[BITLOCKER] - Win10 + AD

Question

    Hi,

    I've got this config at work: 

    • Win10 Pro (1703)
    • ActiveDirectory 2008 R2

    We'd like to deploy BitLocker that would save the information into AD. So we checked our schema:

    PS AD:\> Get-ADObject -SearchBase ((GET-ADRootDSE).SchemaNamingContext) -Filter { name -like 'ms-FVE-*'} | select DistinguishedName

    DistinguishedName
    -----------------
    CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=XXX,DC=com
    CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=XXX,DC=com
    CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=XXX,DC=com
    CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=XXX,DC=com
    CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=XXX,DC=com

    Then we prepared a GPO:

    Computer Configuration (Enabled) > Policies > Administrative Templates
    Windows Components/BitLocker Drive Encryption

    Require BitLocker backup to AD DS: Enabled
        If selected, cannot turn on BitLocker if backup fails (recommended default).
        If not selected, can turn on BitLocker even if backup fails. Backup is not automatically retried.
        Select BitLocker recovery information to store: Recovery passwords and key packages
        A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive.
        A key package contains a drive's BitLocker encryption key secured by one or more recovery passwords.
        Key packages may help perform specialized recovery when the disk is damaged or corrupted.

    Windows Components/BitLocker Drive Encryption/Operating System Drives

    The "Allow certificate-based data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

    In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

    Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

    In "Save BitLocker recovery information to Active Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.

    Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

    Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery password is automatically generated.

    If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.

    If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

    Choose how BitLocker-protected operating system drives can be recovered (supported on: at least Windows Server 2008 R2 or Windows 7): Enabled
    Allow data recovery agent Enabled
    Configure user storage of BitLocker recovery information:
    Allow 48-digit recovery password
    Allow 256-bit recovery key
    Omit recovery options from the BitLocker setup wizard Disabled
    Save BitLocker recovery information to AD DS for operating system drives Enabled
    Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
    Do not enable BitLocker until recovery information is stored to AD DS for operating system drives Disabled

    Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.

    If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.

    On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.

    If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

    If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.

    Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.

    Require additional authentication at startup (supported on: at least Windows Server 2008 R2 or Windows 7): Enabled
    Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) Disabled
    Settings for computers with a TPM:
    Configure TPM startup: Allow TPM
    Configure TPM startup PIN: Allow startup PIN with TPM
    Configure TPM startup key: Do not allow startup key with TPM
    Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM

    The problem is that the PCs don't get encrypted:

    PS C:\> manage-bde.exe -status c: -computername PCNAME.YYY.XXX.com
    BitLocker Drive Encryption: Configuration Tool version 10.0.15063
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    Computer Name: PCNAME.YYY.XXX.com

    Volume C: []
    [OS Volume]

        Size:                 297.48 GB
        BitLocker Version:    None
        Conversion Status:    Fully Decrypted
        Percentage Encrypted: 0.0%
        Encryption Method:    None
        Protection Status:    Protection Off
        Lock Status:          Unlocked
        Identification Field: None
        Key Protectors:       None Found

    I have found this manual and followed it (setting SELF write permissions for Write msTPM-OwnerInformation): 

    http://jackstromberg.com/2015/02/tutorial-configuring-bitlocker-to-store-recovery-keys-in-active-directory/

    Monday, July 31, 2017 12:41 PM
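The status output above shows "Key Protectors: None Found", i.e. BitLocker was never turned on: the GPO settings only govern how BitLocker behaves once it is enabled, they do not start encryption by themselves. The following script is an added example, not part of the original post or the linked tutorial; it assumes it runs elevated on a domain-joined Win10 client with RSAT (ActiveDirectory module) installed, checks that the AD backup policy actually applied and the TPM is ready, enables BitLocker with TPM plus a recovery password, escrows the password to AD DS and then reads it back from the computer object.

```powershell
# Added example (not the poster's code). Run elevated on the domain-joined client.
# Assumes the GPO shown above has applied and the AD schema carries the ms-FVE-* classes.
$Mount = 'C:'

# 1. Confirm the OS-drive AD DS backup policy reached this client (FVE policy registry key).
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.OSActiveDirectoryBackup -ne 1) {
    throw 'AD DS backup policy not applied; run "gpupdate /force" and re-check before enabling BitLocker.'
}

# 2. The "Allow TPM" policy above needs a present and ready TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady))."
}

# 3. Add the recovery password protector first so it exists when encryption starts,
#    then enable the volume with the TPM protector.
$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $Mount -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest | Out-Null
}

# 4. Explicitly back up every recovery password protector to AD DS (safe to repeat).
$vol = Get-BitLockerVolume -MountPoint $Mount
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($p in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 5. Verify from AD: msFVE-RecoveryInformation objects are children of the computer account.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$escrowed = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties 'msFVE-RecoveryPassword'

if (-not $escrowed) {
    Write-Warning "No msFVE-RecoveryInformation objects found under $($computer.DistinguishedName)"
}
$escrowed | Select-Object Name, @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
```

If step 5 returns nothing while step 4 succeeded, check the computer object's ACL: the computer account (SELF) needs Create permission for msFVE-RecoveryInformation child objects, which is what the linked tutorial's delegation step grants.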

All replies