Published Date: 17 Jun 2008
Last Updated: 06 Dec 2010
Content Ref: TEC923428
- Your system must be an RM factory-prepared "BitLocker-Ready" system.
- Windows Vista® Ultimate or Enterprise must be pre-installed (BitLocker is not included in other Vista editions).
- A Recovery partition (S:) of at least 1.5GB must be present. (The S: volume is visible in Disk Management but is hidden from Windows Explorer to prevent misuse.)
- Your system must contain a hardware TPM (Trusted Platform Module, version 1.2), a feature of the mainboard that must also be supported and enabled in the BIOS (not all RM Vista systems have a TPM).
- You are advised to have a non-bootable USB flash memory key available to store the recovery password file.
Note: On an RM BitLocker-Ready system, the S: volume is the active (bootable) partition and contains hidden boot files. RM systems are shipped as BitLocker-Ready only if they have a TPM and run Vista Ultimate or Enterprise.
Warning: Enabling BitLocker adds a very high level of protection to your system, but the same protection means you will be locked out of your data if the hard disk becomes corrupted or you lose the recovery password. There is no other way to recover the data, so back up the recovery password as described below.
The following steps are important: do not omit any step, and check all BIOS options carefully.
1. Check the list of requirements above. If your system has an S: volume, it should be BitLocker-compatible. If it has no S: volume (drive letter), your system may not have a TPM or may have been manufactured without a suitable partition.
Unless your system meets the requirements above, you are strongly advised not to attempt to enable BitLocker.
2. Insert the USB flash memory key on which you intend to store the BitLocker recovery password file. Important: leave this key in the system until BitLocker encryption has been successfully enabled.
3. Enter the BIOS setup menu. This is usually done by restarting the system and pressing a special key (e.g. F2 or Del) during start-up. A password may be required to enter the BIOS menu.
4. Disable any BIOS option that boots USB devices first (e.g. the Boot USB Devices First option on RM Expert 3030/Intel® mainboards).
5. Enable TPM support in the BIOS. The entry may be labelled TPM, TPM 1.2, Trusted Platform Module or BitLocker.
6. If there is a setting for DEP, XD Technology, HDEP, NX or Data Execution Prevention, disable it (not necessary on all systems). Be aware that this turns off a hardware exploit mitigation for the whole system, so only do it if BitLocker will not enable otherwise, and remember that changing this setting again later alters the measured BIOS configuration (see the "system boot information has changed" section below).
7. Enable USB support and USB legacy device support.
8. Set the hard disk as the first boot device (disable USB booting entirely if the BIOS allows it).
9. Save the BIOS settings (usually with F10), even if nothing was changed, and reboot into Windows Vista®.
10. Create a Vista account with Administrator rights if one does not already exist. Log on to this account for all of the following steps.
11. Restart the system and log on to Vista.
12. From the Start menu select Control Panel, Security, BitLocker Drive Encryption, and confirm the User Account Control prompt.
13. Click TPM Administration in the left-hand pane (this runs tpm.msc).
14. If a Clear TPM... link is shown, click it and choose 'I do not have the TPM owner password'. Restart, re-run TPM Administration as above, click Initialize TPM... and restart again when prompted.
Note: Windows Defender may block tpm.msc from launching automatically after the reboot. If so, click its taskbar icon to re-launch it.
Then choose 'Automatically create a password', save the TPM owner password file to the USB flash memory key already present in the system, and click Initialize.
If there is no Clear TPM option, simply initialize the TPM as above.
15. On the BitLocker Drive Encryption page, click Turn On BitLocker (see Fig. 2).
16. On the 'Save the recovery password' page (Fig. 3) you will see the following options:
Save the password on a USB drive. Saves the password to a USB flash drive.
Save the password in a folder. Saves the password to a network drive or other location.
Print the password. Prints the password.
Note: Use the Save the password on a USB drive option to preserve the recovery password.
17. Select the option and follow the wizard to set the location for saving or printing the recovery password. It is recommended that you save the recovery password file to the USB flash memory key and then copy the file from this key to a safe location on another system.
18. When you have finished saving the recovery password, click Next.
19. On the 'Encrypt the volume' page, confirm that the Run BitLocker System Check check box is ticked (Fig. 5) and click Continue. Leave the USB flash memory drive connected if the recovery password was stored on it.
20. Confirm that you want to restart the computer by clicking Restart Now.
21. The computer restarts and BitLocker verifies that it is BitLocker-compatible and ready for encryption. If it is not, an error message alerts you to the problem (see Fig. 1 below). If you first see the error message in Fig. 8 below, press Enter as prompted and repeat from Step 8 above. Note: up to 4 attempts, starting from Step 11 and clearing the TPM each time, may be required. Do not change any BIOS settings between these attempts.
22. If the C: volume is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor progress by hovering the mouse over the BitLocker Drive Encryption icon in the notification area at the bottom of the screen.
23. Remove your USB key and keep it in a safe place. Also make a secure backup of the TPM owner password and BitLocker recovery password files stored on the key.
By completing this procedure you have encrypted the operating system volume and created a recovery password unique to this volume. The next time you log on you will see no change. If the TPM ever changes or cannot be accessed, if the measured boot files or BIOS settings change, or if someone tries to start the computer from another disk to bypass the operating system, the computer switches to recovery mode until the recovery password is supplied.
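The wizard shows very little once encryption is running, so the following PowerShell script is added here as a way to verify the outcome of the procedure above. It is not part of the RM article: it reads the volume state through the Win32_EncryptableVolume WMI class that Vista ships (PowerShell is an optional install on Vista) and checks that the recovery password file the wizard wrote to the USB key actually contains the recovery password the volume currently holds. The USB drive letter E: and the function names are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the RM article): confirm BitLocker was enabled as intended.
# Requires an elevated prompt; GetKeyProtectorNumericalPassword returns the secret, so
# it is compared in memory only and never written or displayed.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-BitLockerState {
    param([string]$Drive = 'C:')
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter = '$Drive'"
    if ($vol -eq $null) { throw "No encryptable volume $Drive (BitLocker needs Vista Ultimate or Enterprise)" }
    $conv = $vol.GetConversionStatus()   # 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting, 4/5 paused
    $prot = $vol.GetProtectionStatus()   # 0 off, 1 on, 2 unknown
    # 0 = every protector type; each ID is then resolved to its type:
    # 1 = TPM, 2 = external (startup) key, 3 = numerical (recovery) password
    $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    $types = @{}
    foreach ($id in $ids) { $types[$id] = $vol.GetKeyProtectorType($id).KeyProtectorType }
    New-Object PSObject -Property @{
        Drive = $Drive; Volume = $vol
        ConversionStatus = $conv.ConversionStatus; PercentEncrypted = $conv.EncryptionPercentage
        ProtectionStatus = $prot.ProtectionStatus; Protectors = $types
    }
}

function Compare-RecoveryPassword {
    param($State, [string]$UsbRoot = 'E:\')    # E: is an assumption for the USB key
    $numIds = @($State.Protectors.Keys | Where-Object { $State.Protectors[$_] -eq 3 })
    if ($numIds.Count -eq 0) { return 'FAIL: the volume has no recovery password protector' }
    # The wizard's text file holds the 48 digits as eight groups of six; match on
    # that pattern rather than on a file name, which differs between Vista builds.
    $onDisk = @()
    foreach ($f in Get-ChildItem -Path $UsbRoot -Filter *.txt -Recurse -ErrorAction SilentlyContinue) {
        $text = Get-Content $f.FullName | Out-String
        foreach ($m in [regex]::Matches($text, '\d{6}(-\d{6}){7}')) { $onDisk += $m.Value }
    }
    foreach ($id in $numIds) {
        $pw = $State.Volume.GetKeyProtectorNumericalPassword($id).NumericalPassword
        if ($onDisk -contains $pw) { return "OK: recovery password for protector $id is backed up under $UsbRoot" }
    }
    "FAIL: no .txt under $UsbRoot holds the volume's current recovery password; save it again before removing the key"
}

$s = Get-BitLockerState 'C:'
"C: conversion status {0} ({1}% encrypted), protection status {2}" -f $s.ConversionStatus, $s.PercentEncrypted, $s.ProtectionStatus
if ($s.Protectors.Values -notcontains 1) { 'WARN: no TPM protector; the volume is not sealed to the platform state' }
Compare-RecoveryPassword -State $s -UsbRoot 'E:\'
```

Conversion status 2 with a rising percentage is the normal picture immediately after step 22; re-run once it reports 1 and protection status 1 before relying on the system, and treat a FAIL from Compare-RecoveryPassword as a reason not to remove the USB key yet.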
Fig. 1 You will see this message if the USB flash memory key was not detected on rebooting (Step 8 above)
BitLocker step-by-step screen shots
The following screenshots should aid in enabling BitLocker encryption.
Fig. 2 Vista BitLocker enable page
Fig. 3 Save the recovery password
Fig. 4 Save the recovery key to a non-bootable USB flash memory key
Fig. 5 Tick the option to test the USB flash drive on restart
How to boot to Recovery Mode (Repair Mode)
If you wish to reboot to the Recovery Mode in order to repair the Operating System or perform a backup or restore operation:
- Insert the flash memory key that contains the recovery key files into one of the computer's USB ports.
- Restart the computer.
- After the BIOS messages have displayed and just before the system is about to boot from the hard disk, press F8 repeatedly every half-second.
- Proceed as usual and if prompted for the Recovery Key, select the USB option and continue to the Recovery Menu.
Note: If you see the screen below then the USB key has not been detected correctly!
Problems when using F8 to boot to the Recovery Mode (Repair Mode)
If you see the screen below, the system has not detected the recovery key on the USB flash drive.
You must insert the USB flash drive containing the recovery key file before the system is booted or restarted. With the Vista RTM version, the USB flash memory key must not be of the bootable type.
Fig. 6 Text displayed after pressing F8 on a BitLocker-enabled RM system
This next screen allows you to enter the recovery password manually (the 48-digit code in the text file you saved when BitLocker was enabled). Alternatively, insert the USB key and reboot, but you must press F8 again if you want to enter Recovery Mode.
Fig. 7 Press Enter if you wish to enter the 48-digit recovery password manually
Does my system have a TPM?
You can check whether your system has a TPM by typing tpm.msc in the Start menu 'Start Search' box. (Note: this console may not report a TPM if volume encryption is in progress or the system is in an undefined state.) TPM specification version 1.2 or later is required for Vista BitLocker.
Another check is to see if there is a TPM entry in the BIOS menus.
Ensure the TPM is listed in Device Manager (under Security Devices). Try the Windows Vista driver rather than the manufacturer's driver: some Winbond TPM drivers do not work, and tpm.msc does not detect the TPM unless the Windows Vista driver is installed.
Only systems advertised by RM as featuring a TPM are supported by RM. Some systems may contain TPM hardware but TPM BIOS support may be disabled if the feature is not supported on that platform.
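The checks in the requirements list and in this section can be scripted. The following PowerShell is added here as an example and is not RM's own tool: it queries the Win32_Tpm, Win32_Volume and Win32_DiskPartition WMI classes that Vista ships to report whether a TPM is present, enabled and at specification 1.2 or later, whether the S: recovery volume exists, is the active partition and meets the 1.5GB/500MB figures given in this article, and which partitions on USB-attached disks carry a bootable flag (my own heuristic for the "non-bootable USB key" requirement). Run it from an elevated prompt; the function names are my own.

```powershell
# Added example (not from the RM article): pre-flight check of the BitLocker-Ready
# requirements using only Vista-era WMI classes. Size thresholds come from the article.

function Test-TpmReady {
    # Win32_Tpm has no instance when the TPM is disabled in the BIOS or has no working
    # driver, so "no instance" is reported as Present = $false rather than as an error.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        return New-Object PSObject -Property @{ Present = $false; Enabled = $false; Activated = $false; Owned = $false; SpecVersion = '' }
    }
    New-Object PSObject -Property @{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled       # turned on in the BIOS
        Activated   = [bool]$tpm.IsActivated().IsActivated   # usable by the operating system
        Owned       = [bool]$tpm.IsOwned().IsOwned           # an owner password is already set
        SpecVersion = [string]$tpm.SpecVersion               # e.g. "1.2, 2, 3"
    }
}

function Test-RecoveryVolume {
    param([string]$Letter = 'S:')
    $vol = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter = '$Letter'"
    if ($vol -eq $null) { return $null }
    # Walk from the drive letter to its partition to see whether it is the active one.
    $part = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$Letter'} WHERE AssocClass=Win32_LogicalDiskToPartition"
    New-Object PSObject -Property @{
        Letter      = $Letter
        SizeGB      = [math]::Round($vol.Capacity / 1GB, 2)
        FreeMB      = [math]::Round($vol.FreeSpace / 1MB)
        Active      = ($part -ne $null -and [bool]$part.BootPartition)
        LargeEnough = ($vol.Capacity -ge 1.5GB)    # requirement above
        FreeEnough  = ($vol.FreeSpace -ge 500MB)   # needed by Complete PC Backup
    }
}

function Get-UsbPartitionFlags {
    # Heuristic: a key formatted as "bootable" carries a bootable/active partition flag.
    foreach ($disk in Get-WmiObject -Class Win32_DiskDrive -Filter "InterfaceType = 'USB'" | Where-Object { $_ }) {
        $id = $disk.DeviceID.Replace('\', '\\')    # escape backslashes for WQL
        $parts = Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID='$id'} WHERE AssocClass=Win32_DiskDriveToDiskPartition"
        foreach ($p in $parts | Where-Object { $_ }) {
            New-Object PSObject -Property @{ Disk = $disk.Model; Partition = $p.DeviceID; Bootable = $p.Bootable; Active = $p.BootPartition }
        }
    }
}

$tpm = Test-TpmReady
$rec = Test-RecoveryVolume 'S:'
$ok  = $true
if (-not $tpm.Present) { 'FAIL: no TPM visible to Windows (check the BIOS TPM setting and the driver, as described above)'; $ok = $false }
elseif (-not ($tpm.Enabled -and $tpm.Activated)) { "FAIL: TPM present but Enabled=$($tpm.Enabled) Activated=$($tpm.Activated)"; $ok = $false }
elseif ($tpm.SpecVersion -notmatch '^(1\.2|2\.0)') { "FAIL: TPM specification '$($tpm.SpecVersion)' is below 1.2"; $ok = $false }
elseif ($tpm.Owned) { 'NOTE: the TPM already has an owner; expect the Clear TPM step in the procedure above' }
if ($rec -eq $null) { 'FAIL: no S: volume; this system is not BitLocker-Ready'; $ok = $false }
else {
    if (-not $rec.Active)      { 'FAIL: S: is present but is not the active partition'; $ok = $false }
    if (-not $rec.LargeEnough) { "FAIL: S: is $($rec.SizeGB) GB; at least 1.5 GB is required"; $ok = $false }
    if (-not $rec.FreeEnough)  { "WARN: S: has $($rec.FreeMB) MB free; keep at least 500 MB free" }
}
Get-UsbPartitionFlags | Format-Table -AutoSize   # reformat any key that shows Bootable or Active = True
if ($ok) { 'Requirements met; proceed with the enabling steps.' }
```

A system that passes every check here can still fail the BitLocker system check for the BIOS-related reasons covered in the troubleshooting sections below; this script only rules out the hardware and partition requirements.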
BitLocker cannot initialize the TPM and prompts you to remove any bootable CDs or DVDs
If you cannot reach the 'Save the recovery password' page shown in Fig. 3 above, are instead prompted to remove any bootable CD or DVD and restart (Fig. 3a below), and have already cleared and re-initialised the TPM, the problem may be an incorrect Master Boot Record. This can be corrected in one of two ways:
- Boot from a Vista installation DVD and open a command prompt window. bootsect.exe is in the \boot folder of the Vista DVD. Assuming the DVD is drive F:, type F:\boot\bootsect.exe /nt60 SYS /MBR. This rewrites the Vista boot code on the system partition and the master boot record.
- Disable PCR0 register checking (see the System Boot Information section below for details of how to do this).
Fig. 3a Error message if a CD/DVD is present or the hard disk boot code is considered invalid
Vista fails to detect the Recovery key on a USB Flash memory device
If, on rebooting, BitLocker fails to verify the password file on your USB flash memory drive (after four attempts), the most likely cause is that the USB flash key is formatted as bootable (Vista RTM only; Vista SP1 tolerates bootable USB flash memory keys, but they may still need to be reformatted).
If you have an RM MiniSafe Pro, you may need to reformat the flash key using the RM Format utility provided on the accompanying mini-CD. Select the Format option, not either of the bootable options.
The following steps are recommended:
- Ensure USB legacy support is enabled in the BIOS settings (sometimes referred to as USB keyboard support in some BIOSes).
- Ensure that the boot order makes the hard disk the first boot device. The USB device must be detected by the BIOS on start-up, but the BIOS must boot from the hard disk first.
- Ensure the USB device is not formatted as a bootable device.
- Check that the USB device has no errors by performing a disk scan and check for bad blocks.
- Reformat the USB flash memory pen.
- Try a different type of USB flash memory pen.
Note: If you have already saved the password key to a flash drive, you can copy this file to another disk temporarily, whilst you reformat the flash drive to be non-bootable, and then copy the file back again.
If Vista cannot detect the TPM, reset the BIOS settings to their defaults and re-enable the TPM menu item (if it is already enabled, disable it and re-enable it in the BIOS menu).
Try updating the BIOS to a later version (if available). If the system has an Intel® mainboard you can update the BIOS from within Vista® by downloading a Windows version of the BIOS update program from the Intel® web site at http://www.intel.com/ (Support and Downloads). If you have a non-Intel® mainboard, please contact RM Support.
If you are using a third-party TPM driver, try using the Windows TPM driver instead.
Note: Although your system may physically contain a TPM, it may be disabled by the BIOS. RM does not support BitLocker with a TPM unless the system is advertised by RM as containing a TPM and is licensed for the Vista® operating system.
Troubleshooting BitLocker encryption
- Try at least four times in succession before concluding that BitLocker will not enable. BitLocker resets the TPM measurements each time you run it, and it has been observed that up to four attempts (without changing any settings at all) can be needed before all changes have been cleared and the drive starts to be encrypted.
- Ensure you always log on to an account that has Administrator access rights.
- Ensure the TPM is enabled in the BIOS.
- Ensure you have a TPM driver listed in Device Manager. Try the default Windows TPM driver.
- If the 'Initialize the TPM security hardware' application fails, try clearing the TPM and initializing it again. If the TPM has already been initialized and BitLocker encryption has begun or been aborted, clearing the TPM (run tpm.msc) may ask for the TPM owner password file you saved earlier.
- If, on reboot, your system fails to validate the recovery password key on your flash memory drive, check that any special option to boot USB devices first (eg RM Expert 3030/Intel mainboards) is disabled. On some systems (RM Expert 3030), you may also need to disable XD Technology (Data Execution Prevention).
"The system boot information has changed since BitLocker was enabled" error message
If the message in Fig. 8 below is displayed when the system restarts to check your BitLocker recovery password located on your USB flash memory drive, you should first check that you have configured the BIOS Boot order menu options so that USB flash drives or CD/DVD drives are not in the boot order before the hard disk.
If you see the message in Fig. 8 below, you should ALWAYS proceed as follows:
- When you see this message press the Enter key - you should always do this.
- Repeat the process of enabling BitLocker in Vista four times before making any BIOS or OS changes. The small changes detected by Windows will thus be authorised and the following attempt to enable BitLocker may well be successful. You do need to try up to four times!
- Try disabling some non-essential BIOS features such as XD Technology, VT Technology, EIST, etc. Again retry up to four times to enable BitLocker before concluding that it is still not working.
If the message in Fig. 8 is still seen, you may have to exclude one or more PCR registers from the TPM platform validation profile (not recommended) as follows:
1. Press the Windows key and R to open a Run box.
2. Type gpedit.msc and click OK.
3. Browse to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.
4. Double-click Configure TPM platform validation profile.
5. Click the Enabled radio button.
6. Untick the PCR 0 option (Core Root of Trust for Measurement) to exclude it.
7. Click OK, then choose File, Exit to quit the Local Group Policy Editor.
8. Now try to enable BitLocker encryption as explained above.
Note: At step 6 you can exclude any or all PCR registers except PCR 11, which must remain selected for BitLocker to work. Each register you exclude removes one part of the boot chain (BIOS code, option ROMs, MBR, boot sector, boot manager) from the check that must pass before the TPM releases the key, so the more you exclude, the less protection BitLocker gives against boot-time tampering. Exclude PCR 0 first, then PCR 10, and then the others, and always try to enable BitLocker at least four times after each change.
Fig. 8 Error message received on restart before BitLocker conversion begins
If you see this message after BitLocker has been successfully enabled, it usually indicates that something measured at boot has changed: the BIOS settings, the hard disk Master Boot Record or boot code, or the partition table. This typically occurs when the system attempted to boot from a different device (perhaps because a bootable CD/DVD or USB key was present). Either reverse the change (if you can remember what it was) or use the recovery password file on your USB flash memory key to start the system. Then disable and re-enable BitLocker, which reseals the volume master key to the new PCR values.
If you see this message while trying to enable BitLocker, re-initialise the TPM and try to enable BitLocker again (up to 4 attempts). The small changes that were detected are re-measured when you retry. If still unsuccessful, try excluding PCR 0 as described above.
RM BitLocker-Ready systems are factory prepared as follows:
C: Windows Vista
D: Data volume (contains backup files)
S: Windows Recovery and BitLocker boot files (approx. 2GB)
The Active partition (boot partition) is the S: volume (not the C: volume as on other RM Vista systems).
You should not use the S: volume to store files. You should not attempt to delete or change any files on the S: volume. The S: volume is hidden from Windows Explorer for this reason. Even if you do not want to enable BitLocker, the S: volume needs to have at least 500MB of free space, as this is required when using CompletePC Backup.
If you want to remove the BitLocker protection, you can Disable it or Decrypt (Clear) the volume. Decrypt completely removes BitLocker protection and fully decrypts the volume. Disable keeps the data encrypted but wraps the BitLocker volume master key with a clear key, a key stored unencrypted and unprotected on the disk volume. While BitLocker is disabled anyone with access to the disk can therefore unlock it, so the disabled state is only for the duration of a change or upgrade, where it saves the time and cost of decrypting and re-encrypting the entire volume. Once the change is made and BitLocker is enabled again, BitLocker reseals the volume master key to the new values of the measured components that changed and erases the clear key.
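The two preceding sections describe the same situation from both ends: a BIOS or boot change trips the PCR check, and the Disable/re-enable cycle is how the key is resealed. The following PowerShell, added here as an example and not part of the RM article, shows the administrator's side of that cycle using the Win32_EncryptableVolume methods Vista ships: it lists the PCRs the TPM protector on C: is currently sealed to (so you know in advance which kind of change will trigger recovery mode, and whether PCR 0 was excluded), then suspends and resumes protection around a planned change. The function names and the PCR descriptions table are my own; run from an elevated prompt.

```powershell
# Added example (not from the RM article): inspect the PCR profile behind the TPM
# protector, then suspend (clear key on disk) and resume (reseal) around a BIOS change.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-OsVolume {
    param([string]$Drive = 'C:')
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter = '$Drive'"
}

function Get-TpmProtectorPcrs {
    param($Volume)
    # Protector type 1 = TPM only, the configuration this article sets up.
    $ids = @($Volume.GetKeyProtectors(1).VolumeKeyProtectorID | Where-Object { $_ })
    if ($ids.Count -eq 0) { return $null }
    $r = $Volume.GetKeyProtectorPlatformValidationProfile($ids[0])
    if ($r.ReturnValue -ne 0) { throw ("GetKeyProtectorPlatformValidationProfile failed: 0x{0:X8}" -f $r.ReturnValue) }
    [int[]]$r.PlatformValidationProfile     # PCR indices the key is sealed to
}

function Show-PcrMeaning {
    param([int[]]$Pcrs)
    # What each TPM 1.2 / BIOS-boot PCR measures; Vista's default profile is 0,2,4,8,9,10,11.
    $names = @{ 0 = 'BIOS code (Core Root of Trust for Measurement)'; 1 = 'BIOS configuration';
                2 = 'Option ROM code'; 3 = 'Option ROM configuration'; 4 = 'MBR code';
                5 = 'MBR partition table'; 8 = 'NTFS boot sector'; 9 = 'NTFS boot block';
                10 = 'Boot manager'; 11 = 'BitLocker access control' }
    foreach ($p in $Pcrs) { "{0,3}  {1}" -f $p, $names[$p] }
    if ($Pcrs -notcontains 11) { 'ERROR: PCR 11 is missing; BitLocker requires it' }
    if ($Pcrs -notcontains 0)  { 'WARN: PCR 0 excluded; BIOS code is not verified before the key is released' }
}

function Suspend-ForBiosChange {
    param($Volume)
    # DisableKeyProtectors leaves the data encrypted but stores a clear key on disk.
    $r = $Volume.DisableKeyProtectors()
    if ($r.ReturnValue -ne 0) { throw ("DisableKeyProtectors failed: 0x{0:X8}" -f $r.ReturnValue) }
    $Volume.GetProtectionStatus().ProtectionStatus    # expect 0 (protection off)
}

function Resume-AfterBiosChange {
    param($Volume)
    # EnableKeyProtectors reseals the volume master key to the current PCR values and
    # erases the clear key; until this runs the disk is readable by anyone who has it.
    $r = $Volume.EnableKeyProtectors()
    if ($r.ReturnValue -ne 0) { throw ("EnableKeyProtectors failed: 0x{0:X8}" -f $r.ReturnValue) }
    $Volume.GetProtectionStatus().ProtectionStatus    # expect 1 (protection on)
}

$vol  = Get-OsVolume 'C:'
$pcrs = Get-TpmProtectorPcrs $vol
if ($pcrs -eq $null) { 'No TPM protector on C:' } else { 'TPM protector is sealed to PCRs:'; Show-PcrMeaning $pcrs }
# Planned change: run Suspend-ForBiosChange $vol, reboot into the BIOS and make the change,
# boot back into Windows, then run Resume-AfterBiosChange $vol and re-read the PCR list.
```

Suspend-ForBiosChange and Resume-AfterBiosChange are left as calls in comments so that running the script as a whole only reports state; suspending is a deliberate action because, as the paragraph above explains, the clear key removes all protection until protection is enabled again.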
More information about BitLocker can be obtained by using the Search facility at http://www.microsoft.com/ (eg Windows BitLocker Drive Encryption Step-by-Step Guide)
Can I enable BitLocker if my system is not a BitLocker-Ready system?
If your system supports BitLocker (and has TPM v1.2 or above) but is not shipped as BitLocker-Ready, it is possible to re-partition the system so that it supports BitLocker, however this is only recommended for experienced users and is not fully supported by RM.
If you have a standard RM factory pre-installed system, you will need to increase the size of the Recovery partition by following the process outlined below.
Note: The procedure below is in outline form and is for experienced users only. RM cannot be held responsible for any data loss!
- Backup any important data to another computer or external media.
- Boot from an RM Vista Recovery DVD and click on Command Prompt.
- Make a User Backup using the RM Recovery utility (Tip: If you have important data, you can reboot to Vista and copy the hidden D:\Install.wim backup file to a network drive as a safeguard.)
- Use Diskpart to Delete only the C: (D0P1) volume (do not delete the D0P2 volume!).
- Use Diskpart to Expand the Recovery volume to a size of 2GB.
- Use Diskpart to make a new D0P1 volume (NTFS).
- Using the RM Recovery utility, ensure the 'Restore to:' drive is set to the D0P1 volume letter and restore the User backup to this partition (perform a Clean Install).
- Reboot Vista, obtain and run the BitLocker Drive Preparation Tool from Microsoft (see http://support.microsoft.com/kb/930063 for details or perform a Windows Update and select the tool from the list provided when you click 'View available updates' under the Install updates button).
- Important: Delete the CompletePC Backup on the D: volume and make a new CompletePC Backup to the D: volume.
You do not need a hardware TPM to enable BitLocker and have an encrypted volume, but the volume will be less secure: without a TPM the integrity of the boot chain is not verified before the volume is unlocked, and a startup key on a USB device is needed at every boot. For more information see Scenario 3 of the Microsoft BitLocker Drive Encryption Step-by-Step Guide (see the link above).
Re-installing Vista after enabling BitLocker
If you wish to re-install Vista by using the F8 key to enter the Repair mode and running the RM Recovery Launcher application to restore the factory or your own User backup, or if you wish to re-install by booting from the RM Recovery DVD and installing a fresh copy of Vista, you will be prompted to enter the Recovery password (or to attach the USB flash drive that the password file is stored on).
Unless you have this key, you will not be able to re-install Vista or gain any access to the hard drive. The only way around this protection, which destroys all data on the volume, is to boot from a DOS floppy disk, a Windows XP Recovery CD or a Linux disc, erase the first two partitions on the hard disk, and then re-boot from an RM Vista Recovery DVD to re-partition and re-install the operating system.
Document Keywords: Bitlocker, TPM, Trusted Platform Module, encrypt, secure, protect