
How to Install Bitlocker with TPM on Hyper-V 2012 R2

In this article we will review the installation of Bitlocker with the TPM module on the Hyper-V Server 2012 R2 Core.

Bitlocker is a built-in Windows utility that protects data with full-volume encryption. Bitlocker uses the AES algorithm with 128-bit keys; for greater data security, the key length can be increased to 256 bits. By default, the TPM stores the encryption key and ensures its integrity. The TPM is a chip built into the PC motherboard that measures the code run during OS boot, calculates hash values, and stores the results in special registers called PCRs (Platform Configuration Registers). More information on TPM and Bitlocker is available on Microsoft's official website.

Preparing the Hyper-V Server 2012 R2, Server Core

Typically, TPM support is turned off and must be enabled in the BIOS settings. Because we are using the Core version of the operating system, Device Manager is not available to check whether the TPM is enabled. Instead, we will use a PowerShell module published on the Microsoft Partner & Customer Solutions Blog.

Install the module with the following command:

Ipmo .\ScriptName.psd1 -Verbose

PS C:\> Ipmo .\DeviceManagement.psd1 -Verbose
VERBOSE: Loading module from path 'C:\DeviceManagement.psd1'.
VERBOSE: Importing cmdlet 'Disable-Device'.
VERBOSE: Importing cmdlet 'Enable-Device'.
VERBOSE: Importing cmdlet 'Get-Device'.
VERBOSE: Importing cmdlet 'Get-Driver'.
VERBOSE: Importing cmdlet 'Get-NUMA'.
VERBOSE: Importing cmdlet 'Install-DeviceDriver'.

To view all devices in the system, use this command:

Get-Device | Sort-Object -Property Name | ft Name, DriverVersion

If the TPM is enabled, it will appear in the list of devices:

PS C:\> Get-Device | Sort-Object -Property Name | ft Name, DriverVersion
…
Trusted Platform Module 1.2             6.3.9600.16384

On Hyper-V Server 2012 R2 Core, the TPM is configured with a dedicated set of PowerShell cmdlets, which are enabled with the following command:

dism /online /enable-feature /FeatureName:tpm-psh-cmdlets

PS C:\> dism /online /enable-feature /FeatureName:tpm-psh-cmdlets

Deployment Image Servicing and Management tool
Version: 6.3.9600.16384

Image Version: 6.3.9600.16384

Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.

A detailed description of all TPM cmdlets is available at http://blogs.technet.com/b/wincat/archive/2012/09/06/device-management-powershell-cmdlets-sample-an-introduction.aspx

To view the TPM settings, use this command:

PS C:\> Get-TPM

Protector configuration

For disk encryption, you need to specify where the encryption key is protected. In our case, we will add two key protectors, the TPM and a recovery password; either of them can unlock the drive, and the recovery password is what lets us decrypt the drive if the TPM cannot release the key.

To configure the protectors, we will use the built-in manage-bde utility.

Add the TPM module as the protector:

manage-bde -protectors -add C: -tpm

PS C:\Users\Administrator> manage-bde -protectors -add G: -tpm
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Key Protectors Added:

    TPM:
      ID: {BC0479C0-96DB-42D4-8C28-957385B9D8D9}
      PCR Validation Profile:
        0, 2, 4, 8, 9, 10, 11

After the key protector has been added, we initiate the encryption process with the following command:

manage-bde -on -recoverypassword C:

Follow the prompts, save the auto-generated recovery password somewhere other than the drive being encrypted, and complete the procedure as described in the figure below.

To check the progress and status of drive encryption after you restart the server, use this command:

manage-bde.exe -status C:

PS C:\> manage-bde.exe -status C:
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]

    Size:                 464.44 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password
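The steps above (check the TPM, add the TPM and recovery-password protectors, turn encryption on, check the status) can be run as one script with the checks a practitioner would want at each step. The following is an added example written for this page, not code from the original article or from Microsoft. It assumes a volume letter held in $Volume and an escrow location for the recovery password in $RecoveryPath (a share on another machine; both values are placeholders), and it adds the recovery password as a separate protector before running manage-bde -on so the password can be captured and escrowed rather than copied by hand. The Get-Tpm properties it uses (TpmPresent, TpmReady) are the ones the cmdlet returns on Windows Server 2012 R2.

```powershell
# Added example, not part of the original article: the article's BitLocker procedure run
# end to end on a Server Core host with manage-bde and the TPM cmdlets enabled via dism.
# Assumptions not taken from the article: the volume letter in $Volume and the escrow
# location in $RecoveryPath (placeholder share; keep it off the volume being encrypted).
$Volume       = 'C:'
$RecoveryPath = "\\fileserver\bitlocker-keys\$($env:COMPUTERNAME)-$($Volume.TrimEnd(':')).txt"

# Prerequisite: manage-bde ships with the BitLocker feature on Windows Server.
if (-not (Get-WindowsFeature -Name BitLocker).Installed) {
    throw 'BitLocker feature is not installed (Install-WindowsFeature BitLocker, then restart).'
}

# Step 1: the TPM must be present and ready (enabled in the BIOS) before a TPM protector
# can be added. Get-Tpm comes from the tpm-psh-cmdlets feature enabled with dism.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable: Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady). Enable it in the BIOS and re-run."
}

# Step 2: TPM protector. manage-bde prints the PCR validation profile the key is sealed to
# (0, 2, 4, 8, 9, 10, 11 on the article's host). Any change to those measurements, for
# example a firmware update, makes the TPM withhold the key and the recovery password is
# then the only way back in, which is why step 3 escrows it before encryption starts.
& manage-bde -protectors -add $Volume -tpm | Out-Null
if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -add -tpm failed with exit code $LASTEXITCODE" }

# Step 3: recovery password. The article adds it with 'manage-bde -on -recoverypassword';
# adding it as its own protector first lets the script capture the password from the output
# (eight groups of six digits) and write it to the escrow location.
$out = & manage-bde -protectors -add $Volume -recoverypassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -add -recoverypassword failed with exit code $LASTEXITCODE" }
$match = $out | Select-String -Pattern '\d{6}(-\d{6}){7}' | Select-Object -First 1
if (-not $match) { throw 'Recovery password not found in manage-bde output; nothing was escrowed.' }
Set-Content -Path $RecoveryPath -Value $match.Matches[0].Value

# Step 4: turn encryption on. For the OS volume the TPM hardware test runs on the next
# restart, so 'Protection On' is not expected until after the reboot and the conversion.
& manage-bde -on $Volume | Out-Null
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Step 5: parse the 'Label:   Value' lines of 'manage-bde -status' (as shown in the
# article's output) into a hashtable so the result can be checked rather than eyeballed.
function Get-BdeStatus([string]$Vol) {
    $status = @{}
    foreach ($line in (& manage-bde -status $Vol)) {
        if ($line -match '^\s*([A-Za-z ]+):\s+(\S.*?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    return $status
}

$s = Get-BdeStatus $Volume
"{0} {1} ({2}), {3}, {4}" -f $Volume, $s['Conversion Status'], $s['Percentage Encrypted'],
                              $s['Encryption Method'], $s['Protection Status']
if ($s['Protection Status'] -ne 'Protection On') {
    Write-Warning "Protection is not on yet for $Volume; restart the server and check again once conversion reaches 100%."
}
```

Run it from an elevated PowerShell prompt on the Server Core host. Get-BdeStatus can be reused on its own after the restart to confirm that "Conversion Status" reads Fully Encrypted and "Protection Status" reads Protection On, which is the end state the article's status output shows.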