Skip to main content

Bitlocker

What is Bitlocker?

Bitlocker Drive Encryption allows you to encrypt all data stored on the Windows operating system volume and configured data volumes, and by using a Trusted Platform Module (TPM), it can also help ensure the integrity of early startup components. Bitlocker was updated with the release of Windows 7 and Windows Server 2008 R2.

Backing Up Bitlocker and TPM Recovery Information to AD DS

Backing up recovery passwords for a Bitlocker-protected drive allows administrators to recover the drive if it is locked. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users.

You can configure Bitlocker Drive Encryption to back up recovery information for Bitlocker-protected drives and the Trusted Platform Module (TPM) to Active Directory Domain Services (AD DS). Recovery information includes the recovery password for each Bitlocker-protected drive, the TPM owner password, and the information required to identify which computers and drives the recovery information applies to.

How it was implemented?

See http://technet.microsoft.com/en-us/library/dd875529%28WS.10%29.aspx for full instructions.

-Extended the Active Directory schema

-Updated the ACE to allow TPM recovery information to be backed up.

- Configure Group Policy to enable backup of Bitlocker and TPM recovery information in AD DS

1.- Computer Configuration\Administrative Templates\Windows Components, click Bitlocker Drive Encryption.
2.enabled - Store Bitlocker recovery information in Active Directory (Windows Server 2008 and Windows Vista).
1.Select Require Bitlocker backup to AD DS if you want to prevent users from enabling Bitlocker on computers that are not currently able to connect to a domain controller.
2.Select Bitlocker recovery information to store, select either Recovery passwords and key package
3.Computer Configuration\Administrative Templates\System, click Trusted Platform Module Services.
1.enabled - Turn on TPM backup to Active Directory Domain Services.
2.Require TPM back to AD DS check box is selected by default
How to recover Bitlocker key?

Open Active directory on a Server 2008 R2 server or via RAST tools for Windows 7. Make sure Bitlocker is a select feature http://www.microsoft.com/download/en/details.aspx?id=7887

Right click the domain and click "Find Bitlocker Recovery Password".

You will need to enter the first 8 characters prompted for and it will search AD for the corresponding record.

If you know the computer host name you can search for the computer as normal; open the properties and you will see a Bitlocker Recovery Tab. This will provide the same details in order to gain access to the encrypted drive.



How to populate AD with the Recovery password manually?

This may be necessary should a machine fail to join the domain but the HDD Bitlocker has run.

c:> manage-bde -protectors -get c: Example: Bitlocker Drive Encryption: Configuration Tool version 6.1.7600Copyright (C) Microsoft Corporation. All rights reserved.Volume C: [Old Win7]All Key Protectors External Key: ID: {F1#####2E-22D5-4420-980C-851#####EB30} External Key File Name: F12#####E-22D5-4420-980C-851#####B30.BEK Numerical Password: ID: {DFB###E6-8B3F-4DCA-9576-C19###C71E} Password: 22##31-534171-4####4-445973-13###7-430507-68###2-70###6 TPM And PIN: ID: {EB###D6-D##4-4AFB-84E3-26#######7AA5} If you see results above you should see ID and Password for Numerical Password. Now run the below command, replace id for ID of Numerical Password. c:> manage-bde -protectors -adbackup c: -id {DFB###6-8B3F-4DCA-9576-C19#####C71E} Bitlocker Drive Encryption: Configuration Tool version 6.1.7600Copyright (C) Microsoft Corporation. All rights reserved.Recovery information was successfully backed up to Active Directory.http://technet.microsoft.com/en-us/library/ee449438%28WS.10%29.aspx

What causes Bitlocker to start into recovery mode when attempting to start the operating system drive?

The following list provides examples of specific events that will cause Bitlocker to enter recovery mode when attempting to start the operating system drive:

Changing the BIOS boot order to boot another drive in advance of the hard drive.
Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
Failing to boot from a network drive before booting from the hard drive.
Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock Bitlocker. This means that if a portable computer is connected to its docking station when Bitlocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when Bitlocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
Turning off the BIOS support for reading the USB device in the pre-boot environment if you are using USB-based keys instead of a TPM.
Turning off, disabling, deactivating, or clearing the TPM.
Upgrading critical early start-up components, such as a BIOS upgrade, causing the BIOS measurements to change.
Forgetting the PIN when PIN authentication has been enabled.
Updating option ROM firmware.
Upgrading TPM firmware.
Adding or removing hardware. For example, inserting a new card in the computer, including some PCMIA wireless cards.
Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
Changes to the master boot record on the disk.
Changes to the boot manager on the disk.
Hiding the TPM from the operating system. Some BIOS settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS secure start-up is disabled, and the TPM does not respond to commands from any software.
Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including PCR[1] would result in most changes to BIOS settings, causing Bitlocker to enter recovery mode.
Moving the Bitlocker-protected drive into a new computer.
Upgrading the motherboard to a new one with a new TPM.
Losing the USB flash drive containing the start-up key when start-up key authentication has been enabled.
Failing the TPM self test.
Having a BIOS or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each start-up and causing Bitlocker to start in recovery mode.
Changing the usage authorization for the storage root key of the TPM to a non-zero value.
Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
Pressing the F8 or F10 key during the boot process.
Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.

Comments

Popular posts from this blog

SCCM Unknown computer not able to see Task Sequences after installing Current Branch 1702

Soon after installing SCCM CB 1702 we were unable to see Task Sequences deployed to the unknown collection. This issue was identified as a random system taking the GUID of the 'x64 Unknown Computer (x64 Unknown Computer)' record. As a result it was now a known GUID; as we were only deploying Task Sequences to the Unknown collection none were made available. 'x64 Unknown Computer (x64 Unknown Computer)' record 'x86 Unknown Computer (x86 Unknown Computer)' record To get the GUID of your unknown systems open SQL management studio and run the following command: --Sql Command to list the name and GUID for UnknownSystems record data select ItemKey, Name0,SMS_Unique_Identifier0 from UnknownSystem_DISC Using the returned GUID (SMS_Unique_Identifier0) we can find the hostname that has been assigned the 'x64 Unknown Computer (x64 Unknown Computer)' GUID by running the query below. --x64 Unknown Computers select Name0,SMS_Unique_Identifier0,Decommissioned0 from Sys...

Windows 7 Offline files will not go Online when connected to network

Issue Several laptop users move between networks, domain, home, etc and when they attempt to access DFS shares explorer status is working offline.  The issue only resolves it self after a reboot. Connecting directly to the share works and i am able to ping network resources.  This behavior occurs for VPN users as well. Possible Causes "slow-link mode". In win7 (with default settings) a client will enter slow-link mode if the latency to the server is above 80ms. In slow-link mode all writes are made to the local cache and a background sync only happens every 6 hours.  Depending on your connection the default slow link detection speed is 64,000 bps On client computers running Windows 7 or Windows Server 2008 R2, a shared folder automatically transitions to the slow-link mode if the round-trip latency of the network is greater than 80 milliseconds, or as configured by the "Configure slow-link mode" policy. After transitioning a folder to the slow-link mode, Offline Fil...

SCCM Software Update - Job error 0x80004005 Failed to Add Update Source for WUAgent

SCCM Software Updates - Failed to Add Update Source for WUAgent  Today I have been looking at a range of servers (Server 2008 /R2 2012 /R2) that were failing to communicate with the Software Update Point (SUP) in SCCM and retrieve deployment policy. The UpdateDeployment.log was reporting the Job error 0x80004005 Job error (0x80004005) received for assignment ({af7a48e6-d550-4070-dd9b-ecc234567584}) action UpdatesDeploymentAgent 12/6/2017 10:32:27 AM 2096 (0x0830) The WUAHandler.log  was reporting "Unable to read existing WUA Group Policy object" and "Failed to Add Update Source for WUAgent " Unable to read existing WUA Group Policy object. Error = 0x80004005. WUAHandler 12/6/2017 3:41:00 AM 2828 (0x0B0C) Failed to Add Update Source for WUAgent of type (2) and id ({3AAB6A76-CE2D-4E8A-9F11-123AE69612A1}). Error = 0x80004005. WUAHandler 12/6/2017 11:03:31 AM 2276 (0x08E4) Until the agent can report back to the SUP, SCCM will not be able to summarize Software Update sta...