May 25, Enable BitLocker, Automatically save Keys to Active Directory, by Shannon Fritz

Companies have always been concerned about the security of data on their mobile users' computers.
What happens if the computer is lost or stolen? How can you be sure that the "stuff" on that computer does not fall into the wrong hands? Let me tell you about BitLocker and how to use it. It does more than just lock the files: it really locks the file system that the files live on, not just the files themselves.
An encrypted removable drive can then be used on any Windows 7 computer by simply plugging it in and entering the password you created when you encrypted it.
Locations of BitLocker Recovery information in Active Directory.
This key can be entered manually, which would be very cumbersome, or it can be presented from a USB flash drive that you connect to the computer, but better yet, the key can be stored in a TPM chip that is built into the computer.
Microsoft has a nice overview of how keys are secured within the TPM if you'd like more details. Most of the laptops I have done this on have required two reboots into the BIOS, but you only need to do this the first time you enable BitLocker and can then leave it alone. For example, here's how you do it on a Dell Latitude laptop. The first time you open this you'll only have the option to Enable TPM security by checking the box. If you've been here before you may see additional options, but the main thing is to ensure that the box IS checked.
You'll be told that you need to restart for the changes to take effect, so click OK, save your changes and restart. This time you can Activate the chip. Again, save your settings and reboot.

Set the Boot Order

It may not be obvious, but the way the TPM secures the encryption keys is by ensuring that the way your system boots up is always the same as it was at the time you enabled BitLocker.
This means if you are encrypting your system drive C: it is important that you set the boot order so that the Hard Drive is always first. It's by design.
Store BitLocker Recovery Keys using Active Directory
If later you want to boot from other media you can still hit F12 or change the BIOS setting, just know that the disk will not automatically unlock and you will need the decryption key in order to access it.
I have seen it work fine when a "Diskette Drive" is listed first in the boot order, but laptops don't have those anymore so the HDD ends up being first by natural selection. I find it best practice to force the HDD to be first by definition. For example, if a user has a bootable disc in their computer like a Windows DVD, when their computer boots and reads from the DVD the user is prompted to "press any key to boot" from that disc.
If they do not press any key the machine moves to the next boot option, presumably the hard drive, but I have seen some computers try booting next from the encrypted partition and not from the boot partition.
This prompts the user to enter the decryption key and results in a call to tech support.
If they remove the DVD and boot normally it works fine.

Enable BitLocker

There isn't really anything to "enable" in order to start using BitLocker itself on Windows 7; just right click any hard drive that you want to encrypt and select "Turn on BitLocker". This will start the wizard, which first checks for a TPM chip. If all goes well you should see this screen.
When asked to save your key, I find it easiest to just save it to a file someplace (it just generates a text file); the catch is that you cannot save it to the drive that you are encrypting! So click on "Save the recovery key to a file" and put it someplace.
It'll tell you that the key has been saved and then you can continue.

For more info, see BitLocker Group Policy settings. The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. Joining a computer to the domain should be the first step for new computers within an organization.
An event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. Note, however, that such a log entry could be spoofed. To identify the latest password, check the date on the object. With these settings configured, if the backup fails BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. Instead, administrators can create a script for the backup, as described earlier under "What if BitLocker is enabled on a computer before the computer has joined the domain?"
The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.

BitLocker recovery password: the recovery password allows you to unlock and access the drive in the event of a recovery incident.

BitLocker key package: the key package helps to repair damage to the hard disk that would otherwise prevent standard recovery.

What if BitLocker is enabled on a computer before the computer has joined the domain? Important: joining a computer to the domain should be the first step for new computers within an organization.
When you use Active Directory to store BitLocker recovery passwords, this information is by default only available to members of the Domain Administrators group. Adding Read permissions to the Recovery Information objects does not enable other groups to read the BitLocker recovery passwords from Active Directory. When Windows stores BitLocker recovery information in Active Directory, it is storing confidential information in the directory as clear text. At the time Active Directory was developed by Microsoft, the only way to hide information from member users in AD was by encrypting that information.
All objects created with the Confidentiality bit set to 1 are only available to users who have Full Control access to that object; they are hidden from all other users in Active Directory. In order to delegate access to BitLocker Recovery Information objects in Active Directory to users who are not members of the Domain Administrators group, Full Control access must be granted to these users.
See also: How to mark an attribute as confidential in Windows Server Service Pack 1.

Saiba, thank you for the link. This information is very recent and the first public documentation about delegation of BitLocker Recovery information by Microsoft I have seen.
I will update the blog shortly with the updated information.

Is the MSC method with full access valid?
A domain security administrator can track BitLocker recovery keys and passwords manually if the number of computers in the company network is not very large. Group Policies (GPOs) allow you to configure the BitLocker agent on user workstations to back up BitLocker recovery keys from local computers to the corresponding computer objects in Active Directory.
Each BitLocker recovery object has a unique name and contains a globally unique identifier for the recovery password and optionally a package containing the key. If the computer object in Active Directory stores several recovery passwords, the name of data object will contain the password creation date.
The name of the BitLocker recovery object is limited to 64 characters, so the original should be allowed a bit password. The BitLocker recovery data storage feature is based on an extension of the Active Directory schema, which adds additional attributes.
Starting from Windows Server these attributes are available by default, but additional configuration is still required for the feature to work. The same applies to computers running the newest Windows Server build.
This feature can be installed from the Server Manager console or using PowerShell: If BitLocker was already enabled on a drive on some computers earlier, just disable and re-enable BitLocker for that drive, or copy the recovery key to Active Directory manually using the manage-bde tool. To do this you should log on to the workstation under a domain account and have local administrator permissions.
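The manual escrow step described above, written out as an added PowerShell example (this is not the article's own script). It assumes Windows 8 / Server 2012 or later for the BitLocker module cmdlets; on Windows 7 the equivalent manage-bde commands are given in the comments. It also assumes the GPO that allows storing recovery information in AD DS is already applied to the machine, and that the script runs elevated under a domain account.

```powershell
# Added example: escrow every recovery-password protector on this machine's
# encrypted volumes into its own AD computer object, then verify via the event log.
# Assumptions: BitLocker PowerShell module present (Windows 8 / Server 2012+),
# domain-joined machine, AD backup GPO applied, elevated session.

$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }

foreach ($vol in $volumes) {
    $mp = $vol.MountPoint
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $rp) {
        # No 48-digit recovery password protector exists yet, so there is nothing to
        # escrow; add one first.  manage-bde equivalent:
        #   manage-bde -protectors -add $mp -RecoveryPassword
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($p in $rp) {
        try {
            # manage-bde equivalent (works on Windows 7 as well):
            #   manage-bde -protectors -adbackup $mp -id $p.KeyProtectorId
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            Write-Output ("{0}: backed up protector {1} to AD" -f $mp, $p.KeyProtectorId)
        } catch {
            Write-Warning ("{0}: AD backup of {1} failed: {2}" -f $mp, $p.KeyProtectorId, $_.Exception.Message)
        }
    }
}

# Client-side confirmation: the BitLocker management log records the outcome of
# each AD backup (as I understand it, event ID 845 = success, 846 = failure).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845, 846
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

The script only escrows the RecoveryPassword protector; TPM, PIN and startup-key protectors are not stored in AD. Because the event log entry can be spoofed, treat it as a local hint only and confirm escrow from the directory side (the msFVE-RecoveryInformation child object under the computer account) before relying on it.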
You can delegate the permissions to view information about BitLocker recovery keys in AD to a certain group of users (for example, security administrators).

Posted by Rich, June 28: Can more than one OU be set up to allow recovery keys to be written to?
To get this list, I've run this simple dsquery statement to generate a list: The end result that I would like is a list of computer accounts that have an expired computer account password, but no BitLocker recovery key stored in AD. Has anyone done this before or know where to start looking to get something like this accomplished?

If no objects were returned then no recovery password was present in the directory. Joe Richards really deserves a pat on the back for his tools. They make life administering AD so much easier.
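One way to produce the report the question asks for (stale machine-account password and no escrowed key), written here as an added PowerShell example rather than the poster's dsquery approach. It assumes the RSAT ActiveDirectory module; the OU distinguished name and the 30-day threshold (the default machine-password rotation interval) are placeholders.

```powershell
# Added example: enabled computer accounts under an OU whose machine password has not
# rotated within 30 days AND which have no msFVE-RecoveryInformation child object.
# Assumes the ActiveDirectory module; $searchBase is a placeholder DN.

Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=corp,DC=example'   # placeholder
$staleAfter = (Get-Date).AddDays(-30)

function Get-BitLockerEscrowReport {
    param([string]$SearchBase, [datetime]$StaleAfter)

    foreach ($c in Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties pwdLastSet) {
        # pwdLastSet is a FILETIME; 0 means the password has never been set.
        $pwdSet = if ($c.pwdLastSet) { [DateTime]::FromFileTime($c.pwdLastSet) } else { [DateTime]::MinValue }

        # Recovery objects are stored as children of the computer object, one level down.
        $keys = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                     -LDAPFilter '(objectClass=msFVE-RecoveryInformation)')

        [PSCustomObject]@{
            Name         = $c.Name
            PwdLastSet   = $pwdSet
            PwdStale     = ($pwdSet -lt $StaleAfter)
            RecoveryKeys = $keys.Count
        }
    }
}

Get-BitLockerEscrowReport -SearchBase $searchBase -StaleAfter $staleAfter |
    Where-Object { $_.PwdStale -and $_.RecoveryKeys -eq 0 } |
    Sort-Object PwdLastSet |
    Format-Table -AutoSize
```

One caveat that matters for this report: msFVE-RecoveryInformation objects are confidential, so an account without Full Control on them simply does not see them. Run the report as a Domain Admin (or a properly delegated account), otherwise every machine appears to have zero keys and the output is meaningless.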
In some cases, BitLocker can prompt the user for the recovery key if it detects a specific change, such as a partition change. Before searching for your computer in Active Directory, you need to install a plugin to display BitLocker Recovery Key information.
It has been integrated into the server features since Windows Server. On the recovery screen the user only has the first 8 digits of the password ID. If a helpdesk team exists in your enterprise, you may want to give them the right to display this information.
However, the recovery key is confidential information and standard users cannot view it. We need to delegate some rights on the targeted OU to a specific group. In the example above, I set the right to Full Control on the property. You can get more information about BitLocker here.

Excellent article, thanks. Exactly what I was looking for. Much easier than trying to run the VB scripts Microsoft provides.
I knew there had to be some property that could be accessed via the delegation wizard. Thank you for getting me there quicker.
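The helpdesk lookup the post describes (finding the stored recovery password from the 8-character password ID the user reads off the recovery screen), as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory module and that the caller has been delegated Full Control on msFVE-RecoveryInformation objects; the sample ID is constructed.

```powershell
# Added example: look up a BitLocker recovery password in AD by the first 8 hex
# characters of its Password ID. Assumes the ActiveDirectory module and a caller
# who can read msFVE-RecoveryPassword (Domain Admins, or Full Control delegation).

Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$PasswordIdPrefix
    )
    # Recovery objects are named "<creation time>{<password GUID>}", so the first
    # block of the GUID can be matched directly in the object name.
    $filter = "(&(objectClass=msFVE-RecoveryInformation)(name=*{$PasswordIdPrefix-*))"

    Get-ADObject -LDAPFilter $filter -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
    ForEach-Object {
        # The parent of the recovery object is the computer object.
        $computerDn = ($_.DistinguishedName -split ',', 2)[1]
        [PSCustomObject]@{
            Computer         = (Get-ADObject -Identity $computerDn).Name
            Created          = $_.whenCreated
            PasswordId       = ([Guid]$_.'msFVE-RecoveryGuid').ToString().ToUpper()
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    }
}

# Constructed sample ID; in practice this comes from the user's recovery screen.
Find-BitLockerRecoveryPassword -PasswordIdPrefix '1A2B3C4D'
```

If the query returns nothing for an account that is not a Domain Admin, check the delegation before assuming the key was never escrowed: with only Read access the confidential objects are invisible, which is exactly the behaviour the article warns about. Where several computers share a creation date, the full GUID in the PasswordId column disambiguates them.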
Feature installation: check "BitLocker Drive Encryption Tools".

[Figures: BitLocker Recovery Password Viewer; BitLocker Recovery Key feature; BitLocker Recovery Key tab; Find BitLocker Recovery Password; BitLocker Recovery Key as a standard user; OU Delegate Control; Delegate Group]

When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization.
The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. To plan your enterprise deployment of BitLocker, you must first understand your current environment. Conduct an informal audit to define your current policies, procedures, and hardware environment. Begin by reviewing your existing corporate security policies as they relate to disk encryption software.
If your organization is not currently using disk encryption software, none of these policies will exist. If you are using disk encryption software, then you might need to modify your organization's policies to address the capabilities of BitLocker. Use the following questions to help you document your organization's current disk encryption security policies. The trusted platform module (TPM) is a hardware component installed in many newer computers by the computer manufacturers.
It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number PIN or inserts a removable USB device, such as a flash drive, that contains a startup key.
These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
Determine whether you will support computers that do not have a TPM version 1. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system.
This requires additional support processes similar to multifactor authentication. The TPM-only authentication method will provide the most transparent user experience for organizations that need a baseline level of data protection to meet security policies.
It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. However, the TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. If there are areas of your organization where data residing on user computers is considered highly sensitive, consider the best practice of deploying BitLocker with multifactor authentication on those systems.
Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key.
The protection differences provided by multifactor authentication methods cannot be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and automated systems management processes. In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.