BitLocker tips and tricks

In this post, I will be talking about a couple of BitLocker tips and tricks, killer mistakes, and some resources that you can use for your deployments.

BitLocker User Guide

One BitLocker tip is to prepare a user guide for using BitLocker in your enterprise. One of the most important things when you decide to roll out BitLocker in your organization is simply communicating this to your business users. Not only do they deserve to know about the encryption on their laptops, they need to know what to do when, for example, they forget the start-up PIN. They should also be aware that they must not share or write down the BitLocker start-up PIN (if one is used), and that they must not disable encryption on their machines if they have administrative rights.

I created a sample BitLocker User Guide for you to look at and to help you write your own. The guide contains the following sections:

  • What is BitLocker?
  • Will I notice a difference?
  • How does BitLocker work?
  • Creating your PIN
  • Changing the PIN
  • What if I forget my PIN?
  • Protecting data drives with BitLocker
  • Protecting USB drives with BitLocker
  • Standby mode (Sleep option)
  • Will BitLocker affect the performance of my laptop?
  • Removing BitLocker protection (policy)

BitLocker killer mistake

Assumptions

You have a BitLocker deployment in which you back up your BitLocker recovery keys to Active Directory.

The wrong thing

When you format a computer, you go to AD, delete the computer account, create a new one, and then join the formatted machine to the domain! Killer mistake.

The right thing

When you format a computer, you go to AD, RESET THE COMPUTER ACCOUNT, and then join the formatted machine to the domain!

What can go wrong if I delete the computer account?

When you enable BitLocker on a computer drive, the machine writes the BitLocker recovery information to the computer account in AD. So if you delete a computer account, you delete all of its BitLocker recovery information with it. Resetting the computer account, on the other hand, does not.

Common Mistake Scenario

A computer has C and D drives with BitLocker enabled on both of them. You backed up everything on the C drive and, since the C drive is big enough, you decided to keep the D drive as is and format only the C drive.

You start installing Windows on the C drive, delete the computer account from AD, and then create a new one. Then you join the machine to the domain and enable BitLocker on the C drive.

Now you notice that the D drive is encrypted. You go to AD to find the recovery information for that drive. The surprise is that there is no recovery information for the D drive, since you deleted the computer account and created a new one. Good luck with that.

Remember to always reset computer accounts instead of the old habit of deleting them.

BitLocker issues you may face

Problems

Case 1: What happens if you rejoin a BitLocker-protected computer to the domain?

Case 2: Renaming a computer that has BitLocker enabled.

Case 3: A computer was used by user1; user1 resigned, so you reset his computer account in AD, reformatted the machine, joined it to the domain, and re-enabled BitLocker on it.

Case 4: Deleting a computer that has BitLocker enabled from AD.

Case 5: Enabling BitLocker before joining the machine to the domain.

Case 6: Divergence: you have a domain-joined machine with BitLocker enabled, and in AD you have no recovery information for that computer.

Solutions

Case 1,2

If you rename a computer that already has BitLocker turned on, or if you rejoin a BitLocker-encrypted machine to the domain, nothing happens to the BitLocker recovery information in Active Directory. You can still see it, as described in a Microsoft blog post.

Case 3

Since the computer object was reset and not deleted (the recommended way), you will see cumulative BitLocker information under the computer object: the volume recovery keys from when the machine was owned by user1, and the volume recovery keys from after the format. Nothing bad about this from my point of view.

Case 4

If you delete a computer object that has BitLocker information on it, both the computer object and the BitLocker recovery information are moved to the AD Recycle Bin, if you have the AD Recycle Bin enabled. Nevertheless, the links between the computer object and its child objects are broken.

Case 5, 6

Enabling BitLocker before joining the machine to the domain means that the BitLocker recovery keys for that machine are not stored in Active Directory, and this is very dangerous and risky.

This can also happen if BitLocker was enabled while there was no network connectivity to the domain at that moment. Another possibility is that the Group Policy setting to save recovery information to AD was not enabled at the time of encryption.

To make the machine back up its recovery keys to Active Directory, do the following steps for each encrypted volume on the machine:

  • Go to that machine, open CMD with elevated admin rights, and type the following command to show the BitLocker protectors for the C drive:
manage-bde -protectors -get c:
  • Search for the Numerical Password item and copy the ID value. In the screenshot below, the ID value is {21E15846-E03B-4D01-9B98-58A662586947}. This is the ID of the protector that we want to back up to AD. The value itself is in the Password field; I hid that field in the screenshot for privacy reasons. Anyway, we only need the ID value.

[Screenshot: BitLocker tips 1]

  • Now run this command:
manage-bde -protectors -adbackup c: -id {21E15846-E03B-4D01-9B98-58A662586947}
  • Repeat this for all BitLocker-protected drives.
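The three steps above, as an added PowerShell example (not the post's own commands and not Norman Bauer's script): it uses the BitLocker module cmdlets in place of manage-bde to back up every Numerical Password protector on every protected volume, then checks in AD that msFVE-RecoveryInformation child objects now exist under this computer's account. It assumes an elevated session on the domain-joined machine with both the BitLocker and ActiveDirectory modules installed.

```powershell
# Added example: back up all numerical-password (RecoveryPassword) protectors to AD and verify.
# Assumes: elevated PowerShell on the domain-joined machine, BitLocker + ActiveDirectory modules present.
Import-Module BitLocker
Import-Module ActiveDirectory

foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    # Same selection as "Search for the Numerical Password item" in the manage-bde output
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        Write-Warning "$($vol.MountPoint) has no numerical password protector; add one before backing up"
        continue
    }
    foreach ($kp in $recovery) {
        # Equivalent of: manage-bde -protectors -adbackup <drive> -id <protector ID>
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        Write-Host "Backed up protector $($kp.KeyProtectorId) for $($vol.MountPoint)"
    }
}

# Verification: recovery information is stored as child objects of the computer account,
# so they must now show up one level below this computer's DN.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$stored = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
          -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties whenCreated
if (-not $stored) {
    Write-Warning "No msFVE-RecoveryInformation objects under $($computer.DistinguishedName); check the GPO and domain connectivity"
} else {
    # Each object's name carries the backup timestamp and the protector ID
    $stored | Select-Object Name, whenCreated | Format-Table -AutoSize
}
```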


Recover BitLocker keys from AD Recycle Bin

Problem

  • You have AD with the Recycle Bin enabled.
  • You are storing BitLocker recovery keys in AD.
  • You have deleted a computer object with BitLocker recovery information on it.
  • You then restored that computer account from the Recycle Bin.
  • No BitLocker recovery information exists on the recovered computer object!

Reason

Going back to basics: do you know where the BitLocker information for a computer object is stored? It is stored as child objects below the computer object itself.

[Screenshot: BitLocker tips 2]

Now, when the computer gets deleted from Active Directory and moved to the AD Recycle Bin, the links between the child objects and the parent are broken. In the AD Recycle Bin you will see both computer objects and child objects stored there with no relationship between them. If you reach into this Recycle Bin and pull out a computer object, none of its child objects come attached to it any more. This is exactly what happened when you restored the AD computer from the Recycle Bin: you got the computer object without its child objects.

[Screenshot: BitLocker tips 3]

Solution

Lucky for all of us, each child object of type BitLocker Recovery Information (msFVE-RecoveryInformation) has an attribute called lastKnownParent. So, theoretically, you can go to the Recycle Bin and ask: "I have a parent called ComputerX; which of you are the children of this computer (which of you has lastKnownParent = ComputerX)?"

Download Script

Go to your domain controller or any machine with the Active Directory PowerShell module installed, open PowerShell using a domain administrator account (only a domain admin can restore from the AD Recycle Bin), and run the script from there.

Do not forget that you may need to run Set-ExecutionPolicy Unrestricted on PowerShell to allow script execution.

The script is written by Norman Bauer and you can download it from his blog post.

How does the script work?

  • It asks you for the name of the computer to restore.
  • Validation check: it first checks whether that computer still exists in AD.
  • If not, the computer may be in the Recycle Bin, so it searches there and reports if it is not there either:
$deleted = Get-ADObject -IncludeDeletedObjects -Filter {sAMAccountName -eq $computername -and Deleted -eq $True}
  • If the computer is in the Recycle Bin, it restores it:
$deleted | Restore-ADObject
  • Then it searches the Recycle Bin for child objects whose lastKnownParent equals the DistinguishedName of the restored computer:
$recoveryinfos = Get-ADObject -IncludeDeletedObjects -Filter {lastKnownParent -eq $restoredobject.DistinguishedName -and Deleted -eq $True -and objectClass -eq 'msFVE-RecoveryInformation'}
  • If any are found, it recovers each child object in turn (ForEach($recoveryinfo in $recoveryinfos)):
$recoveryinfo | Restore-ADObject