Bitlocker on Win10 client with one disk and two partitions?

  • Question

  • Have a Win10 client image which will be installed on clients with one 500 GByte SSD. The OS is installed on a 100 GByte primary partition (OSDrive, Drive C:). The remaining disk space is allocated to a second NTFS partition, which is assigned to drive D: on the client.

    Have successfully enabled Bitlocker on the OS drive, using TPM and recovery password as protectors.

    What I don't understand is why Windows 10 shows the second partition, Disk D:, as unprotected in Windows Explorer. Also, when an administrator tries to enable Bitlocker on drive D:, Windows shows different error messages depending on the tool used (access denied, 0x8031000A).

    Is my understanding correct that Bitlocker encrypts disks, and not partitions? And that it's a bug of Windows explorer and the Bitlocker tools that drive D: is not shown as Bitlocker Protected in this configuration?

    Thank you in advance for any clarification

    Franz



    • Edited by FranzSchenk Tuesday, September 18, 2018 12:54 PM
    Tuesday, September 18, 2018 12:52 PM

Answers

  • Hi,
    According to the official document:
    The hard disk must be partitioned with at least two drives:
    1. The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
    2. The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that the system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space.

    Bitlocker encrypts partitions, and not disks.

    For details, we can refer to the article:
    BitLocker
    https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 19, 2018 3:30 AM
  • "Is my understanding correct that Bitlocker encrypts disks, and not partitions?" - no, that is incorrect. BL is per partition. Please describe what happens if you perform this on an elevated command prompt:

    manage-bde -on d: -rp -pw -used

    Wednesday, September 19, 2018 7:57 AM
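    Added example, not part of either answer above: a PowerShell report that makes the per-partition point visible. It uses the built-in BitLocker module (Get-BitLockerVolume) in an elevated session; the C:/D: layout is the one from the question, and the function name Get-VolumeProtectionReport is my own.

```powershell
# Added example (not from the thread): inventory BitLocker state per volume.
# Assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume) and an
# elevated session. The C:/D: layout follows the question in the thread.
#Requires -RunAsAdministrator

function Get-VolumeProtectionReport {
    # One record per volume: BitLocker evaluates protection per volume, never per disk.
    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType          # OperatingSystem or Data
            ProtectionStatus  = $vol.ProtectionStatus    # what Explorer's lock icon reflects
            VolumeStatus      = $vol.VolumeStatus        # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
            EncryptionPercent = $vol.EncryptionPercentage
            AutoUnlock        = $vol.AutoUnlockEnabled   # $null on the OS volume, True/False on data volumes
            Protectors        = ($protectorTypes -join ', ')
        }
    }
}

Get-VolumeProtectionReport | Format-Table -AutoSize

# Flag every volume that is not protected. In the thread's setup C: shows
# "Tpm, RecoveryPassword" and is On, while D: has no protectors and is Off,
# which is exactly why Explorer reports D: as unprotected.
$unprotected = Get-VolumeProtectionReport | Where-Object { $_.ProtectionStatus -ne 'On' }
foreach ($v in $unprotected) {
    Write-Warning ("{0} ({1}) has no BitLocker protection; protectors: [{2}]" -f `
        $v.MountPoint, $v.VolumeType, $v.Protectors)
}
```

    The Protectors column is the quickest way to spot a data volume that was never enabled: an empty list means no key protector exists, so there is nothing for Explorer to show as locked.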

All replies

  • Thank you very much for the two very helpful posts!

    I understand now that we have to encrypt the second partition as well. Our goal is to protect the whole disk without having the users enter PINs or passwords. According to my reading, this is difficult because the recovery key of the second partition cannot be protected by TPM. At this stage, we have the following behavior:

    manage-bde -on d: -rp -pw -used does not work; we get 0x8003100A, saying that the Active Directory is not prepared.

    manage-bde -on d: -rp (without the -pw parameter) works, and the D: drive gets encrypted. But the recovery key is not stored in AD. The recovery key of the operating system drive is always successfully stored in AD. After a reboot of the client, the D: drive is not automatically encrypted --> so this is useless for practical usage.

    - Have configured the same GPO settings for the OS drive and the D: partition:

    Have the following questions:

    1. What could be the reason why the recovery password of the D: drive is not stored in Active Directory?

    2. Is it possible to achieve our goal (protecting the whole disk without user PINs and passwords, and automatically unlocking the D: drive after system startup as well)? Have seen that the recovery key can be protected by an Active Directory account with the -AdAccountOrGroup parameter. Is it a recommended solution to protect the key with the "<domain>\domain computers" group, for example?

    Kind regards, Franz

    Thursday, September 20, 2018 1:20 PM
  • Hi Franz.

    1. If your policies worked as you show them, d: (in case it's a fixed data drive) would not have a chance to become encrypted unless the key were backed up to AD first, since the GPO "Do not enable BL until rec. info is stored to AD..." is activated. So something is fishy here and I don't think that this GPO is applied on the client (or else it can't be a fixed drive but maybe is a removable drive -> activate the "do not enable" for all drive types: OS, fixed and removable).

    2. Sure. It's called auto-unlock. After encryption, you go

    manage-bde -autounlock -enable D:

    Thursday, September 20, 2018 4:51 PM
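    Added example, not Ronald's or Franz's commands: the whole procedure from this exchange in PowerShell, i.e. the equivalent of manage-bde -on d: -rp -used, an explicit backup of the D: recovery password to AD DS (so a backup failure surfaces instead of silently leaving the key out of AD, as in the first question above), then manage-bde -autounlock -enable D:, and a final check. It assumes an elevated session on a domain-joined client with the BitLocker module, C: already protected (auto-unlock needs a protected OS drive), and D: as the fixed data drive; the variable names are mine.

```powershell
# Added example (not the thread's own commands): enable BitLocker on the data
# drive, back up its recovery password to AD DS, turn on auto-unlock, verify.
# Assumes: elevated session, domain-joined client, BitLocker module present,
# C: already protected, D: is the fixed data volume from the thread.
#Requires -RunAsAdministrator

$DataDrive = 'D:'
$OsDrive   = $env:SystemDrive

# Auto-unlock stores the data drive's key on the OS volume, so refuse to
# continue if the OS volume itself is not protected.
$os = Get-BitLockerVolume -MountPoint $OsDrive
if ($os.ProtectionStatus -ne 'On') {
    throw "Auto-unlock needs a protected OS drive; $OsDrive is $($os.ProtectionStatus)."
}

$data = Get-BitLockerVolume -MountPoint $DataDrive
if ($data.VolumeType -ne 'Data') {
    throw "$DataDrive is a $($data.VolumeType) volume; this script targets fixed data drives."
}

# 1. Add a recovery password protector and start encryption of used space
#    only (the thread's -used switch). Skipped if encryption already started.
if ($data.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $DataDrive -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null
}

# 2. Back up every RecoveryPassword protector of D: to Active Directory. The
#    "Store BitLocker recovery information in AD DS" policy does this on its
#    own; doing it explicitly reports an error here if the backup fails.
$data = Get-BitLockerVolume -MountPoint $DataDrive
$rpProtectors = @($data.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($rpProtectors.Count -eq 0) { throw "No RecoveryPassword protector found on $DataDrive." }
foreach ($p in $rpProtectors) {
    Backup-BitLockerKeyProtector -MountPoint $DataDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Output "Backed up protector $($p.KeyProtectorId) for $DataDrive to AD DS."
}

# 3. Let the protected OS volume unlock D: at boot without a PIN or password.
#    This adds an ExternalKey protector to D:, which is the additional
#    protector that appears on the data drive after auto-unlock is enabled.
if (-not $data.AutoUnlockEnabled) {
    Enable-BitLockerAutoUnlock -MountPoint $DataDrive | Out-Null
}

# 4. Verify: D: should now carry RecoveryPassword and ExternalKey protectors
#    and report AutoUnlockEnabled = True. The KeyProtectorId of the recovery
#    password is the ID to look for on the computer object in AD
#    (msFVE-RecoveryInformation objects under the computer account).
$data = Get-BitLockerVolume -MountPoint $DataDrive
$data | Select-Object MountPoint, VolumeStatus, ProtectionStatus, AutoUnlockEnabled
$data.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

    Step 2 is the one to watch when a recovery password "is not stored in AD": if Backup-BitLockerKeyProtector throws, the error names the actual cause (schema not extended, no domain controller reachable, insufficient rights on the computer object) rather than leaving a silently missing key.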
  • Hi Ronald

    You are right and I was wrong: Have verified the ID of the password with manage-bde -protectors -get D: and have found that ID with the password on the computer object in Active Directory.

    Have also enabled the autounlock feature, and it works, thank you. Have seen that when enabling the autounlock feature, Bitlocker creates an external BEK key file as an additional protector for the drive (strange, this isn't the case for the OS drive). Do you know where Bitlocker stores this BEK file?

    Friday, September 21, 2018 9:58 AM
  • The .bek file is saved on c:, in an area where only admins have access, but I can't remember where.
    Friday, September 21, 2018 10:28 AM