CUW-P023-Procedure_Enable_BitLocker_on_deployed_laptop_without_TPM_V1.3.2.doc

Title : Enable BitLocker on deployed laptop without TPMCreation Date:24 Nov 2010Last Modification:11 11月 2013Ref.: CUW-P024Author:CUW Core TeamPrint Date:28 1月 2020Procedure: Enable BitLocker on deployed laptopWithout TPMDocument ReferenceCUW-P024Document StatusIn preparation To be Validated Validated Other (specify)ValidationNameZoneFunctionDateVersion HistoryNDateAuthorEvolution reason0.125/10/2011Cdric GasnierDocument Creation125/10/2011Cdric GasnierDocument modification1.210/12/2012CUWDocument modification1.323/04/2013Arnaud HenriDocument modification1.3.123/05/2013Arnaud HenriDocument modification1.3.207/11/2013Arnaud HenriDocument modificationTable of Contents1.Context42.Requirements43.Procedure5a.Enable BitLocker5b.Secure USB key method8c.Secure USB key method (alternative)12d.Reset recovery password15e.If Script launch twice15f. If BDE partition is not prepared164.User Notice16This document is part of the CUW project which aims at providing a global master to all Air Liquide employees based on Windows 7.1. ContextThe goal of this procedure is to describe actions to follow in order to configure BitLocker on laptop without TPM that already have CUW master installed.At the end of the procedure, the laptop will have BitLocker enabled.2. RequirementsBefore starting the process, You must have an account having local admin rights. For laptop, you must plug in the computer to power adapter. Make sure that the computer is connected to network via an Ethernet cable. You must have a USB that will be used as Startup Key for the user. Download all PS1 and EXE files for BitLocker activation at the following link: /livelink/llisapi.dll?func=ll&objId=19800884&objAction=browse&viewType=1 Backup all important user data before encryption.CautionNote: If a Secure USB Key as AEGIS model is used, please refer to Secure USB Key method section.3. Procedurea. Enable BitLocker#ActionScreenshot1Log onto the computer with a local administrator account.2Execute setup.bat from the USB key to copy folders to C:_INSTALLBitLocker3Navigate to C:_INSTALLBitLockerNO_TPM and validate that the following script are available: 1ActivationBitlocker.cmd 2ResumeSecondDriveEncryption.cmd ErrorBitlocker.ps1 MsgStatusEncryption.ps1 ResumeSecondDriveEncryption.ps1 SecondDriveEncryption.ps1 StartEncryptionnoTPM.ps1Note: If these scripts are not available, download them at the following link /livelink/llisapi.dll?func=ll&objId=18530918&objAction=browse&viewType=1 and copy them to C:_INSTALLBitLockerNO_TPM4Insert the USB key that will be used as Startup Key and check that it is using F letter5Open a command prompt with administrative privileges (right click + Run as administrator)Navigate to C:_INSTALLBitLockerNO_TPM6Launch the following script using the command prompt:1ActivationBitlocker.cmdNote: The script may fall in error due to the GPO not applied. If it happens launch the script a second time. The startup key inserted is the one youll have to use.7A windows appears noticing that a log file be created in C:_installBitLockerBitLocker_Logs.logClick on OK8An second windows appears:Click on OK9The laptop will restart automatically10When the laptop reboots, the startup key has to be already connected to enable bitlocker. Log-in and wait for the encryption to start againYou can click on the popup for open the dialog box.The encryption of D drive has been scheduled before the reboot of the computer.Once done, D drive encryption will start then will be paused.Encryption of D drive will resume once C drive encryption will be complete.Scheduled task checks every 10 minutes the completion of C drive encryption.11The encryption progress silently and can take up to several hours. Type manage-bde.exe status to know the progress of the encryption.12You can also verify the encryptions progress by opening the following log file: C:_installBitLockerNO_TPMBitLocker_Status.log13At the end of the encryption, the bitlocker window will be:14D drive encryption startsb. Secure USB key method#ActionScreenshot1Log onto the computer with a local administrator account.2Navigate to C:_INSTALLBitLockerNO_TPM and validate that the following script are available: 1ActivationBitlocker.cmd 2ResumeSecondDriveEncryption.cmd ErrorBitlocker.ps1 MsgStatusEncryption.ps1 ResumeSecondDriveEncryption.ps1 SecondDriveEncryption.ps1 StartEncryptionnoTPM.ps1Note: If these scripts are not available, download them at the following link /livelink/llisapi.dll?func=ll&objId=19800884&objAction=browse&sort=name&viewType=-1 and copy them to C:_INSTALLBitLockerNO_TPM3Insert the normal USB key that will be used as Startup Key and check that it is using F: letter4Open a command prompt with administrative privileges (right click + Run as administrator)Navigate to C:_INSTALLBitLockerNO_TPM5Launch the following script using the command prompt:1ActivationBitlocker.cmdNote: The script may fall in error due to the GPO not applied. If it happens launch the script a second time. The startup key inserted is the one youll have to use.6A windows appears noticing that a log file be created in C:_installBitLockerBitLocker_Logs.logClick on OK7An second windows appears:Click on OK8The laptop will restart automatically.9Before laptop rebooting, shutdown it.10From another computer, plug the normal USB key then modify folder options to show hidden files.Open a Windows Explorer window, click the Organize link in the toolbar, and from there click on Folder and Search options. The Hidden files and folders options are to be found on the View tab under Advanced Settings.Under theHidden files and folderssection select the radio button labeledShow hidden files, folders, and drives.Remove the checkmark from the checkbox labeledHide protected operating system files (Recommended).Press theApplybutton and then theOKbutton.You will now able to see all hidden files on your USB key as .BEK file(s).11Copy .BEK created from normal USB key to Secure USB Key.12Unlock your Secure USB key then plug it to the laptop.13Power on the laptop in 30 seconds.14When the laptop reboots, the startup key has to be already connected to enable bitlocker. Log-in and wait for the encryption to start againYou can click on the popup for open the dialog box.The encryption of D drive has been scheduled before the reboot of the computer.Once done, D drive encryption will start then will be paused.Encryption of D drive will resume once C drive encryption will be complete.Scheduled task checks every 10 minutes the completion of C drive encryption.15The encryption progress silently and can take up to several hours. Type manage-bde.exe status to know the progress of the encryption.16You can also verify the encryptions progress by opening the following log file: C:_installBitLockerNO_TPMBitLocker_Status.log17At the end of the encryption, the bitlocker window will be:18D drive encryption startsc. Secure USB key method (alternative)#ActionScreenshot1Log onto the computer with a local administrator account.2Navigate to C:_INSTALLBitLockerNO_TPM and validate that the following script are available: 1ActivationBitlocker.cmd 2ResumeSecondDriveEncryption.cmd ErrorBitlocker.ps1 MsgStatusEncryption.ps1 ResumeSecondDriveEncryption.ps1 SecondDriveEncryption.ps1 StartEncryptionnoTPM.ps1Note: If these scripts are not available, download them at the following link /livelink/llisapi.dll?func=ll&objId=19800884&objAction=browse&sort=name&viewType=-1 and copy them to C:_INSTALLBitLockerNO_TPM3Insert the Secure USB key that will be used as Startup Key and check that it is using F: letter4Open a command prompt with administrative privileges (right click + Run as administrator)Navigate to C:_INSTALLBitLockerNO_TPM5Launch the following script using the command prompt:1ActivationBitlocker.cmdNote: The script may fall in error due to the GPO not applied. If it happens launch the script a second time. The startup key inserted is the one youll have to use.6A windows appears noticing that a log file be created in C:_installBitLockerBitLocker_Logs.logClick on OK7An second windows appears:Click on OK8The laptop will restart automatically.9Before laptop rebooting, shutdown it.10Unlock your Secure USB key then plug it to the laptop.11Power on the laptop in 30 seconds.12When the laptop reboots, the startup key has to be already connected to enable bitlocker. Log-in and wait for the encryption to start againYou can click on the popup for open the dialog box.The encryption of D drive has been scheduled before the reboot of the computer.Once done, D drive encryption will start then will be paused.Encryption of D drive will resume once C drive encryption will be complete.Scheduled task checks every 10 minutes the completion of C drive encryption.13The encryption progress silently and can take up to several hours. Type manage-bde.exe status to know the progress of the encryption.14You can also verify the encryptions progress by opening the following log file: C:_installBitLockerNO_TPMBitLocker_Status.log15At the end of the encryption, the bitlocker window will be:16D drive encryption startsd. Reset recovery password1Open a command prompt with administrative privileges (right click + Run as administrator)Navigate to C:_INSTALLBitLockerNO_TPM2Launch the following script using the command prompt:3ResetRecoveryPassword.cmd3A new password have been created and added to Active Directory.e. If Script launch twice1In the case where 1ActivationTPM.cmdis relaunched, a message box will appears by advising that encryption is in progress.Click OK to close.f. If BDE partition is not prepared1In the case where BDE partition is missing, a message box will appears by advising that Bitlocker Preparation Tool will prepare this partition.Click OK to close.Once done, a mandatory reboot will be required.After computer rebooted, you have to relaunch 1ActivationTPM.cmd script to continue encryption process.4. User NoticeThis system has been encrypted with BitLocker Drive Encryption. The Windows Operating Systemas well as the User Data, Windows Registry and temporary files are all encrypted to meetAir Liquides Security Requirements for all Common User Workstation(CUW) systems.Purpose of the encryption is to help ensure this system is not tampered with even if it isleft unat