BitLocker on Windows 7 Ultimate (x86), Set Up Notes, Boot Issues, BCD
2011-12-27 Updated
2010-07-14 Initial Post
Also see my other post, http://sysadmin-e.com/bcd1.
I finally got around to messing with BitLocker again and learned a few more things about it. I have a Gateway S-7410M laptop which I thought did not have a TPM (Trusted Platform Module) chip. I have the latest BIOS update, but in the BIOS setup, the option to turn on TPM was grayed out and there was nothing in the documentation that mentioned how to enable it, and there was no TPM management software for download.
It turns out that I needed to set up a BIOS supervisor password before I could enable TPM. This wasn’t clearly documented: the BIOS setup screen for the TPM setting doesn’t mention the requirement, but the screen for setting a BIOS supervisor password does. It would make more sense for the requirement to be noted in the TPM settings.
If the supervisor password is enabled, Win7’s TPM Management console can interface with the BIOS to turn on and activate the TPM (this isn’t specific to Windows as there’s a standard interface for OSes to interact with the TPM).
You can open up the TPM Management console by running tpm.msc. This will allow you to turn on and initialize the TPM. The computer will need to be restarted or shut down, and after reboot, there will be a BIOS message asking to confirm if you want to enable the TPM.
I have another laptop, a Dell Latitude D630, on which I fully set up BitLocker. That laptop also has a TPM chip, but its BIOS had options that let me turn it on and activate it without setting any kind of BIOS password.
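As an added example (not code from the original post), the same turned-on/activated/owned state that tpm.msc displays can be read from a script on Windows 7, where there is no Get-Tpm cmdlet, through the Win32_Tpm WMI class. The interpretation of a missing Win32_Tpm instance as "TPM absent or still off in the BIOS" is an assumption based on the behaviour I have seen; the function name Get-TpmState is mine. Run it from an elevated PowerShell prompt.

```powershell
# Added example: query TPM state through WMI on Windows 7 / PowerShell 2.0.
# Get-TpmState is a hypothetical helper name, not a built-in cmdlet.
function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        # Assumption: no Win32_Tpm instance means there is no TPM, or it is still
        # turned off in the BIOS (the Gateway's state until a supervisor password
        # was set and the TPM enabled).
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false; SpecVersion = $null
        }
    }
    New-Object PSObject -Property @{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled       # turned on in the BIOS
        Activated   = [bool]$tpm.IsActivated().IsActivated   # activated, i.e. usable by the OS
        Owned       = [bool]$tpm.IsOwned().IsOwned           # ownership taken (initialized via tpm.msc)
        SpecVersion = $tpm.SpecVersion                       # e.g. "1.2, 2, 3" on these laptops
    }
}

$state = Get-TpmState
$state | Format-List Present, Enabled, Activated, Owned, SpecVersion

# Map the state to the next step before trying to turn on BitLocker.
if (-not $state.Present) {
    'No TPM visible to Windows. Check the BIOS; on some machines the TPM option stays grayed out until a supervisor password is set.'
} elseif (-not ($state.Enabled -and $state.Activated)) {
    'TPM is present but not enabled/activated. Turn it on via tpm.msc or the BIOS, then reboot and confirm the BIOS prompt.'
} elseif (-not $state.Owned) {
    'TPM is enabled but not initialized. Run tpm.msc and choose Initialize TPM before enabling BitLocker.'
} else {
    'TPM is enabled, activated and owned; BitLocker can use it as a key protector.'
}
```

The IsEnabled(), IsActivated() and IsOwned() methods each return an object whose property of the same name carries the boolean, which is why the script reads `$tpm.IsEnabled().IsEnabled` rather than a plain property.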
Here are some other things that I learned this time around:
• If Win7 is installed on a blank drive, it will create a 100 MB partition named System Reserved (no drive letter assigned), mark it as System, Active, Primary Partition; and will boot from that partition (the Boot folder and bootmgr file will be on that partition). If you want to avoid this 100 MB partition, repartition your drive before installing Win7 (do that even if you only make one partition that takes up the entire drive). This topic is poorly documented, as you can see if you read http://social.answers.microsoft.com. There are a lot of “I think it does this and that” and “I think that’s how it works.” I tried searching for some MS articles with details on this 100 MB partition, but it was a very elusive topic. Here are some steps for preventing the 100 MB partition: http://www.sevenforums.com.
The reason for this special partition is so that Windows can boot from it first and then access the encrypted volume/partition that contains the rest of the Windows OS (C: by default). The special partition is not encrypted and doesn't need to be because it doesn't contain any user data. The integrity of the C: volume and the computer is verified after Windows boots from this special partition. If you took the drive out and put it into another computer, Windows will not decrypt the C: volume automatically because the integrity checks won't pass. In those cases, Windows will prompt you for the BitLocker recovery key.
• If you only had one partition that took up the entire drive, and Win7 was installed on it, after enabling BitLocker, Win7 will shrink that partition by 300 MB and create a new 300 MB (actually 299 MB on my Gateway) partition that functions the same as the aforementioned 100 MB partition (the Boot folder and bootmgr file will be moved to this partition and Windows will boot from it). No data will be lost from the shrinkage, although it’d be wise to make a backup beforehand, just in case. The 300 MB partition will not have a label or drive letter assigned to it.
I've also seen this partition be 450 MB in size and include the Recovery folder. The system that I saw this on had been upgraded to Windows 7 Ultimate from Windows 7 Professional in order to use BitLocker, so that might have had something to do with the different partition size.
• Win7 includes Manage-BDE.exe, which is the command line interface for BitLocker (Vista had Manage-BDE.wsf, which was similar, but script based).
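Since Manage-BDE.exe is scriptable, here is an added example (not from the original post) of the check I would run on a volume before trusting it: confirm the encryption status, confirm that both a TPM protector and a numerical recovery password exist, add the recovery password if it is missing, and save the protector list off the machine. The script parses the English-language output of manage-bde by line prefix, which is an assumption; the $Volume and $BackupPath parameters are mine, and E:\ stands in for removable media you control. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit BitLocker key protectors on a volume with manage-bde.exe.
# Parameter names and the E:\ backup location are placeholders, not BitLocker defaults.
param(
    [string]$Volume     = 'C:',
    [string]$BackupPath = 'E:\bitlocker-recovery.txt'   # placeholder: removable media, not the encrypted drive
)

# 1. Overall status: conversion state, encryption method and protector list.
$status = & manage-bde -status $Volume 2>&1 | Out-String
$status

# 2. Key protectors. The output lists each protector type (e.g. "TPM:",
#    "Numerical Password:") followed by its ID and, for recovery passwords, the 48 digits.
$protectors = & manage-bde -protectors -get $Volume 2>&1 | Out-String
$hasTpm      = $protectors -match 'TPM:'
$hasRecovery = $protectors -match 'Numerical Password:'

if (-not $hasTpm) {
    "WARNING: no TPM protector on $Volume; the volume will not unlock automatically at boot."
}
if (-not $hasRecovery) {
    # Without a recovery password, a failed integrity check (moved drive, changed
    # boot sector, BIOS update) leaves no way back into the volume.
    & manage-bde -protectors -add $Volume -RecoveryPassword
    $protectors = & manage-bde -protectors -get $Volume 2>&1 | Out-String
}

# 3. Keep a copy of the protector IDs and recovery password somewhere other than
#    the encrypted disk, so it is reachable when the recovery prompt appears.
$header = "Computer: {0}  Volume: {1}  Saved: {2:yyyy-MM-dd HH:mm}" -f $env:COMPUTERNAME, $Volume, (Get-Date)
($header, $protectors) | Out-File -FilePath $BackupPath -Encoding ASCII
"Recovery information written to $BackupPath"
```

The `-protectors -add ... -RecoveryPassword` switch makes BitLocker generate the 48-digit password itself; it appears in the refreshed protector list, which is what the last step writes out.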
• I had used a Symantec Ghost 8.2 (yes, this version is several years old, but it still works) partition image when doing my testing. Vista and Win7 have a completely re-architected boot routine, so after applying the image, I needed to boot into Windows Recovery Environment (Windows RE) and let it fix the boot errors automatically. If you don't have a Vista/2008/7 DVD around, you can create a bootable System Repair Disc that contains the System Recovery Options -- see http://www.sevenforums.com.
• Even after I got Win7 to boot up and work properly, BitLocker wouldn’t encrypt the drive. I forget the exact errors, but I looked them up and found that running bootsect /nt60 SYS /mbr resolved the issue. See http://technet.microsoft.com for info on the BootSect command. It looks like using an image (or specifically a partition image) does something to the boot sector, and even though Windows worked fine, BitLocker didn't like the boot sector.
Here is how the drives I tested were set up, as viewed from Disk Management, before and after BitLocker:
Computer which had two partitions set up before Win7 was installed:
Before BitLocker
C: 53.71 GB (Boot, Page File, Crash Dump, Primary Partition)
X: 58.07 GB (Primary Partition)
After BitLocker
C: 53.42 GB
X: 58.07 GB
N/A: 299 MB (System, Active, Primary Partition)
^ No drive letter assigned to the 299 MB partition. This partition was created by BitLocker, after BitLocker was enabled, with space taken by shrinking C:. C: shrunk from 53.71 GB to 53.42 GB. Note that this partition is now the active partition, so Windows will boot from it instead of C:.
Computer which had a clean install of Win7 on a clean drive:
N/A: 100 MB (System, Active, Primary Partition)
^ No drive letter assigned to the 100 MB partition, but the partition was labeled System Reserved.
C: 58.50 GB (Boot, Page File, Crash Dump, Primary Partition)
X: 53.19 GB (Primary Partition)
After BitLocker encrypted the system (C:) partition, there was absolutely no change in any of the partition sizes. And the System Reserved partition had the exact same amount of used and free space, so it doesn't appear that any files were added after encryption. The point here is that if the 100 MB partition already exists, which it would if Win7 was installed on a blank drive, Win7 won’t create a separate 300 MB partition.
2010-12-17
The other day I did something that I didn't think would work, but figured I'd give it a shot. I bought a solid state drive to replace my laptop’s hard disk drive. I decrypted all the volumes on the HDD and then used Symantec Ghost 8.2 to image the C: volume only, knowing that BitLocker had moved all the boot files to the special volume, so C: might not be able to boot correctly. I only wanted one volume on my SSD, so that's why I tried this.
Well, I was right, my SSD would not boot up. After trying Windows Recovery Environment and selecting System Repair to let Windows try to fix the issue, it didn't work. Next I tried all the BootRec commands (/FixMbr, /FixBoot, /ScanOS, /RebuildBcd) to no avail. No Windows OS was found and I received "element not found" errors. I then thought about this and figured that I could try to copy the boot files from my other laptop. And if that didn’t work, then I’d do a reinstall of Windows.
From the root of the active/boot volume (won't be C: if you have BitLocker enabled), copy the hidden folder named Boot and the file named bootmgr. You'll see errors stating that you can't copy the BCD and BCD.LOG files--you can ignore the errors. Copy the folder and file to the root of the volume that you just imaged, which in my case was C: on the SSD.
After copying the files over I ran Windows Recovery Environment --> System Repair again and this time it did fix the issue. The SSD booted up fine and I was able to set up BitLocker on it and encrypt the C: volume (I didn't even have to run bootsect /nt60 SYS /mbr).
After I fixed this issue, I did some more reading on Boot Configuration Data (BCD) and the Windows 7 boot process. I had already read about this when Vista first came out, but now I finally had to use some of that knowledge. This article here is a good overview of the Vista/7 boot process as compared to XP: http://www.c-sharpcorner.com.
So basically this is what happened: 1.) The C: volume wasn't active on the SSD, and 2.) The BCD (boot) related files were missing, so there was no way Windows was going to boot. After copying over Boot and bootmgr, System Repair was able to use them to rebuild a new BCD (and BCD.LOG and other related files).
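For the two conditions above (no active partition, no boot files), here is an added diagnostic (not from the original post) that I would run from an elevated PowerShell prompt on Windows 7 before reaching for BootRec. It lists which partition is marked active, reports whether bootmgr and \Boot\BCD exist at the root of each lettered volume, and asks the boot manager which store it loaded. The helper name Test-BootFiles is mine; the script assumes PowerShell 2.0 and the WMI classes that ship with Windows 7.

```powershell
# Added example: check active partition and presence of boot files on Windows 7.
# Test-BootFiles is a hypothetical helper, not a built-in cmdlet.

# 1. Active (bootable) partitions. The MBR hands control to the active partition's
#    boot sector, so bootmgr has to be on this partition for Windows to start.
Get-WmiObject Win32_DiskPartition |
    Where-Object { $_.BootPartition } |
    ForEach-Object { "Active partition: {0} ({1} MB)" -f $_.DeviceID, [int]($_.Size / 1MB) }

# 2. Boot files per lettered volume. A BitLocker-created system partition has no
#    drive letter and will not show up here; run 'mountvol' to list it, or assign
#    a letter temporarily in Disk Management to inspect it.
function Test-BootFiles([string]$Root) {
    New-Object PSObject -Property @{
        Root       = $Root
        HasBootmgr = Test-Path (Join-Path $Root 'bootmgr')    # hidden/system file at the root
        HasBcd     = Test-Path (Join-Path $Root 'Boot\BCD')   # the BCD store itself
    }
}
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { Test-BootFiles ($_.DeviceID + '\') } |
    Format-Table Root, HasBootmgr, HasBcd -AutoSize

# 3. Ask the running boot manager where its store lives. On a volume that has
#    bootmgr but a missing or broken BCD, this is where "element not found" appears;
#    System Repair rebuilt that store once the Boot folder and bootmgr were in place.
bcdedit /enum '{bootmgr}'
```

If step 1 prints nothing, no partition is active, which matches the first cause above; if step 2 shows HasBootmgr and HasBcd both False on the volume you intend to boot from, that is the second cause, and copying the Boot folder and bootmgr over (as described above) before rerunning System Repair is the fix that worked here.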