Wipefreespace is only available in Windows 8, I think. If I enable bitlocker from a WinPE 5.0 boot, does the bitlocker that is present in the full OS after Windows 7 is installed accept the WipeFreeSpace argument?
If I reboot into WinPE 5.0 at the end and kick off a -wipefreespace, do I have to wait until it finishes or will it continue after a reboot?

From: [email protected] [mailto:[email protected]] On Behalf Of Keith Garner (Hotmail)
Sent: Tuesday, May 26, 2015 9:01 PM
To: [email protected]
Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ?

I don't think Cipher.exe works on unused space, only allocated files. This means that if you have a file that was previously deleted or quick formatted, you could get data leakage using BitLocker Pre-Provisioning. So no, I would not recommend Cipher.exe for this scenario.

As for speed, this blog <http://blogs.technet.com/b/bitlocker/archive/2006/07/08/unallocated.aspx> post on Bitlocker suggests that during a non-"used space only" encryption pass, Bitlocker won't actually read unallocated sectors, only overwriting these sectors. So it should be only slightly faster than Cipher.exe, which will be slower because of the file seeks.

Additionally, I noticed the command:

Manage-bde -WipeFreeSpace <https://technet.microsoft.com/en-us/library/jj647761.aspx>

Which suggests it can be used to clean these potential problem areas. Kick off the command near the end of your deployment, and let it run in the background :).

So rule of thumb:

* If you have sensitive data, use Bitlocker to encrypt it. Pre-Provisioning is fast and easy!
* If you haven't been using Bitlocker to protect sensitive data :(, then run through a full *slow* bitlocker pass. Or use the -WipeFreeSpace command. :)

-k

From: [email protected] [mailto:[email protected]] On Behalf Of Miller, Todd
Sent: Tuesday, May 26, 2015 1:01 PM
To: [email protected]
Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ?

Is it any faster to use cipher.exe to blank/randomize the unused space than it is to just encrypt the whole drive? I'm asking, not arguing.
Do you just run that as the last step in the OSD process? My primary goal is to not have to wait very long for encryption to finish before the computer can be used, but make sure encryption finishes in the background in a reasonable time and then reports up its fully encrypted status to MBAM. I don't care too much if it is not fully encrypted when I give it to the user, but I do want it to be fully encrypted within a day or so. What would fit my needs best is if there were a way to do an "encrypt used only" during OSD and then flip a switch so that bitlocker goes back and encrypts the rest of the drive (whole drive) later in the background. Finally when it is at 100% it can report to MBAM that it is encrypted.

Is your goal to be 100% encrypted before you let a user onto the machine?

From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Ratliff
Sent: Tuesday, May 26, 2015 9:33 AM
To: [email protected]
Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ?

Our security team had similar concerns and accepted running the cipher command before encrypting to wipe all the data.

Cipher.exe /w:c:\

Daniel Ratliff

From: [email protected] [mailto:[email protected]] On Behalf Of Miller, Todd
Sent: Tuesday, May 26, 2015 10:24 AM
To: [email protected]
Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ?

When pre-provisioning and encrypting used space only, remember there may be previously unencrypted data that is recoverable on the drive from a previous unencrypted OS installation - as Michael mentioned "an empty drive" - that is an important point. If you are concerned about data leaking out, you need to either start with a securely cleaned disk (f-disk is not enough), a brand new disk, or a previously wholly encrypted disk - otherwise you should encrypt the whole disk.
I was thinking that the used space was going to be great, forgetting that there would be a lot of chance for leakage if you are moving from an unencrypted disk to an encrypted disk environment. All the unencrypted stuff from the disk's previous installation will be left unencrypted in a used only scenario.

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Niehaus
Sent: Monday, May 25, 2015 7:10 PM
To: [email protected]
Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ?

Remember too that Windows 7 encrypts every sector - encryption of used space only was introduced with Windows 8. Encrypting 500GB will certainly take a while on a spinning drive.

Leveraging BitLocker Pre-Provisioning also enables used space only encryption - that makes it instantaneous to turn on for an empty drive.

Thanks,
-Michael

From: [email protected] [mailto:[email protected]] On Behalf Of Keith Garner (hotmail)
Sent: Monday, May 25, 2015 4:52 PM
To: [email protected]
Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ?

12 hours seems a bit excessive, however all of my machines have migrated over to SSD drives, so I may not be the best judge of spinning drives.

The other alternative is to enable Bitlocker Pre-Provisioning from the Windows 8.0/8.1 ADK. Basically, it will encrypt the drive but leave the protectors "off"; if you have ever "suspended" Bitlocker, it's similar. The Bitlocker is just "ON" and there is no need to go through the lengthy encryption phase. I've seen it work for Windows 7 SP1, and if you are using a product like MBAM, it should utilize the encrypted state of the drive and enable the protectors.
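
[Added example, not part of any message in this thread.] The check the replies above converge on, sketched in PowerShell: read the "Conversion Status" that manage-bde -status reports and request a free-space wipe only for a volume that was encrypted used-space-only. The sample status text is constructed, English (unlocalized) output wording is assumed, the function names are hypothetical, and whether the installed OS's manage-bde accepts -WipeFreeSpace is the open question at the top of the thread, so the live branch is off by default.

```powershell
# Added example: function names, $Live switch and sample text are illustrative.
function Get-BdeConversionStatus {
    param([Parameter(Mandatory=$true)][string[]]$StatusText)
    # Extract the value that follows "Conversion Status:" in the status report.
    foreach ($line in $StatusText) {
        if ($line -match '^\s*Conversion Status:\s*(.+?)\s*$') { return $Matches[1] }
    }
    throw 'No "Conversion Status" line found in manage-bde output.'
}

function Test-NeedsFreeSpaceWipe {
    param([Parameter(Mandatory=$true)][string]$ConversionStatus)
    # Used-space-only encryption never overwrote sectors that were unallocated
    # when BitLocker was enabled, so remnants of an earlier unencrypted
    # installation can still sit on the disk in the clear.
    return ($ConversionStatus -eq 'Used Space Only Encrypted')
}

# Constructed sample of `manage-bde -status C:` output for a pre-provisioned disk.
$sample = @'
Volume C: [OSDisk]
[OS Volume]

    Size:                 465.76 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
'@ -split "`r?`n"

$Drive = 'C:'     # assumption: the OS volume
$Live  = $false   # set to $true to query and act on the real volume

if ($Live) { $text = & manage-bde.exe -status $Drive } else { $text = $sample }
$status = Get-BdeConversionStatus -StatusText $text

if (Test-NeedsFreeSpaceWipe -ConversionStatus $status) {
    Write-Output "$Drive is '$status': free space was never overwritten."
    if ($Live) { & manage-bde.exe -WipeFreeSpace $Drive }
} else {
    Write-Output "$Drive is '$status': no free-space wipe requested."
}
```

A volume that went through a full (every sector) encryption pass reports "Fully Encrypted" and falls through to the second branch, which matches the thread's point that only the used-space-only path leaves old data behind.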

From: [email protected] [mailto:[email protected]] On Behalf Of Bain.John
Sent: Monday, May 25, 2015 11:46 AM
To: [email protected]
Subject: [MDT-OSD] Bitlocker drive encryption process overly slow ?

Just curious to hear what others have seen in terms of whole drive encryption. Does 12 hours to encrypt 500 GB seem excessive? This is to encrypt the drive post Windows 7 install.

John

John Bain - CIC Engineering
Office: JETS C657 | Tel: 613-437-6829
365 Laurier Avenue West Ottawa ON K1A 1L1 | 365, avenue Laurier Ouest Ottawa ON K1A 1L1
NHQ - Solutions and Information Management | AC - Direction générale des solutions et de la gestion de l'information
Citizenship and Immigration Canada | Citoyenneté et Immigration Canada
Government of Canada | Gouvernement du Canada

________________________________
Notice: This UI Health Care e-mail (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and may be legally privileged. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error, then delete it. Thank you.
________________________________
The information transmitted is intended only for the person or entity to which it is addressed and may contain CONFIDENTIAL material. If you receive this material/information in error, please contact the sender and delete or destroy the material/information.
________________________________
