Support Document
AlertBoot Data Security: Installing Microsoft BitLocker Disk Encryption
The AlertBoot BitLocker MSI can only be used on endpoint machines that already come with Microsoft BitLocker (also known as
BitLocker Drive Encryption). AlertBoot does NOT provide the actual BitLocker feature found in Windows.
The following are supported:
o Windows Vista and Windows 7: Ultimate and Enterprise editions.
o Windows 8 and Windows 8.1: Pro and Enterprise editions.
Devices with TPM Chips must use Chips with version 1.2 and above.
Devices without TPM Chips will require the use of a USB token for start up (external USB flash drive necessary).
Step 2. Download the AlertBoot BitLocker Manager Client installer MSI from the central console onto the machine to be encrypted.
Installs the default Full Disk Encryption client, encrypts all fixed drives, including the operating system drive.
Windows 7 endpoints:
i. ABBitLockerManagerInstaller_CLR20.msi
ii.
The MSI installer validates the customer and registers the machine in the AlertBoot cloud.
Step 6. Installer checks disk integrity and continues with the installation.
Click Close and restart the machine when prompted at the end.
Note: Two AlertBoot Services are installed as shown below; these services will start up when the machine is restarted.
Insert an external USB storage device to create a bootup token to be used with BitLocker.
o The USB device must have at least 1.0 MB of free space.
o To ensure optimal operability, ensure that there are no files in the root directory.
A "recovery key" for each of the encryptable fixed drives will be saved as *.BEK files at the root level of
the first removable drive detected by the AlertBoot client. This becomes the token.
The recovery key file is saved with Read-only and Hidden file attributes.
o The token can also be used as a storage device; however, it is recommended that a subfolder is created for storing
any files.
This is to prevent read/write issues from or to the USB drive when it is formatted using the FAT file system.
The FAT file system has limits when handling the number of files in the root folder.
Notes:
The endpoint user needs to insert the token into the encrypted machine during every bootup. Windows will prompt the
user to insert this removable drive and press the <Esc> key to restart the machine. On detecting the token, the encrypted
drive will automatically unlock and allow the user to log in to Windows.
The token's recovery key file also gets uploaded to the AlertBoot cloud server. It can be downloaded if it is lost at the
endpoint user level.
The AlertBoot client will inform the user about the drive used for saving the recovery key, in the form of balloon tips, at
the System Tray icon level.
If a compatible TPM Chip is found (chips version 1.2 and above), the machine will start the installation process.
o The end user can change the default PIN once encryption is finished. The PIN must be a number between 4 and 20
digits long (numbers only; no letters or special characters). For more details see section "How End Users Can Change
the BitLocker PIN".
Notes:
It is critical that internet connectivity is always ON during the initial encryption to ensure the recovery key(s) are
successfully escrowed in the AlertBoot cloud server.
o If the encrypted machine is restarted before a PIN is applied, the only way to unlock the machine is to download
the recovery key (*.BEK) file from the central console onto an external removable media (USB token; see section
for "Downloading a recovery key") and connect it to the machine while booting.
Once a PIN is successfully applied onto the operating system drive, the end user will be able to enter this PIN upon boot-up
to unlock the machine.
If the PIN is lost or forgotten, refer to section "Downloading a recovery key".
All encrypted data drives, if any, will be configured to auto-unlock on successful unlock of the operating system drive.
Step 9. Check for the AlertBoot BitLocker Manager Client as a System Tray icon.
The AlertBoot BitLocker Manager Client application starts automatically once the machine is restarted and the user logs
in. The AlertBoot client is minimized as a System Tray icon, as shown below:
The User Registration dialog will pop up at least once when a drive starts encrypting.
Until this user registration is complete, the machine is listed under the Unregistered Machines list in the AlertBoot cloud-based central console.
Once user registration is complete, the User Registration dialog will not come up again, and the machine will be moved to
the Machines/Devices list in the central console.
Step 11. Uninstallation is not possible as long as the encryption policy is set.
Any attempt to Uninstall, Change or Repair the current installation, either using the original installer MSI or the Uninstall
or change a program wizard, will fail with the below error message.
For instructions on uninstalling BitLocker, refer to the section "Uninstalling BitLocker from Windows Endpoints".
Valid Device IDs and Last Sync. date & time stamps confirm that (1) the machine is correctly registered with the
AlertBoot policy server and (2) the account level encryption policy was received on the local endpoint.
As soon as the encryption policy is received, the AlertBoot BitLocker Manager Client will start encrypting all encryptable
fixed drives on the endpoint. Any removable drives (such as USB drives) connected to the machine will NOT be encrypted.
Only fixed encryptable drives are encrypted.
Step 4. Clicking the Close button will minimize the application to the System Tray as an Icon.
The AlertBoot client can be removed from the System Tray by right-clicking on the icon and selecting the Exit option. In
this scenario, this application will not run until the current user session is changed or the machine is restarted.
The AlertBoot client will start running in minimized mode (as a System Tray icon) on every machine start.
The time it takes to complete encryption depends on various factors, including: the number and size of the encryptable drives,
amount of free space available, processor speed, and currently running applications. A 40 GB HDD drive will typically
complete encryption within a couple of hours.
If there is more than one encryptable drive, the Drives: data will list all of them separated by a comma (e.g., C:, E:, F:). The
encrypted/decrypted percent reflects the average of all encryptable drives.
In the below screenshot, the demo machine had only one drive enabled for BitLocker encryption, and thus the Drives: data
lists only C:.
Please refer to Step 3. Reading the encryption status screen for "Checking Encryption Progress" on page 14 on the use of
the AlertBoot client found in the System Tray.
Users can verify the drive encryption status by looking at the drives list in Windows Explorer or BitLocker Manager Wizard.
A lock icon indicates the drive is BitLocker protected.
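The token requirements given in the USB token section (a *.BEK in the root of the removable drive, saved with Read-only and Hidden attributes, with user files kept in a subfolder) and the encryption status checks above can be scripted. The following is an added example, not part of the AlertBoot product or this document. It assumes Windows 8/8.1 Pro or Enterprise with the built-in BitLocker PowerShell module, an elevated session, and that $TokenRoot (an assumed drive letter) is the USB token.

```powershell
# Added verification script; not AlertBoot code. Assumes the Windows 8/8.1 BitLocker
# module and an elevated session. $TokenRoot is an assumed drive letter for the token.
param([string]$TokenRoot = 'E:\')

# 1. Protection state of every fixed volume (OS and data), as the tray client reports it.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
foreach ($v in $volumes) {
    $types = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    '{0} {1,-15} protection={2,-3} {3,5:N1}% protectors: {4}' -f `
        $v.MountPoint, $v.VolumeType, $v.ProtectionStatus, $v.EncryptionPercentage, $types
    if ($v.ProtectionStatus -ne 'On') {
        Write-Warning "$($v.MountPoint) is not protected yet; do not treat its data as encrypted at rest."
    }
}

# An OS drive with neither a TPM-based protector (TPM+PIN) nor an ExternalKey (startup key)
# protector can only be unlocked with the downloaded recovery key on a USB drive at each boot.
$os      = $volumes | Where-Object VolumeType -eq 'OperatingSystem'
$osTypes = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
if (-not ($osTypes | Where-Object { $_ -like 'Tpm*' -or $_ -eq 'ExternalKey' })) {
    Write-Warning 'OS drive has no TPM/PIN or startup-key protector: only the recovery key unlocks it.'
}

# 2. The USB token. The *.BEK must sit in the root (a copy in a subfolder is ignored at boot),
# keep its original name, and carry the Hidden and ReadOnly attributes the client sets.
$bek = @(Get-ChildItem -Path $TokenRoot -Filter '*.BEK' -File -Force -ErrorAction SilentlyContinue)
if ($bek.Count -eq 0) {
    Write-Warning "No *.BEK found in the root of $TokenRoot."
}
# BitLocker names a key file after the ExternalKey protector ID it belongs to, so the
# file name can be matched against this machine's protectors to confirm it is the right token.
$externalIds = $volumes.KeyProtector |
    Where-Object KeyProtectorType -eq 'ExternalKey' |
    ForEach-Object { $_.KeyProtectorId.Trim('{}') }
foreach ($f in $bek) {
    $hidden   = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
    $readOnly = [bool]($f.Attributes -band [IO.FileAttributes]::ReadOnly)
    $isMine   = $externalIds -contains $f.BaseName
    '{0} {1} bytes hidden={2} readonly={3} matchesThisMachine={4}' -f `
        $f.Name, $f.Length, $hidden, $readOnly, $isMine
}

# FAT root directories hold a limited number of entries, so report how crowded the root is.
$rootEntries = @(Get-ChildItem -Path $TokenRoot -Force -ErrorAction SilentlyContinue).Count
"Root entries on token: $rootEntries (keep other files in a subfolder, as the document advises)"
```

On Windows 7, which has no BitLocker PowerShell module, the same information comes from manage-bde -status and manage-bde -protectors -get C: in an elevated command prompt.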
If a machine is fully encrypted, it can be verified from the AlertBoot management console. Navigate to the machine in
question and click on the machine name to show its details.
Note: The machine's recovery key is also listed on the same page (see section "Downloading a Recovery Key").
Go to "Users/Machines" tab > "Disk Encryption Policies" > "Encryption Policies" to access the BitLocker Encryption policy
section.
If "yes" is selected but a TPM Chip is not present, the endpoint user will be forced to use a USB token for boot up.
If none of the drives are selected, all data drives will be encrypted.
If one or more drives are selected, only the selected data drives will be encrypted.
If a selected drive corresponds to an operating system drive or an external media drive, it will not be encrypted.
Notes:
Once deployed, the MSI behavior cannot be changed. If the behavior needs to be changed, then the encrypted machine must
be fully decrypted, all client components removed/cleaned, and the correct MSI must be used to start the encryption process.
The default PIN can be found by hovering the pointer over the icon adjacent to the Default PIN Used For Initial
Encryption.
Within the Windows environment, right-click the AlertBoot BitLocker Manager Client tray icon to bring up the below
menu and select Change PIN:
The following dialog will appear. Validate with the current Windows password.
Once the Windows credentials are validated, enter a new PIN and confirm it. The PIN must be a number between 4 and 20
digits. You will get the following pop-up window if the PIN is valid.
If the PIN is not valid, the following window will show up:
Once the new PIN is validated, the AlertBoot client will apply the change on the encrypted operating system drive and show
a confirmation, as seen below:
If the operating system drive is not yet encrypted, the PIN cannot be changed:
If you see the below notice, the admin user has stopped the AlertBoot Encryption Manager Service manually. In this case,
the service/machine needs to be restarted.
The recovery key for an encrypted drive is saved in the cloud for disk recovery.
A console administrator can download the recovery key file to the root level of a removable drive and deliver it to the end
user, effectively turning it into a bootup token. The end user must boot the machine, connect the token with the recovery key
file when prompted, and press the <Esc> key to restart and unlock the encrypted drive.
The recovery file is a plain ANSI text file and must be saved with its original name as shown in the example download
dialog below. Any changes to the name or file extension will render the key useless.
The recovery key file (*.BEK) is around 1 KB in size and must be copied to the root level of the removable drive.
Important Notes:
o Any changes to the name or file extension while downloading/saving to the root level of the removable drive will
render the key useless; the Windows BitLocker boot engine cannot process the recovery key from this file.
o The recovery file must be copied to the root of the removable drive. It will not be processed if saved in a
subfolder on the removable drive.
Each of the commands needs to be confirmed before it takes effect on the selected machine (see screenshots for each
option on the next page).
The AlertBoot client will do the following on receiving the policy:
o Soft Reset: silently restarts the machine immediately.
o Lock Device: silently logs off the currently logged-on user.
o Kill Device: silently changes the encryption key, thus rendering the machine unbootable and the recovery key
unusable.
The device will be moved to the pending deletion list as soon as this command is issued in the console.
The device will be moved to the deleted list as soon as the AlertBoot client confirms that the Kill command has been
executed on the corresponding machine.
The encrypted disk becomes unusable and needs to be reformatted before it can be used again.
Please note that the Kill Device command is irreversible: it cannot be revoked, and the data on the
encrypted machine is permanently lost.
Once this command is issued, the device will be moved to the pending deletions list in the AlertBoot console,
and the associated license restored to the account level license pool.
Option 1: Delete the target machine by clicking the Del link on the page where multiple machines are listed.
Option 2: Delete the target by clicking the Delete Machine button on the machine's details page (screenshot below).
Once the console administrator deletes this machine, the uninstall policy will be delivered to the endpoint on the next
synchronization with the AlertBoot cloud.
On receiving the uninstall policy, the AlertBoot client will start decrypting all the encrypted drives.
The AlertBoot client can be uninstalled from the endpoint only after all drives are fully decrypted.