This article is available online at:
http://www.cybernetman.com/kb/index.cfm/fuseaction/home.viewArticles/articleId/207
How to Enable BitLocker for Windows 7 Ultimate
Windows BitLocker Drive Encryption is a security feature that provides better data protection by encrypting all data stored on the Windows operating system volume. For the purposes of this article, a volume consists of one or more partitions on one or more hard disks. BitLocker works with simple volumes, where one volume is one partition. A volume usually has a drive letter assigned, such as C:.
A Trusted Platform Module (TPM) is a microchip built into a computer, usually on the motherboard of a desktop or portable system, that communicates with the rest of the system over a hardware bus. It provides basic security-related functions, primarily involving cryptographic keys, and can be used to store cryptographic information such as encryption keys; information held in the TPM is better protected against external software attacks and physical theft. A computer with a TPM can create cryptographic keys and encrypt them so that they can be decrypted only by that TPM. This process, often called "wrapping" or "binding" a key, helps protect the key from disclosure. Each TPM has a master wrapping key, called the Storage Root Key (SRK), which is stored within the TPM itself, and the private portion of a key created in a TPM is never exposed to any other component, software, process, or person. A TPM can also create a key that is not only wrapped but also tied to specific hardware or software conditions; this is called "sealing" a key. When a sealed key is first created, the TPM records a snapshot of configuration values and file hashes, and the key is "unsealed" (released) only when the current system values match the ones in that snapshot. BitLocker uses sealed keys to detect attacks against the integrity of the Windows operating system. With a TPM, the private portions of key pairs are kept separate from memory controlled by the operating system, and because the TPM processes instructions with its own internal firmware and logic circuits, it does not rely on the operating system and is not exposed to external software vulnerabilities.
BitLocker uses the TPM to help protect the Windows operating system and user data, and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen. BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive. This flash drive must be presented (plugged in) to unlock the data stored on the volume.
The data is protected by encrypting the entire Windows operating system volume. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. Encrypting the entire volume protects all of the data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the keys needed to decrypt data remain locked by the TPM, an attacker cannot read the data just by removing the hard disk and installing it in another computer. During the startup process, the TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier. This verifies the integrity of the Windows startup process. The key is not released if the TPM detects that the Windows installation has been tampered with. By default, the BitLocker setup wizard is configured to work seamlessly with the TPM. An administrator can use Group Policy or a script to enable additional features and options. For enhanced security, combine the use of a TPM with either a PIN entered by the user or a startup key stored on a USB flash drive. On computers without a compatible TPM, BitLocker can provide encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive.
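Before turning BitLocker on, it helps to see whether Windows actually has a usable TPM and which key protectors (TPM only, TPM plus PIN, TPM plus startup key, recovery password) already guard the operating system volume. The following Windows PowerShell script is an added example, not code from the Cybernet article; it uses the `Win32_Tpm` and `Win32_EncryptableVolume` WMI classes that ship with Windows, assumes an elevated prompt, and assumes the OS volume is `C:` (the `$OsDrive` variable is a placeholder to change).

```powershell
# Added example (not from the Cybernet article): report TPM state and BitLocker
# key protectors on the OS volume before attempting to enable BitLocker.
# Assumes Windows PowerShell run as administrator; $OsDrive is an assumption.
$OsDrive = 'C:'

# TPM state: it must be enabled and activated in firmware, and owned by Windows,
# before BitLocker can seal the volume key to it.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($null -eq $tpm) {
    Write-Host 'No TPM visible to Windows: BitLocker can still encrypt, but only with a USB startup key.'
} else {
    [pscustomobject]@{
        Enabled     = $tpm.IsEnabled().IsEnabled
        Activated   = $tpm.IsActivated().IsActivated
        Owned       = $tpm.IsOwned().IsOwned
        SpecVersion = $tpm.SpecVersion
    } | Format-List
}

# BitLocker state of the OS volume and the protectors guarding its key.
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsDrive'"
if ($null -eq $vol) { throw "Volume $OsDrive not found, or this Windows edition has no BitLocker." }

# GetProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
$status = $vol.GetProtectionStatus().ProtectionStatus
Write-Host ("{0} protection status: {1}" -f $OsDrive, @('Off', 'On', 'Unknown')[[int]$status])

# Protector type codes as documented for Win32_EncryptableVolume.GetKeyProtectorType
$typeNames = @{
    1 = 'TPM'; 2 = 'External key (USB startup key)'; 3 = 'Numerical password (recovery)'
    4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
    7 = 'Public key'; 8 = 'Passphrase'
}
$ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = enumerate all protector types
$types = @()
foreach ($id in $ids) {
    $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    $types += $t
    Write-Host ("  protector {0}: {1}" -f $id, $typeNames[$t])
}

# A TPM-only protector gives integrity checking but no second factor; the article
# recommends pairing the TPM with a PIN or a startup key.
if ($types -contains 1 -and -not ($types -contains 4 -or $types -contains 5 -or $types -contains 6)) {
    Write-Host 'Volume key is sealed to the TPM only; consider adding a PIN or startup key.'
}
```

On a machine that has not been through the wizard yet, the volume will report protection status `Off` with no protectors listed, and the TPM section will show whether the firmware and ownership steps described in the rest of this article still have to be done.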
The remainder of this article walks through initializing the TPM successfully in a Windows 7 environment so that BitLocker can be turned on. Errors at this step are most likely due to incorrect permissions for the SELF account in Active Directory on the msTPM-OwnerInformation attribute.
When trying to turn on BitLocker on a Windows 7 hard drive, an "Access Denied" error message may be encountered while initializing the TPM.
Additionally, when opening the TPM Management Console and attempting to initialize the TPM, error message 0x80070005 will appear.
Solution:
Follow the instructions below to set the correct permissions:
1. Open Active Directory Users and Computers.
2. Select the OU containing all computers that will have BitLocker turned on.
3. Right-click the OU and click Delegate Control.
4. Click Next, then Add.
5. Type SELF as the object name.
6. Select "Create a custom task to delegate".
7. In the list of objects in the folder, select Computer objects.
8. Select all three checkboxes under "Show these permissions".
9. Scroll through the permissions and select "Write msTPM-OwnerInformation".
10. Click Finish.
After completing these steps, the TPM can be initialized successfully.
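The wizard steps above create a single access control entry on the OU: an Allow ACE giving NT AUTHORITY\SELF the WriteProperty right on the msTPM-OwnerInformation attribute, inherited by Computer objects, so each machine can write its own TPM owner information when the TPM is initialized. The script below is an added example, not Cybernet's code, that verifies whether that ACE is present and adds it if it is missing, which is useful for checking the fix or applying it to several OUs. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that it runs as a domain administrator, and that `$OuDn` is a placeholder for your own OU's distinguished name.

```powershell
# Added example (not from the Cybernet article): verify and, if needed, grant
# SELF "Write msTPM-OwnerInformation" on Computer objects under an OU.
# Assumptions: ActiveDirectory module installed, run as a domain administrator,
# $OuDn replaced with the real OU distinguished name.
Import-Module ActiveDirectory

$OuDn = 'OU=BitLockerWorkstations,DC=example,DC=com'   # placeholder

# Look up the schema GUIDs so the ACE covers exactly this attribute on exactly
# Computer objects, which is what the Delegation of Control wizard produces.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msTPM-OwnerInformation)' -Properties schemaIDGUID
$classObj = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
if (-not $attrObj) { throw 'msTPM-OwnerInformation attribute not found in the schema.' }
$attrGuid  = [guid]$attrObj.schemaIDGUID
$classGuid = [guid]$classObj.schemaIDGUID

# NT AUTHORITY\SELF (S-1-5-10): the computer account writing its own attribute.
$self = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::SelfSid, $null)

$acl = Get-Acl -Path "AD:\$OuDn"

# Is there already an Allow ACE granting SELF WriteProperty on this attribute
# for descendant Computer objects?
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $self -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
    $_.ObjectType -eq $attrGuid -and
    $_.InheritedObjectType -eq $classGuid
}

if ($existing) {
    Write-Host "SELF already has Write msTPM-OwnerInformation on Computer objects under $OuDn"
} else {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    Write-Host "Granted SELF Write msTPM-OwnerInformation on Computer objects under $OuDn"
}
```

Scoping the ACE to the single attribute and to Computer objects (rather than granting SELF broader write rights on the OU) keeps the delegation at least privilege: a computer account gains the ability to record its own TPM owner information and nothing else. After the change replicates, retry TPM initialization on the workstation.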
Copyright 2001 - 2012 Cybernet Manufacturing, Inc. All Rights Reserved.