
Page 1: BU IT MBAM BitLocker Documentation.pdf

JCI BitLocker BU IT Support Document

GI Operations EUC


Contents

- Q & A (p. 2)
- BitLocker is being deployed to my computer… What will I see? (p. 3)
- Helpdesk Portal (p. 7)
- How to identify if the drive is BitLocker encrypted? (p. 8)
- PC shows encrypted but not compliant (p. 8)
  - Before you start (p. 8)
  - To turn off BitLocker Drive Encryption (p. 8)
  - To suspend BitLocker Drive Encryption on an operating system drive (p. 9)
- TPM not available on PC (p. 9)
  - China Only (p. 10)
- Error: “System Partition not available or large enough” (p. 15)
- Hardware changes / BIOS Updates (p. 16)
- Available Reports (p. 17)
- Log Files (p. 17)


Q & A

What is the hard drive encryption for?

The encryption of End User PC hard drives is needed to ensure that the data stored locally on any lost or stolen PC cannot be used by unauthorized persons.

Our customers VW and Porsche have requested that hard drive encryption be a 'must' for all suppliers that work with any confidential VW data on their local PC.

Will there be any additional software required for this initiative?

BitLocker itself is built into the Windows 7 Operating System by default.

The MBAM agent is a small client that will be installed on each user’s PC. This client transmits the encryption keys to the MBAM Encryption Server, which is what allows the BitLocker environment to be managed.

Will there be any additional User ID and / or additional password to use?

No, there will be nothing different. It stays the same as it is today.

What is the duration of the encryption process?

The encryption time varies greatly, based on two factors: the speed of the hard drive and how much data is on the drive. It can take anywhere from 30 minutes to 24 hours.

Will this impede general daily work?

No, there will be no impact on daily work, apart from a small performance decrease during the initial encryption. Ongoing encryption is transparent.

Will this have any impact on my email activity?

No, there will be no impact on daily work such as email; emails and their attachments will not be encrypted. Email senders and receivers will not be impacted in any case.

What if another user logs onto an encrypted PC? Can they still work?

The encryption is done for the entire PC. This includes all users that use or will use the PC, which means that all data for all users is encrypted on the PC.

That said, if a user logs onto an unencrypted PC, the data on that PC will not be encrypted.


BitLocker is being deployed to my computer… What will I see?

NOTE: The user will not see the installation of MBAM if the PC was reimaged. The installation notification is only seen if MBAM is assigned to a PC via SMIT.

Make sure that there is at least 15% of free disk space available before assigning MBAM.

MBAM will be assigned for installation to your machine. You will see the following notification appear in the bottom right corner, next to the system clock.

This notifies you that the program contents have been downloaded to your machine and are ready for you to start the installation.

You will have 15 minutes to run the program manually before it is forced.

Upon running the program, you will see progress messages as the sequence is performed.

Once installation has completed (this can take several minutes), you will be prompted to reboot. You will have up to 1 hour to perform the reboot manually. After 1 hour, you will be forced to reboot.

After you have rebooted the PC you should see the following window displayed:

*Important Note* - There might be a delay of up to one business day until this window shows. The policy encryption has to be done via the Central Management system. Running the local BitLocker encryption will not use the JCI Standard settings, and the client would therefore become non-compliant.

If the “Postpone” button is pushed, the window will go away; however, it will reappear the next time the policy is enforced, and every time after each policy application.

If the “Start” button is pushed, you may be prompted to reboot (shown below).

Once you reboot, you should be prompted to enable the TPM chip (this is required for BitLocker). This is usually done by pressing the F1 key (shown below). If you choose “Reject” (F2 in the example below), please note that you will be re-prompted to encrypt your drive each time your PC updates its policies.

If you are not prompted to reboot initially, or you have already rebooted and pressed “F1” to enable the TPM, you will be presented with a new window (below). This should begin automatically. During encryption, you will be able to work as you normally would. You may experience a temporary performance degradation during the encryption, but this will pass after the encryption process has completed.

At this point, you can close the window. You can also power off your PC; encryption will resume when you power your computer back on. Please note that the encryption process can take several hours to complete. When the process is complete, you should see the following notice:

Your HDD is now fully encrypted.

Helpdesk Portal

Link: https://diskencryption.jci.com/helpdesk/Default.aspx

*Note* – Access has to be requested – please see the MBAM Access Request Procedure.

1. A user will call the Service Desk/Local IT letting them know that BitLocker has locked their PC, and they need assistance in unlocking their computer.
   a. Validate that the user is the real user of that PC!
2. On the left side of the Portal website, click the “Drive Recovery” item.
   a. You will not currently need to use any other option on this site.
3. You will need to enter the following information: User Domain, User ID, Key ID, and Reason for Drive Unlock.
   a. Domain: CORPWEB, IFMUK, CGNA, etc.
   b. User ID: This is the user’s Global ID.
   c. Key ID: This is the Recovery Key ID that the user should see on their locked PC (generally 32 digits).
   d. Reason for Drive Unlock: Pick the most appropriate reason. If the user gives a reason that is not listed, select “Other” (example below).
4. Once the information is entered, click the “Submit” button.
5. If all of the entered information was correct, you will then be presented with the user’s Unlock code (example below).
6. This key should be read to the user via phone (or typed in by local IT). The user will likely not have access to email/chat, as their PC is locked.
7. Once they’ve entered the code properly, validate that they were then able to log into Windows.
   a. Note: BitLocker does NOT impact Windows logon. If they are unable to log on, there is another issue not related to BitLocker (locked account, expired/incorrect password, etc.).

How to identify if the drive is BitLocker encrypted?

As soon as you have followed the above steps and BitLocker did not show an error message, the drive is encrypted. This can also be identified via Computer:

PC shows encrypted but not compliant

If the MBAM client and policy got assigned to a PC, but the PC shows as “encrypted, but not compliant” with 128-bit encryption (the JCI Standard is 256-bit) in the MBAM reporting, that means the user has encrypted the PC manually without using the policy.

To resolve this, follow the steps below under “To turn off BitLocker Drive Encryption”. By doing this the drive will be decrypted again. With the next run of the policy update, the JCI BitLocker Policy will reapply and kick in using the correct encryption.
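The same check can be run on the PC itself instead of waiting for the MBAM report. The script below is an added example and is not part of this support document or of MBAM; it reads the BitLocker state through the BitLocker WMI provider that ships with Windows 7 and later, and flags the “encrypted, but not compliant” case (128-bit instead of the 256-bit JCI Standard) as well as a missing recovery key protector. It assumes the OS drive is C: and that “256-bit” means AES-256, AES-256 with diffuser or XTS-AES-256; run it from an elevated PowerShell prompt.

```powershell
# Added example (not part of the JCI support document): report the BitLocker state of the
# OS volume via Win32_EncryptableVolume (present on Windows 7 and later) and flag the
# "encrypted but not compliant" case. Assumptions: OS drive is C:, 256-bit = codes 2/4/7.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Codes returned by Win32_EncryptableVolume.GetEncryptionMethod()
$methodNames = @{ 0 = 'None'; 1 = 'AES-128 + Diffuser'; 2 = 'AES-256 + Diffuser'; 3 = 'AES-128'
                  4 = 'AES-256'; 5 = 'Hardware'; 6 = 'XTS-AES-128'; 7 = 'XTS-AES-256' }
# Codes returned by GetKeyProtectorType()
$protectorNames = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'
                     4 = 'TPM + PIN'; 5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key'
                     7 = 'Public key'; 8 = 'Passphrase' }
# Codes returned by GetConversionStatus()
$conversionNames = @{ 0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress'
                      3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused' }

function Get-BitLockerComplianceReport {
    param([string]$DriveLetter = 'C:')

    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No BitLocker-capable volume found for $DriveLetter" }

    $method     = [int]$vol.GetEncryptionMethod().EncryptionMethod
    $conv       = $vol.GetConversionStatus()
    $protection = [int]$vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
    $types      = @()
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
        $types += $protectorNames[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
    }

    # The JCI Standard is 256-bit; anything else shows as "encrypted, but not compliant"
    $is256 = @(2, 4, 7) -contains $method
    New-Object PSObject -Property @{
        Drive            = $DriveLetter
        EncryptionMethod = $methodNames[$method]
        ConversionStatus = $conversionNames[[int]$conv.ConversionStatus]
        PercentEncrypted = $conv.EncryptionPercentage
        ProtectionOn     = ($protection -eq 1)
        KeyProtectors    = ($types -join ', ')
        # The numerical password is the recovery key the Helpdesk Portal hands out
        HasRecoveryKey   = ($types -contains 'Numerical password')
        # Compliant = fully encrypted with a 256-bit method and protection switched on
        CompliantWithJCI = ($is256 -and [int]$conv.ConversionStatus -eq 1 -and $protection -eq 1)
    }
}

$report = Get-BitLockerComplianceReport -DriveLetter 'C:'
$report | Format-List Drive, EncryptionMethod, ConversionStatus, PercentEncrypted, ProtectionOn, KeyProtectors, HasRecoveryKey, CompliantWithJCI

if ($report.ConversionStatus -ne 'Fully decrypted' -and -not $report.CompliantWithJCI) {
    Write-Warning 'Encrypted but not compliant: decrypt via "Turn Off BitLocker" and let the MBAM policy re-encrypt with the JCI Standard.'
}
if (-not $report.HasRecoveryKey) {
    Write-Warning 'No numerical-password protector: the Helpdesk Portal will have no recovery key for this PC.'
}
```

On Windows 8 and later the same values are available through Get-BitLockerVolume, and on any version `manage-bde -status C:` prints them for a quick look; the WMI route is used here because it works on the Windows 7 clients this document covers and gives numeric codes that can be compared without parsing localized text.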

http://technet.microsoft.com/en-us/library/ee424315(v=ws.10).aspx

Before you start

To complete the procedures in this scenario:

You must be able to provide administrative credentials.

The drive must be BitLocker-protected.

Complete one of the following procedures.

To turn off BitLocker Drive Encryption

1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. Find the drive on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker.
3. A message is displayed, informing you that the drive will be decrypted and that decryption may take some time. Click Decrypt the drive to continue and turn off BitLocker on the drive.

By completing this procedure, you have decrypted the drive and removed BitLocker protection.

To suspend BitLocker Drive Encryption on an operating system drive

1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. Click Suspend Protection for the operating system drive.
3. A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click Yes to continue and suspend BitLocker on the drive.

By completing this procedure, you have suspended BitLocker protection on the drive by changing the decryption key to a clear key. To read data from the drive, the clear key is used to access the files.

When BitLocker is suspended, TPM validation does not occur and other authentication methods, such as the use of a PIN or USB key to unlock the operating system drive, are not enforced. This allows you to make system changes such as updating the BIOS or replacing a data drive.

When you are finished making changes to the computer, click Resume Protection from the BitLocker Drive Encryption Control Panel item to start using BitLocker Drive Encryption again.

TPM not available on PC

In some cases the TPM is not activated, or is even missing. To verify, please follow the steps below.

1. Power off the PC (reboots may not work on some models).
2. Power on the PC.
3. Immediately and repeatedly press the F10 key until a BIOS menu selection pops up (the key for most supported HP hardware is F10; however, some models may differ).
4. From this menu list, select the option that states “Computer Configuration”.
5. Once in the BIOS setup, browse to the “Security” menu (at the top).
6. Browse to the “OS management of Embedded Security Device” setting and ensure that it says “ENABLED”.
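Before sending a user into the BIOS, the TPM state can be read from inside Windows. The script below is an added example, not part of this support document or of MBAM; it uses the Win32_Tpm WMI class that ships with Windows 7 and later and maps the result onto the three situations this section deals with (no TPM visible, TPM present but not enabled/activated, TPM ready). The mapping of states to next steps is an assumption based on the BIOS steps above; run it from an elevated prompt.

```powershell
# Added example (not part of the JCI support document): check whether a TPM is present,
# enabled and activated using the Win32_Tpm WMI class (Windows 7 and later). Run elevated.

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) {
        # No WMI instance at all: the TPM is physically missing, or hidden/disabled in the
        # BIOS so Windows never loaded a driver for it. This is the "TPM not available" case.
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false; SpecVersion = $null }
    }
    New-Object PSObject -Property @{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled       # visible to the OS
        Activated   = [bool]$tpm.IsActivated().IsActivated   # allowed to be used
        Owned       = [bool]$tpm.IsOwned().IsOwned           # owner authorization set (MBAM does this)
        SpecVersion = $tpm.SpecVersion
    }
}

$state = Get-TpmState
$state | Format-List Present, Enabled, Activated, Owned, SpecVersion

if (-not $state.Present) {
    Write-Warning 'No TPM visible to Windows. Follow the BIOS steps above (Security -> OS management of Embedded Security Device -> ENABLED); if the device is still missing afterwards, see the China Only procedure.'
} elseif (-not ($state.Enabled -and $state.Activated)) {
    Write-Warning 'TPM present but not enabled/activated. Enable it in the BIOS, then accept the F1 prompt on the next boot so the MBAM policy can continue.'
} else {
    Write-Host 'TPM is enabled and activated; MBAM can take ownership and start encryption.'
}
```

Windows 8 and later also offer the Get-Tpm cmdlet, which exposes the same TpmPresent / TpmEnabled / TpmActivated flags; the WMI class is used here because it is available on the Windows 7 clients this document targets.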

China Only

1. Change the extension of the e73248 file to .exe.

https://mysite.jci.com/personal/asia_jyangg/Documents/Shared%20with%20Everyone/TPM%20Tools.zip

2. Prepare a USB flash disk (less than 4 GB).

Unzip the HPUSBFW_boot.rar file.

Follow the steps below to make a bootable USB flash disk:

Insert the USB flash disk into a USB port (a USB 2.0 port is recommended) and double-click to execute the HPUSBFW.EXE file; the window below pops up:

Set File system to “FAT”.

Input a “Volume Label”.

Check “Create a DOS startup disk”, browse to the folder where HPUSBFW_boot.rar is located, and click “OK”.

Click “Start” to format the USB flash disk and make it a bootable disk.

Once done, copy e73248.exe to the root directory of the USB flash disk.

3. Make sure you have not set a BIOS Administrator Password!

Boot the machine and press F10 to enter the BIOS menu. Set USB Hard Drive to the first entry in the boot sequence.

Remember which option is checked in System Configuration – Device Configurations – SATA Device Mode.

Boot the machine from the USB flash disk into DOS mode and execute e73248.exe:

4. Press any key to reboot the machine, press F10 to enter the BIOS setup menu, and set USB Hard Drive to the first entry in the boot sequence.

You may see the screen below during boot-up; just press “Enter”:

5. Enter DOS mode and execute e73248.exe again:

6. Reboot the machine, press F10 to enter BIOS – System Configuration – Device Configurations – SATA Device Mode, and make sure you select the same option as before:

Enter BIOS – Security; you will see TPM Embedded Security shown in grey. Save and exit:

7. Once the above steps are complete and you have logged on to Windows, you should see Security Devices in Device Manager, which means your TPM is now enabled.

Error: “System Partition not available or large enough”

In some cases the encryption cannot start due to the above-mentioned error, which is shown in the reports of the Helpdesk Portal. This error indicates that the necessary System Partition could not be created during the MBAM client install.

In most cases this is due to lack of space on the hard disk. The user should make sure that at least 15% of free disk space is available. Then have the MBAM install run again via Run Advertised Programs.

If the disk has enough space, check the following (this mainly comes up with SSDs):

- Disk Defragmenter service set to manual?
  If it is set to disabled, BitLocker cannot create the necessary 300 MB System Partition. Have the service set to manual.
- Hibernation or Windows Recovery activated?
  Check if the user has hibernation or Windows Recovery activated. If this is the case, have it disabled. After the 300 MB partition is created you can activate it again.
- 3rd-party tools installed that manage disk contents?
  Check for those kinds of tools and make sure they are uninstalled.
- Backup software installed?
  Backup software might reserve areas of the disk and stop BitLocker from creating the System Partition.
- Pagefile
  If the 300 MB System Partition still cannot be created, disable the page file. For that, follow the steps below.

1. Go to Computer Management -> Disk Management.
2. Shrink drive C:\ so that you get a 320 MB unpartitioned area.
   a. If there is no error and the disk gets shrunk, use BdeHdCfg.exe -target c: shrink -size 300 -quiet to get the System Partition created.
   b. If this does not work, proceed with the next step.
3. Go to Control Panel – System – Advanced System Settings – Advanced Tab – Performance Settings – Advanced – Virtual Memory Change – Set to “no paging file”.
4. Reboot to safe mode and check that the page file is gone.
5. Reboot to Win 7 normally.
6. Run the command from step 2.a.
7. This should now create the System Partition.
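The checklist above can be run as one script on the affected PC so the technician sees which item is blocking the partition before re-running the MBAM install or BdeHdCfg.exe. The script below is an added example, not part of this support document; it assumes the OS drive is C:, that the Disk Defragmenter service is registered as defragsvc, that hibernation is reflected by the HibernateEnabled value under HKLM\SYSTEM\CurrentControlSet\Control\Power and by C:\hiberfil.sys, and it uses the 15% and 300 MB figures from this section. Run it from an elevated prompt.

```powershell
# Added example (not part of the JCI support document): check the prerequisites listed for
# the "System Partition not available or large enough" error on one PC. Run elevated.
# Assumptions: OS drive C:, service name defragsvc, HibernateEnabled registry flag.

function Test-SystemPartitionPrereqs {
    param([string]$OsDrive = 'C:')
    $findings = @()

    # 1. At least 15% free space, as required before the MBAM install.
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$OsDrive'"
    $freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
    $findings += New-Object PSObject -Property @{
        Check = 'Free space >= 15%'; Value = "$freePct %"; Ok = ($freePct -ge 15) }

    # 2. Disk Defragmenter service must not be Disabled (the document asks for Manual).
    $defrag = Get-WmiObject Win32_Service -Filter "Name='defragsvc'"
    $mode = if ($defrag) { $defrag.StartMode } else { 'service not found' }
    $findings += New-Object PSObject -Property @{
        Check = 'Defragmenter service not disabled'; Value = $mode; Ok = ($defrag -ne $null -and $mode -ne 'Disabled') }

    # 3. Hibernation off: the registry flag plus the hiberfil.sys it leaves on the OS drive.
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    $hibFlag = $power.HibernateEnabled
    $hiberfil = Test-Path (Join-Path "$OsDrive\" 'hiberfil.sys')
    $findings += New-Object PSObject -Property @{
        Check = 'Hibernation disabled'; Value = "HibernateEnabled=$hibFlag hiberfil.sys=$hiberfil"
        Ok = ($hibFlag -ne 1 -and -not $hiberfil) }

    # 4. Page file: only the last-resort step needs it gone, so this row is informational
    #    unless steps 3-5 of the pagefile procedure have already been carried out.
    $pf = @(Get-WmiObject Win32_PageFileSetting)
    $autoPf = (Get-WmiObject Win32_ComputerSystem).AutomaticManagedPagefile
    $findings += New-Object PSObject -Property @{
        Check = 'Page file removed (last-resort step only)'; Value = "Automatic=$autoPf Configured=$($pf.Count)"
        Ok = (-not $autoPf -and $pf.Count -eq 0) }

    # 5. Is there already a separate system volume of at least 300 MB?
    $sysVols = @(Get-WmiObject Win32_Volume | Where-Object { $_.SystemVolume -and $_.DriveLetter -ne $OsDrive })
    $sizeMB = if ($sysVols.Count -gt 0) { [math]::Round($sysVols[0].Capacity / 1MB) } else { 0 }
    $findings += New-Object PSObject -Property @{
        Check = 'Separate system partition >= 300 MB'; Value = "$sizeMB MB"; Ok = ($sizeMB -ge 300) }

    $findings
}

Test-SystemPartitionPrereqs -OsDrive 'C:' | Format-Table Check, Value, Ok -AutoSize
```

Third-party disk tools and backup software (the two remaining items in the list) are not detected here because their names vary per site; check them in Programs and Features after the rows above come back Ok.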

Hardware changes / BIOS Updates / Configurations

To make sure that the TPM is always set with the correct configuration on a PC, make sure that BitLocker Protection is suspended before doing any changes to hardware and BIOS.

1. Go to Control Panel – BitLocker Drive Encryption
2. Suspend Protection
3. Make the change
4. Boot the PC and go to Control Panel – BitLocker Drive Encryption
5. Resume Protection
6. Reboot
7. The OS will be locked
8. Enter the Recovery Key
9. The TPM will be set up with the correct information

Note – BitLocker has to be resumed manually afterwards. Only this will ensure that the TPM is set to a “known status” and includes the correct system information/configuration.

Not doing the above steps will most likely cause BitLocker to lock the PC on every boot.
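Steps 1-2 and 4-5 of the sequence above can be scripted so that each step is verified before the technician moves on. The script below is an added example, not part of this support document or of MBAM; it uses manage-bde.exe, which ships with Windows 7 and later, and reads the protection state back through the BitLocker WMI provider. It assumes the OS drive is C: and that the hardware or BIOS change and the boot in step 4 happen between the two function calls; run both from an elevated prompt.

```powershell
# Added example (not part of the JCI support document): suspend BitLocker before a hardware
# or BIOS change and resume it afterwards with manage-bde.exe, checking the state each time.
# Assumption: OS drive C:; the change and the reboot happen between the two calls.

function Get-OsDriveProtectionStatus {
    param([string]$Drive = 'C:')
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if (-not $vol) { return 'Unknown' }
    switch ([int]$vol.GetProtectionStatus().ProtectionStatus) {
        0       { 'Off' }
        1       { 'On' }
        default { 'Unknown' }
    }
}

# Steps 1-2: run before the hardware change or BIOS update.
function Suspend-BitLockerForMaintenance {
    param([string]$Drive = 'C:')
    # On Windows 7, -disable leaves protection off until -enable is run; it is not re-armed
    # automatically, which matches "BitLocker has to be resumed manually afterwards".
    & manage-bde.exe -protectors -disable $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde could not suspend protection on $Drive (exit code $LASTEXITCODE)" }
    if ((Get-OsDriveProtectionStatus $Drive) -ne 'Off') { throw "Protection still reports On for $Drive; do not change hardware yet" }
    Write-Host "BitLocker suspended on $Drive. Make the change, boot the PC, then run Resume-BitLockerAfterMaintenance."
}

# Steps 4-5: run after the PC has booted into Windows again.
function Resume-BitLockerAfterMaintenance {
    param([string]$Drive = 'C:')
    & manage-bde.exe -protectors -enable $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde could not resume protection on $Drive (exit code $LASTEXITCODE)" }
    if ((Get-OsDriveProtectionStatus $Drive) -ne 'On') { throw "Protection still reports Off for $Drive; resume it from Control Panel before rebooting" }
    Write-Host "BitLocker resumed on $Drive. Reboot now (step 6) and have the Recovery Key ID ready for the Helpdesk Portal; the procedure expects the OS to lock once and ask for it."
}

# Usage, in order:
#   Suspend-BitLockerForMaintenance -Drive 'C:'
#   (make the hardware/BIOS change, boot the PC)
#   Resume-BitLockerAfterMaintenance -Drive 'C:'
```

On Windows 8 and later the same two steps are available as Suspend-BitLocker -MountPoint C: -RebootCount 0 and Resume-BitLocker; manage-bde is used here because it is the tool present on the Windows 7 clients this document covers.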

Available Reports

http://j201m444/SMSReporting_A01/

MBAM/TPM Report on Site or PC level:

Free Disk Space Report:

MBAM Reports:

Note – You will first need to follow the MBAM Console Access Procedure to get access granted to this report.

https://diskencryption.jci.com/helpdesk/Reports.aspx

Log Files

Identify the presence of the MBAM_Client_2.0.5301.1_32-64b_EN_R01.log file – it should be located here:

32-bit PCs - “C:\Program Files\JCI Support\AppInstallLogs”

64-bit PCs - “C:\Program Files (x86)\JCI Support\AppInstallLogs”