Support Document

AlertBoot Data Security: Installing Microsoft BitLocker Disk Encryption

Table of Contents

Running the AlertBoot BitLocker Installer on Windows Endpoints
o Pre-requisites
o Downloading the BitLocker client installer
o Creating a BitLocker token
o User registration popup
Checking Encryption Progress
Verifying BitLocker Encryption Status on Windows Endpoints
Selecting BitLocker Data Drives for Encryption
How End Users can change the BitLocker PIN
Downloading a recovery key
Lock, Reset, Kill: Managing FDE Endpoints
Uninstalling BitLocker from Windows Endpoints

Cloud-ready Mobile Device Management, Disk & USB Encryption
www.alertboot.com

2014 AlertBoot Data Security
All rights reserved


Running the AlertBoot BitLocker Installer on Windows Endpoints


Pre-requisites:

The AlertBoot BitLocker MSI can only be used on endpoint machines that already ship with Microsoft BitLocker (BitLocker Drive Encryption). AlertBoot does NOT provide the BitLocker feature itself; it manages the copy built into Windows.
The following editions are supported:
o Windows Vista and Windows 7: Ultimate and Enterprise editions.
o Windows 8 and Windows 8.1: Pro and Enterprise editions.
Devices with a TPM chip must have TPM version 1.2 or later.
Devices without a TPM chip require a USB token at start-up (an external USB flash drive is necessary).

Step 1. Log in as an Administrator user on the machine that needs to be encrypted.

A machine named Win81E64 (Windows 8.1 Enterprise, 64-bit) is used as the example throughout this document, with the following accounts:

User account   Type
localadmin     administrator (used to encrypt the machine)
localuser      normal user
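The pre-requisites above can be checked from PowerShell before the MSI is downloaded. The script below is an added example, not AlertBoot tooling: it matches the OS caption against the editions listed above (assuming Microsoft's usual caption strings), confirms that manage-bde.exe (and therefore BitLocker) is present, and reads the TPM specification level from WMI. Get-WmiObject is used instead of Get-CimInstance so it also runs on the Windows Vista/7 endpoints this document supports.

```powershell
# Added pre-flight check (not AlertBoot's own tooling). Run it in an elevated
# PowerShell session on the endpoint before launching the AlertBoot MSI.
function Test-AlertBootPrerequisites {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Vista captions contain (R)/(TM) symbols; strip non-ASCII so substring matches work.
    $edition = ($os.Caption -replace '[^\x20-\x7E]', '').Trim()   # e.g. "Microsoft Windows 8.1 Enterprise"
    $arch    = $os.OSArchitecture                                  # e.g. "64-bit"

    # Editions listed under Pre-requisites, matched as substrings of the OS caption
    # (assumption: captions follow Microsoft's usual "Microsoft Windows <ver> <edition>" naming).
    $supported = @('Windows Vista Ultimate', 'Windows Vista Enterprise',
                   'Windows 7 Ultimate',     'Windows 7 Enterprise',
                   'Windows 8 Pro',          'Windows 8 Enterprise',
                   'Windows 8.1 Pro',        'Windows 8.1 Enterprise')
    $editionOk = $false
    foreach ($s in $supported) { if ($edition -like "*$s*") { $editionOk = $true } }

    # AlertBoot manages BitLocker but does not ship it: manage-bde.exe must already exist.
    $bitLockerPresent = Test-Path "$env:SystemRoot\System32\manage-bde.exe"

    # TPM 1.2 or later is needed to use the TPM; with no TPM a USB start-up token is required.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        # SpecVersion reads like "1.2, 2, 3" or "2.0, 0, 1.16"; the first field is the spec level.
        $specLevel = [double](($tpm.SpecVersion -split ',')[0].Trim())
        $tpmOk     = ($specLevel -ge 1.2)
        $tpmNote   = "spec $($tpm.SpecVersion), enabled=$($tpm.IsEnabled_InitialValue), activated=$($tpm.IsActivated_InitialValue)"
    } else {
        $tpmOk   = $false
        $tpmNote = 'no TPM found; a USB token will be required at every boot (see Step 7)'
    }

    $result = New-Object PSObject -Property @{
        Edition          = "$edition ($arch)"
        EditionSupported = $editionOk
        BitLockerPresent = $bitLockerPresent
        TpmUsable        = $tpmOk
        TpmNote          = $tpmNote
        ReadyToInstall   = ($editionOk -and $bitLockerPresent)
    }
    if (-not $result.ReadyToInstall) {
        Write-Warning 'This endpoint does not meet the AlertBoot BitLocker pre-requisites.'
    }
    return $result
}

Test-AlertBootPrerequisites | Format-List
```

TpmUsable being false is not a blocker (the token workflow in Step 7 covers it), but a TPM that is present yet not enabled or activated in firmware will also report as unusable; fix that in the BIOS/UEFI setup before installing rather than falling back to a token by accident.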


Step 2. Download the AlertBoot BitLocker Manager Client installer MSI from the central console onto the
machine to be encrypted.

Log into the AlertBoot Management Console.


Navigate to Order Licenses tab > App Setup > Endpoint Client and pick the MSI that matches the endpoint's Windows version (the CLR40/CLR20 suffix denotes the .NET runtime the client is built against: 4.0 for the Windows 8.1 builds, 2.0 for the Windows 7 builds):

Windows 8.1 endpoints:
i. ABBitLockerManagerInstaller_CLR40.msi (works with or without a TPM chip)
   Installs the default Full Disk Encryption client, which encrypts all fixed drives, including the operating system drive.
ii. ABBitLockerManagerInstaller_SDDE_CLR40.msi (does not need a TPM chip)
   Installs the Selected Data Drives Encryption client, which encrypts only the selected fixed data drives.
   The operating system drive and any external removable data drives are never encrypted by this client, even if they are configured at the console as part of the Encryption Policy.

Windows 7 endpoints:
i. ABBitLockerManagerInstaller_CLR20.msi (works with or without a TPM chip)
   Installs the default Full Disk Encryption client, which encrypts all fixed drives, including the operating system drive.
ii. ABBitLockerManagerInstaller_SDDE_CLR20.msi (does not need a TPM chip)
   Installs the Selected Data Drives Encryption client, which encrypts only the selected fixed data drives (the operating system drive and external removable data drives are excluded).


Step 3. Run the AlertBoot BitLocker Manager Client installer MSI

Run the downloaded ABBitLockerManagerInstaller MSI by double-clicking it.

Provide your consent if prompted by User Account Control (UAC); the installer needs administrative rights to register the machine and install its services.
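Before running an installer that will hold the keys to every disk in the fleet, it is worth confirming that the file is the vendor's untouched release. The script below is an added example, not part of the AlertBoot installer: it checks the Authenticode signature (assuming the vendor signs the MSI), optionally pins a SHA-256 obtained out of band, and then launches msiexec with a verbose log that is useful if the validation and registration step fails. The download path is only where a browser usually saves the file.

```powershell
# Added example, not part of the AlertBoot installer: verify the downloaded MSI
# before running it, then launch it with verbose MSI logging.
param(
    [string]$MsiPath        = "$env:USERPROFILE\Downloads\ABBitLockerManagerInstaller_CLR40.msi",
    [string]$ExpectedSha256 = ''     # assumed to come from the vendor/console out of band; empty = skip
)

if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }

# 1. Authenticode: anything other than 'Valid' (NotSigned, HashMismatch, UnknownError)
#    means the file is not the publisher's untouched release. Do not run it.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run: signature status is '$($sig.Status)' for $MsiPath"
}
"Signed by: $($sig.SignerCertificate.Subject)"

# 2. Optional hash pin. Get-FileHash needs PowerShell 4.0 (shipped with Windows 8.1);
#    on Windows 7 use "certutil -hashfile <file> SHA256" and compare by hand.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) {
        throw "Refusing to run: SHA-256 $actual does not match expected $ExpectedSha256"
    }
}

# 3. Run the installer interactively (it shows its own validation/registration dialogs),
#    elevated, with a verbose log kept for troubleshooting Steps 4 to 6.
$log = Join-Path $env:TEMP 'ABBitLockerManagerInstaller.log'
Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$MsiPath`" /l*v `"$log`"" -Verb RunAs -Wait
"Installer exited; MSI log written to $log"
```

The log file records the custom actions the installer runs, which is the quickest way to see why registration with the AlertBoot cloud failed on a machine behind a restrictive proxy.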


Step 4. Installation starts.

Read the installation instructions and click OK to continue.


Step 5. Validation and Registration.

The MSI installer validates the customer and registers the machine in the AlertBoot cloud.


Step 6. Installer checks disk integrity and continues with the installation.

Click Close and restart the machine when prompted at the end.

Note: Two AlertBoot Services are installed as shown below; these services will start up when the machine is restarted.


Step 7. Creating a BitLocker token. (Skip if a TPM chip is being used.)

Insert an external USB storage device to create a boot-up token to be used with BitLocker.
o The USB device must have at least 1.0 MB of free space.
o To ensure optimal operability, make sure there are no files in the root directory.
A "recovery key" for each encryptable fixed drive is saved as a *.BEK file at the root level of the first removable drive the AlertBoot client detects. That drive becomes the token.
The recovery key file is saved with the Read-only and Hidden file attributes, so it is not visible in Explorer by default.
o The token can also be used as a storage device; however, it is recommended that a subfolder be created for any other files.
This prevents read/write issues on a USB drive formatted with the FAT file system, which limits the number of entries in the root folder.

Notes:
The endpoint user must insert the token into the encrypted machine at every boot-up. Windows prompts the user to insert the removable drive and press the <Esc> key to restart the machine. On detecting the token, the encrypted drive unlocks automatically and the user can log in to Windows.
The token's recovery key file is also uploaded to the AlertBoot cloud server, so it can be downloaded again if the token is lost (see section "Downloading a recovery key"). Anyone holding the token can boot the machine, so it should be treated as a key, not as a spare USB stick, and kept separate from the laptop when not in use.
The AlertBoot client tells the user which drive was used to save the recovery key through balloon tips at the System Tray icon.


Step 8. Checking for a TPM chip and selecting a PIN.

If a compatible TPM chip is found (version 1.2 or later), the client starts encrypting using the account-level default PIN set in the Encryption Policy.
o The end user can change the default PIN once encryption is finished. The PIN must be a number of 4 to 20 digits (numbers only; no letters or special characters). For details see section "How End Users Can Change the BitLocker PIN". Because the default PIN is shared by every machine encrypted under the same policy, it should be changed as soon as encryption completes.

Notes:
It is critical that internet connectivity stays ON during the initial encryption so that the recovery key(s) are successfully escrowed in the AlertBoot cloud server. Without that escrow there is nothing to download if the PIN or token is later lost.
o If the encrypted machine is restarted before a PIN is applied, the only way to unlock it is to download the recovery key (*.BEK) file from the central console onto external removable media (a USB token; see section "Downloading a recovery key") and connect it to the machine while booting.
Once a PIN is successfully applied to the operating system drive, the end user enters this PIN at boot-up to unlock the machine.
If the PIN is lost or forgotten, refer to section "Downloading a recovery key".
All encrypted data drives, if any, are configured to auto-unlock once the operating system drive has been unlocked.


Step 9. Check for the AlertBoot BitLocker Manager Client as a System Tray icon.

The AlertBoot BitLocker Manager Client application starts automatically once the machine is restarted and the user logs
in. The AlertBoot client is minimized as a System Tray icon, as shown below:


Step 10. User registration popup.

The User Registration dialog pops up at least once when a drive starts encrypting.
Until user registration is complete, the machine is listed under Unregistered Machines in the AlertBoot cloud-based central console.
Once user registration is complete, the User Registration dialog does not come up again, and the machine moves to the Machines/Devices list in the central console.


Step 11. Uninstallation is not possible as long as the encryption policy is set.

Any attempt to Uninstall, Change or Repair the current installation, whether using the original installer MSI or the Windows "Uninstall or change a program" wizard, fails with the error message below. This is by design: the client can only be removed by deleting the machine in the console, which first decrypts the drives.
For instructions, refer to the section "Uninstalling BitLocker from Windows Endpoints".

END of "Running the AlertBoot BitLocker Installer on Windows Endpoints"




Checking BitLocker Encryption Progress


Step 1. Find the AlertBoot system tray icon.

Left-click (single-click) on the System Tray icon to bring up the UI.


If the System Tray icon does not appear, wait a couple of minutes before checking again.


Step 2. Reading the information screen.

Valid Device IDs and Last Sync. date & time stamps confirm that (1) the machine is correctly registered with the
AlertBoot policy server and (2) the account level encryption policy was received on the local endpoint.


Step 3. Reading the encryption status screen.

As soon as the encryption policy is received, the AlertBoot BitLocker Manager Client starts encrypting all encryptable fixed drives on the endpoint. Removable drives (such as USB drives) connected to the machine are NOT encrypted; only fixed encryptable drives are.


Step 4. Clicking the Close button minimizes the application to the System Tray as an icon.

The AlertBoot client can be removed from the System Tray by right-clicking the icon and selecting Exit. In that case the application does not run again until the user session changes or the machine is restarted.
The AlertBoot client starts in minimized mode (as a System Tray icon) on every machine start.

End of "Checking BitLocker Encryption Progress"


Verifying BitLocker Encryption Status on Windows Endpoints


When does a machine reach 100% encryption?

The time it takes to complete encryption depends on several factors, including the number and size of the encryptable drives, the amount of free space available, processor speed, and the applications currently running. A 40 GB HDD typically completes encryption within a couple of hours.
If there is more than one encryptable drive, the Drives: field lists all of them separated by commas (e.g., C:, E:, F:). The encrypted/decrypted percentage is the average across all encryptable drives, so check each drive individually before treating a machine as fully encrypted.
In the screenshot below, the demo machine had only one drive enabled for BitLocker encryption, so the Drives: field lists only C:.


Method 1. Reading the encryption status screen.

Refer to Step 3, "Reading the encryption status screen", in the section "Checking BitLocker Encryption Progress" for the use of the AlertBoot client found in the System Tray.

Method 2. Using the BitLocker Manager Wizard.

Users can verify the drive encryption status from the drives list in Windows Explorer or in the BitLocker Manager Wizard. A lock icon indicates that the drive is BitLocker protected; for the exact percentage encrypted, use Method 1 or Method 3.


Method 3. Machine represented as fully encrypted within the central console.

If a machine is fully encrypted, it can be verified from the AlertBoot management console. Navigate to the machine in
question and click on the machine name to show its details.
Note: The machine's recovery key is also listed on the same page (see section "Downloading a Recovery Key").

End of "Verifying BitLocker Encryption Status on Windows Endpoints"


Selecting BitLocker Data Drives for Encryption


Step 1. Navigate to BitLocker Encryption section.

Go to "Users/Machines" tab > "Disk Encryption Policies" > "Encryption Policies" to access the BitLocker Encryption policy
section.

Step 2. Select whether a TPM Chip is used or not.

If "yes" is selected but a TPM Chip is not present, the endpoint user will be forced to use a USB token for boot up.


Step 3. Select the drives to be encrypted.

If no drives are selected, all data drives are encrypted.
If one or more drives are selected, only the selected data drives are encrypted.
If a selected drive corresponds to the operating system drive or an external media drive, it is not encrypted.

Step 4. Save the changes.

Save the policy changes.

Decide how you want to encrypt an endpoint, and deploy either the Full Disk Encryption client or the Selected Data Drives Encryption client. See Step 2 in the section "Running the AlertBoot BitLocker Installer on Windows Endpoints" for details on the different MSIs.

Notes:

Once deployed, the MSI behaviour cannot be changed. To change it, the encrypted machine must be fully decrypted, all client components removed, and the correct MSI used to start the encryption process again.
The default PIN can be found by hovering the pointer over the icon next to "Default PIN Used For Initial Encryption". Anyone who can read this policy page and has physical access can boot any machine still using the default PIN, so restrict console access accordingly and have users change the PIN as soon as encryption finishes.

End of "Selecting BitLocker Data Drives for Encryption"


How End Users Can Change the BitLocker PIN


Step 1. Find the AlertBoot BitLocker Manager Client in the System Tray.

Within the Windows environment, right-click the AlertBoot BitLocker Manager Client tray icon to bring up the below
menu and select Change PIN:


Step 2. Enter the current Windows password.

The following dialog will appear. Validate with the current Windows password.


Step 3. Enter a new PIN and confirm it.

Once the Windows credentials are validated, enter a new PIN and confirm it. The PIN must be a number between 4 and 20
digits. You will get the following pop-up window if the PIN is valid.


If the PIN is not valid, the following window will show up:


Step 4. Confirm PIN change.

Once the new PIN is validated, the AlertBoot client will apply the change on the encrypted operating system drive and show
a confirmation, as seen below:

If the operating system drive is not yet encrypted, the PIN cannot be changed:


If you see the notice below, an admin user has manually stopped the AlertBoot Encryption Manager Service. In this case, restart the service or the machine before trying again.

End of "How End Users Can Change the BitLocker PIN"


Downloading a Recovery Key

The recovery key for an encrypted drive is saved in the cloud for disk recovery.

A console administrator can download the recovery key file to the root level of a removable drive and deliver it to the end user, effectively turning that drive into a boot-up token. The end user boots the machine, connects the token holding the recovery key file when prompted, and presses the <Esc> key to restart and unlock the encrypted drive.
The recovery key file must be saved unmodified and with its original name, as shown in the example download dialog below. Any change to the name or file extension renders the key useless. Whoever holds this file can unlock the drive, so deliver it over a trusted channel and delete any copies left in download folders once recovery is complete.


The recovery key file (*.BEK) is around 1 KB in size and must be copied to the root level of the removable drive.

Important Notes:
o Any change to the name or file extension while downloading or saving it to the root of the removable drive renders the key useless: the Windows BitLocker boot engine cannot process the recovery key from a renamed file.
o The recovery file must be copied to the root of the removable drive. It is not processed if saved in a subfolder on the removable drive.

End of "Downloading a Recovery Key"


Lock, Reset, Kill: Managing FDE Endpoints


The console administrator can issue a Soft Reset, Lock Device or Kill Device command.

Each command must be confirmed before it takes effect on the selected machine (see the screenshots for each option on the next page). The command is delivered as policy, so the endpoint acts on it only when it next synchronizes with the AlertBoot cloud; a machine that never reconnects never executes it.
The AlertBoot client does the following on receiving the policy:
o Soft Reset: silently restarts the machine immediately.
o Lock Device: silently logs off the currently logged-on user.
o Kill Device: silently changes the encryption key, rendering the machine unbootable and the recovery key unusable.
  - The device is moved to the pending deletions list as soon as the command is issued in the console, and the associated license is returned to the account-level license pool.
  - The device is moved to the deleted list as soon as the AlertBoot client confirms that the Kill command has been executed on the machine.
  - The encrypted disk becomes unusable and must be reformatted before it can be used again.
  - Kill Device is irreversible: it cannot be revoked, and the data on the encrypted machine is permanently lost.


Option 1. Soft Reset.

Option 2. Lock Device


Option 3. Kill Device

End of "Lock, Reset, Kill: Managing FDE Endpoints"


Uninstalling BitLocker from Windows Endpoints


Step 1. Log into the AlertBoot Management Console.

Step 2. Find the target machine in the AlertBoot Management Console.

Find the machine from which BitLocker is to be uninstalled:
o Go to the Users/Machines tab.
o Navigate to Users/Machines > Machines/Devices.

Step 3. Delete the target machine.

Option 1: Delete the target machine by clicking the Del link on the page listing multiple machines.
Option 2: Delete the target machine by clicking the Delete Machine button on the machine's details page (screenshot below).


Step 4. Synchronize the endpoint.

Once the console administrator deletes the machine, the uninstall policy is delivered to the endpoint on its next synchronization with the AlertBoot cloud, so the endpoint must be online for removal to start.
On receiving the uninstall policy, the AlertBoot client starts decrypting all encrypted drives.
The AlertBoot client can be uninstalled from the endpoint only after all drives are fully decrypted. Deleting the machine in the console therefore decrypts it; there is no supported way to remove the client while leaving the drives encrypted.
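Both "is this machine fully encrypted?" (section "Verifying BitLocker Encryption Status on Windows Endpoints") and "is it fully decrypted, so the client can now be removed?" (Step 4 above) can be answered on the endpoint itself from `manage-bde -status`, independently of the tray client's averaged percentage. The script below is an added example, not part of the AlertBoot client: it parses that output per volume and checks each drive against the expected state, and lists the AlertBoot services by display name (their service names are not given in this document). The sample output embedded at the end is constructed, not captured from a real endpoint, so the parser can be exercised anywhere.

```powershell
# Added example, not part of the AlertBoot client: per-volume BitLocker state from
# manage-bde, usable both as the encryption check and as the pre-uninstall gate.
function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory=$true)] [string[]]$Lines)   # output lines of "manage-bde -status"
    $volumes = @()
    $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^Volume ([A-Z]:)') {
            if ($cur) { $volumes += $cur }
            $cur = New-Object PSObject -Property @{
                Drive = $Matches[1]; Conversion = ''; Percent = 0.0; Protection = ''; Protectors = @()
            }
            continue
        }
        if (-not $cur) { continue }
        if     ($line -match '^\s+Conversion Status:\s+(.+)$')        { $cur.Conversion = $Matches[1].Trim() }
        elseif ($line -match '^\s+Percentage Encrypted:\s+([\d.]+)%') { $cur.Percent    = [double]$Matches[1] }
        elseif ($line -match '^\s+Protection Status:\s+(.+)$')        { $cur.Protection = $Matches[1].Trim() }
        elseif ($line -match '^ {8}(\S.*)$')                          { $cur.Protectors += $Matches[1].Trim() }  # entries under "Key Protectors:"
    }
    if ($cur) { $volumes += $cur }
    return $volumes
}

function Test-EndpointState {
    param(
        [ValidateSet('Encrypted','Decrypted')] [string]$Expected = 'Encrypted',
        [string[]]$StatusLines = $null                 # defaults to live manage-bde output
    )
    if (-not $StatusLines) { $StatusLines = & manage-bde -status }
    $want = if ($Expected -eq 'Encrypted') { 'Fully Encrypted' } else { 'Fully Decrypted' }
    $ok = $true
    foreach ($v in ConvertFrom-ManageBdeStatus -Lines $StatusLines) {
        # The tray client shows an average across drives; judge every drive on its own.
        $good = ($v.Conversion -eq $want)
        if ($Expected -eq 'Encrypted' -and $v.Protection -ne 'Protection On') { $good = $false }
        if (-not $good) { $ok = $false }
        Write-Host ("{0} {1,-16} {2,6:N1}% {3,-15} protectors: {4}" -f $v.Drive, $v.Conversion, $v.Percent, $v.Protection, ($v.Protectors -join ', '))
    }
    # The two AlertBoot services from Step 6 of the install (matched on display name).
    Get-Service | Where-Object { $_.DisplayName -like '*AlertBoot*' } |
        ForEach-Object { Write-Host ("service {0}: {1}" -f $_.DisplayName, $_.Status) }
    return $ok
}

# Constructed sample of manage-bde -status output (not captured from a real endpoint):
# one TPM+PIN operating system volume that has finished encrypting.
$sample = @'
Volume C: [Win81E64]
[OS Volume]

    Size:                 59.66 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM And PIN
        External Key
'@ -split "`r?`n"

Test-EndpointState -Expected Encrypted -StatusLines $sample
# Live checks on the endpoint:  Test-EndpointState            (before calling a machine encrypted)
#                               Test-EndpointState Decrypted  (before uninstalling the client)
```

The protector list is worth reading, not just the boolean: an operating system volume that shows only "External Key" and no "TPM And PIN" after encryption has finished is one that still depends on the USB token or the escrowed *.BEK, which is the situation Step 8 warns about.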

End of "Uninstalling BitLocker from Windows Endpoints"
