Supported by BitLocker Encryption.
Or, How to change Default encryption algorithm supported by BitLocker.
Or, How to change encryption algorithm or method supported by MS BitLocker?

Descriptions:
Microsoft BitLocker uses the XTS-AES 128-bit encryption method by default. Yes, it can be changed to AES 256-bit if you want it to be. The point you should note is that this change affects only drives that are encrypted after the change is made. Drives which were already encrypted will continue to use the method they were encrypted with.
If you wish to change the encryption method on an already encrypted drive, you must first decrypt the drive and then encrypt it again after changing the encryption method through the local computer policy.
To change the encryption method from AES-128-bit to AES-256-bit, please follow the steps below.

Steps:
Go to RUN > gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Choose the appropriate option as per your requirement (as highlighted in the screenshot below):

Click on Enabled > In the "Select the encryption method" option, select AES 256-bit
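The same policy change done from PowerShell, as an added example (my own code, not from the post), followed by the check the text implies: listing which already-encrypted volumes still use the old method and therefore need a decrypt and re-encrypt. It assumes Windows 10 (version 1511 or later) or Server 2016 or later, where the "Choose drive encryption method and cipher strength" policy is stored as the EncryptionMethodWithXts* values under HKLM\SOFTWARE\Policies\Microsoft\FVE (6 = XTS-AES 128-bit, 7 = XTS-AES 256-bit); the function and variable names are mine.

```powershell
# Added example: set the BitLocker cipher policy for OS, fixed data and removable drives,
# then report encrypted volumes that do not yet use the desired method.
# Registry location and values are the ones the gpedit.msc policy writes (assumption stated in lead-in).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Desired   = 'XtsAes256'    # value Get-BitLockerVolume reports for XTS-AES 256-bit

function Set-BitLockerCipherPolicy {
    param([ValidateSet(6, 7)][int]$Method = 7)   # 6 = XTS-AES 128, 7 = XTS-AES 256
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv') {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $Method -Type DWord
    }
}

function Get-BitLockerCipherMismatch {
    # Unencrypted volumes report EncryptionMethod 'None'; they are skipped because
    # they will pick up the new policy when encryption is started.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.EncryptionMethod -ne $Desired } |
        Select-Object MountPoint, VolumeType, EncryptionMethod, VolumeStatus
}

Set-BitLockerCipherPolicy -Method 7
$mismatched = Get-BitLockerCipherMismatch
if ($mismatched) {
    'These volumes keep their current method until decrypted and re-encrypted:'
    $mismatched | Format-Table -AutoSize
} else {
    "All encrypted volumes already use $Desired."
}
```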

Cheers, If you have any query or feedback, please write me back..

What is default encryption algorithm or method supported by MS BitLocker?

Or, Default encryption algorithm supported by BitLocker.
Or, Default algorithm supported by BitLocker Encryption.

Descriptions:
Microsoft BitLocker uses the XTS-AES 128-bit encryption method by default. To see the encryption method you are using on your computer, run the command below:
--------------------------------------
>manage-bde -status
---------------------------------------
Below is a reference screenshot of how it looks:

Monday 20 June 2016

How to enable BitLocker Drive Encryption in Windows 10?

Or, Enable BitLocker Drive Encryption in Microsoft Windows 10 Operating System.

Steps:
Go to Control Panel > Click on BitLocker Drive Encryption > Click on Turn on BitLocker on the Operating System Drive as shown in the screenshot below:

Now follow the steps highlighted in the screenshots below, sequentially.

To check the status of BitLocker Drive Encryption on the OS drive (C:\), open PowerShell with administrative privileges > Type the command {manage-bde -status c:} > You will see the current status and completion percentage of the drive encryption as shown in the screenshot below.

Cheers, write me back if you have any query or feedback..

Friday 17 June 2016

Where to download the MBAM server installation setup or package?

Or, Download MBAMServerSetup.exe
Or, Download Microsoft Desktop Optimization Pack Software Assurance
Or, Download MBAM Server Setup.
Or, Download MDOP BitLocker Encryption Server Setup.

Guys, let's not be confused by the terms MBAMServerSetup.exe and MDOP. You can use your Microsoft Volume Licensing portal to download "Microsoft Desktop Optimization Pack Software Assurance", and this pack contains the MBAMServerSetup installation file.

It should look like below:

Thursday 16 June 2016

This device can’t use Trusted Platform Module (BitLocker Drive Encryption).

Or, BitLocker Drive Encryption Error: This device can't use Trusted Platform Module. Your administrator must set the "Allow BitLocker without a compatible TPM" option in the "Require additional authentication at startup" policy for OS volumes.
Or, Windows 10 BitLocker drive encryption error "This device can't use Trusted Platform Module".

Description:
When you try to enable BitLocker Drive Encryption, you get the above error message. It's because your computer does not have a TPM (Trusted Platform Module) or the TPM is not enabled in the computer's BIOS.

Anyway, I am taking the scenario where your computer does not have a TPM. So, now the magic is, you can still enable BitLocker Drive Encryption without a TPM in your computer. To get it done, you just have to enable a single policy object on your local computer through gpedit.msc. Below is the explanation of how to do it.

The Error Message:

The Solution (step by step):
Go to RUN > type gpedit.msc > Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Double click on "Require additional authentication at startup" > Click on Enabled

Tick the "Allow BitLocker without a compatible TPM" check box > Click on OK > Re-initiate the drive encryption; it should work.

Good Luck. Please write me back if you have any query or feedback on this..