Losing Network Shares on BitLocker Drive Unlock
I have a new server running Windows Server 2008 R2 Standard, without a TPM installed. The server has a separate partition designated only for user data. Our users will access data on this partition remotely through network shared folders. This partition is encrypted using BitLocker with password unlock. Overall everything is working very well and we are happy with the balance of features and flexibility. However, a new problem has cropped up: when we unlock the encrypted drive (after a reboot), all network shares on this drive are lost and must be recreated! The folders and all of their contents remain; simply the shares are removed. This server is not yet in production, however we do need to get this resolved as soon as possible. I guess I have three questions really:
1. Is this behavior expected and I just missed it somewhere?
2. Is there a way to prevent this behavior and preserve the network shares after a BitLocker unlock?
3. If we purchase/install a TPM for full server encryption, would this behavior continue or clear up?
Thank you for any advice!
February 18th, 2012 12:24pm

I believe you see this issue since the Server service is starting before the drive is unlocked. Do this:
1. Use a TPM based machine and encrypt the OS drive first.
2. Encrypt the data drive with BitLocker and enable auto-unlock from the GUI or the manage-bde command. GUI: Control panel --> BitLocker Drive Encryption --> Manage BitLocker for data drive --> Enable auto-unlock.
Once you have done this, this data drive will be automatically unlocked if you reboot the server. This should fix your issue.
Manoj Sehgal
March 1st, 2012 6:21pm

FrozenJoe: Answers to your questions:
1. Is this behavior expected and I just missed it somewhere? Yes, this is an expected behavior.
2. Is there a way to prevent this behavior and preserve the network shares after a BitLocker unlock? You need to use the auto-unlock feature of BitLocker, so that the data drive gets unlocked automatically.
3. If we purchase/install a TPM for full server encryption, would this behavior continue or clear up? Yes, to use auto-unlock you require a TPM for the full server and the OS drive encrypted with BitLocker. If we allow the unlock process without the OS drive, then we are giving an attack vector to someone to hack BitLocker and access the data volume. When we add certain protectors we need to make sure we can prevent all attacks. If you do not want to use a TPM on your servers, then you can still use BitLocker. In this case, you will have to use a USB stick as a Startup Key. This will save a lot of $ for your company.
Manoj Sehgal
March 27th, 2012 8:49am

Hello, Enabling BitLocker without a real TPM chip is not safe and may cause unexpected problems. If the problem persists when BitLocker is disabled, please try restarting the Server service. Then, check the registry key below to see if a value with the name of the shared folder is created: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares If you cannot see the shared folder under \LanmanServer\Shares, then this is the problem: sharing disappears after reboot. Remove the share configuration, restart the Server service and share it again. Then check if the share configuration remains after a reboot.
Thanks ZHANG
April 7th, 2012 10:16am

Hey ZHANG, I appreciate the reply and based on your information I have figured out a workaround. The Server service is starting before the BitLocker drive is unlocked. While this does not remove the shares, as I once thought, it does prevent them from becoming available immediately following an unlock of the BitLocker drive. Checking the registry key above, the shares are present and are not removed following a reboot. Once I unlocked the drive, I then restarted the Server service and the shares became available. Also, a TPM is only required for encrypting the operating system drive, not when encrypting a non-system disk or a disk not required by the OS to boot properly. In this case a security token or password is fully supported. So my questions still stand:
1. Is this behavior expected?
2. Is there a way to prevent this behavior and preserve the network shares after a BitLocker unlock?
3. If we purchase/install a TPM for full server encryption, would this behavior continue or clear up?
Restarting the Server service after an unlock may get us around the issue but it is probably an unhealthy practice in the long run and one we would not want to put into production. Thank you again,
April 7th, 2012 11:17am
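The sequence the thread converges on (unlock the data volume, confirm the share definitions under LanmanServer\Shares survived, then restart the Server service so it re-enumerates them) as a PowerShell script for Windows Server 2008 R2. This is an added example, not a script from the thread or from Microsoft; the drive letter is an assumption, and it uses only manage-bde and built-in cmdlets because the BitLocker PowerShell module did not exist on 2008 R2.

```powershell
# Added example: bring shares on a password-protected BitLocker data volume back
# after a reboot. Assumes the data volume is D: (override with -DataDrive).
param([string]$DataDrive = 'D:')

$sharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'

# 1. Inspect lock state; manage-bde -status prints a "Lock Status: Locked/Unlocked" line.
$status = manage-bde -status $DataDrive
if ($status -match 'Lock Status:\s+Locked') {
    # -Password prompts interactively, so the secret never lands in a command line or log.
    manage-bde -unlock $DataDrive -Password
    if ($LASTEXITCODE -ne 0) { throw "Unlock of $DataDrive failed (manage-bde exit $LASTEXITCODE)" }
}

# 2. Confirm the share definitions are still in the registry. Each value is a
#    REG_MULTI_SZ whose 'Path=' entry names the shared folder.
$key = Get-Item -Path $sharesKey
$onDrive = @()
foreach ($name in $key.GetValueNames()) {
    $path = ($key.GetValue($name) | Where-Object { $_ -like 'Path=*' }) -replace '^Path=', ''
    if ($path -like "$DataDrive*") { $onDrive += "$name ($path)" }
}
if ($onDrive.Count -eq 0) {
    Write-Warning "No share definitions for $DataDrive found under $sharesKey; the shares really are gone."
} else {
    Write-Host "Share definitions still present for ${DataDrive}: $($onDrive -join ', ')"
}

# 3. The Server service enumerated these paths before the volume was readable, so
#    restart it now that the volume is unlocked. -Force also restarts dependents
#    (e.g. Computer Browser), which is why this is a workaround and not a fix:
#    clients connected to any share on the server are dropped during the restart.
Restart-Service -Name LanmanServer -Force

# 4. Verify the shares are actually being served now.
net share | Select-String -Pattern ([regex]::Escape($DataDrive))

# The thread's recommended fix instead of this script: once the OS volume is itself
# protected by BitLocker (TPM), store the data volume key on it so the volume is
# readable before the Server service starts:
#   manage-bde -autounlock -enable D:
```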

Hi Spencer, For my deployment environment, yes, I have followed the best practices guide. Nowhere in any guide I have discovered so far is my scenario described or discussed. In fact none of the system related side effects of enabling BitLocker are described in any detail; instead the protection gained is discussed. To reiterate my scenario, I have a server (Server 2008 R2) with 3 fixed disks (1 System, 1 Data, and 1 Services/Temp). We do not have a TPM installed, which is perfectly fine since we are not encrypting the System volume. Only the data drive will be encrypted. Once encrypted, snapshots will be used for point in time restores for our users. Our users will access their data through network shares and will not have physical console access to the server. Everything is working beautifully with the exception of network shares not being restored after unlocking the BitLocker drive.
1. Is this behavior expected?
2. Is there a way to prevent this behavior and preserve the network shares after a BitLocker unlock?
3. If we purchase/install a TPM for full server encryption, would this behavior continue or clear up?
Thanks!
April 7th, 2012 12:01pm

I have a new concern at this point. To remedy the issue I have disabled BitLocker on the drives and will continue testing. So we are at a juncture to either continue testing or opt to buy a TPM for each server. Let's assume a new scenario and consider questions on the new scenario to discuss system related issues with BitLocker enabled for all volumes. In this scenario, I have a server (Windows Server 2008 R2) with 3 fixed disks (1 System, 1 Data, and 1 Snapshot data). I have shared folders on the data drive that are accessed remotely through mapped drives on our client workstations. The Data drive has snapshots enabled and they are stored on the Snapshot fixed disk. This server has a TPM installed. We use BitLocker with the TPM and encrypt all volumes.
1. Will we have issues after BitLocker has encrypted the drives with storing snapshots on a dedicated fixed disk?
2. Will we have issues with network shares disappearing after a reboot?
Any assistance on this new scenario will be greatly appreciated, Thanks!
April 7th, 2012 12:08pm

I wasn't aware you could set up BitLocker on a server OS. (If the user got the credential to open the share, encrypted or not, he still has access to the information.) I am curious, did you run some stress utility on the server? I would fear I/O / CPU congestion under heavy I/O load.
MCP | MCTS 70-236: Exchange Server 2007, Configuring
April 7th, 2012 12:25pm

Hey Manoj, That is what we determined from my previous tests, however I would expect better, more flexible operation of BitLocker when locking down a single volume. Switching to full server encryption shouldn't be a fix, not even a workaround. The unlock process should be greatly enhanced to resolve issues like these... I know it is built with security in mind but once unlocked my expectations are that functionality would restore at that moment and automatically. I shouldn't have to restart services or re-share the network shares each time. Yes, you can't make the unlock process re-enable everything dependent on that drive, however basic Microsoft services should be. Thanks for confirming the use of a TPM/full system encryption and shared drives. We wanted to avoid spending the $ on a TPM for 35 servers if it could be helped. However if this is the only way around this limitation of BitLocker we will proceed with a TPM or without BitLocker altogether... Thank you again, FrozenJoe
April 7th, 2012 3:59pm

Yes, you are correct, and Microsoft has a disclaimer on the use of BitLocker on heavily used systems. The servers I am deploying will easily be able to handle BitLocker in our environment. The I/O load we will be seeing is not even close to the kind that Microsoft is describing. You are correct as well with regard to the data access through the network, however we must prevent the servers, or their HDDs, from growing legs and walking out the door of one of our locations. You can train users and increase physical security only so much before you have to look at the server itself and increase its security. BitLocker does just that. We do not care about the hardware itself, but we do care about the data contained on it. According to Microsoft and most hardware vendors, contrary to AV vendors, this is the method most widely used to steal data from an organization because there is a relatively low technical (hacking) skill required to extract data from a stolen hard drive. And with social engineering schemes like fishing with dynamite, most end users will not pose a threat to someone walking in and taking hardware. Oh the life of someone in IT ^_^
April 7th, 2012 4:00pm

To be honest, with the BitLocker idea I was curious if you could set up an HDD password on a RAID controller; that would be cool, less headache. I looked today but too bad I didn't find any information for that :| With a DRAC or iLO that would be easy to manage, even remotely, to re-enter the password after a restart. In our shop we use McAfee FDE; the whole HDD is encrypted, so at boot it asks for the password and after the boot everything is accessible. I don't know if BitLocker uses the same scheme. If yes then maybe just encrypt the whole HDD, and in the background make some imaging of the HDD for backup purposes. When Windows starts all shares will still be there. The minimum spec is a DRAC or iLO to enter the password at boot. I've seen that it's doable with a token, but if he steals your token too then you're outta luck.
MCP | MCTS 70-236: Exchange Server 2007, Configuring
April 7th, 2012 4:23pm

Hi, Have you followed the recommended best practice for setting up BitLocker? Best Practices for BitLocker in Windows 7 http://technet.microsoft.com/en-us/library/dd875532(v=WS.10).aspx And also, the following blog may help us to understand BitLocker more clearly. Best-Practice Recommendations for Using BitLocker http://technet.microsoft.com/en-us/security/ff690553 Thanks, Spencer Shi
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 8th, 2012 3:54am
