Time
1 hour 16 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

Configuring BitLocker

This lesson covers configuring BitLocker. BitLocker is a tool that helps to protect data in a group policy environment. Using the edit function in the Default Domain Policy, participants in this lab-based lesson learn, step by step, how to configure BitLocker Drive Encryption. It is important to protect the data in case it needs to be recovered from the drive, so this option must be enabled. In the final step, the drive is encrypted so the data is protected and backed up.

Video Transcription

00:04
Securing our environment from
00:07
any number of potential situations is part of the responsibility of all system admins. One of the features that is
00:13
largely focused on nowadays is drive encryption because, really, the thing that we worry about the most is data. Your piece of hardware is just a piece of hardware. It's the data that has value. So let's talk about drive encryption and how we can
00:29
use the built-in capabilities within Server to manage our environment to be more secure.
00:35
First, we're gonna work with BitLocker. BitLocker first; we'll start with our group policy environment. So let's go ahead and open up our Group Policy Management Console here on one of our domain controllers.
00:46
Open up Group Policy Management,
00:49
and then we're going to want to, in Group Policy Management,
00:53
work with
00:54
whatever specific
00:56
environment we have, but we're gonna work with, in our case, our Default Domain Policy. That's what we're going to work with, is that Default Domain Policy.
01:03
We're gonna actually right-click on our Default Domain Policy and do Edit.
01:07
So
01:08
once we actually get in there,
01:10
we're gonna edit it and make some changes to it.
01:12
Well, to start with
01:15
in our
01:15
Group Policy Management Editor, we're going to start with the Computer Configuration because, if you think about it, an encrypted hard drive is a computer
01:22
piece of the puzzle.
01:23
So the computer configuration
01:25
we're going to be under the Policies section
01:30
and under the policy section,
01:32
we're gonna work out to our Administrative Templates.
01:34
So go ahead and expand out Administrative Templates,
01:38
and within our Administrative Templates, we want to go to Windows Components.
01:42
So go ahead and expand out Windows Components.
01:45
And we get a long list of options under Windows Components,
01:49
one of which is
01:49
BitLocker Drive Encryption. So let's go ahead and click on
01:55
BitLocker Drive Encryption here.
01:57
And there's our BitLocker Drive Encryption. Notice we actually have Fixed Data Drives, Operating System Drives, and Removable Data Drives as
02:04
subcategories underneath our BitLocker drive environment. So,
02:09
in terms of what we want to do, we're going to expand it and we're gonna
02:14
choose our Fixed Data Drives. So we want Fixed Data Drives versus Removable Data Drives,
02:19
and
02:20
remember, the Operating System Drives are a little bit different. We have to be very careful how we work with those.
02:24
So, our Fixed Data Drives. We're going to choose how BitLocker-protected fixed data drives
02:30
can be recovered. It's over here.
02:32
Configure,
02:34
um,
02:35
our environment to
02:37
choose how BitLocker-protected fixed drives can be recovered, because obviously
02:43
protecting them is, well, the recovering of them could be more important,
02:46
so we want to protect them. But if there's an issue later on
02:50
and we need to recover data from the drive for any number of reasons, including legal reasons, we might want to be able to recover it. So next we want to actually enable the
02:59
GPO setting.
03:00
So we're gonna enable the GPO setting,
03:02
and down here, when we enable that, we notice we have options to work with.
03:07
The first option is to allow a data recovery agent.
03:12
So
03:12
in terms of what we want,
03:14
do we actually want to ensure that we could do that? How about,
03:17
uh, how about the save?
03:22
Look here: Save BitLocker recovery information to AD DS for fixed data drives.
03:25
Do we want that?
03:27
Well, it certainly makes it a lot easier if it's in AD. So we want to actually
03:30
make sure that that is selected,
03:32
and Do not enable BitLocker until recovery information is stored in AD DS. So
03:38
if we want to make sure that we're gonna choose that,
03:40
that would also say don't actually allow anything to be encrypted there, or basically allow it to happen, until
03:50
AD DS has the information.
03:52
So Allow data recovery agent is there, too. We can omit recovery options from the BitLocker setup wizard,
03:58
if you want. We have Save BitLocker recovery information to AD DS, and then we also want to, do we want to
04:05
not enable BitLocker recovery information,
04:09
not enable BitLocker until recovery information is stored in AD DS.
04:13
Then we could go and click on OK there because we actually have completed the process of what we need to do. So click on the OK button
04:20
and that sets the setting. Remember, how it works is once the setting is set, we don't have to save it.
04:27
And now we're going to want to work with our environment on a device that is going to be impacted by the group policy change we just made. So go ahead, switch over to one of our servers
04:38
let's switch to Server 1.
04:41
And here we're going to want
04:42
to update
04:44
our group policy.
04:46
So we're gonna open up our PowerShell environment.
04:49
Yes, you can use the command prompt, but PowerShell's the preferred environment now. So you want to go ahead and get used to working with it,
04:56
and we're going to want to force an update of the group policy. So we do gpupdate
05:00
space /force.
05:03
So, it'll update our group policy. It'll update it, and then it will give us the results of that update.
05:09
And after it's done updating, to make sure that everything is
05:12
properly encoded for our environment in terms of the BitLocker process and the steps to go with it,
05:18
we're actually gonna want to restart that server. So
05:23
what we do is we're gonna close out of this and we will go ahead and restart the server, and we will pick back up on our Server Manager once the server is restarted.
05:31
Now that we're rebooted, back up and running, we need to configure the local environment. Remember, we created a group policy for our domain
05:40
for making sure that BitLocker was recoverable. Now, if you want to create BitLocker drive encryption
05:45
on a local machine, so on our server here, we actually go to our
05:50
Manage, right,
05:51
and Add Roles and Features
05:55
to bring up our Add Roles and Features Wizard.
05:58
Click Next on the initial splash screen and Next on the role-based or feature-based installation,
06:02
and Next on the local server.
06:05
Next is our roles screen, so the next thing we have to determine is: is this a role or a feature? So if we take a quick look here, there's nothing on the roles page about BitLocker, so we've got to move on to the features page
06:20
here. Next,
06:21
and now we have BitLocker Drive Encryption. We also have BitLocker Network Unlock, if we're gonna be using it.
06:28
So, BitLocker Drive Encryption. We're gonna go ahead and select BitLocker Drive Encryption.
06:32
It's gonna give me a list of features that are going to be required. So click on Add Features for that.
06:38
OK. Then once we have that, we're gonna click on Next.
06:41
We're going to do the Network Unlock here,
06:44
but we're going to go ahead at this time, since it's BitLocker, we know we need to do it. We're gonna
06:50
check the box that says Restart
06:54
server automatically if required. It says if a restart is required, the server restarts automatically without additional notifications. And yes, we want to allow automatic restarts,
07:02
and then we want to click on the install option here.
07:06
So go ahead and click on Install,
07:09
and then we will go ahead and wait for the process to finish. And when the process finishes,
07:14
the system will automatically reboot for us, which saves just a little bit of time and effort in terms of
07:18
we don't have to remember to do it.
07:20
And we don't actually manually have to do it.
07:23
When the time comes, the process will
07:26
execute
07:27
and run through this process and we will then
07:30
bring it back up and running. So we will actually allow the feature installation to complete here.
07:34
It says installation started, and it runs through. We can obviously close the wizard; we know that's without interrupting any running tasks. We can also view the task progress or open the page by clicking Notifications in the command bar. We have those options, and once it's done, you'll notice it reboots. And when it does reboot, we're going to go ahead and pause our
07:55
recording temporarily and let it finish rebooting, then we'll pick our recording back up.
07:59
There is no point in watching a computer reboot. That's pretty much time and energy.
08:05
As a matter of fact, we're going to go ahead
08:07
because now it's actually finished and it's restarting there. The next time we look at the screen, we'll be back up and running with our Server Manager dashboard
08:15
and moving on to the next step of the equation.
08:20
Now that the server is fully rebooted, back up and running, you notice we have our
08:24
installation progress, which tells us it completed, and we have all the information associated with it. So we're going to go ahead and click on Close here,
08:33
so close out of that.
08:35
And now we're actually going to deal with the BitLocker piece of the equation.
08:37
So we're going to go to our Control Panel and find our BitLocker option. So open up our Control Panel
08:43
and,
08:45
to find it the easy way, just type in BitLocker up there in the search box.
08:48
That's how you spell it, right? BitLocker.
08:52
And we should
08:52
have the option to click on BitLocker Drive Encryption or Manage BitLocker. So you want to actually
08:58
go ahead in there and open the BitLocker Drive Encryption window.
09:01
We're going to click on BitLocker Drive Encryption.
09:05
And it says BitLocker Drive Encryption: help protect your files and folders, and it says C: BitLocker off, E: BitLocker off, and F: BitLocker off. Those are off. We actually want our F drive encrypted, and that's where we're going to
09:18
work in this particular case. So we're on the F drive. We want to actually click on the expansion of it and
09:24
choose Turn on BitLocker. So we're gonna expand the drive out, click Turn on BitLocker.
09:30
Bear in mind that this is all gonna be AD-associated once we add it. So when we do it, we need a password to unlock the drive, so
09:39
Use a password to unlock the drive, or Use my smart card to unlock the drive. We have a smart card, but we're gonna use a password for our environment.
09:46
And so we're going to put in
09:46
the information of the password.
09:50
So bear in mind, it's just a password. It's not a user. So put in a
09:54
strong password.
09:56
You want to have that
09:58
associated with a strong password because it's encrypted data,
10:01
and we click on Next. Make sure that they match, of course.
10:07
If they don't match, you will be warned. This is: How do you want to back up your recovery key? So that depends in terms of how we back up your recovery key. Well, what we typically do is go to Save to a file, because saving to a USB flash drive, we could print the recovery key, that's something that we could do, but we're gonna save it to a file. So let's go ahead and save that to a file,
10:26
and it says BitLocker Recovery Key and it gives us some information, that text, and we have to choose where we're gonna put it. So we're gonna put it into our
10:35
E drive. Don't put it in your encrypted drive. Whatever you do, don't encrypt the recovery key on the drive where you need to get the recovery key to unencrypt it.
10:43
Let's move on to our lab files and we'll go to my 10
10:48
and we're going to just leave the name as is. We could change the name if we wanted to, but we'll leave it as is and click on Save. So that saves our key. Do you want to save the recovery key on this PC?
10:58
It says it's a good idea to have more than one recovery key and keep each in a safe place other than your PC. That makes sense.
11:05
So
11:05
because obviously, if they get lost or stolen, you want to make sure you have a recovery key elsewhere.
11:11
so
11:11
and we could save to a file once again and put a recovery key in a second place. We're gonna click on Next and it says, Are you ready to encrypt this drive?
11:18
Obviously, when we come to this next step, we want to
11:22
click on Start encrypting.
11:24
It could
11:26
and watch as it
11:26
progresses. Encryption in progress,
11:30
and it will give us the information about it. It says Encrypting, Back up your recovery key, Change password. Let's look at the other features here.
11:35
You have Back up your recovery key.
11:37
We could change the password, I can remove the password, I can add a smart card, turn on auto-unlock, and turn off BitLocker. So these are all pieces of the puzzle
11:46
when
11:46
I'm
11:48
actually running BitLocker. So I could actually
11:50
go here to our environment once it's completely encrypted
11:54
and
11:56
use our PowerShell.
11:58
So bring up our PowerShell.
12:01
We can actually go to our PowerShell
12:03
and
12:03
run certain commands that will actually let us... So we have BitLocker Drive Encryption, or BDE, and if we actually want to look at the status of that from PowerShell, we can. So in this case we'll type in
12:15
manage, right?
12:16
And what we're gonna manage, it's actually manage dash bde.
12:20
So manage-bde,
12:24
and we're gonna tell it to give us a status, right? So, dash
12:26
status,
12:30
if we spell it right.
12:33
There we go, spell it correctly.
12:35
It
12:35
gives us the results of that command, and it tells us that
12:39
these drives could be protected by BitLocker. It says Volume E, AllFiles, data volume. Size is 127 gigs. Its
12:46
conversion status is fully decrypted.
12:50
Protection is off. It's unlocked. It's disabled. So that's our AllFiles. F is encrypted; it says
12:56
used space only,
12:58
used space only encrypted. So it's only encrypting used space. So it's the six-gig drive and it's AES 128. Protection is on.
13:05
Its lock status is unlocked. Its identification field is unknown. Automatic unlock is disabled, and key protectors are Password and Numerical Password. And the other ones are fully decrypted
13:18
in our volumes, and that tells us the status of our drives within our environment.
13:24
We close that,
13:26
close out of our window, we're back to our Server Manager, and that is the process involved in implementing BitLocker
13:33
in our environment.


Instructed By

Michael Boberg
CEO of Broadline Enterprises, LLC
Instructor